Q: I can't connect to my Server 2012 R2 RD Gateway. I setup default CAP and RAP policies that should allow everyone, but I get the error "Remote Desktop Can't Connect to the Remote Computer...Your user account is not listed in the RD Gateway's permission list". How do I fix this?
A: This can be caused by a Resource Authorization Policy (RAP) check failure. Edit your RAP policy, then goto the Network Resource tab and set this to "Allow users to connect to any network resource." If it is set to "Domain Users" or any other user group, note that this will fail because RD Gateway is validating the MACHINE the user connects to here, not the user.
Q: How do I determine if my remote desktop connection is using an RD Gateway, or if it's connected directly to an RD Session Host/computer?
A: On the client, right click the system menu and look for a menu item named "Gateway Information". If present, this client is connected to an RD Gateway, otherwise it is directly connected to an RD host/computer.
Q: How do I force a connection to RD Gateway when it is installed on a computer that also has RD Session Host?
A: Follow these instructions:
- Find the RDP icon, right click it, and select Edit.
- Goto Advanced|Settings
- Set Connection Settings to Use these RD Gateway server settings.
- Set the server name to the hostname/IP of the machine with RD Gateway.
- Uncheck "Bypass the RD Gateway server for local addresses"
- Click OK
Don't forget to Save the settings to persist them, if desired.
Q: I can't RD from Server 2003 to Windows 8.1, but I can view shares on the Windows 8.1 machine.
A: Server 2003 does not support the newer RDP protocol in Windows 8.1 To fix this, install the RDP 6.0 protocol update for Server 2003 available here.
Q: I get the error "The remote computer requires network level authentication" when trying to RD to Windows 8. How do I fix this?
A: On the Windows 8.x machine:
- Goto Control Panel|System|Advanced system settings
- Click the Remote tab.
- Uncheck the box "Allow connections only from computers running Remote Desktop with Network Level Authentication" and click OK.
Q: TSGrindr or running MSTSC with /CLXDLL doesn't work for me.
A: Microsoft removed support for this command line option in the RDP 6.0 update. To restore functionality, run this on a computer with an MSTSC version earlier than 6.0. TSGrindr will work when connecting to hosts as late as Server 2008 R2, provided their Network Level Authentication setting is disabled.
Q: I can't connect to my session host, the DC, using an RD Gateway 2012 on the same machine, with the error "Remote Desktop can't connect to the remote computer X for one of the following reasons: 1) Your user account is not listed in the RD Gateway's permission list..." How do I fix this?
A: By default, RD Gateway creates a resource authorization policy that authorizes access to any computer in the domain EXCEPT domain controllers. To fix this:
- Start Server Manager.
- Goto Tools|Terminal Services|Remote Desktop Gateway Manager.
- Expand your server, then Policies, select Resource Authorization Policies.
- Right-click the only listing and select Properties.
- Click the Network Resource tab and select "Allow users to connect to any network resource."
- Click OK.
Q: How can I determine if an RDP file is configured to connect via RD Gateway, or is connecting directly to a session host?
A: There are several ways, depending on the context:
- Not connected to host: Open the RDP file in a text editor and check for the following settings:
gatewayhostname:s:[FQDN OF RDG]
Note that the primary setting that specifies the client should connect to an RD Gateway is gatewayprofileusagemethod, corresponding to Advanced|Settings with the selection Use these RD Gateway server settings.
- If you have the RDP client 8.x (Win8/Server 2012), you can check a running session on the client. Right-click the window handle and check for a menu option named "Gateway Information". If the session is full-screened, the option is unavailable; reduce the window to non-full screened, then it will be available.
Q: Where can I find a list of all .RDP file settings?
A: Microsoft has not published a list since Server 2008. The best known list appears to be a 3rd-party list-of-lists available here.
Q: How do I specify an RDP file setting in Server 2012?
A: In Server 2012, Microsoft removed the GUI for specifying RDP file settings, but did not remove the capability. To do so, use the PowerShell applet Set-RDSessionCollectionConfiguration. For example, to configure the RDP files to use a non-standard port after configuring RD Gateway to that port, use the following command:
Set-RDSessionCollectionConfiguration –CollectionName "Your Session Collection" -CustomRdpProperty " gatewayhostname:s:<RDGW-FQDN>:<yourport>"
Q: How do I get the Remote Desktop Client 6.1 Update for Server 2003?
A: Install Security Update for Windows Server 2003 (KB2481109), available here. Also, see this article for a comprehensive list of what older Windows operating systems have updates available for RDC 6.1.
