Magroll Absent Member.

Double Login with DLU and Windows 2012 R2 RDS Farm

Hi,
Following scenario:

Server01: Windows 2012 R2 Server with Remote Desktop Broker Service with OES Client (V2 IM3) and ZENworks agent (11.4.2)
Server02: Windows 2012 R2 Server with Remote Desktop Session Service with OES Client (V2 IM3) and ZENworks agent (11.4.2)
Users in this scenario are coming from eDirectory.

If I log in to Server01 or Server02 directly, DLU works fine. If I try to log in to the farm name (log in to the Broker and then get forwarded to the least loaded session host), I have to log in twice.
The first login is for the Broker, the second one for the session host used.

Is there any configuration / solution to avoid the double login?
Without ZEN/DLU and Standard Windows Domain Accounts all works fine.

Thx and regards,
Ramon
Micro Focus Expert

Re: Double Login with DLU and Windows 2012 R2 RDS Farm

I'm not 100% sure how the Broker to RDP Session info is forwarded, but I suspect this is simply a limitation of how the Broker Service works.
To actually work, the Broker would actually need to send the actual UserID and Password to allow for ZCM LDAP Authentication, which it likely does not even have access to.
It is probably passing some type of AD Security Tokens, which is why it requires all of the servers to be in AD to work.


It "MIGHT" be possible to get this to work if the ZCM User Source was configured to use "Kerberos"; this may bypass the issue.
I would strongly recommend AGAINST just enabling this in your production zone.
It is often a little tricky to get working and it is best not to play with this in prod until you get it working in the lab.

With Kerberos, AD Security Tokens are used for auth vs LDAP auth.
I have no clue if this will help but it MIGHT.
If you have a lab setup and this helps, then you can consider doing it in prod.

Kerberos does work well with ZCM, it is just tricky getting all of the details set up correctly the 1st time out.
If you get your lab working, putting into prod should not be an issue.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Micro Focus Expert

Re: Double Login with DLU and Windows 2012 R2 RDS Farm

Note: There is a fix coming around for an issue with RDP and Double Logins if the ZCM Credential Provider is Disabled. Wonder if that could impact this? My guess is a fix would still require Kerberos, but not sure since I don't have this setup for testing.