RDS 2012 R2 – Error when launching apps from RemoteApp – RemoteApp Disconnected
Hello World,
We are still working on our RDS and RemoteApp infrastructure project. This is a great product, and we were able to develop an interesting concept for our customers using this technology. In this post, we describe a "strange" behaviour that occurred at one customer's premises.
This post completes our series of articles about problematic situations that can arise when using RemoteApp and RDS. If you want to have a look at our previous posts about RDS issues, see:
- RDS 2012 R2 – Access is Denied While connecting – Issue 1
- RDS 2012 R2 – Account Restrictions are preventing to signing in – Issue 2
- RDS 2012 R2 – Access is Denied While connecting to remoteApp- Issue 3
- RDS 2012 R2 – Access is denied – Issue 4
- RDS 2012 R2 – DMZ and failing connections
The Situation
We had established a RemoteApp infrastructure with one of our customers. This customer had a complex AD topology: multiple forests existed within the organization, and users in one forest needed to access resources in the forest hosting the RemoteApp infrastructure. No trust existed between these two forests.
So, no problem: we created a user account in the resource forest and asked the user from the other forest to access the web interface (RD Web Access) and launch the required application. The user was able to log in to the web page and could see the published applications made available to him. When the user tried to launch an application, the following error message appeared:
Your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.
Based on web searches, the most frequent cause of this error is the version of the Remote Desktop client. That was clearly not our scenario: both environments were running the latest version of the RDP client.
Troubleshooting Process
After ensuring that the firewall was not causing the issue, we needed to move forward and see what was happening. The customer was using an RD Gateway to reach the RD Session Host servers.
So we went to the RD Gateway server and started reading the Event Viewer. In Applications and Services Logs > Microsoft > Windows > TerminalServices-Gateway > Operational, we were able to retrieve the connection steps we were performing.
As you can see, the connection to the RD Gateway was indeed initiated (Event IDs 312 and 313, "the user ... has initiated an outbound/inbound connection", which are logged before the connection is authenticated), but no subsequent event showed the connection being established to the target resource.
During the sequence, Event ID 200 is generated, telling us that the user met the connection authorization policy (RD CAP) requirements and was authorized to access the RD Gateway server, and that the authentication method used was NTLM.
So, at this stage, we could establish that the connection between the client and the RD Gateway was working. However, the connection from the RD Gateway onwards (to the RD Connection Broker) was not going through.
We therefore had a look at the Security log on the RD Gateway, and there we found audit failures registered at the exact time of the connection attempt. We tried again and confirmed that each attempt produced Event ID 4625. The message was quite clear: "An account failed to log on." Its Detailed Authentication Information section is worth reading, because it names the authentication package (NTLM here) and the failure status code.
So, yes, we had an authentication issue there.
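The log reading described above can be scripted. The PowerShell below is an added example and not part of the original post: it pulls the RD Gateway Operational events (200, 302, 303, 312, 313) and the Security 4625 failures for a time window on the RD Gateway server, and prints them as one timeline so that a 4625 landing right after a 200 stands out. The `Show-RdgLogonTimeline` function name, its `UserName` and `Minutes` parameters and the usage line are assumptions of this example; it must run elevated on the RD Gateway host to read the Security log.

```powershell
# Added example (not from the original post). Correlates RD Gateway Operational
# events with Security 4625 failures on the RD Gateway server. Run elevated.
function Show-RdgLogonTimeline {
    [CmdletBinding()]
    param(
        [string]$UserName = '*',   # e.g. 'RESOURCE\jdoe'; wildcard = everyone (assumed parameter)
        [int]$Minutes = 30         # how far back to look (assumed parameter)
    )

    $since = (Get-Date).AddMinutes(-$Minutes)

    # 312/313: connection initiated (outbound/inbound), not yet authenticated
    # 200:     RD CAP satisfied; the message names the authentication method (NTLM)
    # 302/303: connected to / disconnected from the target resource
    $gwEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        Id        = 200, 302, 303, 312, 313
        StartTime = $since
    } | ForEach-Object {
        # The user name only exists in the message text: The user "DOM\user", ...
        $user = if ($_.Message -match 'The user "([^"]+)"') { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'TS-Gateway'
            Id     = $_.Id
            User   = $user
            Detail = ("$($_.Message)" -split "`r?`n")[0]
        }
    }

    # Well-known NTSTATUS codes that appear in the 4625 Status/SubStatus fields.
    $statusNames = @{
        '0xc000006d' = 'STATUS_LOGON_FAILURE'
        '0xc000006a' = 'STATUS_WRONG_PASSWORD'
        '0xc0000064' = 'STATUS_NO_SUCH_USER'
        '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
        '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
        '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    }

    $failures = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } | ForEach-Object {
        # The 4625 fields are easiest to read from the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $status    = "$($data.Status)".ToLower()
        $subStatus = "$($data.SubStatus)".ToLower()
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'Security'
            Id     = 4625
            User   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            Detail = 'AuthPkg={0} LogonType={1} From={2} Status={3} ({4}) SubStatus={5} ({6})' -f `
                $data.AuthenticationPackageName, $data.LogonType, $data.IpAddress,
                $status, $statusNames[$status], $subStatus, $statusNames[$subStatus]
        }
    }

    $timeline = @($gwEvents) + @($failures) |
        Where-Object { $_.User -like $UserName } |
        Sort-Object Time

    $timeline | Format-Table -AutoSize -Wrap

    # The pattern from the post: the gateway authorizes (200), an NTLM 4625
    # follows within seconds, and no 302 ever appears.
    foreach ($a in ($timeline | Where-Object { $_.Id -eq 200 })) {
        $ntlmFail = @($timeline | Where-Object {
            $_.Id -eq 4625 -and $_.Detail -like 'AuthPkg=NTLM*' -and
            $_.Time -ge $a.Time -and $_.Time -le $a.Time.AddSeconds(30)
        })
        if ($ntlmFail.Count -gt 0) {
            $msg = '{0}: RD CAP authorized at {1} but NTLM logon failed at {2}; check LmCompatibilityLevel on client and server.' -f `
                $a.User, $a.Time, $ntlmFail[0].Time
            Write-Warning $msg
        }
    }
}

# Usage (assumed names): Show-RdgLogonTimeline -UserName 'RESOURCE\jdoe' -Minutes 60
```

The warning is only a heuristic: a 4625 with `AuthPkg=NTLM` thirty seconds after a 200 for the same user is exactly the sequence the post describes, but the Status/SubStatus columns should still be read, since a locked-out or disabled account produces the same timeline for a different reason.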
The solution
It took us some time to find out that the LAN Manager authentication level (the LmCompatibilityLevel setting) was not the same in the two forests. This was causing the authentication failure.
After some research, we found that the NTLM settings in the resource forest and in the forest where the client computer lived were not the same. By default, Windows Server 2012 R2 (and Windows 7 as well) use NTLMv2 for authentication (Send NTLMv2 response only, LmCompatibilityLevel = 3).
The client and the server were not talking the same language. In the forest where the client computer was located, the sysadmin had lowered the NTLM security level, while the server was still using the default (NTLMv2).
The client computer had the following setting applied via GPO. The option Network security: LAN Manager authentication level was set to Send LM & NTLM – use NTLMv2 session security if negotiated (LmCompatibilityLevel = 1).
On the server side, the same setting was Not Defined, which means the default applies (Send NTLMv2 response only, LmCompatibilityLevel = 3).
You can confirm that this is the default by reading the Explain tab of the Group Policy setting.
So, to resolve this issue, we set the LAN Manager authentication level on the client computer to Send NTLMv2 response only. After a restart of the machine and the GPO being applied, the user was able to complete the Remote Desktop connection and start using our RemoteApp infrastructure.
The funny thing is that you would expect Send LM & NTLM – use NTLMv2 session security if negotiated to be enough, since the description says the client uses NTLMv2 security if the server supports it. Apparently this does not work: you need to set the value to Send NTLMv2 response only. The reason is in the wording of the option. At level 1 the client still sends LM and NTLMv1 challenge responses; the "NTLMv2 session security" part only upgrades the signing and sealing keys negotiated after authentication, not the authentication response itself. A server or domain that does not accept LM/NTLMv1 responses will therefore still reject the logon, and a level 1 client has no way to fall back to a real NTLMv2 response. Level 3 (Send NTLMv2 response only) is the lowest level at which the client authenticates with NTLMv2; levels 4 and 5 additionally make the machine refuse LM, respectively LM and NTLMv1, from others.
IMPORTANT NOTE :
You need to restart the machine for the GPO to be applied correctly; a GPUPDATE might not be sufficient. If the issue persists after the restart, you may need to reset the NTLM setting manually by deleting the following registry value (a DWORD under the Lsa key):
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
Delete only the LmCompatibilityLevel value, never the Lsa key itself: that key holds the rest of the Local Security Authority configuration and must stay intact. When the value is absent the default (3) applies, and the value will be recreated automatically at the next restart or when the GPO applies.
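The registry side of the fix can be checked and applied from PowerShell. The script below is an added example, not code from the original post: it reads the LmCompatibilityLevel value (treating an absent value as the default 3 that Windows 7 / Server 2008 R2 and later use), maps it to the policy label shown in the GPO editor, and offers Set and Reset functions that touch only the value, never the Lsa key. The function names, the `-ComputerName` remoting (which assumes WinRM is enabled towards the target) and the usage lines are this example's assumptions. A value written by GPO is reapplied at the next refresh, so the lasting fix belongs in the GPO, as the post describes.

```powershell
# Added example (not from the original post). Inspects, sets and resets the
# LAN Manager authentication level (LmCompatibilityLevel). Run elevated.
$script:LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$script:ValueName = 'LmCompatibilityLevel'

# Policy labels as shown in the GPO editor, keyed by registry value.
$script:LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)   # remote names assume WinRM

    $probe = {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
        if ($null -eq $p) { $null } else { [int]$p.LmCompatibilityLevel }
    }
    foreach ($c in $ComputerName) {
        $raw = if ($c -eq $env:COMPUTERNAME) { & $probe }
               else { Invoke-Command -ComputerName $c -ScriptBlock $probe }
        # Windows 7 / Server 2008 R2 and later behave as level 3 when the value is absent.
        $effective  = if ($null -eq $raw) { 3 } else { $raw }
        $configured = if ($null -eq $raw) { 'Not defined' } else { $raw }
        [pscustomobject]@{
            ComputerName = $c
            Configured   = $configured
            Effective    = $effective
            Meaning      = $script:LmLevels[$effective]
            SendsNtlmV1  = ($effective -lt 3)   # levels 0-2 still send LM/NTLMv1 responses
        }
    }
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)

    $current = Get-LmCompatibilityLevel
    if ($Level -lt 3) {
        Write-Warning "Level $Level still sends LM/NTLMv1 responses ($($script:LmLevels[$Level]))."
    }
    $action = "Set $($script:ValueName) from '$($current.Configured)' to $Level"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        # New-ItemProperty -Force creates or overwrites the DWORD value in place.
        New-ItemProperty -Path $script:LsaPath -Name $script:ValueName `
                         -PropertyType DWord -Value $Level -Force | Out-Null
        Write-Warning 'Reboot (not just gpupdate) for the new level to be used everywhere.'
    }
}

function Reset-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Remove only the value, never the Lsa key (no Remove-Item on $script:LsaPath).
    $present = $null -ne (Get-Item $script:LsaPath).GetValue($script:ValueName)
    $action  = "Remove $($script:ValueName) (default 3 applies until GPO recreates it)"
    if ($present -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        Remove-ItemProperty -Path $script:LsaPath -Name $script:ValueName
    }
}

# Usage (assumed computer names):
#   Get-LmCompatibilityLevel -ComputerName CLIENT01, RDGW01 | Format-Table -AutoSize
#   Set-LmCompatibilityLevel -Level 3 -WhatIf
#   Reset-LmCompatibilityLevel
```

Running `Get-LmCompatibilityLevel` against the client and the RD Gateway side by side is the quickest way to spot the mismatch described in this post: a `SendsNtlmV1` of True on the client next to False on the server is the situation the fix addresses.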
Final Notes
This error was a difficult one: we had to look at multiple things before thinking of the NTLM authentication level. So, if you encounter this situation and see your RD Gateway server logging Event IDs 200/312/313 with nothing happening afterwards, start checking the Security log for Event ID 4625. If you see all these Event IDs together, you might be in the same situation as we were and need to adapt your NTLM settings.
That’s it for me for today…
Till next time
See ya
Thanks to this link: http://c-nergy.be/blog/?p=8187
—————————
https://support.microsoft.com/en-ph/kb/2830477
https://www.microsoft.com/en-us/download/confirmation.aspx?id=40986
64bit
Update for Windows 7 for x64-based Systems (KB2830477)
These KBs must be installed in the following order: KB2574819, KB2830477, KB2857650, KB2913751.
——————————
https://www.microsoft.com/en-us/download/confirmation.aspx?id=41036
32bit
————————————————————