RDS 2012 R2 Users can connect to VMs by VM name but not by Collection.

I have a new RDS 2012 R2 installation with a gateway problem. Users can connect to VMs by VM name but not by Collection. I am using the following configuration:

  • 2 connection brokers in the internal 10.5.1.0 subnet also running RD web access
  • 1 gateway in the DMZ 10.0.0.0 subnet also running RD web access with a public facing DNS name of RDSVM.contoso.com and a gateway name of RDSVMGW.contoso.com.
  • 4 VDI Hosts in the 10.5.1.0 subnet running 12 collections of Windows 7 VMs.
  • All server firewalls are turned off on all nodes.
  • All ports to the internal network from the gateway servers are enabled.
  • CAP and RAP on Gateway are set to allow domain_users to access any resource.
  • All RDS resources are configured to use a wild card certificate where sn=*.contoso.com.
  • All servers are members of the contoso.com domain.

From the internal network I have NO problems connecting to VMs in any collection using the URL: https://RDSVM.contoso.com/rdweb. This traffic does not go through the gateway, rather it goes directly to the connection broker.

From the Internet I get the following strange results:

Case 1:   Windows 7 can't connect to a collection through the gateway

A Windows 7 machine connecting to the gateway server authenticates properly to the gateway and displays the collections, but when the user clicks on one of the collections he cannot connect to the associated VM.

When I click on collection icon "wsoo1" I get the following event log messages on the gateway server:

The user "rick", on client computer "68.36.14.7:65535", has initiated an outbound connection. This connection may not be authenticated yet.

The user "rick", on client computer "68.36.14.7:65535", has initiated an outbound connection. This connection may not be authenticated yet.

The user "rick", on client computer "68.36.14.7:49154", has initiated an inbound connection. This connection may not be authenticated yet.

The user "rick", on client computer "68.36.14.7:49154", has initiated an inbound connection. This connection may not be authenticated yet.

The user "rick", on client computer "68.36.14.7:49154", has initiated an inbound connection. This connection may not be authenticated yet.

The user "CONTOSO\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".

The user "CONTOSO\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "RDSVM.CONTOSO.COM".

The user "CONTOSO\Rick", on client computer "68.36.14.7", connected to resource "RDSVM.CONTOSO.COM". Connection protocol used: "HTTP".

The user "CONTOSO\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "RDSVM.CONTOSO.COM". Before the user disconnected, the client transferred 6338 bytes and received 7673 bytes. The client session duration was 1 seconds. Connection protocol used: "HTTP".

Case 2:   Windows 7 can connect to a named VM through the gateway.

If the same Windows 7 machine connects to the gateway, selects connect to remote PC, and manually names a VM in the previously selected collection, he can connect to the VM.

When I specify a specific VM in the collection, it works and I get this on the gateway:

The user "Rick@Contoso", on client computer "68.36.14.7:56587", has initiated an outbound connection. This connection may not be authenticated yet.

The user "Rick@Contoso", on client computer "68.36.14.7:56588", has initiated an inbound connection. This connection may not be authenticated yet.

The user "Rick@Contoso", on client computer "68.36.14.7:56588", has initiated an inbound connection. This connection may not be authenticated yet.

The user "Contoso\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "wsoo1-1".

The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "wsoo1-1". Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "wsoo1-1". Before the user disconnected, the client transferred 2235 bytes and received 2402 bytes. The client session duration was 20 seconds. Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "wsoo1-1".

The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "wsoo1-1". Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "wsoo1-1". Before the user disconnected, the client transferred 2235 bytes and received 2706 bytes. The client session duration was 2 seconds. Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "wsoo1-1".

The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "wsoo1-1". Connection protocol used: "HTTP".

Case 3:   iPad can connect to a collection through the gateway

An iPad connecting to a collection through the gateway authenticates properly to the gateway, displays the collections, and CAN connect to the associated VM.

When I click on collection icon "wsoo1" from my iPad I get the following event log messages on the gateway server:

The user "Rick@Contoso.com", on client computer "68.36.14.7:49170", has initiated an outbound connection. This connection may not be authenticated yet.

The user "Rick@Contoso", on client computer "68.36.14.7:49170", has initiated an outbound connection. This connection may not be authenticated yet.

The user "Rick@Contoso.com", on client computer "68.36.14.7:49167", has initiated an outbound connection. This connection may not be authenticated yet.

The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.

The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.

The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.

The user "Contoso\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".

The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.

The user "Contoso\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".

The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.

The user "Contoso\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "RDSVM.CONTOSO.COM".

The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "RDSVM.CONTOSO.COM". Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "RDSVM.CONTOSO.COM". Before the user disconnected, the client transferred 6418 bytes and received 8945 bytes. The client session duration was 1 seconds. Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "172.26.0.51".

The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "172.26.0.51". Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "172.26.0.51". Before the user disconnected, the client transferred 937 bytes and received 1750 bytes. The client session duration was 0 seconds. Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "172.26.0.51".

The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "172.26.0.51". Connection protocol used: "HTTP".

The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "wsoo1-1". Before the user disconnected, the client transferred 59920 bytes and received 865127 bytes. The client session duration was 833 seconds. Connection protocol used: "HTTP".

And at this point my iPad connects to wsoo1-1.

I have been trying to resolve this problem for a month now and have found nothing on the Internet or the forums that is applicable.

Any assistance available would be appreciated.

What am I doing wrong?

March 30th, 2015 5:21pm
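As an added example that is not part of the thread, the following Python script parses RD Gateway operational-log messages in the wording quoted above, reconstructs the chain of resources the gateway relayed a client to (CAP, then RAP/connected/disconnected per resource), and classifies the attempt. The sample event lines are constructed replicas of Case 1 and Case 3, and the broker name passed to `diagnose` is assumed to be the name the client is first relayed to (RDSVM.CONTOSO.COM here).

```python
import re
# Patterns for the RD Gateway operational-log messages quoted in the thread: one CAP event per
# client, then a RAP / connected / disconnected triple per relayed resource (broker, then VM).
RE_CAP = re.compile(r'met connection authorization policy requirements')
RE_RAP = re.compile(r'authorized to connect to resource "([^"]+)"')
RE_CONN = re.compile(r'connected to resource "([^"]+)"\.')
RE_DISC = re.compile(r'disconnected from the following network resource: "([^"]+)"\.'
                     r'.*?session duration was (\d+) seconds')

def parse_hops(lines):
    """Walk events in order; return (passed_cap, hops), one hop dict per relayed resource."""
    passed_cap, hops = False, []
    for line in lines:
        if RE_CAP.search(line):
            passed_cap = True
        elif (m := RE_RAP.search(line)):
            hops.append({"resource": m.group(1), "connected": False, "seconds": None})
        elif RE_CONN.search(line) and hops:
            hops[-1]["connected"] = True
        elif (m := RE_DISC.search(line)) and hops:
            # Case 3 logs the final disconnect under the VM hostname although the connect
            # used its IP, so match by name when possible and otherwise take the last hop.
            hop = next((h for h in reversed(hops) if h["resource"] == m.group(1)), hops[-1])
            hop["seconds"] = int(m.group(2))
    return passed_cap, hops

def diagnose(lines, broker):
    """Classify one attempt: reached a VM, stalled at the broker, or never passed CAP."""
    passed_cap, hops = parse_hops(lines)
    if not passed_cap:
        return "failed CAP: gateway never authorized the user"
    vm = [h for h in hops if h["resource"].upper() != broker.upper() and h["connected"]]
    if vm:
        return f"reached VM {vm[-1]['resource']} ({vm[-1]['seconds']} s session)"
    if any(h["connected"] for h in hops):
        return "broker handshake only: no redirection to a VM followed"
    return "RAP authorized but no connection was relayed"

def _ev(kind, res="", secs=0):
    """Build a constructed event text in the gateway's wording (sample values only)."""
    body = {
        "cap": "met connection authorization policy requirements and was therefore authorized to access the RD Gateway server.",
        "rap": f'met resource authorization policy requirements and was therefore authorized to connect to resource "{res}".',
        "conn": f'connected to resource "{res}". Connection protocol used: "HTTP".',
        "disc": f'disconnected from the following network resource: "{res}". The client session duration was {secs} seconds.',
    }[kind]
    return 'The user "CONTOSO\\Rick", on client computer "68.36.14.7", ' + body

# Constructed replicas of Case 1 (stalls at the broker) and Case 3 (reaches the VM).
CASE1 = [_ev("cap"), _ev("rap", "RDSVM.CONTOSO.COM"), _ev("conn", "RDSVM.CONTOSO.COM"),
         _ev("disc", "RDSVM.CONTOSO.COM", 1)]
CASE3 = CASE1 + [_ev("rap", "172.26.0.51"), _ev("conn", "172.26.0.51"), _ev("disc", "wsoo1-1", 833)]
```

Running `diagnose(CASE1, "RDSVM.contoso.com")` reports the broker-only stall seen in Case 1, while `diagnose(CASE3, ...)` reports the VM reached in Case 3; the same functions work on message texts exported from the gateway's operational log.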

Hi,

Are you connecting remote access through the iPad from the same network?
Do you use the latest MRD iPad app for your connection?
Please try with v 8.1.7 and verify.
https://itunes.apple.com/in/app/microsoft-remote-desktop/id714464092?mt=8

Also try to uncheck the option Bypass RD Gateway for local address on the server and see whether there is any result. In addition, another thing to try is the policy setting
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager Authentication level
Set to Send NTLM response only

Hope it helps!

Thanks.
April 1st, 2015 2:13am

Hi Dharmesh,

The iPad works through the gateway. It's all Windows 7 PCs that do not work.

Changing the gateway configuration modified the log only slightly as follows:

The user "Rick@Contoso", on client computer "68.36.14.7:50588", has initiated an outbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso", on client computer "68.36.14.7:50589", has initiated an inbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso", on client computer "68.36.14.7:50589", has initiated an inbound connection. This connection may not be authenticated yet.
The user "CONTOSO\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
The user "CONTOSO\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "RDSVM.CONTOSO.COM".
The user "CONTOSO\Rick", on client computer "68.36.14.7", connected to resource "RDSVM.CONTOSO.COM". Connection protocol used: "HTTP".
The user "CONTOSO\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "RDSVM.CONTOSO.COM". Before the user disconnected, the client transferred 6761 bytes and received 10574 bytes. The client session duration was 4 seconds. Connection protocol used: "HTTP".
The user "CONTOSO\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "172.26.0.96".
The user "CONTOSO\Rick", on client computer "68.36.14.7", connected to resource "172.26.0.96". Connection protocol used: "HTTP".
The user "CONTOSO\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "172.26.0.96". Before the user disconnected, the client transferred 2276 bytes and received 2728 bytes. The client session duration was 6 seconds. Connection protocol used: "HTTP".
At this point the connection just hangs forever on the Windows 7 Screen waiting for RDP to "Initiate Connection".

It appears that the process gets further along than before the change you recommended, but it is still not getting all the way there. I do get to a certificate warning screen that is the self-signed cert of the VM itself. I accept the risk and then it just stops.

Could the fact that the VM is using a self-signed certificate be my problem? If so, why can I connect to the VM if I call for it by name instead of using the collection?

Has anyone actually documented the steps that occur when connecting to a collection via an RDS connection Broker? Is this published somewhere I can get to it?

Looking forward to your advice!

April 4th, 2015 5:21pm
