Unable to connect to an RDS collection with two different user accounts simultaneously from the same workstation

Ok folks, I'm stumped.

I have a Server 2016 RDS Environment with 6 session hosts and a separate server holding the Connection broker, Gateway, and Web Access roles.
Everything works great, for the 125 users we ask this environment to handle.  The only wrinkle is that we have a small subset of users that have two user accounts due to our business rules.  

The issue is that those users cannot connect with both user accounts simultaneously.  I must have them log into one account, and log off before they can log into the other account.  If the user attempts to double click the shortcut on their desktop (downloaded from RDWEB) it simply uses the credentials cached with the connection broker.  I cannot find a way to prompt for credentials.

Any help much appreciated!

Eric_Buzzelli asked:

Cliff Galiher commented:
Note that the connection broker does not cache credentials.  That is happening on the client.  You should be able to clear the credentials in Credential Manager though and that should work under most circumstances.

Eric_Buzzelli (author) commented:
Sorry, I misspoke.  I believe the RD Gateway is passing the credentials.  The credentials are not being stored on the workstations.

Cliff Galiher commented:
Nope. RDGateway doesn't cache anything either. Either they are in credential manager. Or you set up SSO. Which SSO by definition bypasses credential prompts so you can't have both SSO configured and have that subset of users log into multiple RDS windows as different users simultaneously. Those are mutually exclusive options.

Eric_Buzzelli (author) commented:
How can I check to see if SSO is configured (partially or in full)?

Philip Elder (Technical Architect - HA/Compute/Storage) commented:
All of our RD Farms are SSO (Single Sign-On) Active Directory integrated. So, start MSTSC to log on and the user gets logged on automagically with their AD credentials.

To avoid this, click START --> mstsc [ENTER] --> Type Farm Name --> Tick "Ask for Credentials" --> Save Shortcut.

We do the above when working in a user setting to get around SSO when needing to log on to other servers in the domain during troubleshooting.

Eric_Buzzelli (author) commented:
This screenshot might be helpful.  Look at the circled item at the bottom.  
This occurs when the user has logged in with one of their user accounts without logging off.
screenshot.png

Cliff Galiher commented:
With 2016 when using rdweb and collections, this is configured in server manager. You can't edit the .RDP files because the files are digitally signed to prevent tampering.

Eric_Buzzelli (author) commented:
Ok, what changes need to be made in Server manager to effect the change I am looking for?

Cliff Galiher commented:
I'm mobile at the moment, but there are blog posts about SSO in 2012/2016. Google will help. Just be aware that this will impact all users, not just that subset. Users will be prompted to log in whenever they connect to RDS. In general, I'd say this is a sign that the business process needs to change, not the current implementation. There are always edge cases, but often people tend to ignore the road signs indicating that they are trying to do something that is bad security practice.

Philip Elder (Technical Architect - HA/Compute/Storage) commented:
The method I outlined above works just fine as a workaround for SSO enabled environments.

Open the .RDP file in NotePad and remove the signature at the bottom of the file. Save it as "Whateverv2.RDP" with the quotes in NotePad SaveAs dialogue. Then, double click and it should work just fine.

Cliff Galiher commented:
That creates a new prompt though, a bright yellow warning about opening an unsigned file.

I abhor training users to ignore or click through bright yellow warning boxes. I don't consider bad security to be a good solution. Just my opinion.

Eric_Buzzelli (author) commented:
Thanks for the help guys, Philip's suggestion is viable for the subset of users we are currently concerned with.

Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Yes, the signature edit is done by us for managing things. The users get the signed file and an updated version when required. I should have put a caveat with that.

But, for Session Host desktop access the first method works fine.
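
An added example, not code from any participant in the thread: a PowerShell report showing, for the text of an .rdp file, which connection and credential-prompt settings are listed in the file's `signscope`, and what changes once the signing lines are gone. The sample content, host names and the function name `Get-RdpSettingReport` are constructed for illustration; the check is presence-only and does not validate the signature.

```powershell
# Constructed sample .rdp text (not from the thread); host names and signature are placeholders.
$signedSample = @'
full address:s:farm.example.test
gatewayhostname:s:gw.example.test
prompt for credentials on client:i:0
promptcredentialonce:i:1
signscope:s:Full Address,GatewayHostname,PromptCredentialOnce
signature:s:PLACEHOLDER_NOT_A_REAL_SIGNATURE
'@

function Get-RdpSettingReport {
    param([Parameter(Mandatory)][string]$Content)

    # Settings are "name:type:value"; split on the first two colons only,
    # because values such as addresses can contain colons themselves.
    $settings = @{}
    foreach ($line in ($Content -split "`r?`n")) {
        $parts = $line.Trim() -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0]] = $parts[2] }
    }

    # signscope lists the setting names that the signature covers.
    $scope = @()
    if ($settings.ContainsKey('signscope')) {
        $scope = @($settings['signscope'] -split ',' | ForEach-Object { $_.Trim() })
    }
    $hasSignature = $settings.ContainsKey('signature')

    # Settings that decide which server is contacted and whether the user is prompted.
    $watch = 'full address', 'gatewayhostname', 'prompt for credentials',
             'prompt for credentials on client', 'promptcredentialonce'
    foreach ($name in $watch) {
        [pscustomobject]@{
            Setting  = $name
            Value    = if ($settings.ContainsKey($name)) { $settings[$name] } else { '(not set)' }
            # Presence check only: this does not verify the signature cryptographically.
            InSigned = $hasSignature -and ($scope -contains $name)
        }
    }
}

Get-RdpSettingReport -Content $signedSample | Format-Table -AutoSize

# The same text with the two signing lines deleted: no setting is covered any more,
# which is the state that produces the unsigned-file warning discussed above.
$unsigned = ($signedSample -split "`r?`n" | Where-Object { $_ -notmatch '^sign(scope|ature):' }) -join "`n"
Get-RdpSettingReport -Content $unsigned | Format-Table -AutoSize
```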