- This topic is empty.
May 4, 2015 at 6:17 pm #8538
I have spent the best part of last week trying to figure out a problem that’s just started happening across our environment as well as some of our clients environments. We are running a Windows Server 2012 R2 DC environment along with a single server for a Microsoft RDS connection broker with a 2012 R2 RDS session host environment. For the last 12 months our Wyse devices have been utilising the NTLM logon method and all has been working fine along with users being able to reset their passwords (via the Wyse logon prompt) when they expire.
I’ve noticed that within the last month our Wyse devices no longer prompt the user to change their password when the account’s password is set to expire in Active Directory they just fire back a message stating “RD Session Broker Sign-On Failed”. Since spotting the problem on our infrastructure I have checked out a few clients’ sites and over half have the same issue whereas the other half are working fine. I have spoken with Wyse who have checked over my config file and they say it should work, I have raised a case with Microsoft who were pretty useless and washed their hands as soon as I mentioned Wyse. I have been through each of the environments (Working/non-working) and compared the OS patch levels and made sure they are all running the latest updates, I have one site that works with the latest updates and another site that doesn’t work which also has the latest updates installed, all Wyse devices are running the latest versions. Over the last weekend I have been capturing Wireshark traces and from what I can see it appears that on the sites where the AD password expire doesn’t work the device logs in using KRB5 whereas on a site where the AD password expiring works the device logs in via SMB.
I’m hoping somebody on here has come across my problem before and can shed some light. I have escalated my case with Wyse now to see if I can hold of a developer.Here’s a screenshot of two traces, the top trace shows the device not using SMB to login whereas the second screenshot shows a device using SMB. https://lloydsbusiness-my.sharepoint.com/personal/alex_derbyshire_lloyds-ip_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=fnsiVOq330hRZX9B8A8M%2ffMXdfsFXKfvbldH5OFFqtw%3d&docid=031689ac9ed96488587476b6182a2b0dcMay 5, 2015 at 7:19 am #25521
Is the time set correctly on all devices?
CGMay 5, 2015 at 7:31 am #25524
Thanks for the reply, I have been down the path of making sure the time is set correctly. Originally it was way off but I set it to use the same time server and the problem still exists.May 5, 2015 at 9:12 am #25525
There must be a difference between the clients.
You have verified
– Firmware Version
– BIOS Version
– settings on the client
– settings on the server
– are working and non-working clients in the same subnet?
– are working and non-working clients connect to the same DC?
– does this happen to all user accounts or only some? Is it client or user dependent?
CGMay 5, 2015 at 10:06 am #25526
I have spent the last 5 days comparing one domain another and for the life of me i can’t figure out the difference, in answer to your points:
– Firmware Version – 8.0_510
– BIOS Version – N/A we are using Wyse T10’s
– settings on the client – Wyse have confirmed my config is correct and i have copied the exact config to the site where the function isn’t working
– settings on the server – The core servers DC & RDS are identical
– are working and non-working clients in the same subnet? – The clients are on the same subnet as the server infrastrucure
– are working and non-working clients connect to the same DC? No, i have two separate sites. One site works and the other doesn’t.
– does this happen to all user accounts or only some? Is it client or user dependent? – All user accounts.
I’m pretty certain that the problem is down to the Wyse (on the non working site, as seen in the first wireshark image) not using SMB for authentication. On the site where it works (seen in the second image) the Wyse can be seen logging onto Active Directory via SMB authentication which in turns prompts the user for a new password if expired.
I have been through the domain controller policies and they are exact.May 11, 2015 at 6:40 pm #25534
I have now spent quite a lot of time on this fault and i’m still no where closer to fixing it.
I have setup two test labs of the following:
Test Lab 1 – 1 x WS 2012 R2 Domain Controller, 1 x WS 2012 R2 RDS connection broker / rdweb & 1 x WS 2012 R2 RDS session host
Test Lab 2 – 1 x WS 2008 R2 Domain Controller, 1 x WS 2012 R2 RDS connection broker / rdweb & 1 x WS 2012 R2 RDS session host
In both of the above test labs, without any changes made to the initial setups my Wyse device says RD broker sign on failed when logging on with a user that has the AD account password set to expire.
I don’t suppose you could try the above in a test lab for me?May 13, 2015 at 12:58 pm #25536
I am at Synergy at the moment. Will check when I am back, OK?
CGMay 13, 2015 at 1:47 pm #25540
I’ve now built 4 test labs based on the above designs and each one doesn’t play ball with the password being set to expire in AD. Would be great to see how your lab goes and then working out what differences i have
Thanks for your help in this.
AlexMay 18, 2015 at 2:30 pm #25547
Can you post your wnos.ini?
CGMay 19, 2015 at 8:04 am #25548
Works perfectly fine for me.
CGMay 19, 2015 at 9:46 am #25549
I must be going crazy! Is there any chance you could run me through your lab environment? This might be cheeky but is there any chance of a remote session to your lab environment for me to compare alongside mine?
Here’s a link to my wnos.ini https://lloydsbusiness-my.sharepoint.com/personal/alex_derbyshire_lloyds-ip_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=ssPAZpnqhFb53vRmm%2b0gEohUYugYCAmJ%2b2uorIR%2bwU8%3d&docid=0bec37426a5c049848f95bd0bbabbf8b
AlexMay 19, 2015 at 10:20 am #25550
I cannot open your wnos.ini
CGMay 19, 2015 at 10:40 am #25551May 19, 2015 at 11:53 am #25552
Can you try with Domainlist=testlab4 instead of using the FQDN?
CGMay 19, 2015 at 12:04 pm #25553
Legend! That’s working perfect.
One to remember!
- You must be logged in to reply to this topic.