Q: Cannot connect via Remote Desktop from Server 2003 with the RD 6.1 update + the SHA2 update to Server 2012 via RD Gateway 2012. On Server 2003, mstsc always reports "This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.". However, the same client can connect directly to a session host running on the same RDG 2012 computer.
A: No known resolution.
Q: The Remote Desktop page of Server Manager 2012 on two servers looks different. On one server, the collection is shown but the other server doesn't recognize it. How do I fix this?
A: Both remote desktop servers must be in the same server group to manage both from the same Server Manager console anywhere. To fix this:
- Start Server Manager on either server
- Click Create a Server Group, Active Directory, Find Now.
- Select both servers, click the right-arrow icon, then click OK.
- Wait briefly, or you may need to restart Server Manager.
Q: How do I create a certificate for Remote Desktop Web/Broker/Gateway/Host purposes that chains to the root cert for the domain?
A: There are several ways to do so. Use the following steps to do so via the GUI. These steps appear a little long because the Certificates page in RD Deployment Properties cannot select a certificate in the Windows certificate store; it must use a certificate stored in a file. Most of the steps are present to support exporting the cert so this wizard can select it.
- Run mmc
- Select File|Add/Remove Snap-In
- Select Certificates and click Add.
- Specify Computer Account, click Next, then Local Computer (this is important), and click Finish.
- Click OK.
- In the left-hand pane, select Certificates (Local Computer)
- Right-click Personal.
- Select All Tasks|Request New Certificate.
- At Before You Begin, click Next.
- At Select Certificate Enrollment Policy, click Next.
- At Request Certificates, find the Row for Computer.
- Check the checkbox at the left of the row, then click the Details button at the right to expand it and click the Properties button that appears below it.
- Click the Private Key tab, expand Key Options, and check Make private key exportable.
- Click OK.
- Click Enroll.
- Click tab Details button.
- Click the View Certificate button that appears below.
- Click the Details tab.
- Click the Copy to File button at the bottom.
- Click Next.
- Click Yes, export the private key and click Next.
- Click Next.
- Check Password and enter a password/confirm, then click Next.
- Click Browse and enter a filename.
- Click Next.
- Click Finish, then click OK at the "export was successful" pop-up.
- In the certificate details dialog, click OK.
- In the certificate enrollment wizard, click Finish.
Q: The Remote Desktop Services does not automatically start-up on my server after boot-up, but the service start mode is "Startup (Delayed)".. How do I fix this so they start automatically?
A: This is a usage issue; the problem actually does not exist. Services marked as delay start do start automatically, but the server waits until several minutes after boot-up until starting the services. To resolve this problem, do any of the following:
- Wait two minutes after logging in.
- Change the service start mode to Automatic
- Reduce the Windows Delayed Start delay. See this MSDN blog post.
Q: In PowerShell, when running any of the remote desktop commandlets such as get-rdserver, set-rdsessioncollectionconfiguration, etc., I get the error "The RD Connection Broker server is not available. Verify that you can connect to the RD Connection Broker server." However, I have all RD services installed and working except Broker High Availability on this machine and the Server Manager recognizes them.
A: This occurs if PowerShell is not run elevated. Repeat the command from an elevated PowerShell prompt and it should work.
Q: In Server 2012, what certificate is used by the RD Session Host?
A: The thumbprint of the certificate to use is specified by the SSLCertificateSHA1Hash field of the Win32_TSGeneralSetting WMI object in \\root\CIMV2\TerminalServices. Note the Server Manager Deployment Properties does not specify which certificate is used by hosts. Source this MSDN social article.
Q: What is the RDP use redirection server name setting for?
A: It is used to resolve certification validation failures due to a mismatch between the certificate name and the server name when ".local" domains are used. For more information, see this link.
Q. How do I view the RDP authentication traffic from a Windows client to a Remote Desktop Host via a Remote Desktop Gateway?
A: You must access the host via a Remote Desktop Gateway in order to force the protocol to https. The steps from this point are straightforward though detailed. To do so:
1. Download and install https://www.wireshark.org/download.html. Make sure to get the version corresponding to the bitness of your operating system.
EXPORT THE CERT AND KEY USED BY THE REMOTE DESKTOP COMPUTER
2. At the Remote Desktop Server, run Server Manager.
3. In Server Manager, in the left-hand pane, click Remote Desktop Services (normally the bottom-most entry).
4. In the middle pane, click Overview.
5. In the right-hand pane, find Deployment Overview, click the Tasks button next to it, and select Edit Deployment Properties.
