Solved

Unable to access RDP session of a host in a Windows 2012 RDS farm.

Posted on 2016-07-27
Last Modified: 2016-07-28
We have a Windows 2012 RDS farm that contains 3 RDS hosts.  When I try to access a published app as a domain user, I am getting an error "The user was denied access".  

When I try to RDP to a farm host as a domain user, I am getting "The requested session access is denied".  

I have already made sure the local Remote Desktop User Group includes mydomain\domain users.

Please advise where I should look.

Thanks,
Question by:nav2567
8 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41731826
How did you configure the farm? If you used Server Manager and created a collection, you add users/groups there (by default) and don't need to edit the local Remote Desktop Users group manually at all. But if you try to forcibly configure everything by hand, you'll definitely have issues as the RDCB will not have the appropriate policies to properly redirect and therefore will close the connection, even if you edit groups manually. 2012 relies on the RDCB role far more heavily than previous versions of Windows.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41731862
While the link you provided is indeed a Microsoft property, they are in turn linking to a non-Microsoft property. Which isn't to say the advice is necessarily bad, but sometimes independent authors change things and clarity gets lost or other changes occur.

I'd recommend this guide instead. It is more concise, far fewer links, but still covers all of the same steps. And perhaps I missed it, but editing the local remote desktop group didn't seem to be mentioned in the guide you linked to either. So, again, going off the rails can have unintended consequences.

https://blogs.technet.microsoft.com/askperf/2012/10/30/windows-8-windows-server-2012-remote-desktop-management-server/

The blog post I am linking to includes adding users to the deployment and granting permissions to the published app/desktop.
0

 

Author Comment

by:nav2567
ID: 41731943
I have read it carefully and do not see anything I have missed in my setup or any difference between your link and the one I use.

Question, when you remote connect to a host in your farm, do you see the below message?

The remote computer ..... that you are trying to connect is redirecting you to another remote computer named .... Remote Desktop Connection cannot verify that the computers belong to the same RD session host server farm.  You must use the farm name not the computer name when you connect to an RD session host server farm.
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 41731949
I have only seen that when someone is using an external load balancer or has configured round robin DNS.  In 2012, all connections should go to the RDCB first, and the RDCB will redirect as needed, and does indeed use individual server names. "Farms" are virtually dead in 2012. Instead you have "collections" and the RDCB balances across servers in a collection, and since RDCB knows those members, it won't throw that error. But a machine with a name mismatching its certificate (which happens when one of the above conditions...load balancer or round robin DNS) mismatches.

I see it often when people follow 2008 habits/guidance.

At this point, since this sounds like a new deployment, I'd tear it down and start fresh. Doing a basic one RDCB, one RDSH server deployment is very straightforward. You can then add additional servers as needed/desired once you've got a functional deployment. But at this point, you've got multiple misconfigurations that are going to muddy the troubleshooting. Faster and easier just to rebuild.
0
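
The collection-level check that the replies above point to, as an added example that is not part of the original thread: it asks the RD Connection Broker which groups are authorised on each collection and which session hosts it balances across, then reads each host's local Remote Desktop Users group for comparison. The broker name is a placeholder assumption; the cmdlets come from the RemoteDesktop module that ships with Windows Server 2012.

```powershell
# Added example (not from the thread): audit who may log on through each RDS collection.
# Run from an elevated session on a server that has the RemoteDesktop module.
Import-Module RemoteDesktop

# Assumption: placeholder FQDN, replace with your own RD Connection Broker.
$Broker = 'rdcb01.mydomain.example'

$report = foreach ($collection in Get-RDSessionCollection -ConnectionBroker $Broker) {
    $name = $collection.CollectionName

    # Groups authorised on the collection (the list Server Manager edits).
    $cfg = Get-RDSessionCollectionConfiguration -CollectionName $name `
               -UserGroup -ConnectionBroker $Broker

    # Session hosts the broker redirects to for this collection.
    foreach ($rdsh in Get-RDSessionHost -CollectionName $name -ConnectionBroker $Broker) {

        # Read the host's local group via ADSI (works on 2012 without the
        # LocalAccounts module). Each member is returned as WinNT://DOMAIN/name.
        $localMembers = Invoke-Command -ComputerName $rdsh.SessionHost -ScriptBlock {
            $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
            $group.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            }
        }

        [pscustomobject]@{
            Collection           = $name
            SessionHost          = $rdsh.SessionHost
            NewConnectionAllowed = $rdsh.NewConnectionAllowed
            CollectionUserGroups = $cfg.UserGroup -join '; '
            LocalRdUsersMembers  = $localMembers -join '; '
        }
    }
}

$report | Format-List

# To authorise a group, change it on the collection rather than on each host.
# -UserGroup replaces the existing list, so pass every group that should keep access.
# 'Apps' is a placeholder collection name; the group is the one named in the question:
# Set-RDSessionCollectionConfiguration -CollectionName 'Apps' `
#     -UserGroup 'mydomain\domain users' -ConnectionBroker $Broker
```

A host that is missing from the output is not a member of any collection on that broker, and a host with `NewConnectionAllowed` set to `No` will not receive redirected user sessions.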
 

Author Comment

by:nav2567
ID: 41733285
I have realized using mstsc.exe, logging in as a regular user to access a host does not work in Windows 2012.  I have to actually use either an RDWEB/RDP file to launch my app.   I can use mstsc /admin and login as the administrator to admin the server.  I think this is by design.  Does it sound right to you?

I asked a question previously  which I have not heard back - In your RDS environment, can you use mstsc to access a host and login as a regular user without any issue?
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41733320
As I've said multiple times, mstsc does not have a GUI to properly connect to a load balanced collection. No, I don't ever launch mstsc directly for end-user tasks. That is not the intended or designed workflow and hasn't been for some time.
0
 

Author Comment

by:nav2567
ID: 41733412
I am doing that for troubleshooting purposes only.

Thanks.
0
