Slow remote login using RDS RemoteApp with user using UPN Suffix

Ruben Nunez 1 Reputation point
2021-09-01T19:54:07.33+00:00

I've set up a small RDS environment consisting of 3 servers (Windows 2019) in Azure with the following roles:

Server 1: Domain Controller and Licensing Server
Server 2: Connection Broker, Remote Gateway, RDWeb Access
Server 3: Session Host

AD Domain is: domain.com
UPN Suffix added through Active Directory Domains and Trusts: abc

I have a wildcard certificate for *.domain.com and it is assigned to the roles.

I have created a RemoteApp for an application.

Ports 3389, 443 and 3391 UDP are allowed on Server 2 and Port 3389 on Server 3.

Using the following format for the user during login: user1@keyman .com, the login takes about 3 seconds and logs in fine.

Using the following format using the suffix: user1@jaswant , the login takes about 20-23 seconds and then logs in fine.

EDIT: I tried connecting from the Domain Controller using the RemoteApp RDP file and the delay DOES NOT happen. So it is only happening externally.

It sits on this dialog for around 2-3 seconds:

128405-capture2.jpg

Then on this dialog for about 18-20 seconds:

128441-capture.jpg

Any idea why the difference in login time using the two different formats?

Any help would be appreciated.

Windows Server 2019
Remote Desktop

6 answers

  1. Limitless Technology 39,651 Reputation points
    2021-09-02T16:20:36.947+00:00

    Hello @Ruben Nunez

    It is going to be difficult to troubleshoot slow performance issues without any error messages. You could start by capturing logs and dumps to investigate further with MS support. But before that, you could check the event logs and verify if there is anything related to UPD or the slow performance.

    Event logs for instance:

    TerminalServices-RemoteConnectionManager and TerminalServices-LocalSessionManager logs to view information about connections.

    Regards,


  2. Ruben Nunez 1 Reputation point
    2021-09-02T16:59:57.573+00:00

    I've checked the logs on the Gateway/Connection Broker Server.

    Here are some entries from logins using the two different user name formats:
    I initiated a new login attempt from the remote computer @ 12:33:14 using UPN suffix and at 12:54:05 using user1@keyman .com format.

    Under TerminalServices-Gateway there is an entry at 12:23:21 that the client computer has initiated an outbound connection. (12:54:06)

    Under TerminalServices-SessionBroker there is an entry at 12:33:27 that the RD Connection Broker received a connection request. (12:54:08)

    Under TerminalServices-RemoteConnectionManager there is an entry at 12:33:27 that User authentication succeeded at 12:33:27. (12:54:08)

    There is a log entry under TerminalServices-Licensing on the DC at 12:33:29 that it has successfully issued an RDS per user CAL. (12:54:10)

    So right now the difference is 10 seconds. 15 seconds vs 5 seconds. This is using the same AD account to log in.

    If by UPD you mean User Profile Disks, they are not enabled on this Session Collection.

    Could it be a DNS issue when using UPN suffixes?
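
The log check suggested in answer 1 and done by hand in answer 2 can be scripted. This is an added example, not part of the original thread: it pulls the TerminalServices Operational channels for one logon attempt onto a single timeline and prints the gap before each entry. `$Start` and `$WindowSeconds` are assumed parameters to adjust.

```powershell
# Added example: correlate RDS event-log entries around one logon attempt.
# Run elevated on the Gateway/Connection Broker server. $Start and
# $WindowSeconds are assumptions: set $Start to when the RemoteApp was launched.
param(
    [datetime]$Start = (Get-Date).AddMinutes(-5),
    [int]$WindowSeconds = 60
)

# Operational channels behind the Event Viewer folders named in the thread.
$channels = @(
    'Microsoft-Windows-TerminalServices-Gateway/Operational',
    'Microsoft-Windows-TerminalServices-SessionBroker/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
)

$events = foreach ($channel in $channels) {
    # A channel that is absent on this server (role not installed) or has no
    # events in the window raises a non-terminating error; skip it.
    Get-WinEvent -FilterHashtable @{
        LogName   = $channel
        StartTime = $Start
        EndTime   = $Start.AddSeconds($WindowSeconds)
    } -ErrorAction SilentlyContinue
}

# Order all entries on one timeline and show the gap before each entry,
# so the step that absorbs the extra seconds stands out.
$previous = $null
$events | Sort-Object TimeCreated | ForEach-Object {
    $gap = if ($previous) { ($_.TimeCreated - $previous).TotalSeconds } else { 0 }
    $previous = $_.TimeCreated
    [pscustomobject]@{
        Time    = $_.TimeCreated.ToString('HH:mm:ss.fff')
        GapSec  = [math]::Round($gap, 1)
        Log     = ($_.LogName -split '-')[-1] -replace '/Operational$', ''
        Id      = $_.Id
        Message = ($_.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize -Wrap
```

Run it once for each user name format, and on the Session Host as well, then compare the `GapSec` columns to see which step the slower format waits on.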


  3. Ruben Nunez 1 Reputation point
    2021-09-02T23:53:55.07+00:00

    Another observation from another similar configuration I was testing...

    Domain: domain.local
    Gateway: gw.domain.com (Have wildcard certificate for *.domain.com installed and assigned to the roles)

    When logging in using testuser@keyman .local it is fast (2-3 seconds); when using domain\testuser it is also slow like above, 15-20 seconds.

    So it looks like it takes it longer to figure out how to authenticate unless you use the testuser@keyman .local syntax for the user name. If you use the domain\testuser or testuser@upnsuffix it takes quite a bit longer.

    Also, this does not happen when connecting via MSTSC directly, only through a RemoteApp from a Session Collection.

    EDIT: Slowness also does not happen if I use only the username without domain or UPN suffix for login in the User Name field.

    Just don't have an idea where to start to look to fix this issue.


  4. Андрей Михалевский 3,221 Reputation points
    2021-09-17T07:20:31.423+00:00

    Hi. We have the same problem. Is there a solution?


  5. Ruben Nunez 1 Reputation point
    2021-09-17T14:29:52.293+00:00

    No, I haven't figured out a way to speed up the log in using a UPN suffix and haven't found an answer anywhere else.

    Using the username@keyman .com format it is always fast but using any other format for the user name there is a delay before it logs in.
