I have an environment that is exploding into about 3000+ virtual Windows 7 PCs across 14 Windows 2008R2 and Windows 2012R2 clusters, with users sitting at Wyse thin clients running Win7e. We were using the connection broker in Windows 2008R2, but that was a pain, and when we started upgrading to Windows 2012R2 server to host the virtual PCs the broker changed. In general Microsoft's brokers didn't work too well, especially if a cluster member crashed (Win2008R2) and all the VMs abandoned ship: the broker did not know who was hosting the VMs now and you'd get errors trying to connect...
We designed our own broker: a simple webpage that asks the user their username and looks it up in the tsMSPrimaryDesktop field, like Windows 2008R2's connection broker used to. This is also the field under the Personal Virtual Desktop tab in AD Users and Computers. Since we just use the hostname of the virtual PC, it works across all the clusters no matter the version. The webpage does some other stuff like pinging your virtual to make sure it's online, seeing if the user account is locked, etc., but in general it then simply generates an .RDP file (with our preset settings), sticks the PC name in the "full address" line and also drops the username supplied previously into the "username" line (why ask the user twice?).
The problem is the "Publisher of this remote connection can't be identified" popup. This entire environment is a closed network, with NO internet access whatsoever.
I've seen articles talking about using certificates to sign the RDP files and such, but I have ONE .RDP that is "generated" on the fly, called GOTOMYPC.RDP. This .RDP actually contains simple ASP code, and the IIS server is told to run *.RDP files through the ASP compiler, so when the user's thin client sees it, it knows the default app for an .RDP file is MSTSC.
Can't I just set a setting in the registry on the thin clients saying that we don't care, don't check for certificates or whatever? Similar to the way you can tell IE "Don't do certificate revocation checks", etc. Making 3000 RDP files that are signed does not seem like a logical solution.
-------------------- Joe O'Bremski
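Added example for this thread (not the poster's code, and not the ASP page described above): a PowerShell version of the two client-side knobs that remove the "publisher of this remote connection can't be identified" prompt, plus a PowerShell stand-in for the broker's .RDP generation and a signing step, so the trade-off between the two approaches can be seen in code. Assumptions, labelled in the comments: the registry values are the ones written by the Remote Desktop Connection Client group policies "Allow .rdp files from unknown publishers" and "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers"; the hostname, username and RDP preset lines are constructed for illustration and are not the poster's presets; rdpsign.exe is the signing tool that ships with Windows 7 / 2008R2.

```powershell
# Added example, not the poster's code. The policy key and value names below are the
# ones written by the Remote Desktop Connection Client group policies (assumption
# stated in the lead-in); the RDP presets and sample names are constructed.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Ensure-PolicyKey {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
}

# Option A: the "don't check" switch the question asks about. mstsc on this client
# then opens unsigned .rdp files without the publisher prompt. Note that it applies
# to every .rdp file the client opens, not only the broker's GOTOMYPC.RDP.
function Set-RdpUnsignedFilePolicy {
    param([Parameter(Mandatory=$true)][ValidateSet('Allow','Block')][string]$Mode)
    Ensure-PolicyKey
    $value = if ($Mode -eq 'Allow') { 1 } else { 0 }   # 1 = open silently, 0 = block
    Set-ItemProperty -Path $PolicyKey -Name 'AllowUnsignedFiles' -Value $value -Type DWord
}

# Option B: keep the publisher check but trust the broker's signing certificate by
# SHA1 thumbprint. The value is a comma-separated list; append, don't clobber.
function Add-TrustedRdpPublisher {
    param([Parameter(Mandatory=$true)][string]$Sha1Thumbprint)
    Ensure-PolicyKey
    $thumb = ($Sha1Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($thumb.Length -ne 40) { throw "Not a SHA1 thumbprint: $Sha1Thumbprint" }
    $current = (Get-ItemProperty -Path $PolicyKey -Name 'TrustedCertThumbprints' `
                -ErrorAction SilentlyContinue).TrustedCertThumbprints
    $list = @($current -split ',' | Where-Object { $_ -ne '' })
    if ($list -notcontains $thumb) { $list += $thumb }
    Set-ItemProperty -Path $PolicyKey -Name 'TrustedCertThumbprints' -Value ($list -join ',') -Type String
}

# Broker side: write the per-user .RDP the way the ASP page does, filling in only
# "full address" and "username". Both values are rejected if they contain a line
# break, so whatever is typed into the username box cannot add its own settings
# lines (every .rdp setting is one "name:type:value" line).
function New-BrokerRdpFile {
    param(
        [Parameter(Mandatory=$true)][string]$VmHostName,
        [Parameter(Mandatory=$true)][string]$UserName,
        [Parameter(Mandatory=$true)][string]$OutFile
    )
    foreach ($v in @($VmHostName, $UserName)) {
        if ($v -match '[\r\n]') { throw "Refusing value containing a line break: $v" }
    }
    $lines = @(
        "full address:s:$VmHostName",
        "username:s:$UserName",
        'prompt for credentials:i:1',   # illustrative presets, not the poster's
        'redirectdrives:i:0',
        'redirectclipboard:i:1'
    )
    # mstsc saves its own files as UTF-16LE; write the same encoding.
    Set-Content -Path $OutFile -Value ($lines -join "`r`n") -Encoding Unicode
}

# Sign a generated file with rdpsign.exe. The signing certificate must be installed
# for the account running rdpsign; its SHA1 thumbprint is what Add-TrustedRdpPublisher
# pushes to the clients.
function Sign-RdpFile {
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$Sha1Thumbprint)
    & rdpsign.exe /sha1 $Sha1Thumbprint $Path
    if ($LASTEXITCODE -ne 0) { throw "rdpsign failed with exit code $LASTEXITCODE" }
}

# Usage (constructed names; run the first line elevated on a thin client, or deploy
# the same value by GPO):
#   Set-RdpUnsignedFilePolicy -Mode Allow
# or, to keep the check:
#   New-BrokerRdpFile -VmHostName 'VDI-PC-0042' -UserName 'CORP\jdoe' -OutFile 'C:\inetpub\rdp\GOTOMYPC.rdp'
#   Sign-RdpFile -Path 'C:\inetpub\rdp\GOTOMYPC.rdp' -Sha1Thumbprint '<broker cert thumbprint>'
#   Add-TrustedRdpPublisher -Sha1Thumbprint '<broker cert thumbprint>'   # on each client
```

Two points worth knowing before choosing. Option A is exactly the registry setting asked about and is a per-client policy, so it costs nothing on the broker side, but it turns the publisher check off for any .rdp file that client ever opens, which is a judgement call even on a closed network. Option B does not require 3000 stored files: the signature covers the settings in the file, including "full address", so the file is signed once per generation, after the two lines are filled in and before it is sent to the thin client, and the clients only need the one thumbprint.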