Windows NT TS NLB name problem


Jeff

I have an NLB cluster name like tsfarm.domain.com with an IP of 192.168.1.5 (not
real IPs, hehe) that has 4 nodes that are tsfarmA, tsfarmB, etc. A user can
log in to each of the nodes without issue since the group the user is in
resides in the Remote Desktop Users in the local group of each node. When
the user tries to log into the tsfarm.domain.com virtual it says that the
user has to be granted remote terminal access and shuts down. As a domain
admin I can connect to the virtual without issue.

Why can't the user authenticate to the farm name when the same user can
authenticate without incident on each of the nodes in the farm?? Are there
permissions I can set on the virtual??
 
OK, I found the answer. Not only do you have to add the users, as usual, to
the local Remote Desktop Users but you ALSO have to manually add the local
Remote Desktop Users group to the actual Terminal Services RDP Listener
permissions as users on all nodes for the farm to respond normally.



 
In normal cases, this isn't necessary, because the Remote Desktop
Users group has this permission by default.
But I'm glad that you have solved your problem!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Jeff <Jeff@discussions.microsoft.com> wrote on 19
jul 2007 in microsoft.public.windows.terminal_services:

> OK, I found the answer. Not only do you have to add the users,
> as usual, to the local Remote Desktop Users but you ALSO have to
> manually add the local Remote Desktop Users group to the actual
> Terminal Services RDP Listener permissions as users on all nodes
> for the farm to respond normally.
 
Vera,
You are correct on this. What is odd is that this wasn't necessary when
users were using RDP 5.1 or 5.2 but when I implemented RDP 6 all stopped
working until I made this change. It was quite odd I thought.

I noticed my listener on my nodes is 5.2. Is there a version 6 listener? Or
if there is, could this possibly be an issue?

 
No, you can't update Terminal Services on a Windows 2003 server to
use rdp version 6. You'll have to wait for Server 2008 (aka
Longhorn).

It's beyond me how using an rdp 6 client can remove the "Remote
Desktop Users" group from the rdp-tcp permissions on the server,
but I guess that stranger things have happened... :-)

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Jeff <Jeff@discussions.microsoft.com> wrote on 20
jul 2007 in microsoft.public.windows.terminal_services:

> Vera,
> You are correct on this. What is odd is that this wasn't
> necessary when users were using RDP 5.1 or 5.2 but when I
> implemented RDP 6 all stopped working until I made this change.
> It was quite odd I thought.
>
> I noticed my listener on my nodes is 5.2. Is there a version 6
> listener? Or if there is, could this possibly be an issue?
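
Added example (not part of the original thread, and not code from either poster): a PowerShell audit that checks, on every farm node, whether the Remote Desktop Users group is still on the RDP-Tcp listener's permission list, and optionally re-adds it with User Access. It assumes Windows PowerShell with Get-WmiObject on the admin workstation, WMI access to the nodes, the Terminal Services WMI classes in root\cimv2 (Server 2003), and that the group appears as BUILTIN\Remote Desktop Users; the node list is a parameter you fill in for your own farm.

```powershell
# Added example: audit the RDP-Tcp listener ACL on each Terminal Server farm node.
param(
    [string[]]$Nodes     = @('tsfarmA', 'tsfarmB'),        # names from the thread; list all of your nodes
    [string]  $Listener  = 'RDP-Tcp',
    [string]  $Group     = 'BUILTIN\Remote Desktop Users',  # assumption: English, non-localized group name
    [string]  $Namespace = 'root\cimv2',                    # Server 2003; 2008+ uses root\cimv2\TerminalServices
    [switch]  $Fix                                          # without -Fix the script only reports
)

$report = foreach ($node in $Nodes) {
    $accounts = ''
    try {
        # Win32_TSAccount returns one instance per account on a listener's permission list.
        $acl = @(Get-WmiObject -ComputerName $node -Namespace $Namespace -Class Win32_TSAccount `
                    -Filter "TerminalName='$Listener'" -ErrorAction Stop)
        $accounts = ($acl | ForEach-Object { $_.AccountName }) -join '; '
        $entry    = $acl | Where-Object { $_.AccountName -eq $Group }
        $status   = if ($entry) { 'Present' } else { 'Missing' }

        if (-not $entry -and $Fix) {
            $perm = Get-WmiObject -ComputerName $node -Namespace $Namespace `
                        -Class Win32_TSPermissionsSetting -Filter "TerminalName='$Listener'" -ErrorAction Stop
            # PermissionPreSet: 0 = Guest Access, 1 = User Access, 2 = Full Control.
            # User Access is the least privilege that lets group members log on.
            $rc     = $perm.AddAccount($Group, 1).ReturnValue
            $status = if ($rc -eq 0) { 'Added' } else { "AddAccount failed ($rc)" }
        }
    }
    catch {
        $status = "Query failed: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Node     = $node
        Listener = $Listener
        Group    = $status
        Accounts = $accounts      # full list, so unexpected or over-broad entries are visible too
    }
}

$report | Select-Object Node, Listener, Group, Accounts | Format-Table -AutoSize -Wrap

# Non-zero exit code when any node is missing the group, so a scheduled check can alert on drift.
if ($report | Where-Object { $_.Group -notmatch '^(Present|Added)$' }) { exit 1 }
```

On Server 2008 and later, the Terminal Services namespace also requires `-Authentication PacketPrivacy` on the Get-WmiObject calls.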
 