RD Connection Broker fails to redirect user to RD Session Host

CMC 21 Reputation points
2022-03-29T05:55:24.49+00:00

RDS configuration has two servers.

S1
Windows Server 2016
Internal DNS name: s1.corp.domain.com
2 NICs
IPv4 Address (public): 1.2.3.4
IPv4 Address (private): 10.10.10.100
RDS Roles: RD Gateway, RD Web Access, RD Connection Broker, RD Session Host

S2
Windows Server 2019
Internal DNS name: s2.corp.domain.com
IP Address (private): 10.10.10.200, fd12:5678::101
RDS Roles: RD Web Access, RD Connection Broker, RD Session Host, RD Licensing

External DNS
rds.domain.com > 1.2.3.4

Internal DNS
rds.corp.domain.com > 10.10.10.100, 10.10.10.200

The external RD Gateway address is rds.domain.com. High Availability is configured. The DNS name for the RD Connection Broker cluster as set in the RDS Deployment Properties window is rds.corp.domain.com. A multi SAN certificate is properly installed and assigned to each RDS service. Only a single session type collection is configured (Collection1). A single host server (S2) is assigned to Collection1.

When an external user connects to rds.domain.com, the gateway properly picks a connection broker based on a DNS lookup to rds.corp.domain.com. If S2 is chosen as the connection broker, the Remote Desktop Client quickly completes the connection and the user's remote desktop appears. However, if S1 is chosen as the connection broker, the Remote Desktop Client proceeds as normal for a moment, then hangs on "Configuring remote session" and never completes the connection.

The event log on S1 shows progress.

Event log Microsoft-Windows-TerminalServices-SessionBroker/Operational

Event ID 800

RD Connection Broker received connection request for user DOMAIN\user. 
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.Collection1 
Initial Application = NULL 
Call came from Redirector Server = s1.corp.domain.com 
Redirector is configured as Virtual machine redirector

Followed by event ID 801

RD Connection Broker successfully processed the connection request for user DOMAIN\user Redirection info: 
Target Name = S2 
Target IP Address = 10.10.10.200 
Target Netbios = S2
Target FQDN = s2.corp.domain.com 
Disconnected Session Found = 0x0

Nothing else is logged at this point, though. A successful/complete login would have a couple more entries - Event 787 and 818. In addition, nothing is logged on S2 in the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational event log. A successful connection would have several entries here.

Using TCPView, I can confirm that the tssdis.exe (connection broker) process on S1 is in fact contacting S2. Likewise the TCP connection is also visible on S2. But yet something is not allowing the connection to fully complete. After about 5 minutes, event ID 819 is logged on S1.

This connection request has timed out. User could not log on to the end point within the alloted time. Remote Desktop Connection Broker will stop monitoring this connection request.

This appears to be a similar problem to what is reported here
rds_2019_azure_mfa_hp_thin_clients

I have tried every possible fix that I can find but nothing has resolved this yet. I do have a temporary workaround. This only works though because there is only one RDSH in use at the moment. I can edit the internal DNS record for rds.corp.domain.com to only point to 10.10.10.200 (S2). This forces the gateway to direct all connections to the connection broker on S2. When S2 is the connection broker it is able to successfully complete the connection to the session host also running on S2.

The bottom line... A connection broker connecting to a session host on a different server doesn't work. A connection broker connecting to a session host on the same server does work.

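The event sequence described in the question (800, then 801, then either 787 and 818 or an 819 timeout) can be turned into a triage check that shows which broker-to-host path stalls. This is an added example, not part of the original post; the sample events are constructed, and it assumes requests in the export are not interleaved.

```python
import re
from collections import Counter

# Constructed sample, in log order, as (event_id, message). The 800/801/819
# wording follows the events quoted in the question; the page does not show the
# text of 787/818, so only their IDs are used.
SAMPLE_EVENTS = [
    (800, "RD Connection Broker received connection request for user DOMAIN\\user. "
          "Call came from Redirector Server = s2.corp.domain.com"),
    (801, "Redirection info: Target Name = S2 Target FQDN = s2.corp.domain.com"),
    (787, ""), (818, ""),
    (800, "RD Connection Broker received connection request for user DOMAIN\\user. "
          "Call came from Redirector Server = s1.corp.domain.com"),
    (801, "Redirection info: Target Name = S2 Target FQDN = s2.corp.domain.com"),
    (819, "This connection request has timed out."),
]

REDIRECTOR = re.compile(r"Redirector Server = (\S+)")
TARGET = re.compile(r"Target FQDN = (\S+)")

def classify_requests(events):
    """Pair each 800 with what follows it. Assumes requests are not interleaved."""
    requests, current = [], None
    for event_id, message in events:
        if event_id == 800:
            match = REDIRECTOR.search(message)
            current = {"redirector": match.group(1).lower() if match else None,
                       "target": None, "seen": set(), "outcome": "incomplete"}
            requests.append(current)
        elif current is None:
            continue  # belongs to a request that started before the export
        elif event_id == 801:
            match = TARGET.search(message)
            current["target"] = match.group(1).lower() if match else None
        elif event_id in (787, 818):
            current["seen"].add(event_id)
            if current["seen"] >= {787, 818}:
                current["outcome"] = "completed"
        elif event_id == 819 and current["outcome"] != "completed":
            current["outcome"] = "timed_out"
    return requests

def outcomes_by_path(requests):
    """Count outcomes per (redirector, target) pair to expose a failing path."""
    return Counter((r["redirector"], r["target"], r["outcome"]) for r in requests)

if __name__ == "__main__":
    for path, count in outcomes_by_path(classify_requests(SAMPLE_EVENTS)).items():
        print(count, *path)
```

A path whose requests only ever end in `timed_out` while the same target completes through another redirector points at the broker-to-host leg rather than at the session host itself.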

6 answers

  1. Ralph Zeller 5 Reputation points
    2023-04-21T20:51:39.32+00:00

    I have the same problem and tried everything to resolve it. Observations I made: no problems with Windows Server 2022, but Windows Server 2019 or lower hang at the mstsc.exe configuration screen. From my perspective it's a bug in the mstsc.exe client with the gatewayusagemethod:i:2 setting in the .rdp file (Bypass RD Gateway server for local addresses). When I change the parameter to gatewayusagemethod:i:1 the connection will work.

    I tested the equivalent parameter usage-method:detect with the latest version of wfreerdp found here https://ci.freerdp.com/view/All/job/freerdp-nightly-windows/ and connection string:

    wfreerdp.exe /gateway:g:<gateway>,usage-method:detect,type:auto,no-websockets /v:<broker> /u:<domain>\<user> /p:<password> /cert:ignore /size:1280x1024 /load-balance-info:"tsv://MS Terminal Services Plugin.1.<collection>"

    Without type:auto,no-websockets the mouse will be unusably slow.

    Hope this helps.

    Best regards, Ralph

    1 person found this answer helpful.

  2. Joseph Malloy 1 Reputation point
    2022-04-11T21:24:10.14+00:00

    Hello, did you ever get this resolved? We have the same issue!


  3. joaocipriani 1 Reputation point
    2022-10-20T12:19:31.997+00:00

    Hello, I faced this issue and it was on the firewall. The host that was trying to connect was dropping on udp/3389; I suggest disabling Farm AV for testing and also checking a bypass on the FW for testing.


  4. Skyz0 1 Reputation point
    2022-12-22T11:29:56.767+00:00

    Not sure if you're still having this issue, but if S1 and S2 are part of the same HA pair, they should be the same OS level as outlined in the RDS documentation:

    "If you are creating a highly available environment, all of your Connection Brokers need to be at the same OS level."


  5. Nick Evans 1 Reputation point
    2022-12-29T11:26:11.597+00:00

    We have exactly the same issue. I am trying to use FreeRDP (probably the same as the HP thin clients) in version 2.8.

    My connection string is:

    xfreerdp /g:GATEWAY-NAME /v:FARM-NAME /u:USER /p:PASSWORD /d:DOMAIN /gu:GATEWAY-USER /gp:GATEWAY-PASSWORD

    If I try to connect, I get the prompt on my mobile for MFA. My gateway server successfully authenticates the user with our Azure broker. Then it asks the session broker which of the RDS hosts to connect to. It then sends the information to the client, but from that moment nothing happens.

    If I change the connection parameter /v: from FARM-NAME to an RDS host directly, everything works fine. So it must have something to do with the redirection from the session broker to the RDS host.

    Connecting from a Win10 client through the gateway works flawlessly.

    Anyone else had any Luck?

    Best Regards Nick Evans

