Troubleshooting session log offs on Microsoft RDS

At the moment I’m helping out on a project that has a Windows 2008 R2 RDS farm with some problems. The issue that was seen was that at random moments the users could log on to a server but was logged of immediately with out any errors in the event logs. First thing I did was install the missing updates and searched for hotfixes for the RDS farm and found KB2312539. It’s a pretty big list containing the current hotfixes for RDS:

 

Authentication
2203302

An RDP connection that uses SSL authentication and CredSSP protocol fails in Windows 7, in Windows Server 2008 R2, in Windows Vista and in Windows Server 2008
975943

  Error code when an application uses the CredSSP if the authenticated user account is a member of many security groups on a computer that is running Windows Vista or Windows Server 2008: “0x80090329″
972595

You cannot log on or the system stops responding when the Stored User Names and Passwords feature is enabled on a computer that is running Windows Server 2008 or Windows Vista
954910

Error message when you use smart card authentication to log on to a Windows Server 2008-based terminal server from a client computer that is running Windows Vista or Windows Server 2008: “0xC000040C”
953760

When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server
952234

When you establish a Terminal Services session that requires smart card authentication to log on to a Windows Server 2008-based terminal server, the Terminal Services session stops responding
951608

Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3
Core
2523307

A shadowed Windows Server 2008 Terminal Services session is disconnected from a computer that is running Windows Server 2008 R2 SP1 or Windows 7 SP1
2518298

“0x0000003B” Stop error on a terminal server in Windows Server 2008
2481109

MS11-017: Description of the security update for Remote Desktop client 6.1 and Remote Desktop client 6.0: March 8, 2011
2462310

A 16-bit application that uses initialization (.ini) files does not work correctly in a Windows Server 2008 x86 Terminal Services session
982303

Terminal Services performance counters report an incorrect number of sessions when a heavy load situation occurs in Windows Server 2008 R2 or in Windows Server 2008
980568

A terminal server that is running Windows Server 2008 stops responding when lots of clients make terminal sessions to the server
978829

The CTRL and ALT keys in a Terminal Service session get stuck when you unlock a local computer
977269

Error message when you make a remote desktop connection to a terminal server that is running Windows Server 2008: “The requested operation requires elevation”
976110

A terminal server session that is shadowed is incorrectly disconnected when the terminal server session that is shadowing stops shadowing on a computer that is running Windows Vista or Windows Server 2008
971338

The terminal server roaming profile of a user account is not loaded correctly on a terminal server that is running Windows Server 2008 R2 or Windows Server 2008 after the user password is changed during session logon
971253

You receive a blank screen when you log on to a terminal server that is running Windows Server 2008
970911

The “Terminal Services” service cannot protect a console session from being disconnected in Windows Server 2008
970089

A hotfix is available that addresses occasional crashes of Vmwp.exe processes on a Windows Server 2008-based Hyper-V host computer
970067

You find high CPU usage for the Wmiprvse.exe process on a terminal server that is running Windows Server 2008 when you run the Windows System Resource Manager
969851

Instead of the specified startup program, the whole desktop is started on a remote desktop connection when you change the “Terminal Services Profile” setting for the user account
969940

When you start a terminal session to a computer that is running Windows Server 2008 and that has the terminal server role installed, the full Windows desktop starts instead of the program that is specified by the terminal server
969851

Instead of the specified startup program, the whole desktop is started on a remote desktop connection when you change the “Terminal Services Profile” setting for the user account
941641

Remote Desktop Connection 6.0 prompts you for credentials before you establish a remote desktop connection
Device Redirection & Printing
2655998

Long logon time when you establish an RD session to a Windows Server 2008 R2-based RD Session Host server if Printer Redirection is enabled
2532459

Print queue does not work if the queue is not one of the first 100 queues installed in a Windows Server 2008 or Windows Server 2008 R2 Terminal Services session
2059743

You cannot print to multiple trays in a terminal server session in Windows Server 2008
2028453

The redirected printer does not print a document in Windows Server 2008 if the TS Easy Print feature is used in a terminal server session
981650

You cannot print text in a terminal server session in Windows Server 2003, in Windows Server 2008, or in Windows Vista if the printer uses the “Generic / Text Only” driver
979163

Many pages are printed when you try to print an Excel worksheet by using a redirected printer if the Terminal Services Easy Print feature is used
973744

You cannot exit an application that uses a redirected printer when you enable the Terminal Services Easy Print feature on a terminal server that is running Windows Server 2008
973356

Error message when you create one or more network printers in a Windows Server 2008-based terminal server session: “Printers cannot be installed”
973062

The audio redirection feature does not work when you use Remote Desktop Connection Client for Mac 2.0 to make a terminal server session to a computer that is running Windows Server 2008 x64 Edition or Windows Vista x64 Edition
972600

After you disconnect from a remote desktop session to a destination computer that is running Windows Vista or Windows Server 2008, the default printer is changed when you log on the destination computer from the console
971370

You randomly hear audio from another terminal server session when you play audio in a terminal server session that is hosted on server that is running Windows Server 2008
970603

The content of a printout is different when you print a PDF document by using Terminal Services Easy Print in a Terminal Services (TS) session in Windows Vista or Windows Server 2008
958596

Users cannot use a smart card to log on to a Terminal Services session on a computer that is running Windows Server 2008
954744

  FIX: Some pages are printed in the incorrect orientation when you use Terminal Services Easy Print to print a document that contains both portrait-oriented pages and landscape-oriented pages
Licensing
2542272

