RDP from Mac fails

Tags: mac-osx, rds, remote desktop, remote-desktop-gateway, windows-server-2016

Situation:

  • 4 Windows 2016 RDS servers in a collection
  • 1 Windows 2016 server that serves as RD Gateway and connection broker.

Authentication is done via NAP/Radius using a 2FA (Microsoft Multi-Factor Authentication).

Connection using Windows works just fine, either via RD Web Access in Internet Explorer, a custom RDP File (adding loadbalanceinfo:s:tsv://MS Terminal Services Plugin.CollectionName) or via RemoteApp and Desktop Connections. All fine (and my users like the flexibility).

Now the Mac. Using the latest version of the Microsoft Remote Desktop App (https://itunes.apple.com/us/app/microsoft-remote-desktop-10/id1295203466), Remote Resources kind of works. Users get multiple authentication prompts (for the RD Gateway and the RDS server).

I found this article (https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-uri) for creating an RDP uri.

rdp://promptcredentialonce=i:1&gatewayusagemethod=i:2&Use%20redirection%20server%20name=i:1&full%20address=s:connectionbroker.contoso.com&gatewayhostname=s:rdgw.contoso.com&loadbalanceinfo=s:tsv%3A%2F%2FMS%20Terminal%20Services%20Plugin.1.CollectionName&screen%20mode%20id=i:2

The uri works fine on iOS, single logon prompt and I get connected. This does not work on the Mac, giving either a Port reset by peer error on the old version of the RDP client (v8) or an access denied error in the new MS RDP client (v10).

Why won't this work on the Mac? It should be supported as far as I can see. And seeing the uri works fine on iOS it seems that is ok.

Best Answer

Well, apparently this issue can be fixed by adding a DefaultTsvUrl value in the registry of the RDS Broker server. This redirects incompatible RD clients to a default collection.

See: https://blogs.technet.microsoft.com/askperf/2015/06/11/walkthrough-on-session-hint-tsvurl-on-windows-server-2012/

1. Start Registry Editor (Regedit.exe).

2. Locate and then click the following key in the registry:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings

3. On the Edit menu, click Add Value, and then add the following registry value:

Value name: DefaultTsvUrl 
Data type: REG_SZ 
Value data: tsv://<TSVURL>

NOTE: This is being suggested as an alternate/workaround when you do not have upgrading the client as an option. It has the following caveats that one should be aware of:

  • This would only be read when the client is unable to understand the tsvurl sent in the RDP file (from the remote app) and thus does not present the tsvurl to connection broker. Whenever such a client comes the DefaultTsvUrl sends it to one single collection as specified in the registry value.
  • DefaultTsvUrl can only point to one single collection only and thus you may want to plan and create a single collection for non compatible clients that has all their required apps in it.
  • There is no provision of defining multiple collections in this registry so if you want to use incompatible clients over multiple collections then it won't be possible.
  • In case you change that collection, you will have to change the DefaultTsvUrl registry value as well.
  • This registry is only a workaround for tsvurls and will not work if the clients are not compatible with remoteapps itself. It is only for providing a workaround for clients that were able to access remoteapps earlier in Windows 2008/R2 but cannot access them through collections as explained in the section "Change in the way we connect in 2012 -Session Hint / TSVUrl".

So this also works for Windows 2016. Why the new RDP client for the Mac seemingly ignores the loadbalanceinfo=s: info is unknown, it should be supported.

Also this is not really a solution but more a workaround but good enough for now.
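
Steps 1 to 3 above as a script, for an elevated PowerShell session on the RD Connection Broker. This is an added example, not part of the original answer or the linked Microsoft walkthrough. It assumes the value passed in `-TsvUrl` is the same tsv:// string the collection's RDP file carries in loadbalanceinfo; the `CollectionName` in the usage comment is the placeholder from this page, not a real collection.

```powershell
# Added example: scripted form of the Regedit steps for DefaultTsvUrl.
# Usage (placeholder collection name, substitute your own):
#   .\Set-DefaultTsvUrl.ps1 -TsvUrl 'tsv://MS Terminal Services Plugin.1.CollectionName' -WhatIf
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: same tsv:// string as the loadbalanceinfo value in the collection's RDP file.
    [Parameter(Mandatory)]
    [ValidatePattern('^tsv://.+')]
    [string]$TsvUrl
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'
$name = 'DefaultTsvUrl'

if (-not (Test-Path -LiteralPath $key)) {
    throw "Registry key not found: $key"
}

# Read the current value (if any) so a re-run is a no-op and the old value is
# visible in the output in case the change has to be reverted.
$current = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name

if ($current -ceq $TsvUrl) {
    Write-Output "$name is already '$TsvUrl'; nothing to do."
    return
}
if ($null -ne $current) {
    # Only one collection can be the default, so an overwrite changes where
    # every incompatible client lands.
    Write-Warning "Replacing existing $name value '$current'"
}

if ($PSCmdlet.ShouldProcess("$key\$name", "Set REG_SZ to '$TsvUrl'")) {
    # -PropertyType String is REG_SZ; -Force creates the value or overwrites it.
    New-ItemProperty -LiteralPath $key -Name $name -PropertyType String `
        -Value $TsvUrl -Force | Out-Null

    # Read back and compare so a silent failure does not go unnoticed.
    $readBack = (Get-ItemProperty -LiteralPath $key -Name $name).$name
    if ($readBack -cne $TsvUrl) {
        throw "Verification failed: read back '$readBack'"
    }
    Write-Output "$name = $readBack"
}
```

Run it with `-WhatIf` first to see the intended write without touching the registry.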
