Why login on both RDS servers

Ontsnapt 21 Reputation points
2020-11-05T07:57:02.653+00:00

We have 3 servers with Windows 2019

  • RDS Broker
  • RDS production 1 (RDSPROD1)
  • RDS production 2 (RDSPROD2)

When a user logs in I sometimes see 2 events 787 (Session added to Broker's database).
This seems to appear randomly. It seems to work fine, but why is the user logged in on both RDS servers?

Thanks
Eric

Logging of the RDS broker and the RDS production

15:35:40 event id 800
RD Connection Broker received connection request for user Company\Jan_klassen.
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.Farm
Initial Application = rdpinit.exe
Call came from Redirector Server = RDSPROD01.Company.local
Redirector is configured as Farm member

15:35:40 event id 801
RD Connection Broker successfully processed the connection request for user Company\Jan_klassen. Redirection info:
Target Name = RDSPROD02
Target IP Address = 172.18.1.42
Target Netbios = RDSPROD02
Target FQDN = RDSPROD02.Company.local
Disconnected Session Found = 0x0

15:35:42 event id 787
Session for user Company\Jan_klassen successfully added to RD Connection Broker's database.
Target Name = RDSPROD01.Company.local
Session ID = 83
Farm Name = Farm

Logging from RDSPROD01 at 15:35:40 (LOGON)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-11-04T14:35:40.235764500Z" />
    <EventRecordID>275710</EventRecordID>
    <Correlation ActivityID="{1988fb79-a670-4c76-a8c0-da5c1d4de9fa}" />
    <Execution ProcessID="772" ThreadID="6984" />
    <Channel>Security</Channel>
    <Computer>RDSPROD01.Company.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">RDSPROD01$</Data>
    <Data Name="SubjectDomainName">Company</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-3846798733-3702352576-2825182466-4644</Data>
    <Data Name="TargetUserName">Jan_klassen</Data>
    <Data Name="TargetDomainName">Company</Data>
    <Data Name="TargetLogonId">0xf9acc67</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">RDSPROD01</Data>
    <Data Name="LogonGuid">{5be63291-ba10-f2ee-50fa-3fb6b978cb9d}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xaf4</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">172.18.8.44</Data>
    <Data Name="IpPort">0</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    <Data Name="RestrictedAdminMode">%%1843</Data>
    <Data Name="TargetOutboundUserName">-</Data>
    <Data Name="TargetOutboundDomainName">-</Data>
    <Data Name="VirtualAccount">%%1843</Data>
    <Data Name="TargetLinkedLogonId">0x0</Data>
    <Data Name="ElevatedToken">%%1843</Data>
  </EventData>
</Event>

Logging from RDSPROD01 at 15:36:06 (LOGOFF)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-11-04T14:36:06.183127300Z" />
    <EventRecordID>275719</EventRecordID>
    <Correlation />
    <Execution ProcessID="772" ThreadID="8780" />
    <Channel>Security</Channel>
    <Computer>RDSPROD01.Company.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3846798733-3702352576-2825182466-4644</Data>
    <Data Name="TargetUserName">Jan_klassen</Data>
    <Data Name="TargetDomainName">Company</Data>
    <Data Name="TargetLogonId">0xf9a6fe6</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>

15:35:44 event id 787
Session for user Company\Jan_klassen successfully added to RD Connection Broker's database.
Target Name = RDSPROD02.Company.local
Session ID = 33
Farm Name = Farm

Logging from RDSPROD02 at 15:35:40 (LOGON)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-11-04T14:35:40.989865800Z" />
    <EventRecordID>266908</EventRecordID>
    <Correlation ActivityID="{89e56de0-5d37-46e7-8789-9146aef131f8}" />
    <Execution ProcessID="796" ThreadID="9740" />
    <Channel>Security</Channel>
    <Computer>RDSPROD02.Company.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-21-3846798733-3702352576-2825182466-4644</Data>
    <Data Name="TargetUserName">Jan_klassen</Data>
    <Data Name="TargetDomainName">Company.LOCAL</Data>
    <Data Name="TargetLogonId">0xf07fb08</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="LogonGuid">{d3747de3-5cb2-9e00-896e-c24e1490b56c}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.18.1.41</Data>
    <Data Name="IpPort">54615</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    <Data Name="RestrictedAdminMode">-</Data>
    <Data Name="TargetOutboundUserName">-</Data>
    <Data Name="TargetOutboundDomainName">-</Data>
    <Data Name="VirtualAccount">%%1843</Data>
    <Data Name="TargetLinkedLogonId">0x0</Data>
    <Data Name="ElevatedToken">%%1843</Data>
  </EventData>
</Event>

15:35:44 event id 818
This connection request has resulted in a successful session logon (User successfully logged on to the end point). Remote Desktop Connection Broker will stop monitoring this connection request
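
An added example, not part of the original post: a small Python triage of exported Security events that separates RemoteInteractive (type 10) logons from Network (type 3) logons per host and flags 4634 logoffs whose logon ID matches no listed 4624. The sample events are trimmed copies of the three posted above; the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {"3": "Network", "10": "RemoteInteractive"}

def make_event(eid, computer, data):
    # Build a trimmed event in the Security-log XML layout (only fields used here).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

# Trimmed copies of the three Security events posted above.
SAMPLE = [
    make_event(4624, "RDSPROD01.Company.local", {"TargetUserName": "Jan_klassen",
        "TargetLogonId": "0xf9acc67", "LogonType": "10", "IpAddress": "172.18.8.44"}),
    make_event(4634, "RDSPROD01.Company.local", {"TargetUserName": "Jan_klassen",
        "TargetLogonId": "0xf9a6fe6", "LogonType": "3"}),
    make_event(4624, "RDSPROD02.Company.local", {"TargetUserName": "Jan_klassen",
        "TargetLogonId": "0xf07fb08", "LogonType": "3", "IpAddress": "172.18.1.41"}),
]

def parse(xml_text):
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    rec["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    rec["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return rec

def summarize(events):
    """Per host: logons by type, and logoffs whose logon ID matches no listed logon."""
    recs = [parse(x) for x in events]
    logons = {(r["Computer"], r["TargetLogonId"]) for r in recs if r["EventID"] == "4624"}
    out = defaultdict(lambda: {"logons": [], "unmatched_logoffs": []})
    for r in recs:
        kind = LOGON_TYPES.get(r["LogonType"], r["LogonType"])
        key = (r["Computer"], r["TargetLogonId"])
        if r["EventID"] == "4624":
            out[r["Computer"]]["logons"].append((kind, r["TargetLogonId"], r["IpAddress"]))
        elif r["EventID"] == "4634" and key not in logons:
            out[r["Computer"]]["unmatched_logoffs"].append((kind, r["TargetLogonId"]))
    return dict(out)

def interactive_hosts(events):  # hosts with a RemoteInteractive (type 10) logon
    return sorted(h for h, s in summarize(events).items()
                  if any(k == "RemoteInteractive" for k, _, _ in s["logons"]))

if __name__ == "__main__": print(summarize(SAMPLE))
```

On the posted events, the 4634 on RDSPROD01 carries a different TargetLogonId than the type 10 logon, so it is reported as an unmatched Network logoff rather than the end of the RDP session.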


2 answers

  1. Karlie Weng 15,196 Reputation points Microsoft Vendor
    2020-11-06T06:11:33.553+00:00

    Hey @Ontsnapt

    If the user logs in on both servers, do they need to enter credentials twice?

    When a user has an existing session, the connection broker redirects the client to the session host. If a user without an existing session connects to an RD session host in the farm, the user will be redirected to the RD session host server with the fewest sessions.

    Best Regards
    Karlie


  2. Karlie Weng 15,196 Reputation points Microsoft Vendor
    2020-11-11T09:03:32.94+00:00

    Hello @Ontsnapt

    Does this happen to all the connections, or only a specific user/group?

    Can restricting the RDS users to a single session solve this problem?

    Policy path: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections

    Hope this helps!

    Best regards
    Karlie