
I have a single Server 2012 R2 RD Server running RD Gateway, Connection Broker and Session Host roles. I have users sharing a common Windows user account for a RemoteApp (the actual remote app being launched has its own authentication/login mechanism, so this is highly practical and appropriate...it also allows for secure password caching via Credentials Manager since ).

The collection is configured as such

enter image description here

There are no RD GPO settings applied.

Clients are configured to connect to the RemoteApp using the following rdp file

    redirectclipboard:i:1
    redirectprinters:i:1
    redirectcomports:i:1
    redirectsmartcards:i:1
    devicestoredirect:s:*
    drivestoredirect:s:*
    redirectdrives:i:1
    session bpp:i:32
    prompt for credentials on client:i:0
    span monitors:i:1
    use multimon:i:1
    remoteapplicationmode:i:1
    server port:i:3389
    allow font smoothing:i:1
    promptcredentialonce:i:1
    videoplaybackmode:i:1
    audiocapturemode:i:1
    gatewayusagemethod:i:1
    gatewayprofileusagemethod:i:1
    gatewaycredentialssource:i:4
    full address:s:localhost
    alternate shell:s:||OfficeMate
    remoteapplicationprogram:s:||OfficeMate
    gatewayhostname:s:rdgateway.mydomain.com
    remoteapplicationname:s:OfficeMate
    workspace id:s:localhost
    use redirection server name:i:1
    usbdevicestoredirect:s:*
    UserName:s:corp\remoteapp-user

Randomly (seemingly more likely as more users are connected concurrently), one user will seize another client's session (even if the other client's session IS active). I'm guessing this has to do with a combination of RPC over HTTP being used by RD Gateway and little drops in the client connections, but I'm really not sure. Is there any way to avoid or debug this? Or an alternative approach that would avoid having dedicated per user accounts (which would require double username/password entry)?

Kara
Jeff
  • Some clarifying questions: 1) what does "seize another client's session" mean? Can you please explain more and if possible put a screenshot / diagram? 2) Do you have multiple users logging in (e.g.: testuser1, testuser2) or just multiple connections with the same user (e.g.: testuser1 connecting multiple times)? – cdavid Jun 21 '16 at 02:02
  • testuser1 connects from different workstations. testuser1 from ws2 disconnects testuser1 from ws1 and sees exactly what was on their desktop – Jeff Jun 21 '16 at 02:08
  • Does this happen as: testuser1(ws1) connects, testuser1(ws1) disconnects, *1 minute passes*, testuser1(ws2) connects? I can see that the setting above says that the session will be ended (logged out) after 1 minute - could it be possible that less than 1 minute is between ws1 disconnect and ws2 connect? – cdavid Jun 21 '16 at 07:20
  • No that is not what happens. ws2 seizes an already connected session from ws1. They also see the windows that were open from ws1 so it's not a new session – Jeff Jun 21 '16 at 10:56
  • Yes, I understand. But are you sure that 1 minute passes between the disconnect and the next login? The screenshot you posted shows that *disconnected sessions will be logged out after 1 minute*. – cdavid Jun 21 '16 at 17:59
  • I am sure that no time passes at all – Jeff Jun 22 '16 at 00:03
  • Then the system behaves as expected - users will be logged off 1 minute after the session is disconnected (the first option in the screenshot that you posted). What are you actually trying to achieve? Maybe if I understand that, I can suggest something better. – cdavid Jun 23 '16 at 06:19
  • You're either not reading my question correctly or I'm not understanding what you are saying. No one is logging off. No one is disconnecting by choice. A new computer connecting seizes another computer's existing connected session – Jeff Jun 23 '16 at 22:06

1 Answer


Perhaps the remote users are connecting to the "console" session (maybe it's called admin now in 2012 server). This might be the default config in your server - where there is no terminal server with multiple sessions, only 1 session, which is the main desktop / console / admin (sorry, not sure about the correct terminology for 2012).

Here is a related serverfault question:

https://serverfault.com/questions/549297/how-to-enable-the-2-concurrent-1-console-sessions-on-windows-server-2012

Update:

On the server, set "Restrict Remote Desktop Services users to a single Remote Desktop Services session" Disabled

Registry key for this is:

    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
    fSingleSessionPerUser REG_DWORD 0x00000000

Community
Nick
  • they are not - I posted the rdp file config – Jeff Jun 25 '16 at 03:37
  • Can you post the value of `Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections` – Nick Jun 25 '16 at 15:04
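
One way to check which `fSingleSessionPerUser` value is actually in effect on the session host before changing it, as an added example that is not part of the question or the answer. It assumes the Group Policy copy of the value lives under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` and takes precedence over the local key quoted in the answer, and that an absent value means the restriction is on; `$Apply` is a hypothetical switch for this sketch.

```powershell
# Added example: report where fSingleSessionPerUser comes from and, optionally,
# write the value the answer recommends. Run elevated on the RD Session Host.
$Apply     = $false   # hypothetical switch: set to $true to write the local value
$name      = 'fSingleSessionPerUser'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'       # from the answer
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' # assumed GPO location

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

function Get-SingleSessionState {
    $policy = Get-RegDword -Path $policyKey -Name $name
    $local  = Get-RegDword -Path $localKey  -Name $name
    if     ($null -ne $policy) { $source = 'Policy';  $value = $policy }
    elseif ($null -ne $local)  { $source = 'Local';   $value = $local }
    else                       { $source = 'Default'; $value = 1 }  # assumption: restricted when unset
    [pscustomobject]@{
        PolicyValue = $policy
        LocalValue  = $local
        Source      = $source
        Restricted  = ($value -ne 0)   # 1 = one session per account, 0 = multiple allowed
    }
}

$state = Get-SingleSessionState
$state | Format-List

if ($state.Restricted -and $state.Source -eq 'Policy') {
    # A policy value would override the local key, so editing the local key alone would not help.
    Write-Warning "$name is set by policy; change it in the GPO instead of the local key."
}
elseif ($state.Restricted -and $Apply) {
    Set-ItemProperty -Path $localKey -Name $name -Value 0 -Type DWord
    Get-SingleSessionState | Format-List
}
```

With the restriction off, each workstation that logs on with the shared account gets its own session, so session logs can no longer be tied to a person by account name alone.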