We have 3 servers with Windows 2019
- RDS Broker
- RDS production 1 (RDSPROD1)
- RDS production 2 (RDSPROD2)
When a user logs in, I sometimes see 2 events with ID 787 (Session added to Broker's database).
This seems to appear randomly. It seems to work fine, but why is the user logged in on both RDS servers?
Thanks
Eric
Logging of the RDS broker and the RDS production
15:35:40 event id 800
RD Connection Broker received connection request for user Company\Jan_klassen.
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.Farm
Initial Application = rdpinit.exe
Call came from Redirector Server = RDSPROD01.Company.local
Redirector is configured as Farm member
15:35:40 event id 801
RD Connection Broker successfully processed the connection request for user Company\Jan_klassen. Redirection info:
Target Name = RDSPROD02
Target IP Address = 172.18.1.42
Target Netbios = RDSPROD02
Target FQDN = RDSPROD02.Company.local
Disconnected Session Found = 0x0
15:35:42 event id 787
Session for user Company\Jan_klassen successfully added to RD Connection Broker's database.
Target Name = RDSPROD01.Company.local
Session ID = 83
Farm Name = Farm
Logging from RDSPROD01 at 15:35:40 (LOGON)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-11-04T14:35:40.235764500Z" />
<EventRecordID>275710</EventRecordID>
<Correlation ActivityID="{1988fb79-a670-4c76-a8c0-da5c1d4de9fa}" />
<Execution ProcessID="772" ThreadID="6984" />
<Channel>Security</Channel>
<Computer>RDSPROD01.Company.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">RDSPROD01$</Data>
<Data Name="SubjectDomainName">Company</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-3846798733-3702352576-2825182466-4644</Data>
<Data Name="TargetUserName">Jan_klassen</Data>
<Data Name="TargetDomainName">Company</Data>
<Data Name="TargetLogonId">0xf9acc67</Data>
<Data Name="LogonType">10</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">RDSPROD01</Data>
<Data Name="LogonGuid">{5be63291-ba10-f2ee-50fa-3fb6b978cb9d}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0xaf4</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">172.18.8.44</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">%%1843</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1843</Data>
</EventData>
</Event>
Logging from RDSPROD01 at 15:36:06 (LOGOFF)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-11-04T14:36:06.183127300Z" />
<EventRecordID>275719</EventRecordID>
<Correlation />
<Execution ProcessID="772" ThreadID="8780" />
<Channel>Security</Channel>
<Computer>RDSPROD01.Company.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserSid">S-1-5-21-3846798733-3702352576-2825182466-4644</Data>
<Data Name="TargetUserName">Jan_klassen</Data>
<Data Name="TargetDomainName">Company</Data>
<Data Name="TargetLogonId">0xf9a6fe6</Data>
<Data Name="LogonType">3</Data>
</EventData>
</Event>
15:35:44 event id 787
Session for user Company\Jan_klassen successfully added to RD Connection Broker's database.
Target Name = RDSPROD02.Company.local
Session ID = 33
Farm Name = Farm
Logging from RDSPROD02 at 15:35:40 (LOGON)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-11-04T14:35:40.989865800Z" />
<EventRecordID>266908</EventRecordID>
<Correlation ActivityID="{89e56de0-5d37-46e7-8789-9146aef131f8}" />
<Execution ProcessID="796" ThreadID="9740" />
<Channel>Security</Channel>
<Computer>RDSPROD02.Company.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-3846798733-3702352576-2825182466-4644</Data>
<Data Name="TargetUserName">Jan_klassen</Data>
<Data Name="TargetDomainName">Company.LOCAL</Data>
<Data Name="TargetLogonId">0xf07fb08</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="LogonGuid">{d3747de3-5cb2-9e00-896e-c24e1490b56c}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">172.18.1.41</Data>
<Data Name="IpPort">54615</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1843</Data>
</EventData>
</Event>
15:35:44 event id 818
This connection request has resulted in a successful session logon (User successfully logged on to the end point). Remote Desktop Connection Broker will stop monitoring this connection request