You receive a temporary TS CAL when the DN of a user account contains the forward slash-mark character in Windows Server 2008 if Per User licensing mode is used
2028637

A domain administrator or local administrator incorrectly receives a warning message “Cannot find a valid Terminal Services Licensing Server” when this user account logs on to a Windows Server 2008 Terminal server
2021885

Terminal Server License Server/Remote Desktop License Server Only Issuing Temporary Licenses and Event ID 17 Logged
983385

Event ID 17 is logged in the System log on a TS Licensing server or on a RD Licensing server in Windows Server 2003 SP2, in Windows Server 2008, or in Windows Server 2008 R2
979548

You cannot enter an agreement number of a volume license that contains more than seven digits in Remote Desktop Licensing Manager or in TS Licensing Manager
977686

The Licensing Diagnosis tool incorrectly reports that there are no available Terminal Services client access licenses in Windows Server 2008
972069

A terminal server that is running Windows Server 2008 cannot obtain terminal licenses from a Terminal Server license server that is running Windows Server 2008 after you enable the “License Server Security Group” Group Policy setting
971302

Single CALs support is available for Terminal Server license servers that are running Windows Server 2008
968995

The Terminal Server Licensing MMC snap-in or the TS Licensing Manager MMC snap-in uses NT LAN Manager instead of the Kerberos protocol to pass authentication, respectively, in Windows Server 2003 or in Windows Vista and Windows Server 2008
968074

An update is available that enables the Terminal Services license servers that are running Windows Server 2008 to be able to use the CALs for the Windows Server 2008 R2 Remote Desktop Services
TS Gateway
2620264

You cannot start any RemoteApp applications through a Windows Server 2008-based TS gateway
974195

You cannot connect to a terminal server that is running Windows Server 2008 through the TS Gateway by using its FQDN if it is in a disjointed namespace and if the TCP port 445 is disabled between the terminal server and the TS Gateway
TS RemoteApp
2579055

A started RemoteApp application is intermittently not visible in Windows Server 2008
2381675

The RemoteApp program is not terminated after the idle session time limit expires on a computer that is running Windows Server 2008
983533

The pop-up windows are hidden and the TS RemoteApp application stops responding in Windows Vista, in Windows 7, in Windows Server 2008, and in Windows Server 2008 R2
981211

A RemoteApp program does not show the saved user name when you start the program on a computer that is running Windows Vista
979425

A combo box item in a RemoteApp application is updated incorrectly when you connect by using Remote Desktop Connection (RDC) 7.0
978927

The highlighted menus of all the running applications are displayed incorrectly in a Windows Server 2008-based terminal server session
970689

A Windows Server 2008-based terminal server denies connection requests with the error message “The remote procedure call failed and did not execute” randomly under a heavy logon/logoff condition
TS Session Broker
2522829

Sessions are not correctly distributed after the Terminal Services Session Broker service runs for 25 or more days consecutively in Windows Server 2008
977541

You are not redirected to the previously-disconnected terminal server session through the TS Session Broker service in a Windows Server 2008-based farm in TS Session Broker
TS Web Access
951607

You cannot connect to a remote computer or start a remote application when you use Terminal Services Web Access or Remote Web Workspace on a Windows XP SP3-based or Windows Small Business Server 2003 SP1-based computer

To bad none of the hotfixes solved the problem I was troubleshooting so I just installed the updates that where delivered from Windows Update directly.

As Microsoft FEP (ForeFront Endpoint Protection) was used I searched in the SCCM console to take a good look at the current policies but the RDS farm was deployed with a default server policy instead of an policy specific for this RDS farm so I went on a quest on the internet to search for best practises for FEP on RDS:

BP FEP for specific roles

BP for RES Workspace Manager on antivirus

BP for Citrix XenApp but can be applied to RDS for a large part

A colleague found the following site: http://www.microsoft.com/en-us/download/details.aspx?id=13088. If you download the fepserverrolepoliciesforusewithconfigmgrui.exe and extract it you’ll find a couple of XML files and one of them is FEP_Default_TermSrv.xml in which is stated:

Microsoft Forefront Endpoint Protection performance optimized server role policy for Terminal Server workloads. This policy combines default server workload policy settings with settings optimized for terminal servers. This policy is applicable to terminal servers running on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2.

So we imported this XML file, made some changes based on the first BP’s and applied it to all RDS servers.

There where different GPO’s applied and they had conflicting settings (mostly in the user conf) which couldn’t cause the problems as mentioned but to ensure optimal user performance we decided to create a new OU and re-do the GPO’s; putting all the stuff configured in the User policies into RES Workspace Manager and configure all the Computer policies into one.

So what we did in 3 steps:

  1. Install all available Windows Updates.
  2. Configure antivirus using vendor best practices but you decide what to configure.
  3. Keep GPO’s simple, try to keep the number of policies to a minimal.

After all these configuration changes we tested the environment and the issues where gone. Point of this blogpost is to show you should try to keep it simple and make sure you read all the best practices and choose what’s relevant for you and your environment.

 

 

The following two tabs change content below.

Kees Baggerman

Kees works for Inter Access as Senior Technical Consultant. His main areas of work are migrations and implementations of Microsoft and Citrix infrastructures and writing functional/technical designs.

One comment

  1. [...] Troubleshooting session log offs on Microsoft RDS [...]

Leave a Reply