Remote Desktop Connection Broker with SmartCard authentication


Yubikeys have been rolled out to our end users and reports of 'not being able to run more than one published remote app' have started to flood in.
Windows username/password authentication works fine; users without forced 'smart card' login can authenticate with the RDweb resources (or even via work resources in their start menu) and run multiple remote apps with no issues.

Current setup is one RD Broker server hosting RD Collections, multiple RDH servers bolted on.

What I have found so far:
Smart card user loads up a remote app, a credential box is presented and the PIN is presented, and the 1st remote app loads up.
Smart card user loads up a 2nd remote app, a credential box appears, and under more options we note that the second connection is using 'the following credential to connect: Password for @@B5YrCiy********' as per below. Selecting OK passes these credentials to the broker and the connection fails. This seems to be some kind of user hash relating to the smartcard? Either way, this is what is presented (not a PIN).

[Screenshot: thetomme88_0-1707838479752.png]


then you kill the 'RemoteApp and Desktop Connection Runtime' application:

[Screenshot: thetomme88_1-1707838500939.png]


then close down this second remote app connection, then reload the remote app connection again. You notice the credentials are cleared and the user can re-present their smart card pin and successfully load up 2 remote apps:

[Screenshot: thetomme88_2-1707838515781.png]


So here is my thinking... Smart card credentials are supplied to the broker and the 'RemoteApp and Desktop Connection Runtime' application holds/caches these? Killing this application forces 'NEW' remote app connections to re-authenticate with the broker, allowing the next remote app session.

I'm sure other orgs must be using smart card authentication with their RD broker with multiple RD session hosts? For some reason, connecting to our RD farm with smart card/PIN does not allow a seamless experience when wanting multiple remote apps...

 

Password auth is seamless.
