Wildcard Certificate for RD Session Host server farms (2008 R2 SP1)

Kristin Griffen (Microsoft MVP on RDS) has done an interesting discovery. Since SP1 using wildcard certificates for an RD Session Host server farm now no longer generates an error! Which is great!

"...Since installing 2008 R2 SP1, I have again tested securing RDSH farm servers using a wildcard certificate and a UCC certificate, and now I get no errors!

Example: I used a wildcard certificate (*.domain.com) for securing RD Gateway, securing the RDWA website, all RDSH farm servers, and for RemoteApp signing, and I now get no errors.

I have not been able to confirm exactly what change has been made by Microsoft but SOMEthing has definitely changed to make using wildcard and UCC certificates for RDSH farm servers work..."

Source: http://blog.kristinlgriffin.com/2011/07/using-wildcard-certificate-and-ucc.html#comment-form

KB2582684 Running a Remote Desktop session within another Remote Desktop session is not supported

A new KB article was released by Microsoft, KB2582684. For the experiences RDP people will seem like an open door. But this is a KB in the "FAST PUBLISH" series by Microsoft Support so I guess they get lots of questions about it. The KB basically is about nested RDP and it states that using an RDP session from within another RDP session is not supported nor tested. If you're an experienced RDP user you'll know it works. But Microsoft is right of course when they say that certain Remote Desktop functionality may not work properly, or may lead to unexpected behavior.

As an administrator we all have used nested RDP to quickly get to a server that can't be reached from the outside. In fact I have used nested RDP over 3 servers on more than one occasion :-) However, nested RDP is of course not something you would advise your customer as the primary way of work for their end-users. And I guess that's what this article is about.

The only thing they neglected to do in this KB is describing the "Applies To" section, which is empty right now.

Article ID: 2582684 - Last Review: July 15, 2011 - Revision: 1.0
Running a Remote Desktop session within another Remote Desktop session is not supported

"...Running a Remote Desktop (Terminal Server) RDP session within another Remote Desktop RDP session is not supported on the operating systems listed in the Applies To section of this article. For instance, users connecting to a Remote Desktop Session Host server for their desktop environment and then connecting to another Remote Desktop server for Remote Apps is neither tested nor supported...."

RDS - The certificate is not valid for this usage

An interesting blog post by RDS MVP Kristen Griffen. I've never run into this myself, but aparently a SSL certificate that you use for RDS can have a certificate chain that is too long, causing the following error:

The certificate is not valid for this usage

If you run into this, have your CA re-issue a certificate with a shorter chain.

Credits: http://blog.kristinlgriffin.com/2011/07/rds-certificate-issue-certificate-is.html

Microsoft Forums will change their recognition system on July 14th 2011

Next week, on the 14th of July, the TechNet and MSDN forums are going to migrate to a new recognition system! This is definitely a big step forward in rewarding community contributors for the quality of their contributions, instead of only focussing on the quantity. The achivements will also be better visible to other forum users. Some of the main features are:

Centralized Recognition
The old recognition system was just based on Forums. Starting from July the 14th, points will also be rewarded for Profile an Galleries. The next step will be, to also add participation on Blogs and Wikis

Points and Achievements
Points are gained by contributing content the community finds valuable. Achievements are gained by users for volume based activity, like posting or answering a lot. The bug in the old system where one could self-mark their own answer and get rewarded is also removed!

Points Changes
On July 14th user points will be updated for all users. Users will see new point totals and achievements for the history of their participation in the forums for the past six years. Some users will gain points but most points will be adjusted to a lower value based on the new points algorithm.

You can preview what the new system will look like in the CTP Preview here:
http://ctp.social.technet.microsoft.com/Forums/en-US/categories

I took a quick a look at what my profile will look like, see below.

