Thursday, March 20, 2008

SBS2003 Remote Web Workplace, Console Access and That Awful /admin Change

OK, those of us that have worked with SBS2003 for quite some time tend to put Remote Web Workplace (RWW) right up there on our list of favourite SBS features.
The best feature I like is the pre-authenticated access to enable RDP proxy to the servers in the SBS network (although the use of port 4125 can be a pain behind some firewalls). The "Log on to or resume the console session of the remote computer" allows me to effectively remotely manage the server as though I was on site.

This is particularly useful when dealing with programs that require Session 0 - commonly known as console - access (for a concise description of terminal services history and session 0, see the Terminal Services Sessions: Then and Now article or the Wikipedia Terminal Services entry).
Over the last few months, I'd been finding that the Patch Tuesday reboots on the boxes I'd been RWW'ing to had resulted in hung systems, similar to what Susan Bradley's September 2006 blog entry records. Today, I saw the Ask the Performance Team's blog entry on The Reboot that Wasn't. This seemed to detail exactly what was going on with me, but I'd been enabling the "Log on to or resume the console session of the remote computer" option. So surely this wasn't my problem - or was it?
So I did some digging. I picked a Windows Vista RTM box, a Windows Vista SP1 box, a Windows Server 2003 SP2 box and a Windows Server 2008 box. I tried RWW'ing to my SBS 2003 box on each of them with the "Log on to or resume the console session of the remote computer" option set.
The results were as follows:
Windows Server 2003 Session 0
Windows Vista RTM Session 0
Windows Vista SP1 Session 1
Windows Server 2008 Session 1

What's going on here? Shouldn't that be Session 0 for all those RWW clients?
No, not exactly. The problem we're seeing here is that the Remote Desktop Client (version 6.1) found in Windows Vista SP1 and Windows Server 2008 has dropped the /console switch and replaced it with /admin. The description of this change can be found in MSKB 947723 and also at the following Terminal Services Team Blog entry (same entry as the KB article, but with user comments). This change also extends to the programmatic interfaces that RWW uses.
As I commented in the Terminal Services Team Blog entry, this change was unwarranted, as the /console switch could have been left alone and have the code handle graceful fallback from the security-enhanced console access in Vista SP1 and Windows Server 2008 to the Session 0 access in Windows XP and Windows Server 2003.
So, the Terminal Services team has broken console access from RWW. Doesn't say much for the QA process when an entire product feature that relies on the Remote Desktop Client isn't tested for regression.
So what can be done to mitigate this? Well, you can use something like CopSSH on the SBS box and ssh to it, then use an ssh tunnel to connect to the SBS box using RDP (a how-to guide can be found on this Remote Desktop and SSH page). Or you can allow direct RDP access to the SBS 2003 box, which is very useful if you're running the Premium Edition and using ISA Server as you can leverage the ISA Server lockdown mode - which means you get RDP access when ISA's in lockdown and you can also tighten up RDP access to a restricted set of computers when ISA's running normally. For Standard Edition, or non-ISA Premium Editions, RDP restriction should be done by your firewall device.
For a hardware solution, something like an iBoot remote power management device might be useful to help with those hang on shutdown problems.
Anyway, patching over RWW can be problematic - see the Repeat after me.... you don't patch over RWW blog entry and the Some months you can't patch over RWW blog entry for some reasons why patch over RWW is bad.

4 comments:

Gary Searle said...

Here is how to Fix.

Edit the file C:\InetPub\Remote\tsweb.aspx

find the line
MsRdpClient.AdvancedSettings2.ConnectToServerConsole = console

Add the 3 lines after it
if MsRdpClient.Version >= "6.0.6001" Then
MsRdpClient.AdvancedSettings6.ConnectToAdministerServer = console
end if

Now try it again from scratch & you will be able to logon.

Chris Knight said...

Hi Gary,

Thanks for this. Similar to what I posted on http://blog.chrisara.com.au/2008/08/fixing-sbs-2003-rww-for-console-access.html

Gary Searle said...

Hi Chris,

I wanted the solution to be easy to find. This page comes up 2nd in the list when you google "log on to or resume the console session of the remote computer". Since Microsoft released KB956744 on auto update, XP RDP clients now have this problem as well, so people will be looking for a solution.

Chris Knight said...

Hi Gary,

Thanks for the feedback. I wasn't sure if you'd seen my subsequent post.

Thanks for helping out!