Windows 2016 RDS event 1306 Connection Broker Client failed to redirect the user... Error: NULL


I'm attempting to set up a Windows 2016 RDS standard deployment for session hosting. The layout is as follows:
rds01 - RDS connection broker and web access
ts02 - RDS session host
ts03 - RDS session host

The domain these servers are part of has (1) Windows 2008 server and (2) Windows 2016 servers acting as DCs. The domain is running at the Windows 2003 functional level.

The servers are on a single routed network with no firewall between them. DNS and PTR records for the servers exist and resolve on the hosts. The servers can be pinged from each other. In other words, there are no network connectivity issues.

I've set up the RDS deployment several times with the same results.

The issue
I can log in via the RDWeb interface on rds01 from a Win10 desktop and connect to the published RDP desktop without issue (i.e. no error messages to the user) and no errors in the logs. When I try to RDP directly to rds01, I authenticate the user (per the event log) but get an error stating the user doesn't have access to the system. In the event log there is event ID 1306 with a message of "Remote Desktop Connection Broker Client failed to redirect the user <domain>\<test user>. Error: NULL".

<event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <system>
    <provider name="microsoft-windows-terminalservices-sessionbroker-client" guid="{2184b5c9-1c83-4304-9c58-a9e76f718993}" />
    <eventid>1306</eventid>
    <version>0</version>
    <level>2</level>
    <task>104</task>
    <opcode>13</opcode>
    <keywords>0x2000000000000000</keywords>
    <timecreated systemtime="2016-12-29t16:47:27.634726700z" />
    <eventrecordid>47</eventrecordid>
    <correlation activityid="{f4209120-29ed-44e4-845a-25a2570f0000}" />
    <execution processid="828" threadid="3668" />
    <channel>microsoft-windows-terminalservices-sessionbroker-client/operational</channel>
    <computer>rds01.[redacted.domain]</computer>
    <security userid="s-1-5-20" />
  </system>
  <userdata>
    <eventxml xmlns="event_ns">
      <param1>[redacted.domain]</param1>
      <param2>[redacted.user]</param2>
      <param3>null</param3>
    </eventxml>
  </userdata>
</event>


If I RDP to rds01 as administrator, I get the same error message, but the RDP session opens and presents the desktop on rds01.

I can RDP directly to ts02 or ts03, log in as the user, and open an RDP session. Redirection to a degree appears to be working, in that I can disconnect a user session on ts02 and RDP to ts03, and the session is redirected to ts02. The event logs on rds01 record this happening as well.

What I've tried already
1. In searching for the event 1306 issue, I found several posts with the exact same behavior in WS 2012/R2. The "solutions" suggested point to the fact that the RDS session broker doesn't have sufficient authority to read the users' AD group membership via the tokenGroupsGlobalAndUniversal attribute or the AuthzInitializeContextFromSid API function, which leverages the tokenGroupsGlobalAndUniversal attribute. (Example: https://social.technet.microsoft.com/forums/windowsserver/en-us/29733a87-dbda-47bc-8b37-6eeac5ab5a0a/2012-rds-nonadministrators-can-not-access-vdi-pool?forum=winserverts#97d883f1-7a64-4d02-9492-309638f92e79 )

The service is running as "Network Service", so it would have network access via the computer object's authority in AD. Following Microsoft's instructions (https://support.microsoft.com/en-us/kb/331951), I've added rds01 to both the Windows Authorization Access Group and Pre-Windows 2000 Compatibility Access groups and rebooted rds01, with the same results.

2. I've verified that the Windows Authorization Access Group has rights to read the tokenGroupsGlobalAndUniversal property/attribute on the test users and the computer objects of the servers.

3. I've set up an AD service account following Microsoft's instructions (https://support.microsoft.com/en-us/kb/842423) for the described access issue. The service account user was added to the Windows Authorization Access Group. This was unsuccessful, with the same event 1306 error.

4. I ran the following PowerShell commands to verify the access of the connection broker to the OU (https://technet.microsoft.com/en-us/library/jj215512.aspx#)

test-rdouaccess -domain [redacted.domain] -ou "computers" -connectionbroker rds01.[redacted.domain] -verbose


This failed, so I ran the following to grant access

grant-rdouaccess -domain watsons.local -ou "computers" -connectionbroker rds01.watsons.local -verbose 


Test-RDOUAccess succeeded.

I repeated this for the OUs that contained the users and the server computer objects.

I've disabled GPOs to ensure there are no conflicts, but have seen no change in behavior or error messages.

With that, I've exhausted every option I can find to resolve this error and gain the expected functionality. As a workaround for the moment, I've set up a round-robin DNS record that points to ts02 and ts03 with a short TTL. This gives test users the ability to log in and at least test desktop functionality.

Sorry for being long-winded, but I thought it better to put all the cards on the table.

I'm open to any and all suggestions.

Thx!

Hi,

For this problem, I have tested on Windows Server 2016.

If the RD Connection Broker does not redirect the session to an RDSH in a new RDS environment, you need to configure the default collection on the RDCB in the registry.

You should create a registry value DefaultTsvUrl under the path below, set to tsv://MS Terminal Services Plugin.1.<collection alias>, on the RDCB.

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings

For the value, you can find it in Event Viewer on the RDCB, as below.

note: should make before modifying registry.

Here is a similar thread below for your reference.

https://social.technet.microsoft.com/forums/en-us/09c884f3-5bad-4a30-b707-99ea02c50c63/rd-session-broker-will-not-work-with-desktop-sessions?forum=winserverts

Best regards,

Jay


Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
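
The registry change described in the answer above, as an added PowerShell example that is not part of the original thread. The function names, the placeholder alias `MyCollection`, the backup file location and the REG_SZ value type are assumptions; the key is exported before it is changed so it can be restored with `reg import`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run on the RD Connection Broker.
function Set-DefaultTsvUrl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Collection alias as shown in Event Viewer on the RDCB (placeholder in the call below).
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$CollectionAlias,
        # Assumed backup location for the exported key.
        [string]$BackupFile = (Join-Path $env:TEMP 'ClusterSettings-backup.reg')
    )
    $regPath = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'
    $keyPath = "Registry::$regPath"
    $value   = "tsv://MS Terminal Services Plugin.1.$CollectionAlias"

    if (-not (Test-Path $keyPath)) {
        throw "Key not found: $regPath (is this the RD Connection Broker?)"
    }

    # Show what is there now so the change is visible in -Verbose output.
    $current = (Get-ItemProperty -Path $keyPath -Name DefaultTsvUrl -ErrorAction SilentlyContinue).DefaultTsvUrl
    Write-Verbose "Current DefaultTsvUrl: $(if ($current) { $current } else { '<not set>' })"

    if ($PSCmdlet.ShouldProcess($regPath, "Set DefaultTsvUrl = $value")) {
        # Export the key first; abort if the backup cannot be written.
        & reg.exe export $regPath $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; nothing was changed." }

        # REG_SZ is assumed here. -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $keyPath -Name DefaultTsvUrl -PropertyType String -Value $value -Force | Out-Null
    }

    # Return what is stored after the call (unchanged when run with -WhatIf).
    (Get-ItemProperty -Path $keyPath -Name DefaultTsvUrl -ErrorAction SilentlyContinue).DefaultTsvUrl
}

# Recent event 1306 entries from the channel shown in the question, to compare before and after.
function Get-BrokerRedirectFailure {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational'
        Id      = 1306
    } -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Preview only; remove -WhatIf to apply. 'MyCollection' is a placeholder alias.
Set-DefaultTsvUrl -CollectionAlias 'MyCollection' -WhatIf -Verbose
Get-BrokerRedirectFailure
```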


