External Access to Published Apps via RD Web failed with a Firewall Credentials error message

    Question

  • Goal: Access RD Session Host through web access and gateway externally
    External name is: ts.domain.com

    Info: Single Domain
    All RDS Roles on same server, Windows Server 2012 Name: srv01.domain.local
    Portforwarding 443 from external IP to Internal IP on Firewall
    Internal DNS Alias for ts.domain.com to srv01.domain.local
    External DNS Service for ts.domain.com to external IP
    Trusted Certificate installed on srv01.domain.local for all roles and Name ts.domain.com
    Two Factor Authentication with Securenvoy in Web Access

    Now I can connect through WebAccess, authenticate against Securenvoy and enter the Published Apps Website. Then, when I'm trying to connect a Published App like RDP Desktop, the RDConnection window appears and I can click connect.
    Now the error message appears: "The computer cannot establish a connection to the remote computer, the firewall authentication failed due to missing firewall credentials." No Error Event is shown in the client Event Viewer.

    So when I connect internally, all is working fine, and in RDP Desktop at the top the name of the internal server (srv01.domain.local) is displayed. I guess this shouldn't be so, and could be the problem. In my RDP Overview in Server Manager, under deployment servers, all roles are shown with the internal server name (srv01.domain.local). Could this be the problem?

    Best Regards and thanks for help,

    Florian


    Saturday, October 26, 2013 1:33 PM

Answers

  • Just to make sure you're not using remote.domain.com. Silly question but just wanted to make sure.

    Have a look at the following TechNet article which shows the same error: http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9d43ad6-ca56-486a-a11e-22b059a3fc60/cant-connect-through-tsgateway?forum=winserverTS

    Have a look at the following article:

    http://ryanmangansitblog.wordpress.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/ to check that everything has been configured correctly. 

    Also have a look at :

    http://www.chicagotech.net/netforums/viewtopic.php?f=2&t=16656

    Friday, November 01, 2013 11:21 AM

All replies

  • Hi Florian,

    Have you enabled the "credential delegation setting" under Group Policy?

    You can check the "Allow Delegating Saved Credentials with NTLM-only Server Authentication" setting under GPO, enable it and add the name of the terminal server under that. From the path below you can enable the setting:

    Computer Configuration \ Administrative Templates \ System \ Credential Delegation

    For more information refer to the articles beneath:
    1.  Why can’t I connect using Remote Desktop Connection?
    2.  Managing Remote Desktop Connections

    Hope it helps!
    Thanks.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    Monday, October 28, 2013 6:53 AM
  • Hi Dharmesh,

    I checked all settings and enabled "Allow Delegating Saved Credentials with NTLM-only Server Authentication”.

    The error is still there, do you have some other suggestions?

    Errormessage

    Best Regards, Florian

    Wednesday, October 30, 2013 7:37 PM
  • Hi Florian,

    As mentioned in my last post, after enabling it in GPO did you save the name of the remote computer (Server) in the show content dialog box as displayed below?

    TERMSRV\<FQDN of Server>

    Apart from that you can also enable "Allow delegating default credentials" under the same path in GPO as mentioned in my previous comment, and here also add the name of the server as displayed above. This is necessary to enable Web SSO for RemoteApp and Desktop connection. Also you can check "Web SSO with Remote Desktop Gateway" for password authentication. Refer to the article beneath for more information.


    Remote Desktop Web Access single sign-on now easier to enable in Windows Server 2012

    Hope it helps!
    Thanks.



    Thursday, October 31, 2013 7:43 AM
  • Hi Dharmesh,

    The GPO settings are enabled and configured as:
    TERMSRV\ts.domain.com
    TERMSRV\srv01.domain.local
    in the "Allow delegating default credentials" and "Allow Delegating Saved Credentials with NTLM-only Server Authentication" settings.
    Web SSO with RD Gateway is configured as in the article mentioned for external dns name.

    Could the problem be that in the RD Connection Window for clients the remote computer name to connect to is shown as the internal name of the server?
    Link to Screenshot: RD Connection Screenshot

    In the Event Log I have two errors that appear periodically:

    Eventid: 15021 Source: HttpEvent "An error occurred while using SSL configuration for endpoint 10.1.1.28:443. The error status code is contained within the returned data."

    Eventid: 1057 Source: TerminalServices-RemoteConnectionManager "The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was Object ."

    Best Regards and thanks for the support, Florian


    • Edited by Florian JJ Thursday, October 31, 2013 3:24 PM
    Thursday, October 31, 2013 10:13 AM
  • Hi Florian,

    The Error Code 

    Eventid: 15021 Source: HttpEvent "An error occurred while using SSL configuration for endpoint 10.1.1.28:443. The error status code is contained within the returned data."

    sounds like an issue with the SSL bindings in IIS. Can you check your certificate?

    The Second Error code

    The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was Object.

    This is referring to a Self assigned certificate. Are you using Self assigned or one from a trusted CA? I would recommend looking to see if there is a self signed cert lurking about and deleting it, if you are using a cert from a CA. http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df42746-465f-4902-95a6-121ef1f0fd68/the-terminal-server-has-failed-to-create-a-new-self-signed-certificate-to-be-used-for-terminal?forum=winserverTS

    You mentioned that you are shown the local server as per the screen shot. RD Connection Screenshot

    Please see the PowerShell Cmdlet taken from my blog which changes the RDP properties to match the external domain. http://ryanmangansitblog.wordpress.com/2013/03/10/configuring-rds-2012-certificates-and-sso/ This allows you to use redirection so that all three fields as shown below use the external address.

    Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:remote.domain.com"

    Try running the following PowerShell cmdlet, which will change all of the following:

    Publisher: remote.domain.com
    Remote computer: remote.domain.com
    Gateway server: remote.domain.com

    Let me Know how you get on

    Best regards,

    Thursday, October 31, 2013 6:22 PM
  • Hi Ryan,
    Thank you for your help and support.
    I am using an external trusted Certificate from Thawte for the DNS name remote.domain.com.
    The steps for changing the RDP properties I have done as you mentioned. This was successful.
    The connection error is now that the name "remote.domain.com" can't be found. In the Remote Desktop Services Console I see event ID 304: The user "Domain\User" on client "FirewallIP", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "remote.domain.com". Connection protocol used: "HTTP". The following error occurred: "23005".

    I think that internally the RD Gateway can't resolve the DNS name remote.domain.com for the RD Session Host. But how could I create a DNS record for this external name? Maybe with a hosts file entry?

    Best Regards, Florian



    • Edited by Florian JJ Friday, November 01, 2013 9:47 AM
    Friday, November 01, 2013 9:47 AM
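    The following PowerShell script is an added example and not code from this thread or from Ryan's blog. It applies the redirection properties Ryan suggests, reads them back, and then runs the two checks the last replies point at: whether the alternate full address resolves from inside the network (the RD Gateway itself connects to that name, which is what the event 304 / 23005 "could not connect to resource" symptom indicates), and whether the 443 SSL binding that event 15021 complains about exists and references a CA-issued rather than a self-signed certificate. The collection name, host names and the 10.1.1.28 address are placeholders taken from the thread; the RemoteDesktop cmdlets need to run in an elevated session on the RD Connection Broker.

```powershell
# Added example: apply and verify the RDP redirection properties discussed above.
# Placeholders from the thread: collection "QuickSessionCollection",
# external name remote.domain.com, internal host srv01.domain.local, listener 10.1.1.28:443.
# Run elevated on the RD Connection Broker (RemoteDesktop module, Server 2012+).
Import-Module RemoteDesktop

$CollectionName = 'QuickSessionCollection'
$ExternalName   = 'remote.domain.com'
$InternalHost   = 'srv01.domain.local'
$ListenerIp     = '10.1.1.28'

# 1. Apply the custom RDP properties. Each property is one line of the generated .rdp
#    file, so join them with a newline rather than a space.
$rdpProps = @(
    'use redirection server name:i:1'
    "alternate full address:s:$ExternalName"
) -join "`n"
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty $rdpProps

# 2. Read the setting back instead of trusting that the Set call took effect.
$cfg = Get-RDSessionCollectionConfiguration -CollectionName $CollectionName
Write-Host "CustomRdpProperty now:`n$($cfg.CustomRdpProperty)"

# 3. Split-DNS check: the external name must resolve to the Session Host from inside
#    the network, otherwise the gateway cannot reach the resource it was told to use.
$internalAddrs = @((Resolve-DnsName -Name $InternalHost -Type A -ErrorAction Stop).IPAddress)
try {
    $externalAddrs = @((Resolve-DnsName -Name $ExternalName -Type A -ErrorAction Stop).IPAddress)
} catch {
    $externalAddrs = @()
    Write-Warning "$ExternalName does not resolve from this host; add an internal A or CNAME record for it."
}
if ($externalAddrs.Count -gt 0 -and -not (Compare-Object $internalAddrs $externalAddrs)) {
    Write-Host "OK: $ExternalName resolves internally to the Session Host ($($internalAddrs -join ', '))"
} elseif ($externalAddrs.Count -gt 0) {
    Write-Warning "$ExternalName resolves to $($externalAddrs -join ', ') internally, not to $InternalHost ($($internalAddrs -join ', ')); the gateway would go out to the firewall address instead."
}

# 4. Event 15021 check: is there an SSL binding on the listener endpoint, and does it
#    reference the trusted certificate rather than a leftover self-signed one?
$binding = netsh http show sslcert ipport="${ListenerIp}:443" 2>&1
if ($LASTEXITCODE -ne 0 -or ($binding -join "`n") -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
    Write-Warning "No SSL binding found for ${ListenerIp}:443 (consistent with event 15021)."
} else {
    $thumb = $Matches[1]
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "Binding references thumbprint $thumb, which is not in LocalMachine\My."
    } elseif ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "Binding uses a self-signed certificate ($($cert.Subject)); replace it with the CA-issued one."
    } else {
        Write-Host "OK: ${ListenerIp}:443 is bound to $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
    }
}

# 5. Show the certificate each RDS role uses so all roles and the IIS binding can be
#    compared side by side (every role should carry the same trusted certificate).
Get-RDCertificate | Format-Table Role, Subject, Level, ExpiresOn -AutoSize
```

    The DNS check in step 3 is the one that matters for the error in the previous reply: with "alternate full address" set to the external name, the RD Gateway opens the RDP connection to that name from the internal network, so it needs an internal zone (or at least a record on the gateway) that maps remote.domain.com to the Session Host rather than to the firewall's public address.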
  • Just to make sure you're not using remote.domain.com. Silly question but just wanted to make sure.

    Have a look at the following TechNet article which shows the same error: http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9d43ad6-ca56-486a-a11e-22b059a3fc60/cant-connect-through-tsgateway?forum=winserverTS

    Have a look at the following article:

    http://ryanmangansitblog.wordpress.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/ to check that everything has been configured correctly. 

    Also have a look at :

    http://www.chicagotech.net/netforums/viewtopic.php?f=2&t=16656

    Friday, November 01, 2013 11:21 AM
  • Hi Ryan
    No, it's just to stay anonymous that I used remote.domain.com.
    Will check the articles this week and will then give feedback. Thanks anyway!

    Monday, November 04, 2013 10:58 AM