In the old days of XenApp, the XenApp servers were TS\RDS servers as well – this has not changed. What has changed is the mechanism for controlling connections to sessions on the server – they are now brokered by the Delivery Controller. Previously, if you wanted to allow users to connect you needed to grant the ‘Citrix Users’ group (or Domain Users if everyone used Citrix) the ‘Allow logon locally’ and ‘Allow logon via terminal services’ rights.
You will find that things have changed in XenApp 7.x and this one simple change is not well documented. In addition to the above rights, you now need to add users to the ‘Direct Access Users’ – a new local group on the XenApp servers. The description explains:
Members in this group are granted the right to logon remotely directly without a brokered connection
When a user attempts to connect via RDP to a XenApp 7.x VDA server, the connection will appear to succeed – then after about 5 seconds, the blue background ‘Welcome’ screen will simply disappear. There will be NOTHING in the event logs, no error pop-up window…nothing.
You may also be tempted to enable the HDX policy for allowing users to launch desktop sessions – but the problem is with plain RDP…looks like the VDA is controlling all remote connections.
Dear Citrix: Please give us some error message stating that the connection is denied.
Thank you very much. Poor Citrix Documentation on this.
Worked perfectly!
UGH!!!!! I've been trying to figure this out for days. THANK YOU, THANK YOU, THANK YOU! I kept getting Event ID 40: Session has been disconnected, reason code 12. No real documentation on this at all.
Thanks for posting!
The problem this causes is that by adding users to the direct access group the RD connection broker gets bypassed for RDP connections and users log straight onto that server.
I need to be able to run both RDS and XenApp 7.6 on the same host while migrating users. Citrix have been no help in finding a solution to this.
Mike-
I can't say I've ever tried RDSessionBroker with XenApp – only seperately…but I don't really understand how the direct access users group would effect brokering connections? So it sounds like the direct access user group overrides RDSBroker redirections?
To be honest, I'm surprised Citrix even supports that configuration.
Where do you make this change at?
Previously, if you wanted to allow users to connect you needed to grant the ‘Citrix Users’ group (or Domain Users if everyone used Citrix) the ‘Allow logon locally’ and ‘Allow logon via terminal services’ rights.
I have updated the Direct Access and still have the issue where I get the Welcome screen and then it closes on me.
Kevin-
The ‘allow logon locally’ and ‘allow logon via TS’ rights are still valid – the new ‘Direct Access Users’ group on the XA VDA allows for non-admin and non-brokered connections to the machine. For example, an RDP connection by a regular user. If you have already added a group to the direct access users security group, then you may be having another issue.