6. In the left-hand pane of the Deployment Properties wizard, click Certificates.
7. Select the row where Row Service is RD Gateway, then click View Details, right under the table. These instructions assume the SAME CERTIFICATE is used for all remote desktop services (all four rows on this page).
8. Note the certificate thumbprint and expiration date, then click OK.
9. In Deployment Properties, click Cancel.
10. Run mmc.
11. Select File|Add/Remove Snap-In.
12. Select Certificates and click Add. At the Certificates snap-in prompt, select Computer Account and click Next.
13. At the Select Computer page, select Local Computer (the default) and click Finish.
14. At Add or Remove Snap-ins, click OK.
15. Expand Certificates (Local Computer)\Personal\Certificates.
16. Find the certificate whose thumbprint matches the thumbprint noted in step 8. For each certificate, the thumbprint can be found by double-clicking it, then selecting the Details tab and scrolling down to select the Thumbprint field, normally the last listing. Because this requires going into the properties of each listing, it is quicker to filter by entries with a matching expiration date first.
17. Right click the certificate found in step 16 and select Export...
18. In the Certificate Export Wizard at Welcome, click Next.
19. At Export Private Key, select Yes.
20. At Expert File Format, select PKCS #12 (.PFX) (the default). Uncheck all the boxes below it and click Next.
21. At Security, check Password and enter a password/confirm, then click Next.
22. At File to Export, enter a pathname and click Net.
23. At Completing the Certificate Export Wizard, click Finish.
24. At the Export was successful pop-up, click OK.
CONVERT THE CERT/KEY INTO A FORMAT USABLE BY WIRESHARK
25. Download and install OpenSSL for Windows. This is currently published by Shining Light Productions at http://slproweb.com/products/Win32OpenSSL.html. The edition used doesn't matter, but note all editions require the VC 2008 runtime but do not include it. The install options taken are irrelevant.
26. Open a command prompt and change to the OpenSSL directory. Depending on your install option, you may need to be in the OpenSSL\bin directory.
27. Enter the command line "openssl pkcs12 -in "<full pathname of PFX file specified in step 22>" -nocerts -nodes -out "<PEM Filename>.pem". Ignore any warnings about not being able to open the config file.
28. Enter the command line "openssl rsa -in "<PEM filename.pem" -out "<Key filename>.key". Ignore any warnings about not being able to open the config file.
CONFIGURE WIRESHARK TO USE THE KEY
29. Start WireShark
30. Select the adapter used to communicate with the RD Gateway and click Start.
31. Start the remote desktop client and connect to the host.
32. In WireShark, goto Edit|Preferences, select Protocols, scroll down to find SSL and select it.
33. Click the Edit button to the right of RSA Keys List.
33. Click New, then enter the target server IP, standard https port of 443, protocol as http (this also specifies https). Click the Key File button, then select the key file exported in step 28 and click OK.
34. In SSL Decyprt, click OK. In Preferences, click OK.
35. Back in the main WireShark window, the packet display should now change, with many packets being listed in green with the Protocol column = "http".
35. To view the initial authentication traffic, right-click any packet from the client to the gateway with protocol=http and select "Follow SSL Stream".
Q: In WireShark, how do I view the RDP traffic from a Windows client to a Remote Desktop Host?
A: Follow the steps for the FAQ to connect via an RD Gateway, but skip the Configure Wireshark Steps and replace them with the following:
- Find one of the rows where Protocol is TLSv1.2, right-click it, and select Protocol Preferences|RSA Keys List...
- Click New, then enter the IP of the RD host, port 3389, protocol as ssl. Click the Key File button, then select the key file exported in step 28 and click OK.
- In SSL Decrypt, click OK.
- Notice the display has changed. The TLSv1.2 packets Info now states "Continuation Data" and if you right-click any of them and select Follow SSL Stream, you'll get data. Also, some packets change protocol to CredSSP.
Q: When a script in Internet Explorer invokes the Launch method of IMsRdpClientShell (component MsRdpWebAccess.MsRdpClientShell, CLSID 6A5B0C7C-5CCB-4F10-A043-B8DE007E1952), an exception with an error code of 0x80072ee6 (-2147012890) is thrown. How do I fix this?
A: This occurs when the RDP file served specifies "gatecredentialsource:i:5", but the setting "cookie based authentication server address:s:<web app URL>" is missing.
Q: I get an error "web browser is not supported" when I login to the Server 2008 Remote Desktop Web application using IE 11. How do I fix this?
A: The Server 2008 RD Web App requires IE6 compatibility mode. To enable this, follow these instructions:
- Start Internet Explorer.
