This was a very strange, intermittent issue. Using Remote Desktop Gateway on Windows Server 2012, all users had been able to log in and connect to their desktop remotely by clicking on the Desktop pool icon in RDWeb.
Everything had been perfectly fine since I upgraded from Server 2008 R2. The desktop pool has assigned machines for each user, so they no longer need to know the name of their private virtual machine, they can just click on ‘Desktop’ and they are away. There are also other pools for testing etc. as well as some remote apps.
About 2 months ago, one user bought a Microsoft Surface Pro tablet machine running Windows 8.1 and then started reporting that he could no longer connect to his virtual machine using the remote desktop gateway. Well, he said he had connected fine once, but then on subsequent tries it would fail. (This led me to think maybe it was a licensing issue and perhaps he was getting a temporary license on the first connect and then the next time the license wasn’t being upgraded correctly, or we were out of licenses, perhaps? I checked in RD Licensing manager and everything looked ok.)
The weird thing was that it didn’t seem to be linked to the user’s account as they could login on other machines, although when other users (including myself) used their personal machine it did work. Another user upgraded to 8.1 on their home machine and reported the issue but then rebuilt his machine with a fresh 8.1 ISO and reported that the issue had gone, leading me to believe it was not an 8.1 issue, but an upgrade from 8.0 to 8.1 issue.
I decided to inform staff to hold off upgrading to 8.1 until this was resolved, but another user upgraded anyway and was then facing the same issue, so now it was a bit more urgent, but I still had very little to go on.
The issue would be that the user in question could log in to the RDWeb site, which would show all the machine icons. The user would then click on the ‘Desktop’ pool icon, a box would quickly flash up and then disappear, and nothing else would happen; it would not connect.
I upgraded my virtual desktop to 8.1 thinking that might be part of the issue. I had considered upgrading the gateway to 2012 R2, but with it being in use constantly this had not yet been upgraded. However, 8.1 didn’t seem to make a difference, and as I could connect to my machine when it was running 8.0 this didn’t make sense.
Today, I had two 8.1 machines side by side, a Microsoft Surface Tablet running 8.1 and a Sony Vaio Tap 20 SVJ202. I could log in to my Desktop fine on each, but the users that they belonged to could not.
The message box that was popping up and disappearing was the “logon message” that has been enabled on the gateway server.
To be PCI compliant, this box pops up and displays the old “Only authorized users. Etc…”. However, this box has an option to allow users to bypass this message, at least until the message is next updated on the server, then they have to agree again.
Windows 8 users had been clicking on “Don’t show this again” and next time it would not show and would connect fine. However, 8.1 users could connect fine the first time, check “Don’t show this again” but the next time it would flash up and disappear quickly.
So, after a bit of registry digging, I found: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Gateway\Messages\<DOMAIN>\<USERNAME>
And if you clicked on “Don’t show this again”, it stored the logon message and username here. I deleted the <USERNAME> key, tried it again, and hey presto it worked!
So, there are a few fixes for this:
1. Tell 8.1 users not to check the reminder tick box.
2. Give all users the instructions to delete the key above.
3. Disable the logon message on the gateway server.
4. Wait for Microsoft to fix this.
I opted for option 3 and instead enabled the Logon banner via Group Policy until Windows resolve the 8.1 RDWeb banner issue.
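
The second fix in the list above (deleting the cached key) can be scripted for affected users. This is an added example, not part of the original post; the script name Clear-RDGatewayMessageCache.ps1 and its parameters are hypothetical, and it assumes the Messages\<DOMAIN>\<USERNAME> key layout described above.

```powershell
# Clear-RDGatewayMessageCache.ps1 (hypothetical name; added example)
# Removes the per-user "Don't show this again" cache for the RD Gateway logon message.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Root of the per-user cache, as given in the post.
    [string]$MessagesRoot = 'HKCU:\Software\Microsoft\Terminal Server Gateway\Messages',
    # Optional wildcard filters; by default every cached <DOMAIN>\<USERNAME> entry is cleared.
    [string]$Domain = '*',
    [string]$UserName = '*'
)

if (-not (Test-Path -LiteralPath $MessagesRoot)) {
    Write-Verbose "No cached gateway messages under $MessagesRoot; nothing to do."
    return
}

# Layout from the post: Messages\<DOMAIN>\<USERNAME>
$domainKeys = Get-ChildItem -LiteralPath $MessagesRoot -ErrorAction Stop |
    Where-Object { $_.PSChildName -like $Domain }

foreach ($domainKey in $domainKeys) {
    $userKeys = Get-ChildItem -LiteralPath $domainKey.PSPath |
        Where-Object { $_.PSChildName -like $UserName }

    foreach ($userKey in $userKeys) {
        $label = '{0}\{1}' -f $domainKey.PSChildName, $userKey.PSChildName
        # ShouldProcess honours -WhatIf and -Confirm, so the change can be previewed.
        if ($PSCmdlet.ShouldProcess($label, 'Remove cached RD Gateway logon-message consent')) {
            Remove-Item -LiteralPath $userKey.PSPath -Recurse -Force
            Write-Output "Removed cached consent for $label"
        }
    }
}
```

Run it with -WhatIf first to list the entries it would delete. Because the key lives under HKEY_CURRENT_USER, it must run in the affected user's own session.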