More info on the forum change: http://blogs.msdn.com/b/addeditdelete/archive/2011/06/30/forums-recognition-update-coming-july-14th-2011.aspx

Changebase offering AOK for RDS 2008 R2

Together with Microsoft, ChangeBASE has recently developed and released reporting rules / plugins for RDS 2008 R2 to help you automatically test applications for issues. These RDS plugins will enable you to find out which applications will work out of the box on RDS 2008 R2 and which ones may experience issues and what those exact issues are.

ChangeBase AOK for RDS 2008 R2 performs the following tests:

• Elevated Privileges Detection
• Global User Data Settings Detection
• Host Detection
• Per User Install Detection
• Printer Driver Detection

To ensure a comprehensive coverage, it also covers a series of tests for compatibility with Server 2008 and 64-bit.

They’re also offering a free AOK license for an RDS Application Assessment! (limited time)

“…ChangeBASE are now offering a FREE AOK license for an RDS Application Assessment. The objective of the program is to assess around 10% of your applications (or up to 100 MSI applications if your estate is larger than 1000 applications) for FREE and provide you with a detailed RAG report as to whether those applications will work optimally on RDS…”

The press release: http://changebase.com/NewsPage.aspx?page=News/news_release_2011_6_30.xml&style=~/Style/PressRelease.xsl

More information on the product:
http://www.changebase.com/products_rds.aspx

Microsoft MSDN blogpost about this:
http://blogs.msdn.com/b/rds/archive/2011/07/06/free-rds-application-assessment-program-by-changebase.aspx

GPO "Restrict each user to a single session" set to disabled while using shared domain accounts

As you might know there is a GPO named "Restrict each user to a single session". In most production environments this GPO setting is enabled on a RD Session Host because generally you assign each individual person a unique domain account. And in my opinion you should enable it. However, I've seen scenario's where people share a domain account to access a Remote Desktop Services environment assuming that disabling the above policy will fully fulfill their needs. What they are usually not aware of is the following:

A first user connects to the RD Session Host using account1 and gets a new session.
While the first user is still active, a second user connects to RD Session Host using account1. Since the above GPO is disabled, he also receives a new session. So far so good. Both users log off.

Now consider this:

Again, a first user connects to the RD Session Host using account1 and gets a new session. This time this first user disconnects from the RD Session Host (leaving a disconnected session). While the first user's session is disconnected, a second user connects to RD Session Host using account1. He now does not get a new session but is being reconnected to the other user's disconnected session.

This is of course expected behavior and as designed, but it might not be what some people expect. General word of advice; assign each person a unique account. There actually is a ("fast publish") KB about this as well, that was recently updated. See below.

Article ID: 2572658 - Last Review: July 5, 2011 - Revision: 2.0
Remote Desktop users may be connected to a different session than expected if the session is initiated using the same logon credentials.

Windows Thin PC (WinTPC) is available, boost for VDI and SBC implementations

Desktop Virtualization is becoming (if not already) more and more proven technology. Many organizations are exploring and implementing the possibilities of centrally storing their desktops and are using Microsoft techniques like VDI or Session Virtualization (Remote Desktop Services). A statement from Microsoft taken from the WinTPC whitepaper:

“…Some analysts predict that Virtual Desktop Infrastructure (VDI) may become a 1.7B market in 2014, with around 16M seats of VDI deployed at enterprises…”

With the desktop being hosted in the datacenter the next useful step is taking a look at the devices that end-users use to connect to the central environment. For a reasonable amount of those users, a fully blown desktop OS locally is not a requirement anymore. An option, of course, would be to replace those client PC’s with devices likes thin clients. The downside of this is of course the initial purchase of those all those extra thin clients. So why not reuse the existing clients and provide those clients with a small, secure and easy to maintain footprint of the Windows 7 operating system? This is where Microsoft’s Windows Thin PC (short WinTPC) comes in place!

