Enterprise Mobility and Security Blog



This article discusses some significant improvements achieved in Windows Server® 2008 related to redirecting connections in a TS Farm.

Understanding the terminology:

Terminal Services Session Broker (TS Session Broker) is a role service in Windows Server® 2008 that allows a user to reconnect to an existing session in a load-balanced terminal server farm. TS Session Broker stores session state information that includes session IDs and their associated user names, and the name of the server where each session resides.

Credential Security Service Provider (CredSSP) is a new security service provider introduced in Windows Vista that enables an application to delegate the user’s credentials from the client (by using the client-side SSP) to the target server (via the server-side SSP). The Terminal Services client uses this feature to authenticate the user before further negotiation is done with the terminal server to start the session.

Behavior before Windows Server® 2008:

Before Windows Server® 2008, when a terminal server in a farm received a connection request, it created a temporary session to authenticate the user and load user policies. If no local disconnected session was present, it queried the TS Session Broker to see if there was a disconnected session for the user on another machine in the SB farm. If a disconnected session was found, a redirection request was sent to the client to connect to the other server instead. The temporary session was then discarded.

The creation of the temporary session resulted in a significant delay in completing the connection, because a full logon occurred in that session. The user experience was also unpleasant, because the user saw two welcome screens: first for the temporary session and then again for the redirected session. The new technique addresses these drawbacks when a connection is made using the new Terminal Services client with CredSSP.

What changed in Windows Server® 2008:

In Windows Server® 2008, a new load balancing algorithm has been introduced to distribute the load amongst all the servers in the farm. This can increase the number of redirected connections in a Windows Server® 2008 TS farm, hence making it more important to address the drawbacks with redirection.

A new technique was introduced to improve the redirection scenario in Windows Server® 2008. When CredSSP is used, the user credential is available even before a temporary session is created. The new technique uses the credentials (user name and domain name) provided by CredSSP, together with the initial program available at that point, to load the user profile. It then uses the same credential to query for a disconnected session in the SB farm, if the machine is in a farm. If a disconnected session is found on another machine in the farm, it immediately sends a redirect packet to the client, and the client subsequently connects to the redirected server. Hence no temporary session is created before the connection is redirected.
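The two connection flows described above (temporary session plus full logon before Windows Server® 2008, versus CredSSP credentials checked and the Session Broker queried before any session exists) can be modelled as a small simulation. This is an added illustration, not Microsoft's code; the class names, the `credssp` flag and the password check are assumptions, and the broker's session table is constructed sample data.

```python
# Added model of the redirection flow (not Microsoft's code); names assumed.
from dataclasses import dataclass, field

@dataclass
class Session:
    session_id: int
    user: str              # DOMAIN\user, as supplied by CredSSP or the logon
    server: str
    disconnected: bool = True

@dataclass
class SessionBroker:
    """Stores session IDs, their user names and the server holding each."""
    sessions: dict = field(default_factory=dict)   # session_id -> Session

    def find_disconnected(self, user):
        for s in self.sessions.values():
            if s.disconnected and s.user.lower() == user.lower():
                return s
        return None

@dataclass
class TerminalServer:
    name: str
    broker: SessionBroker
    temp_sessions: int = 0     # temporary sessions this server had to build
    next_id: int = 100

    def authenticate(self, user, password):
        return password == "correct-horse"   # constructed stand-in for domain auth

    def handle_connect(self, user, password, credssp):
        """Return ("denied"|"redirect"|"local", detail) for one connection."""
        if not credssp:
            # Pre-2008 path: the client is still unauthenticated, so a temporary
            # session is created and the full logon runs inside it.
            self.temp_sessions += 1
        if not self.authenticate(user, password):
            return ("denied", None)   # with CredSSP, no session was ever built
        existing = self.broker.find_disconnected(user)
        if existing and existing.server != self.name:
            return ("redirect", existing.server)   # redirect packet to client
        if existing:                               # reconnect local disconnected one
            existing.disconnected = False
            return ("local", existing.session_id)
        new = Session(self.next_id, user, self.name, disconnected=False)
        self.next_id += 1
        self.broker.sessions[new.session_id] = new
        return ("local", new.session_id)
```

The `temp_sessions` counter makes the cost visible: with CredSSP a failed authentication or a redirect leaves the server with no session to tear down, whereas the legacy path pays for a temporary session either way.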

Benefits of the changes in Windows Server® 2008:

Security improvements – The use of CredSSP provides enhanced security for terminal servers against rogue clients. With this feature, clients need to authenticate even before the connection sequence is completed and a session is created for the user.

Performance optimization – The new technique removes the expensive process of creating a temporary session if a disconnected session is already available in a farm. This helps improve the redirection performance significantly in terms of time to connect and CPU utilization on the server.

Experiments performed in our lab show significant performance improvements in terms of CPU utilization.

Fig 1 CPU utilization for a single redirected connection: (a) Before Optimization, (b) After Optimization

Fig 2 CPU utilization for a burst of redirected connections: (a) Before Optimization, (b) After Optimization

Improved customer experience – In addition to providing a performance improvement, the new technique also helps deliver a better user experience in a redirection scenario. This is primarily because the user no longer sees two sessions, one on the first server (the temporary session) and one on the redirected server. Instead, they see only the final session after redirection occurs.