WHS 2011 - remote desktop gateway

    Question

  • I have remote web access working, and clicking computers from the web based dashboard allows me to establish a remote desktop connection to computers on my internal network, it's great.

    However, I want to try and establish a connection to WHS and awake machines on my LAN using mstsc directly from a remote machine. On the advanced dialog box I see these options. I fill them in as shown and try to connect.

    When I press connect I get this:


    However, after putting in my WHS administrator username and password I get this error.

    "Your computer can't connect to the remote computer because the Remote Desktop Gateway server is expecting an authentication method different from the one attempted. Contact your network administrator for assistance."

    Anyone know how to get this working?


    Tim

    Wednesday, September 12, 2012 5:39 AM

All replies

  • Untick "Use my RD Gateway credentials for the remote computer" and try to connect.

    Wednesday, September 12, 2012 7:49 AM
  • and you might be better posting in a forum for WHS, not SBS :-)

    Jim

    Wednesday, September 12, 2012 8:45 AM
  • Did you ever get this working? I am having the same issue. Works fine when I connect via the remote site but not when connecting directly to the RD Gateway using an RDC.
    Friday, October 12, 2012 3:05 PM
  • Nah, I wish I did. I'm using the website .... perhaps it's something to do with certificates??

    Tim

    Friday, October 12, 2012 8:54 PM
  • I'm hitting upon this issue now myself for a client who's going to be having surgery and wants to use an iPad while recovering in the hospital bed unable to move around.  The iPad is lightweight and easily moved without straining the sensitive tissues that will be healing.  So I've been researching this and if I discover the solution(s) I'll post back.  Based solely on the message it would seem that the RD Gateway is expecting something other than the password for authentication ...which is odd as it is happily passing along the Dashboard initiated remote connections via that method.

    Dale Unroe


    • Edited by Dale DU-IT Friday, October 26, 2012 11:47 AM
    Tuesday, October 23, 2012 11:27 AM
  • You don't need an RDP gateway (this is meant for accessing Windows Remote Desktop Servers in Server farms from outside your office and not for Remote Desktop for Administration of a single server) - simply port forward the RDP port 3389 in your router to the WHS and use the server's webname myservername.homeserver.com as RDP target machine.

    If it is a WHS v1 machine, you have also to configure the Firewall exception for RDP to allow access from public networks.

    Best greetings from Germany
    Olaf

    Tuesday, October 23, 2012 3:02 PM
  • @Olaf - she's trying to get through the server to her Desktop


    Dale Unroe

    RD Gateway's usage is not limited to Server farms and it works quite well in single RD Gateway environments (such as SBS 2008 or 2011) to enable safe passage via often the only common port publicly open via public access areas (like a hospital) - HTTPS aka port 443.  Many businesses are using iTap and Wyse PocketCloud to do just that with their iPads and Android tablets and mobile devices.

    Using RDP over HTTPS (and RPC over HTTPS for Outlook aka Outlook Anywhere) is in my business world a very commonly needed application of this transport methodology.  The targeted server aka the 'RD Gateway' is fully capable of not only handling the initial authentication but also of passing on that authenticated session to a different destination albeit one that fulfills the security requirements of SSL certificates.  In an AD domain this is comparatively simple to pull off, in a workgroup it's not so much.  Even so this used to work but now it's not.  A little google-fu will show the evidence of people succeeding in the past albeit struggling with the extra cert issues that have to be overcome.

    BTW - that RDG to Windows Desktop methodology does require a Remote Desktop CAL - it's not covered by the OS as it had been in the past




    • Edited by Dale DU-IT Thursday, October 25, 2012 2:15 PM
    Thursday, October 25, 2012 2:01 PM
  • Besides the required Remote Desktop CAL: Enabling any roles on Windows Home Server, which are not already enabled, is not allowed according to the EULA.

    Also AFAIK the  RD Gateway will do nothing to wake any computers.

    So the workaround would be to find a way to send a wake on LAN package, either (if supported) by the router or by an application on the server (in the latter case make an administrative session to the server's desktop and start the WOL package from there).

    From here you could start an RDP session to the client, or you could forward ports in the router for each of your client PCs (i.e. port 3390 of the router to port 3389 of the client) and then connect with your RDP client via domainname.homeserver.com:3390.

    You may have to change RDP settings on the client as well to allow this connection.

    Best greetings from Germany
    Olaf

    Thursday, October 25, 2012 5:17 PM
  • again those ports are NOT OPEN to use in public access areas such as this critical case  ...a hospital - port 443 works every time; no one blocks it ...3389 or nonstandard ports absolutely get blocked in such places

    nowhere did I advocate breaking the EULA - WHS 2011 uses the RD Gateway out of the box albeit within the confines of the special way it's been coded

    nowhere did I advocate to turn her PC off such that it would require being sent a WOL signal for it to be accessible - it's a neat idea that just has never worked well enough to fully rely upon - clients just leave the PC running in as low a power state as possible 24/7

    thanks for ?

    greetings from Cincinnati, Ohio ...home to a nearby (which after today is sounding really good)

    Hofbräuhaus


    Dale Unroe

    Thursday, October 25, 2012 10:58 PM
  • and if you do facility from WHS you might look at http://www.wegotserved.com/tag/wake-on-lan/
    Friday, October 26, 2012 2:46 AM
  • there is more information here on the way it works:

    http://blogs.technet.com/b/askperf/archive/2008/02/23/ws2008-terminal-server-web-access-architecture.aspx

    Basically it seems to create a temporary .rdp file that is passed as a parameter to mstsc to establish the connection. After the connection is done it's removed.  I tried clicking the button, then launching task manager to view the process, then I looked on the file system but couldn't see the .rdp file. I was hoping I could open it up and view the contents.....

    someone more knowledgeable than myself might find a way.


    Tim

    Friday, November 02, 2012 6:07 AM
  • that's the generic of the pre-R2 architecture; however, this is WHS 2011.  Retracing through doing, I've re-reviewed the connect-to-desktop process wherein I've noticed, akin to SBS 2003 & SBS 2008, an Active-X component is required.  That isn't the case in SBS 2011 where the RD Gateway is leveraged instead.  The added benefit is that the connection isn't limited solely to IE as it had been with the Active-X proprietary object.  In other words, I'm confused as to what is truly going on in respect to the RD Gateway; perhaps it isn't used whatsoever in WHS 2011.

    Dale Unroe

    Friday, November 02, 2012 1:21 PM
  • RDGateway is used and the 'connection profile' (.rdp file) would look similar to a standard RDP file configured for RDG.

    WOL facility is a separate item where the user browses a page on the server and that page has a control that gets executed on the server to generate the WOL (magic) packet on the LAN.

    SBS03 used a different mechanism, the RDPProxy (on port 4125).

    SBS08 and SBS11 both used RDGateway and an ActiveX RDP client.

    'Colorado' (WHSv1, WHS 2011, SBS 2011 Essentials, and now WS12E) products also use RDGateway, and have a development intent to improve 'functionality in other browsers'. It's this one I haven't been paying a lot of attention to the state of (my remote users use IE).

    In any of the products using RDG you can create a manual .rdp file, with the RDG settings in it, and use such to connect to PC's on the network. This 'avoids' browsing to RWW/RWA though and voids the 'concession' granted to RWW/RWA users concerning not requiring a TS CAL. If you use a direct RDP connection a TS CAL is required.

    TTBOMK there is no way to 'incorporate' WOL instructions to the .rdp file. So that page on the server, that generates an instruction for the server to send the WOL packet across the LAN will still be needed.

    Friday, November 02, 2012 7:20 PM
  • "RDGateway is used and the 'connection profile' (.rdp file) would look similar to a standard RDP file configured for RDG."

    "In any of the products using RDG you can create a manual .rdp file, with the RDG settings in it, and use such to connect to PC's on the network. "

    This is what I'd like to do. Do you have an example .rdp file, what settings are required? I just want to RDP directly to a box on my LAN from outside via the RDGateway aka over port 443. The box is awake so no consideration for wake on LAN is necessary, anyone?


    Tim

    Sunday, November 04, 2012 3:36 AM
  • SBS 2008 in Chrome you will not see the Connect item on the RWA page due to use of ActiveX limiting the RWA Connect function solely to IE.  In the case of SBS 2011 and with Chrome, when you complete the RWA process to "connect", a custom RDP/RDG file is downloaded prior to running it in order to make the destination connection. That simple file can be saved and with it you will have your easy to use file for future click to go connections.  As such you can also create from scratch an RDP with RDG file to do the same thing.  I've likewise been able to successfully verify the use of custom RDP/RWA connections with SBS 2008.

    With WHS 2011 this doesn't happen in Chrome; instead you will see the message below.  Users must use IE for the browser.  This is why this is confusing as to why the ActiveX control is being implemented in WHS 2011 that is not in SBS 2011.  The point of this difference is that it would seem logical to suspect this as being a factor why custom RDP with RDG connections do not work in instances I'm attempting to implement with WHS 2011.

    ?related?
    http://blogs.technet.com/b/sbs/archive/2012/11/03/multiple-authentication-prompts-after-applying-kb-2574819-and-2592687.aspx


    Dale Unroe


    • Edited by Dale DU-IT Sunday, November 04, 2012 8:18 PM
    Sunday, November 04, 2012 8:17 PM
  • Tim,

    I'll either post screen shots and/or upload such an .rdp file with generic information for the destination host and the RG server to Skydrive and post a list.

    off to preside over the polls so I'll try to post back today if things ever get slow - you never know how busy an election will be during a Presidential election and I may be overrun most of the day as it was the case four years ago


    Dale Unroe

    Tuesday, November 06, 2012 10:18 AM
  • Looking through the server logs it appears that WHS uses custom authentication.

    When a logon is attempted through MSTSC the server logs the following:

    but when you log in through the website you get:

    Looking up RD Gateway Cookie Authentication led to:

    http://blogs.msdn.com/b/rds/archive/2010/01/06/customizing-rd-gateway-authentication-and-authorization-schemes.aspx

    Still looking into this to see if an MSTSC connection can work...

    Saturday, December 01, 2012 8:51 AM
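
Added example (not part of any post in this thread, and not Microsoft's code): a small Python parser for the kind of manual .rdp file discussed above. It reports which RD Gateway authentication method the file requests (`gatewaycredentialssource`, where 5 is cookie-based) and whether "Use my RD Gateway credentials for the remote computer" (`promptcredentialonce`) is set. The sample file and its host names are constructed placeholders; the value meanings follow Microsoft's documented RDP file properties.

```python
# gatewaycredentialssource: how the client authenticates to the RD Gateway.
GATEWAY_CRED_SOURCE = {
    0: "ask for password (NTLM)",
    1: "smart card",
    2: "credentials of the logged-on user",
    3: "prompt and use basic authentication",
    4: "let the user choose later",
    5: "cookie-based authentication",
}

# Constructed sample; host names are placeholders, not values from the thread.
SAMPLE_RDP = """\
full address:s:desktop01
gatewayhostname:s:example.homeserver.com
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"""

def decode_rdp(raw: bytes) -> str:
    """Files saved by mstsc are typically UTF-16 with a BOM; hand-written ones may be UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; type 'i' is an integer, 's' a string."""
    settings = {}
    for line in text.splitlines():
        name, sep, rest = line.strip().partition(":")
        kind, sep2, value = rest.partition(":")
        if not (sep and sep2):
            continue  # blank or malformed line
        is_int = kind == "i" and value.strip().lstrip("-").isdigit()
        settings[name.lower()] = int(value) if is_int else value
    return settings

def gateway_summary(settings: dict) -> dict:
    """Pull out the fields that decide how the gateway connection is authenticated."""
    return {
        "target": settings.get("full address"),
        "gateway": settings.get("gatewayhostname"),
        "uses_gateway": settings.get("gatewayusagemethod") in (1, 2),
        "gateway_auth": GATEWAY_CRED_SOURCE.get(settings.get("gatewaycredentialssource"), "not set"),
        "reuse_gateway_creds_for_target": settings.get("promptcredentialonce") == 1,
    }
```

Comparing the `gateway_auth` value of a hand-made file with that of a file produced by the web portal shows whether the two are asking the gateway for the same authentication method.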
  • Standard has a different RWA than Home Server does.  SBS Standard does not behave the same as Essentials/Home Server's RWA.

    I'm really confused folks, are you having issues with Home Server or SBS standard?

    Saturday, December 01, 2012 3:05 PM
    Moderator