Taken from the WinTPC whitepaper:

“…An Introduction to WinTPC
Windows Thin PC is a low footprint version of Windows 7, that enables organizations to repurpose their Windows 7 capable devices as thin clients. WinTPC enables organizations with an excellent thin client experience, through features of thin clients like write filters (preventing users from modifying the operating system), rich remote desktop experience with RemoteFX, and the familiar Windows 7 interface (reduced training). WinTPC has been designed to leverage existing management investments, since it integrates easily with System Center Configuration Manager. WinTPC is a benefit of Software Assurance (SA) and does not require the Windows VDA license that other thin clients require to access VDI desktops. This provides IT with significant cost savings for their thin client computing model, but still gives administrators the ability to have a locked down computing device. This also gives organizations the flexibility to postpone PC hardware refreshes while enjoying most of the benefits of Thin Client devices today…”

“…Features and Benefits of WinTPC
WinTPC enables organizations to enjoy the benefits of thin client computing on their existing PCs. In a nutshell, Windows Thin PC is designed to provide the following benefits to organizations:
1) Reduce the cost of VDI
2) Provide an excellent thin client experience
3) Enable enterprise ready manageability and security…”

I think WinTPC is a great way for SA customers to give the implementation of VDI and Session Virtualization (Remote Desktop Services) an extra boost!

More information on WinTPC here: http://www.microsoft.com/windows/enterprise/solutions/virtualization/products/thinpc.aspx

Download the WinTPC whitepaper here:
http://download.microsoft.com/download/E/E/7/EE740852-95D2-48F2-A661-0771E693E620/Windows%20Thin%20PC%20Whitepaper%20v1%200.pdf

Download the 90-day trial here:
http://download.microsoft.com/download/C/D/7/CD789C98-6C1A-43D6-87E9-F7FDE3806950/ThinPC_110415_EVAL_x86fre.iso

More questions on WinTPC? Get the FAQ here:
http://www.microsoft.com/windows/enterprise/solutions/virtualization/products/thinpc.aspx

KB article 2526946 released regarding SSO on Win Server 2008 R2 SP1 and Win 7

A new KB article was released regarding SSO on Windows Server 2008 R2 SP1 and Windows 7

Article ID: 2526946 - Last Review: June 16, 2011 - Revision: 1.0

An SSO solution that calls the LsaLogonUser function to pass a KERB_TICKET_LOGON structure for Kerberos authentication does not work in Windows 7 SP1 or in Windows Server 2008 R2 SP1

http://support.microsoft.com/kb/2526946

Additional info:

In an Active Directory domain environment, you deploy a Single Sign-On (SSO) solution on client computers that are running Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 Service Pack 1 (SP1).

The SSO solution calls the LsaLogonUser function to pass a KERB_TICKET_LOGON structure for Kerberos authentication.

In this scenario, the SSO solution does not work. Additionally, you receive an error message that resembles the following:

STATUS_TRUSTED_RELATIONSHIP_FAILURE

Note The SSO solution works on client computers that are running other Windows operating systems.

Follow up: new features or improvements in future release RDS platform

Here's the followup on my post "What new features or improvements would you like to see in the next future release of Microsoft’s Remote Desktop Services platform?"

I promised to share the collection of the feedback that I got on posting this question in different online platforms. Apart from my personal suggestion's (see the original post) Here's the feedback that I got:

----------
George Gardon • I would like to see Microsoft improving the performance of Remote Desktop Protocol (RDP), which at times has trailed behind remote display protocols from other virtual desktop infrastructure (VDI) vendors (like Citrix-ICA and VMware-PCoIP)
----------
Faeq Sediqi • - Overall Performance - SSO should be simplified.
 ----------
thomas • My personal suggestions are these:
1) Being able to sort the RemoteApp programs to Folders
2) Limit simultanious connections to an app to a specific number users without having to use security groups
3) An iPad / Andorid App supporting RemoteApps or WebApps
 ----------
Emanuel Fernandes • more use of GPU capabilities on client machine, so using RDP for 3D rendering or Video Editing could boost more Small Business into Windows domains.
If you have any other suggestions or comments, feel free to add them!

Original post:
http://microsoftplatform.blogspot.com/2011/06/what-new-features-or-improvements-would.html