RDS 2012 R2 – RDWeb Access Private vs Public Computer option…

Hello World,

Today, again, we will be speaking about RDS 2012 R2 technology.  We will focus a little bit on the RDWeb Access server.  Some users were complaining (again) that their RemoteApp sessions were being disconnected at regular intervals.

In our previous post, we already talked about the inactivity GPO that locks user sessions after a specified amount of time.  We quickly checked this setting and noted that the feature was not enabled at either the domain level or the machine level.  So, we were quite sure that this setting was not causing the issue…

Step 1 – Identify the Problem

The first step in identifying the issue was to describe the problem.  Some users were complaining that they were disconnected (and not locked out) from the RemoteApp server.  So, we know (and have already checked) that the inactivity GPO is not causing the issue.

So, we had to check the configuration of the RDS infrastructure and ensure that the disconnection time settings were set according to the customer's request.  We opened the RDMS (Remote Desktop Management Services) console, went to the collections and checked the deployment settings (see screenshot below).

We can see that the default settings are still in place and that the disconnection time is set to never. Again, these settings are not causing the issue.

After some more investigation, we noticed that the disconnection occurred after around 20 minutes. This rang a bell: this is an RDS setting.  We asked some of the users encountering the issue to show us how they log into the RemoteApp web interface.

Step 2 – Fix the issue by educating users…

Issue Identified

If you are using form-based authentication in your RDS infrastructure, a user who wants to access the RemoteApp web page is presented with a login page (see screenshot below).

On this login page, the user can specify the security level by choosing between:

  • this is a public computer or
  • this is a private computer

A lot of users do not pay attention to these settings or do not understand them, even though there is a link that invites the user to read what the settings are used for.

Reading the explanation, you can see that choosing the Private option offers a longer period of inactivity for the user (4 hours actually).

So, the problem in our case was that users were logging in through the form-based authentication page with the default option selected (the Public option is selected by default), which gives them a period of inactivity of 20 minutes.  With the Public option selected, if the user does not perform any action, the session to the web page is cleared after 20 minutes, which in turn disconnects the RemoteApp session.

Possible Solutions

Option 1 – Educate users

To fix this issue, we actually have multiple possibilities. The first option would be to educate your users and ask them to use the Private option if they are working in a secure environment.  This can sometimes be challenging.

Option 2 – Modifying timeout settings

The other option would be to modify the disconnection time for the web page.  Go to the RD Web Access server (or servers if you have multiple ones), open the IIS Manager console and go to Web Sites > RDWeb > Pages.  In the right pane, locate the Application Settings and click on it.

You will see the settings you can modify to control the RDWeb Access interface.  Locate the private mode session and public mode session timeout options. The default values are:

  • Private mode : 240 minutes
  • Public mode : 20 minutes

You could decide to modify these settings to please the most difficult users and increase the timeout time when the public option is selected (which is the default).
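
The values shown under Application Settings in IIS Manager are stored in the Pages application's web.config, so they can be audited and changed from PowerShell on each RD Web Access server. The following is an added example, not part of the original post; it assumes the default path %windir%\Web\RDWeb\Pages\web.config and the appSettings keys PublicModeSessionTimeoutInMinutes and PrivateModeSessionTimeoutInMinutes, and the function names and the 240-minute upper bound are illustrative choices.

```powershell
# Added example: audit or change the RD Web Access form-login timeouts.
# Assumptions: default install path and the two appSettings key names below.
$script:DefaultConfig = Join-Path $env:windir 'Web\RDWeb\Pages\web.config'

function Get-RDWebTimeout {
    param([string]$ConfigPath = $script:DefaultConfig)
    [xml]$xml = Get-Content -LiteralPath $ConfigPath -Raw
    $keys = 'PublicModeSessionTimeoutInMinutes', 'PrivateModeSessionTimeoutInMinutes'
    foreach ($key in $keys) {
        $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
        [pscustomobject]@{
            Setting = $key
            # $null means the key is absent from this web.config
            Minutes = if ($node) { [int]$node.GetAttribute('value') } else { $null }
        }
    }
}

function Set-RDWebPublicTimeout {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Upper bound of 240 keeps the public timeout at or below the
        # private-mode default (illustrative policy choice).
        [Parameter(Mandatory)][ValidateRange(1, 240)][int]$Minutes,
        [string]$ConfigPath = $script:DefaultConfig
    )
    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).Path
    [xml]$xml = Get-Content -LiteralPath $fullPath -Raw
    $key  = 'PublicModeSessionTimeoutInMinutes'
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
    if (-not $node) { throw "$key not found in $fullPath" }

    $old = $node.GetAttribute('value')
    if ($PSCmdlet.ShouldProcess($fullPath, "Change $key from $old to $Minutes")) {
        # Keep a copy of the original file so the change can be rolled back.
        Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
        $node.SetAttribute('value', [string]$Minutes)
        $xml.Save($fullPath)
    }
}
```

Run `Get-RDWebTimeout` on every RD Web Access server in the deployment to confirm they carry the same values; `Set-RDWebPublicTimeout -Minutes 60 -WhatIf` previews the change without writing to the file.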

Option 3 – set private option as default…

We are also thinking of a third option, which would consist of modifying the code of the login web page so that the Private option is selected by default instead of the Public option.  In our case this would be a valid option, as all the users are working on computers located on the customer premises.  We think that this would be a better approach to please the most difficult users, and we would not be modifying the recommended settings used when public sessions are needed.

We will investigate whether this is a valid option and whether it is easy to implement…

Final Notes

And voilà! With this post, you will be able to explain the difference between the Public and Private options and have your users select the most appropriate option based on the context.

If your users are not willing to choose between these settings, you can always change the timeout values and increase the authorized period of inactivity.  We think that a better option (when working in a secure location) would be to modify the login page code in order to set “This is a private computer” as the default, so users do not have to bother about that feature and will not complain about the disconnection time.

Note also that even if we simplify the process for the users by modifying the login page code, educating them is extremely important as well.  Once they understand the difference between the Public and Private options and the risks associated with these settings, they will become more aware users, which will ease everybody's work.

Till next time

See ya

 
