Category Archives: Terminal Services

Install a Certificate for Remote Desktop Services or Terminal Services on a Terminal Server

You’ll need a .pfx certificate in this guide, so once you have your certificate and any intermediates that need to be installed, export the certificate and include the entire chain in the export, assign a password, and then save the .pfx somewhere you can access it from the terminal server.

On the Terminal Server in Question:

  1. Click “Start” and then “Run”.
  2. Enter “mmc” and then click “OK”.
  3. Click on the “File” menu and then select “Add/Remove Snap-in…”.
  4. Click “Certificates” and then click “Add >”, when prompted choose option “Computer Account” and then click “Next >”.
  5. Select “Local Computer” and then click “Finish”.
  6. Click “OK” to complete the add snap-in wizard and then expand “Certificates (Local Server)”.
  7. Right click on the “Personal” folder and then select “All Tasks”, then “Import…”.
  8. Click “Next >” and then locate the .pfx you saved earlier. Click “Next >”.
  9. Enter your password, and then click “Next >”, click “Next >”, click “Finish”.
  10. Now open “Remote Desktop Session Host Configuration”.
  11. Right click on “RDP-tcp” in the center of the window and select “Properties”.
  12. On the “General” tab, click the “Select” button, Select your certificate, and then click “OK”.
  13. Click “OK” one more time, and then all future connections will be secured by the certificate.
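The same import and RDP-tcp binding done from an elevated PowerShell prompt, with the checks you’d want before trusting the listener (added example, not part of the original post). It assumes Windows Server 2012 or later for Import-PfxCertificate (on 2008 R2 use certutil -importpfx or the MMC steps above); the .pfx path is a placeholder.

```powershell
# Placeholder path; replace with the .pfx you exported.
$PfxPath     = 'C:\certs\terminal-server.pfx'
$PfxPassword = Read-Host -AsSecureString 'PFX password'

# 1. Import certificate, chain and private key into Local Computer\Personal
#    (the same store the MMC import above writes to).
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -Password $PfxPassword

# 2. Sanity checks before binding: the listener needs the private key,
#    a Server Authentication EKU and a chain that validates here.
if (-not $cert.HasPrivateKey) {
    throw 'No private key in the .pfx; re-export it with the key included.'
}
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })) {
    throw 'Certificate lacks the Server Authentication EKU.'
}
if (-not $cert.Verify()) {
    Write-Warning 'Chain does not validate on this server; import the intermediates too.'
}

# 3. Bind the certificate to the RDP-tcp listener (what the "Select" button
#    on the General tab does), via the Win32_TSGeneralSetting WMI class.
$wmiArgs = @{ Namespace = 'root\cimv2\TerminalServices'
              Class     = 'Win32_TSGeneralSetting'
              Filter    = "TerminalName='RDP-tcp'" }
$listener = Get-WmiObject @wmiArgs
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Re-read the listener and confirm the new thumbprint is the one in use.
$after = Get-WmiObject @wmiArgs
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw 'Binding did not apply; check the listener with tsconfig.msc.'
}
"RDP-tcp now uses $($cert.Subject) [$($cert.Thumbprint)], expires $($cert.NotAfter)"
```

If clients still see the self-signed certificate after this, the usual cause is that NETWORK SERVICE has no read permission on the imported private key; grant it in the certificate’s “Manage Private Keys…” dialog.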


Use Group Policy to enable Remote Desktop Connection on a group of PCs

This is a group policy that I use pretty often to enable Remote Desktop Connection on a group of PCs, add the proper users to the local Remote Desktop Users group, and enable RDP access on Windows Firewall. I’ve decided to post this here because there have been some slight changes in Group Policy Management on Windows 2008 R2 / SBS 2011 / Windows 7 (just for the actual enabling of RDP; the other things stay the same as they were with 2003 / XP).

Here is how I configure this when I need to enable RDP on a collection of machines:

  1. Create a new OU in Active Directory for all of the computers, or if one already exists make sure all of the computer accounts that need to be changed are in it.
  2. Open Group Policy Management Console and create and link a new GPO to this OU. I typically right click at the root of the GPO, select Properties, and disable the User Configuration Settings. (I do this to cut down on GPO processing time: if we know there will only be computer settings in this GPO, why process all of the unchanged User Policy Settings?)
  3. First we’ll need to add the firewall exception: expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > enable the policy “Windows Firewall: Allow inbound Remote Desktop Exceptions”.
  4. Repeat the above for the Standard Profile as well.
  5. Next we enable Remote Desktop connectivity: expand Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > enable the policy “Allow Users to connect remotely using Remote Desktop Services”. Note: this used to be > Windows Components > Terminal Services > “Allow users to connect remotely using Terminal Services”.
  6. Next we need to add the proper users/groups to the Remote Desktop Users group on each PC, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
  7. Right Click on “Restricted Groups” and select “Add Group…”
  8. Enter “Remote Desktop Users” and click OK. (Note: don’t click the “Browse” button, because you’re on a Domain Controller (well, more than likely anyway) and you don’t want to choose BUILTIN\Remote Desktop Users, which is where the browse button will take you; you want to edit the membership of the local “Remote Desktop Users” group on each PC.)
  9. Click the “Add…” button next to “Members of this group:”, and now click the “Browse” button, enter “Domain Users” (or whichever group you created) and then click “Check Names”. Once you’ve verified that you’ve got the right group, click “OK”.
  10. Click “OK” twice more and close the GPO. Once all of the machines have rebooted you’ll be able to remote into any of these PCs as a member of Domain Users.
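To confirm the policy actually landed on a PC (after gpupdate /force and a reboot), here is a check script for the three things the GPO above configures plus the listener itself. This is an added example, not from the original post; it assumes Windows 10 / Server 2016 or later for Get-NetFirewallRule and Get-LocalGroupMember, and that the group you added was “Domain Users” as in the post.

```powershell
function Test-RdpGpoApplied {
    param([string]$ExpectedMember = 'Domain Users')
    $result = [ordered]@{}

    # 1. RDP enabled: the "Allow users to connect remotely" policy writes
    #    fDenyTSConnections=0 under the Policies key; the effective value the
    #    service reads is under the Terminal Server key.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $eff = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $result.PolicyAllowsRdp     = ($pol.fDenyTSConnections -eq 0)
    $result.EffectiveRdpEnabled = ($eff.fDenyTSConnections -eq 0)

    # 2. Firewall: the predefined "Remote Desktop" rule group must be enabled
    #    for the Domain profile (and the Private profile, per step 4 above).
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    $result.FirewallDomainProfile  = [bool]($rules | Where-Object { $_.Profile -match 'Domain|Any' })
    $result.FirewallPrivateProfile = [bool]($rules | Where-Object { $_.Profile -match 'Private|Any' })

    # 3. Restricted Groups: the *local* Remote Desktop Users group (not
    #    BUILTIN on the DC) must now contain the domain group.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $result.RdpUsersContainsGroup = [bool]($members | Where-Object { $_.Name -like "*\$ExpectedMember" })

    # 4. The listener is actually up on 3389.
    $result.Port3389Listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

Test-RdpGpoApplied
```

Any $false in the output points at the step that did not apply; gpresult /h report.html will show whether the GPO was filtered out for that computer.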

Remote Web Workplace 2008 Users can only see one or few computers in the list of computers to connect to (RDP)

I just noticed that some of my users that use Remote Web Workplace (on SBS 2008) don’t have the ability to connect to certain computers within the network when they attempt to view a list of all computers. To be honest, I’m not quite certain how the list was originally created for each user, and I’m far too lazy to spend any time trying to figure that out.

I’m already certain that users have the right to connect to each PC, because there is already a group policy in place that grants Domain Users RDP permissions to each computer in the domain (you can read about how to do that here); it’s just that when they click to view a list of computers to connect to on the RWW website, they only see one computer, or at best a few computers.

I’ve tried to find a more elegant way to do this, but failed. The only way I could change this list was to make individual changes to each User’s or Computer’s properties within the Windows SBS Console. This is fine for networks with 5 computers, but if you’ve got 50 computers this could become painful.

Here are the steps to add computers to a user’s list:

  1. Open the Windows SBS Console
  2. Click on “Users and Groups” at the top
  3. On the “Users” tab, right click the user in question and select “Edit user account properties”
  4. Select “Computers” on the left
  5. Highlight each computer individually, and then check the box labeled “Can remotely access this computer”
  6. Click Apply when done, and have the user log off of the RWW site, and log back on
  7. They should now be able to see all computers when they view the list of computers to connect to.

This can also be performed on a computer basis by following these steps:

  1. Open the Windows SBS Console
  2. Click on “Network” at the top
  3. On the “Computers” tab, right click the computer in question and select “View computer properties”
  4. Select “User Access” on the left
  5. Highlight each user individually, and then check the box labeled “Can log on remotely to this computer”
  6. Click Apply when done, and have the user log off of the RWW site, and log back on
  7. They should now be able to see all computers when they view the list of computers to connect to.

That should do it. If anyone knows of a faster/better/easier way to do this, please let me know.

When trying to use Remote Web Workplace on an SBS 2008 server you get error: (error 50331688)

I recently came across this problem on an SBS 2008 deployment (it just missed the SBS 2011 release), where users trying to connect to their computers through Remote Web Workplace were unable to, and were getting this error:

An internal error has occurred (error 50331688). For more information, please
contact your network administrator or Microsoft Product Support.

Turns out the problem is related to the Terminal Services Gateway not having a certificate configured.

To resolve this follow these steps:

  1. Open TS Gateway Manager MMC
  2. Select your server in the Left hand pane
  3. In the Middle pane, click “View or modify certificate properties”
  4. Click “Select an existing Certificate for SSL encryption (recommended)”
  5. Click “Browse Certificates…”
  6. Select the correct 3rd party certificate from the list, and then click “Install”
  7. Click “Apply”, and then try to connect via RWW again.

This should also resolve any issues you have when trying to connect in via RDP when using a Terminal Services Gateway.

Enable the hidden Remote Desktop Gateway Manager MMC snap-in SBS 2011

For whatever reason, the Remote Desktop Gateway Manager MMC snap-in is disabled in SBS 2011 by default. For those of you who want to edit the TS CAPs and RAPs, you can re-enable the snap-in by entering the following command in a command prompt as an administrator:

dism /online /Enable-Feature:Gateway-UI

Note: it’s not recommended to install the Remote Desktop Gateway role on an SBS 2011 server; it’s already installed as a component of SBS 2011 and configured to work with the Remote Web Access site.

Dragon Naturally Speaking 10 / 10.1 Beeps and skips a word when using Terminal Services

We have a client that uses Dragon Naturally Speaking 10.1 for Medical Practices. They ran into a problem where, when a user was using Dragon and had an open Remote Desktop Connection to a terminal server, Dragon would beep and then skip one or more words before continuing to transcribe.

After considerable testing we were able to verify that this only happens when the user has an open RDP connection and the focus is in that RDP session.

This problem was resolved by editing a file called “nsapps.ini” that’s located in “c:\documents and settings\all users\application data\nuance\NaturallySpeaking10\”.

The following 2 lines were added to the file:
[MSTSC]
Key Delay=1

Once these changes were made, I restarted Dragon Naturally Speaking and had the user test the software. There were no beeps and no missed words, but there was a small delay between when the user stopped talking and when Dragon transcribed the text.

Internet Explorer 8 continually asking users to log into web sites in Terminal Services (2008 R2)

Ran into a super painful problem about 3 weeks ago. When users were logged onto a Terminal Server (Server 2008 R2) and running Internet Explorer 8 (why, you ask, would I allow IE to run in Terminal Services? Normally I wouldn’t, but the client’s app needs to be run within IE), any time they tried to download a file, or open a link that moved them to a new tab or window, the site “forgot” who they were and prompted them to re-authenticate. This happened on many different sites, not just on the app I mentioned.

We started down the normal troubleshooting path: allowing the site in Pop-up Blocker, adding the site to the Trusted Sites list, lowering the security on the Trusted Sites zone to “Low”, enabling Compatibility Mode, etc. Nothing would allow the file to be downloaded without having to re-login to the site.

As we continued testing, we removed all Group Policies that were locking down the Terminal Server, we created new users with fresh profiles, and double checked registry and file system permissions, again nothing would resolve the problem.

Finally, we came across this blog post over at the MSDN site, here. Turns out that when a new tab is opened, it runs under a different process; combine that with users running on Server 2008 R2 without “Power Users” permissions, as is the case in Terminal Services, and the new process does not have permission to access the cookie that was stored by the process that launched it. This is not the case on Windows 7, where users without “Power Users” permissions don’t experience the same problem.

Internet Explorer changes its behavior of where it stores cookies and other data depending on the permissions of the user running the process. Any application which launches a new tab in turn launches a new process, and this process will not have permission to access data like cookies from the process which launched it. Since the users are in a locked down environment, this Internet Explorer behavior should be turned off.

The registry value that we needed to change was located here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN

We needed to create a new DWORD called “TabProcGrowth” and set its value to 0.

The reason we are setting this value at HKLM and not HKCU is so that every user who uses this machine will have this setting applied to them. I’m far too lazy to change it at every user’s HKCU level.

After making this change we were able to log in with new test users and existing users alike and verify that we were no longer seeing the problem!