Remote Desktop users may be connected to a different session than expected if the session is initiated using the same logon credentials


Symptoms


Consider the following scenario:

· Server1 is running the Windows Server 2008 Remote Desktop Services role and is configured to allow each user to have more than one concurrent remote desktop session

· Contoso\User1 connects to a Windows Server 2008 Remote Desktop Services session on Server1 from Contoso\Workstation1

· Contoso\User1 closes the Remote Desktop Services session window, leaving the session in a disconnected state

· Contoso\User1 connects to a Remote Desktop Services session on Server1 from Contoso\Workstation2

Rather than receiving a new session, User1 is connected to their previous session that had been initiated from Workstation1.  If two people share the same Windows user logon account, then this may result in a person being reconnected to another person’s disconnected session.

Cause


This behavior is by design. Windows uses the logon account name to determine which session or sessions belong to a specific person. In the case of a shared user account, the security identifier (SID) presented at each logon would be the same, and no indication would be available that the logons came from two different persons. Sharing the same security account between people is not recommended, as it does not allow for effective auditing or assignment of granular resource permissions.

Resolution


To ensure a consistent one-to-one mapping of a user logon to the desired Remote Desktop Services session, assign each person a unique Windows user logon ID. The use of shared user IDs is not recommended.
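
To find accounts that are affected before assigning unique IDs, the following added example (not part of the original article) reports reconnections where a disconnected session is picked up from a different source address than the one that last held it. It assumes the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log is available on the server and that its events 21, 23 and 25 carry User, SessionID and Address fields; the function name and the sample records are constructed for illustration.

```powershell
# Added example. Event IDs and field names are assumptions about the
# TerminalServices-LocalSessionManager/Operational log:
#   21 = session logon, 23 = session logoff, 24 = disconnect, 25 = reconnection.
function Find-CrossHostReconnect {
    param([Parameter(Mandatory)] [object[]] $Events)

    $lastSource = @{}   # "user|sessionId" -> address that last held the session
    $sorted = $Events | Sort-Object TimeCreated
    foreach ($e in $sorted) {
        $key = '{0}|{1}' -f "$($e.User)".ToLowerInvariant(), $e.SessionId
        switch ($e.Id) {
            21 { $lastSource[$key] = $e.Address }
            23 { $lastSource.Remove($key) }   # logoff: the session ID may be reused later
            25 {
                if ($lastSource.ContainsKey($key) -and $lastSource[$key] -ne $e.Address) {
                    [pscustomobject]@{
                        Time      = $e.TimeCreated
                        User      = $e.User
                        SessionId = $e.SessionId
                        OldSource = $lastSource[$key]
                        NewSource = $e.Address
                    }
                }
                $lastSource[$key] = $e.Address
            }
        }
    }
}

# Constructed sample records (documentation addresses) mirroring the scenario above:
# User1 logs on from one workstation, disconnects, and the session is resumed from another.
$t0 = Get-Date '2024-01-01T09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;                Id = 21; User = 'CONTOSO\User1'; SessionId = 2; Address = '192.0.2.10' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); Id = 24; User = 'CONTOSO\User1'; SessionId = 2; Address = '192.0.2.10' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(45); Id = 25; User = 'CONTOSO\User1'; SessionId = 2; Address = '192.0.2.20' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(50); Id = 21; User = 'CONTOSO\User2'; SessionId = 3; Address = '192.0.2.30' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(70); Id = 25; User = 'CONTOSO\User2'; SessionId = 3; Address = '192.0.2.30' }
)
Find-CrossHostReconnect -Events $sample | Format-Table -AutoSize

# Live collection on the server (same assumed log and field names):
# $live = Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' |
#     ForEach-Object { $x = ([xml]$_.ToXml()).Event.UserData.EventXML
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; User = $x.User
#                            SessionId = $x.SessionID; Address = $x.Address } }
```

One person moving between two workstations produces the same record as two people sharing an account, so each result is a prompt to confirm whether the account is shared rather than proof that it is.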

More Information


The behavior described in this article also applies to Citrix ICA sessions that authenticate using Windows logon credentials.