RD Connection Broker Integration

Overview

RDSWeb Custom queries the RD Connection Broker to retrieve published RemoteApps and desktops for authenticated users. This is done via PowerShell and WMI (Windows Management Instrumentation).

How It Works

When a user logs in, the backend:

Authenticates the user against Active Directory
Executes a PowerShell script to query the RD Connection Broker
Retrieves published applications using the Win32_TSPublishedApplication WMI class
Returns the application list to the frontend

Configuration

Set the RD Connection Broker server in your .env file:

RDCB_SERVER=SRV-APPS.LAB-MH.LOCAL

RDCB_SERVER

string

required

Fully qualified domain name (FQDN) of the RD Connection Broker server.Example: rdcb.contoso.local

PowerShell Query

The backend executes this PowerShell command (see backend/src/services/rdcbService.js:84-90):

$apps = Get-WmiObject -Namespace "root\cimv2\TerminalServices" `
  -Class Win32_TSPublishedApplication `
  -ComputerName "SRV-APPS.LAB-MH.LOCAL" |
  Select-Object -Property Name, Alias, VPath, IconPath, FolderName

$apps | ConvertTo-Json -Compress

WMI Class: `Win32_TSPublishedApplication`

This WMI class exposes published RemoteApps with the following properties:

Property	Description	Example
`Name`	Application display name	`Microsoft Word 2019`
`Alias`	Internal application alias	`MSWORD`
`VPath`	Virtual path (launch path)	`\|\|MSWORD`
`IconPath`	Path to the application icon	`C:\Program Files\...`
`FolderName`	Organizational folder	`Microsoft Office`

Required Permissions

The Node.js backend service account (the Windows user running the Node process) needs these permissions:

1. WMI Namespace Permissions

Grant Read access to the root\cimv2\TerminalServices namespace:

Open Computer Management on the RD Connection Broker server
Navigate to Services and Applications > WMI Control
Right-click WMI Control > Properties
Go to the Security tab
Expand Root > CIMV2 > TerminalServices
Click Security
Add the service account and grant:
- Enable Account
- Remote Enable
- Read Security

2. DCOM Permissions

Enable remote DCOM access:

Run dcomcnfg.exe on the RD Connection Broker
Navigate to Component Services > Computers > My Computer
Right-click My Computer > Properties
Go to the COM Security tab
Under Access Permissions, click Edit Limits
Add the service account and grant Remote Access
Under Launch and Activation Permissions, click Edit Limits
Add the service account and grant Remote Launch and Remote Activation

3. Firewall Rules

Allow WMI through Windows Firewall:

# On the RD Connection Broker server
Enable-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)"

Or manually enable these rules:

WMI (DCOM-In)
WMI (WMI-In)

4. Local Security Policy

Ensure the service account is in one of these groups on the RDCB server:

Distributed COM Users
Remote Management Users

Application Mapping

The service maps WMI data to the frontend format (see backend/src/services/rdcbService.js:98-105):

const apps = appsArray.map((a) => ({
    alias: a.Alias,                  // Internal identifier
    name: a.Name,                    // Display name
    rdpPath: `||${a.Alias}`,         // RDP launch path
    iconIndex: 0,                    // Icon index (future use)
    remoteServer: config.rdcb.server, // RDCB FQDN
    folderName: a.FolderName || 'Aplicaciones', // Category
}));

Testing the Integration

Test PowerShell WMI access from the Node.js server:

# Run this on the Node.js backend server
$apps = Get-WmiObject -Namespace "root\cimv2\TerminalServices" `
  -Class Win32_TSPublishedApplication `
  -ComputerName "SRV-APPS.LAB-MH.LOCAL"

$apps | Select-Object Name, Alias, FolderName | Format-Table

If successful, you should see a list of published RemoteApps.

