Microsoft Windows Experts

You may not be able to connect to published RemoteApp when connecting via RD Web through RD Gateway. November 2, 2011

When you try to open a Remote App via RD Gateway, you may get the following errors:

“You may not be able to connect to your remote apps when connecting remote apps on RD Web through RD Gateway.”

or “The logon attempt failed”.

While the default logon page for RD Web Access indicates “Domain\user name” for the user name field, entering only the user name works fine, but only as long as you are not using RD Gateway and Single Sign-On. When both are in use, either of the above error messages will occur when you try to start a RemoteApp.

The catch is that when RD Gateway and Single Sign-On are being used, you must supply the domain as part of the user name (domain\user name); otherwise the SSO feature will break.



Remote Desktop Service cannot be restarted if Keep-Alive feature is enabled October 9, 2011

If the RDP Keep-Alive feature is enabled on a Windows Server 2008 (or Windows Server 2008 R2) server, manually stopping the Remote Desktop Services service (Windows Server 2008 R2) or Terminal Services service (Windows Server 2008) will leave the server in an unstable state: restarting the service will not re-enable RDP functionality, and the server will hang during shutdown.

The keep-alive thread is started by the Remote Desktop Services (Terminal Services) service if Keep-Alive is enabled. However, it runs in kernel mode and therefore cannot be terminated automatically when the service stops.

So do not attempt to stop or restart the Remote Desktop Services (Terminal Services) service if the RDP keep-alive mechanism is enabled.

When Keep-Alive is enabled and the Remote Desktop Services (Terminal Services) service is stopped, its svchost.exe process will remain in the Task list, even though the service is reported to have stopped correctly. When the service is started again, a new svchost.exe will be started; however, the server will not accept incoming RDP connections due to an inconsistency in the TermDD driver state.

The Keep-Alive feature can be enabled by Group Policy:

Windows Server 2008 R2:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

Configure Keep-Alive Connection Interval

Windows Server 2008:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections

Configure Keep-Alive Connection Interval

To configure directly in the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]




Retrieve Terminal Services Licensing Grace Period Days info via WMI January 25, 2011

Script to retrieve the number of days left in your TS Licensing Grace Period:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\TerminalServices")
' Obtain an instance of the class
' using a key property value.
(more…)


Set Relative Weight in a Terminal Services Session Directory/Broker based Farm via WMI

Script to set a Relative weight value of 100 in a Terminal Services Session Directory/Broker based Farm via a Script:


Set Relative Weight to a TS Farm

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\TerminalServices")
' Obtain an instance of the class
' using a key property value.
Set objShare = objWMIService.Get("Win32_TSSessionDirectory")
(more…)


An authentication error has occurred. The specified target is unknown or unreachable. NLA Error, XP SP3 January 23, 2011

Filed under: Remote Desktop Services — helpforsure @ 11:19 pm

This is really annoying and it took me a little while to find the fix, so I am blogging about this in hopes that others waste less time!

I have a 2008 R2 RD Session Host server farm. It is set to accept only connections from NLA clients. Connecting from any Win7 machine works great.

Then I tried to connect via a client running XP SP3, running RDC 6.1 (supports NLA) with CredSSP enabled.  I got the following error: An authentication error has occurred. The specified target is unknown or unreachable.


If I turn off requiring NLA on the farm servers, I can connect.

Next, I added RDC 7.0 and tried again. I get the same error.

I tried from more XP clients, with the same setup and I get some that get in and some that give the error.  VERY CONFUSING.

Turns out,  there is a hotfix out there that fixes this:

I added:, and rebooted.

Now it works.

What I find interesting is that the hotfix does not specifically lay out this exact error result. ARGH. If it had, I would have found it SO much faster.

Note: WebSSO will still not work unless you have RDC 7.0 on your XP client – RDC 7.0 is a requirement for WebSSO.


HowTo: Create Self-Signed Certificate via SelfSSL utility [Included in IIS 6 Reskit Tools]

Download the IIS 6 Resource Kit and use a tool called SelfSSL.exe. Using this tool, you can create a self-signed certificate whose private key is exportable and whose common name can be anything you want. For example, to create a self-signed certificate for the RDS farm called farm1.ash.local, you would run this command (make sure to start your command console with elevated privileges!):

C:\Program Files (x86)\IIS Resources\SelfSSL>selfssl /N:cn=farm1.ash.local /K:2048

Microsoft (R) SelfSSL Version 1.0

Copyright (C) 2003 Microsoft Corporation. All rights reserved.


Do you want to replace the SSL settings for site 1 (Y/N)?y

The self signed certificate was successfully assigned to site 1.


Then when you look in the computer certificates store, you will find the certificate under the personal store:

Note: You can run SelfSSL on a Windows 7 machine.

The private key is exportable, as shown by the little key located in the upper left hand corner of the certificate icon. This means you can move it to another server.

Next you need to export the certificate so you can import it to all of your RD Session Host servers in the farm:

1. Right click on the certificate and choose All Tasks —> Export….

2. As you run through the Export Certificate Wizard, make sure to choose to export the private key.

3. Enter a password for the file for security, and save the resulting .PFX file.

Now you need to import the self signed certificate to your RD Session Host server farm members.  On each member:

1. Open the computer certificates MMC, right click on the Personal store/Certificates folder, and choose: All tasks —> Import…

2. This starts the Import Certificate Wizard.

3. Browse to the PFX file you created earlier.

4. Make sure the file extension dropdown box is set to All Files, and then choose your file and click Open.

5. Enter the password.

6. Install the certificate to the personal store (it is chosen by default).

7. Click Finish.

Now you have a self signed certificate that contains the farm name on all of your farm members, so you can test farm access now without getting a message that the machine you specified in RDC was not the name of the responding server.

Now, you also have to install the self-signed cert into the Trusted Root Certification Authorities / Certificates folder in the Computer Certificate Store, on every computer you will connect to the farm with. If you don’t, you will get this error:

In a real life situation, you would purchase an SSL certificate from a public CA that is part of the Microsoft Root Certificate Program, so the CA certificate used to sign the SSL certificate would automatically be downloaded to the computer Trusted Root folder via Windows Updates.

But in a test situation, you have to do this part for yourself, since your self signed certificate is not part of this program.
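A check for the deployment steps above, as an added PowerShell example that is not part of the original post: run it elevated on a farm member (-Role Member) or on a connecting computer (-Role Client) to confirm the farm certificate is in the right store and in the right form. The parameter names and the assumption that clients receive only the public certificate, never the PFX with its private key, belong to this example; the store access uses the standard .NET X509Store class.

```powershell
# Added example (not from the original post). Run elevated on the local machine.
#   -Role Member : RD Session Host farm member (Personal store, private key required)
#   -Role Client : connecting computer (Trusted Root store, public certificate only)
param(
    [string]$FarmName = 'farm1.ash.local',          # CN from the SelfSSL command
    [ValidateSet('Member', 'Client')]
    [string]$Role = 'Member',
    [string]$ExpectedThumbprint = ''                # optional, as noted on the issuing machine
)

$storeName = if ($Role -eq 'Member') { 'My' } else { 'Root' }
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, 'LocalMachine'
$store.Open('ReadOnly')
try {
    # X509Certificate2 objects stay usable after the store is closed
    $certs = @($store.Certificates | Where-Object { $_.Subject -eq "CN=$FarmName" })
} finally {
    $store.Close()
}

$problems = @()
if ($certs.Count -eq 0) {
    $problems += "No certificate with CN=$FarmName found in LocalMachine\$storeName"
}
foreach ($c in $certs) {
    $id = $c.Thumbprint
    if ($ExpectedThumbprint -and $id -ne ($ExpectedThumbprint -replace '\s', '')) {
        $problems += "$id does not match the expected thumbprint"
    }
    if ($c.NotAfter -lt (Get-Date)) {
        $problems += "$id expired on $($c.NotAfter)"
    }
    if ($c.PublicKey.Key.KeySize -lt 2048) {
        $problems += "$id uses a key shorter than the 2048 bits requested with /K:2048"
    }
    if ($Role -eq 'Member' -and -not $c.HasPrivateKey) {
        $problems += "$id has no private key here; re-import the PFX on this farm member"
    }
    if ($Role -eq 'Client' -and $c.HasPrivateKey) {
        $problems += "$id carries the farm's private key in a client trust store; import only the .cer"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
$certs | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

Comparing the Thumbprint column across all farm members and clients confirms that every machine holds the same certificate rather than one regenerated by a later SelfSSL run.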


Troubleshooting Connectivity Issues with Terminal Services

One of Microsoft’s biggest support call generators has always been the dreaded ‘Remote Desktop Disconnected’ or ‘Can’t Connect to Remote Computer’ error messages when trying to connect to a terminal server from a client. The problem with this issue is that there are a myriad of causes that all end up causing the same symptom. Since there are several causes for the same thing, there is a lot of information out there on how to troubleshoot the various causes. The problem is, all of this troubleshooting material is spread out in multiple Knowledge Base articles and who knows where else on the internet, and even worse, there is no way to tell which cause may be the root of the problem in a given case. So, even if you query the internet and find articles that mention the error message, the articles you find may or may not even apply to your situation.

So, the point of this post is to simply point out the links to the three articles in question. If you are the administrator of any sort of terminal server environment, I recommend keeping these links in your favourites in case you need them in the future:

186645    Troubleshooting RDP Client Connection Problems (aggregate article that points to the three below)

2477023    Remote Desktop Disconnected or Can’t Connect to Remote Computer or Remote Desktop Server (Terminal Server) running Windows Server 2003

2477133    Remote Desktop Disconnected or Can’t Connect to Remote Computer or Remote Desktop Server (Terminal Server) running Windows Server 2008

2477176    Remote Desktop Disconnected or Can’t Connect to Remote Computer or Remote Desktop Server (Terminal Server) running Windows Server 2008 R2

More Information:

These symptoms are fairly common as seen from below articles/posts:

1. Port assignment issue:

2. This following article from talks about how to troubleshoot a remote desktop disconnected problem but does not cover all the symptoms:

Additionally, we have more symptoms documented under the following article:

Troubleshooting General Remote Desktop Error messages