- If the menu is not shown, tap the <Alt> key to display it.
- Select Tools|Compatibility View Settings.
- In Add to this website, enter the hostname for the web app and click Add.
- Click OK.
- Restart the browser.
- When the ActiveX control prompt appears at the bottom of the page, make sure to click Allow.
Q: A Server 2012 session host permits only up to 1 RD connection at a time.
A: This is the default limit. To increase it:
- Open the Group Policy or Local Security Policy editor and goto Computer Configuration|Administrative Templates|Windows Components.
- Browse to the setting Remote Desktop Services|Remote Desktop Session Host|Connections.
- Set the value to the desired upper limit - e.g., 99.
- Source: this blog.
Note that by design, this setting is ineffective on client Windows editions.
Q: How do I send a Ctrl-Alt-Del from a Remote Desktop session?
A: Press <Ctrl-Alt-End>.
Q: Why does Visual Studio pause slightly when debugging RDWeb?
A: The RDWeb web application is structured so the RDWeb//Pages directory is a separate web application, from IIS's perspective. Each web application runs in a separate .NET AppDomain. When you attach Visual Studio to the w3wp process, Visual Studio attaches to the default AppDomain for /RDWeb. The first time you hit a breakpoint within the "child" AppDomain, Visual Studio has to attach to it and do some debugger initialization, plus deal with the fact that it is now attached to two separate AppDomains - this typically takes about 10 seconds. This structure can be problematic as it means that any HttpModule/Handler loaded in the parent is re-instantiated in the child and cannot share state, so the app as a whole may not behave as intended. However, the structure is supported and not that unusual.
Q: Where is the Remote Desktop infrastructure (gateway, web, broker, etc.) programming interface?
A: There are two official publicly available APIs: 1. the PowerShell API, documented at this link, and 2. the WMI interface. The WMI interface is the best infrastructure API available and makes use of a number of methods in addition to data structure representation.
There is NO acknowledged, publicly available .NET assembly for configuring and controlling RDWeb, RDGateway, or the rest of the RD infrastructure as of 2016 Jan 25. However, one does exist. The PowerShell scripts in Server 2012 and above defer some functionality to Microsoft.RemoteDesktopServices.Management.Activities.dll. This assembly is installed in the GAC on Windows Server machines with the RD roles installed and is a .NET 4.0 assembly. The PowerShell distribution on 2008 and above contains TSPSEngine.dll, a .NET assembly that appears intended for internal use only and not particularly useful to configuring or controlling the RD infrastructure.
Q: How do I configure the protocols an RD Gateway can use?
A: In Server 2012, use WMI. Find the Win32_TSGatewayServerSettings object for the gateway, then call Enable. See this article.
Q: I get the following error when attempting to connect to the RDG host: This computer can't connect to the remote computer. The two computers couldn't connect in the amount of time allotted. Try connecting again. If the problem continues, contact your network administrator or technical support.
A: The TSGateway has rejected the connection, most likely because the Auth plug-in refused it.
Q: When using Remote Desktop PAA authentication cookie, I cannot connect to the session host with an error "You must login to the site http://<rdweb hostname>" first.
A: This occurs if the length of the cookie exceeds about 880 characters on Server 2008. There is no fix; the cookie must be shortened. Also, note CoInternetParseUrl will not return a buffer size needed if either the output buffer is NULL or 0 size.
Q: When I login to Remote Desktop Web from IE11, I get a "Browser Not Supported" error. How do I fix this?
A: There are two ways.
- In IE, press <F12>
- Scroll to the bottom of the left hand pane
- Select the Emulation page (computer with monitor picture)
- Set Document mode to 9 or 10.
- Start IIS Manager
- Select Sites\Default Web Site\RDWeb.
- In the middle pane under the IIS group, double-click HTTP Response Headers.
- In the right-hand pane, click Add...
- Set Name to X-UA-Compatible
- Set Value to IE=9
Q: When connecting to a RemoteApp via Remote Desktop Gateway 2012 R2, I get inconsistent errors "Your computer can't connect to the remote computer" with the RD Gateway service appearing to freeze. How do I fix this?
A: This is a bug in RDG. Download the Microsoft hotfix available here. Courtesy Richard Lai Yuen Leung at Stanford IT.
Q: What is the best way to rebuild a Remote Desktop 2012 deployment?
A: Use the Remote Desktop tab of Server Manager to remove, then recreated the server roles. If you instead use Remove Roles directly, the RD broker may not get updated with the change, which can break the deployment. Courtesy Richard Lai Yuen Leung at Stanford IT.