question

BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 asked BenjaminGrussonLacoste-7862 answered

Another user connected to the remote computer Windows Issue on Remote

Hello,

We are currently in a very strange case where our users (Windows 20H2) connect via FortiClient to our infrastructure to access their PC remotely via RDP. Here some users have disconnections indicating that another user has logged in with their session.

Settings have been done like this:

38342-2020-11-04-09-58-07-sent-items-benjamingrusson-lac.png

Also by regrets we have withdrawn the UDP to be fully.

Even with this we have cuts knowing that these users are the only ones to use their workstation.

Do you have an idea about this ?

Thank you in advance.

Benjamin


windows-group-policyremote-desktop-client
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

KarlieWeng-MSFT avatar image
0 Votes"
KarlieWeng-MSFT answered

Hello Benjamin @BenjaminGrussonLacoste-7862

1.Does this happen to all the connections or specific user/group?

2.Desktop OS only supports one RDP connection at a time, be in physically local at the machine or remote session protocol. Is it possible there is an old connection still there, that didn't disconnect correctly?

You could check the Event Viewer Security logs (Windows Logs > Security). It should log when someone/something logs into the computer.
Or
Event Viewer - Applications and Services Logs, Microsoft, Windows, TerminalServices-RemoteConnectionManager, Operational

3.Is it possible that two users are using the same username? or another person is mistakenly logging in.

4.Are they connecting to a VPN first? If so, it maybe be a timeout policy there.



If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best Regards
Karlie




5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 answered KarlieWeng-MSFT edited

Hello Karlie,

Thank you for your answer.

  1. Only to a specific group actually. 5/6 out of 30 in remote. Strange things actually is that we have same setup for all PCs, Users, VPN configuration. So last impact might due to the internet connection of the user but here you might just get a message saying that RDP drop and attempting to reconnect. Unfortunately, you directly get something that make no sense for me where user has been disconnected by themselves.

  2. Good transition actually where user are only in remote. So that where it's hard to understand.

  3. Login are unique and known also by user.

  4. VPN looks fine from what we have. Moreover timeout disconnection are not occuring at all because VPN stay on the whole time + this situation is not generalized.

Here the Event of the security log. We have indeed a logoff but I'm not sure if it helps. Maybe you have a better picture on this than me.
[38688-event.xml][1]
Thank you in advance for your help.

Best,
Benjamin

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 answered

Karlie,

I managed to find something that could help on this but in the event log we have like 3 events that correspond to the disconnection and it happens always in the following:
- Event 4624: Logon of the PC it self (Ex: PC105 account name) with logon type = 5 with C:\Windows\System32\services.exe
- Event 4672: Special logon of the System account
- Event 4634: Logon off of the user with logon type = 3

From this link: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634, logon type 3 correspond to a Network title where "A user or computer logged on to this computer from the network." And to me the important element is computer where the computer connects to "itself" and disconnect the user. But still I'm not sure to get why the PC itself need to connect.

Hope I have something relevant that could help you.

Best,
Benjamin










5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

KarlieWeng-MSFT avatar image
0 Votes"
KarlieWeng-MSFT answered

Hi Benjamin@BenjaminGrussonLacoste-7862

  1. Is the disconnection occurred when the user try to log on or during the remote session ?

  2. Is it possible that affected users have installed some third party software cause this problem , like this thread suggest.

  3. Under event 4624, can you identify who is logging (Windows user ID) in around the time users are being kicked out.

Administrator can run Enter-PSSession cmd from any pc from worksations to query the issued PC if there's still old connection.

Enter-PSSession

You could also try make below setting:

38879-image.png


Keep me posted how it goes.

Thank you and have a great day!



If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best Regards
Karlie



image.png (320.5 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 answered KarlieWeng-MSFT commented

Hello Karlie,

Thank you for your feedback.