Error Handling

Error: “No se pudo contactar al RD Connection Broker”

This error occurs when the WMI query fails. Common causes:

Network Connectivity: Verify the RDCB server is reachable
```
ping SRV-APPS.LAB-MH.LOCAL
```
WMI Permissions: Check the service account has WMI access (see Required Permissions)
Firewall Rules: Ensure WMI traffic is allowed
PowerShell Execution Policy: Verify the backend server allows script execution
```
Get-ExecutionPolicy
# Should be RemoteSigned or Unrestricted
```

Timeout Issues

The WMI query has a 10-second timeout (see backend/src/services/rdcbService.js:93):

execSync(`powershell -NonInteractive -Command "..."`, {
    encoding: 'utf8',
    timeout: 10000  // 10 seconds
});

If queries consistently timeout:

Check network latency to the RDCB server
Reduce the number of published apps
Consider caching the application list

RD Gateway Configuration

If users connect through an RD Gateway, configure it in .env:

RDGATEWAY_HOSTNAME=rdgateway.lab-mh.local

This hostname is included in the RDP file generation (see frontend implementation).

Advanced: Remote Desktop Collections

For querying Remote Desktop collections (session-based desktops), use:

$collections = Get-WmiObject -Namespace "root\cimv2\TerminalServices" `
  -Class Win32_RDSHCollection `
  -ComputerName "SRV-APPS.LAB-MH.LOCAL"

$collections | Select-Object Name, Description | Format-Table

The current implementation in rdcbService.js:56-64 includes a SIMULATED_DESKTOPS array for desktop resources. You can extend the getAppsForUser function to query real desktop collections.

Security Considerations

Least Privilege Principle: The backend service account should have read-only access to WMI. Do not grant administrative privileges.

Recommendations

Dedicated Service Account: Use a separate account for WMI queries (not the AD service account)
Audit Logging: Enable WMI access logging on the RDCB server
Network Segmentation: Restrict WMI access to specific source IPs
Regular Review: Audit the service account permissions quarterly

Deployment Checklist

Create Service Account

Create a dedicated Windows user for the Node.js backend service

Grant WMI Permissions

Configure WMI namespace and DCOM permissions (see above)

Configure Firewall

Allow WMI traffic from the Node.js server to the RDCB server

Test Connectivity

Run the PowerShell test query from the Node.js server

Update .env

Set RDCB_SERVER to the Connection Broker FQDN

Restart Backend

Restart the Node.js service and check logs

Active Directory Setup - User authentication configuration
Security Best Practices - Secure your deployment
Simulation Mode - Test without a real RDCB

Get Started

Deployment

Features

Administration

RD Connection Broker Integration

Overview

How It Works

Configuration

PowerShell Query

WMI Class: `Win32_TSPublishedApplication`

Required Permissions

1. WMI Namespace Permissions

2. DCOM Permissions

3. Firewall Rules

4. Local Security Policy

Application Mapping

Testing the Integration

Error Handling

Error: “No se pudo contactar al RD Connection Broker”

Timeout Issues

RD Gateway Configuration

Advanced: Remote Desktop Collections

Security Considerations

Recommendations

Deployment Checklist

Build docs developers (and LLMs) love

Get Started

Deployment

Features

Administration

​Overview

​How It Works

​Configuration

​PowerShell Query

​WMI Class: Win32_TSPublishedApplication

​Required Permissions

​1. WMI Namespace Permissions

​2. DCOM Permissions

​3. Firewall Rules

​4. Local Security Policy

​Application Mapping

​Testing the Integration

​Error Handling

​Error: “No se pudo contactar al RD Connection Broker”

​Timeout Issues

​RD Gateway Configuration

​Advanced: Remote Desktop Collections

​Security Considerations

​Recommendations

​Deployment Checklist

​Related Pages

Build docs developers (and LLMs) love

Overview

How It Works

Configuration

PowerShell Query

WMI Class: `Win32_TSPublishedApplication`

Required Permissions

1. WMI Namespace Permissions

2. DCOM Permissions

3. Firewall Rules

4. Local Security Policy

Application Mapping

Testing the Integration

Error Handling

Error: “No se pudo contactar al RD Connection Broker”

Timeout Issues

RD Gateway Configuration

Advanced: Remote Desktop Collections

Security Considerations

Recommendations

Deployment Checklist

Related Pages