  1. This happens during remote at a random time.

  2. User can't install third party software
    Here is the software installed

7-Zip 18.05 (x64)
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Acrobat Reader DC
Belarc Advisor 8.5a
Citrix Receiver 4.12
Dell Command | Update
DesktopControl
ESET Endpoint Antivirus
ESET Management Agent
Google Chrome
Greenshot 1.2.10.6
Intel(R) Management Engine Components
Intel(R) Network Connections Drivers
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
Intel(R) Wireless Bluetooth(R)
Intel® PROSet/Wireless Software
Java 8 Update 181
Java 8 Update 181 (64-bit)
Java SE Development Kit 8 Update 181
KeePass Password Safe 2.40
LGT Class E-Banking CH
Logitech Options
MariaDB ODBC Driver
Microsoft 365 Apps for business - en-us
Microsoft Edge
Microsoft Edge Update
Microsoft OneDrive
Microsoft OneDrive
Microsoft Silverlight
Microsoft Teams
Microsoft Teams
Microsoft Update Health Tools
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
Mozilla Firefox 63.0.3 (x64 en-US)
MySQL Connector/ODBC 5.3
MySQL Workbench 6.3 CE
Notepad++ (32-bit x86)
PuTTY release 0.70 (64-bit)
Realtek Audio COM Components
Realtek High Definition Audio Driver
Rocket.Chat 3.0.2
Skype version 8.63
Teams Machine-Wide Installer
Update for Windows 10 for x64-based Systems (KB4023057)
VLC media player
Windows 10 Update Assistant
WinSCP 5.17.7
Zoom

  1. Here on the Users Account, only the user assigned to the PC can loggin

Thank you for your help.

Best,
Benjamin



· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

hi Benjamin

Here are some related workarounds you may try:

https://theitbros.com/win-server-2008-multiple-rdp-sessions/
https://serverfault.com/questions/847624/suppress-message-your-remote-desktop-services-session-has-ended

I hope this will help!

(Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.)

Best Regards
Karlie

0 Votes 0 ·
BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 answered KarlieWeng-MSFT commented

Hi Karlie,

Currently one of the user is on the PC105. Regarding your links, the first fSingleSessionClient registry key is at 1 and the rest of the Local Group Policy was already set like the link.
So as a test, we switched this user to another PC (PC128 and no issue, smooth rdp session) and strange fact, registry key fSingleSessionPerUser is at 1 too and Policy are not even set. So I'm not sure if these are the key to this.

Another thing is that when we saw logoff event from the viewer in PC105 (c.f attached here), we see that logon from PC105 is done with several services launched (services.exe or svchost.exe) which directly cause the logoff of the user. Here these type of event never appears on PC128 (where the user is not disconnected). Is there a way to disable these event to occur because it looks like it might be our solution.

[40058-failevent.xml][1]
[40065-failevent2.xml][2]
Thank you for your help.

Best,
Benjamin

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hey Benjamin,

I think you may need to use process monitor to confirm which program or services caused this logoff.

Note not to leave private information here.

Keep me posted how it goes. Thank you and have a great day!


Thank you
Karlie

0 Votes 0 ·
BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 answered KarlieWeng-MSFT commented

Hello Karlie,

Thank you for this tools actually. It looks fantastic.
Actually at this point, how to know which process might cause the logoff and for what reason ? Can you please give me more details on how to use this tool ?

Thank you for your help.

Best,
Benjamin

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.


a.Open Process Monitor, Press “Ctrl+E”, then press “Ctrl+X” to clean the current data. 
b. Press “Ctrl+E” to start process monitor
c. Reproduce the issue
d. After entering “command” in search box without search result, press “Ctrl+E”  to stop tracing, and press “Ctrl+S” to save the log.
e. Select “All Events” and in PML format when saving.
f. please note the detail time of clicking on startmenu


Then you need to read from PML file, there will be a lot of process recorded (thousands), and this take quite long time to find out which one caused this problem.

0 Votes 0 ·
BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 answered

Hello Karlie,

I managed to get a user disconnection message but to be frank, I don't where and what to search for. Can I give you the saved log so you can take a look ?
Maybe actually do you what is the process that initiate the logoff of the user ?

Thank you in advance for your help.

Best,
Benjamin

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 answered

Hello Karlie,

Do you have any update for me ?

Thank you in advance for your help.

Best,
Benjamin

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BenjaminGrussonLacoste-7862 avatar image
0 Votes"
BenjaminGrussonLacoste-7862 answered

Hello Karlie,

I'm getting back to you where I'm not finding anything relevant to me at this point.

Do you have any input for me ?

Thank you in advance for your help.

Best,
Benjamin

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.