none
RDWeb Access and RemoteApp keep asking for logon only outside of network

    Question

  • Hello,

    I have installed a brand new 2008 R2 SP1 enterprise 64bit edition and did all the windows update. My AD is managed by 2003 servers.

    This server is setup to be a terminal server with RD Web Access, Gateway, Licensing and Session Host. Also, it has Print Server and LDP Service installed. I have also Remote Network Policy setup. I left all the default options.

    I did generate my own certificate from that server and if I install it on my client computer under the trusted section, it does say anything about having a certificate issue.

    From my network, I can RDP, RD Web Access and RemoteApp to it without any issue at all.

    From outside my network without using a VPN, I can see and login to the RD Web Access page and see the RemoteApp icons. When I click on the RemoteApp (any of them) I get prompt with a logon window and I under the same credential I used to enter RD Web Access. After a while it will prompt again the same logon window, I try again and again after a while it will ask for credential.

    I have the exact same behavior from a Windows XP Pro (setup as a workgroup only) machine and a Windows 7 Home Premium.

    I have looked all over the Internet and it's similar to http://social.technet.microsoft.com/Forums/en/winserverTS/thread/1da9cd90-80f4-4087-9edf-2d9cfa1d312f but I don't have exchange setup on it, so the solution is not applicable... it's not the exact same problem but it's the same behavior.

    I also modified the js file for RD Web Access, but that didn't help.

    When I look at the events, I can see under security that the user is being logged on when clicking on teh REmoteApp and providing credential, but gets logged off right after that:

    An account was logged off.
    
    Subject:
    	Security ID:		MYDOMAIN\test
    	Account Name:		test
    	Account Domain:		MYDOMAIN
    	Logon ID:		0x12964b5
    
    Logon Type:			3
    
    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.


    I also got that warning after I installed the roles:

    Installation succeeded with warnings. 
    
    Roles:
    
    Network Policy and Access Services
       The following role services were installed:
       Network Policy Server
       Informational: You can use a wizard in the NPS console to configure Network Access Protection (NAP). To open the NPS console after installation, go to Server Manager or click Start, Administrative Tools, Network Policy Server.
    
    Remote Desktop Services
       Warning: This license server is not registered as a service connection point (SCP) in Active Directory Domain Services (AD DS). The license server will not appear in the list of known license servers in the Remote Desktop Session Host Configuration tool. To register the license server as an SCP in AD DS, use Review Configuration in the Remote Desktop Licensing Manager tool.
       Warning: RD Web Access requires additional configuration. On the Configuration page of the RD Web Access Web site, you need to specify the source that will provide the RemoteApp programs and desktops that will be displayed to users. For more information, see <a href="ts_remoteprograms.chm::/html/e1e047ce-d080-4568-b987-378fef46bea2.htm">Configuring the RD Web Access Server</a>.  
       The following role services were installed:
       Remote Desktop Session Host
       Remote Desktop Licensing
       Remote Desktop Gateway
       Remote Desktop Web Access
       Warning: Ensure that your RD Session Host servers are correctly configured to use this license server. For more information, see <a href="ts_license.chm::/html/7cd57119-808e-4777-ab21-1f75a718c1ad.htm">Configure License Settings on an RD Session Host Server.</a>
       Informational: <a href="ts_admin.chm::/html/21ea97a1-a75d-4ff6-87b1-faab342050a4.htm">Enable Windows 7 features on this RD Session Host server by using Desktop Experience.</a>
       Warning: Use the Remote Desktop Session Host Configuration tool to specify a Remote Desktop license server for this RD Session Host server to use. For more information, see <a href="tscc.chm::/html/fed1c160-dde3-49d5-a54f-a4e7a39f1695.htm">Configure License Settings for an RD Session Host Server</a>.
    
    Web Server (IIS)
       The following role services were installed:
       Web Server
          Common HTTP Features
             Static Content
             Default Document
             Directory Browsing
             HTTP Errors
             HTTP Redirection
          Application Development
             ASP.NET
             .NET Extensibility
             ISAPI Extensions
             ISAPI Filters
          Health and Diagnostics
             HTTP Logging
             Logging Tools
             Request Monitor
             Tracing
          Security
             Basic Authentication
             Windows Authentication
             Client Certificate Mapping Authentication
             Request Filtering
          Performance
             Static Content Compression
       Management Tools
          IIS Management Console
          IIS 6 Management Compatibility
             IIS 6 Metabase Compatibility
    
    Features:
    
    Remote Server Administration Tools
       The following features were installed:
       Role Administration Tools
          Web Server (IIS) Tools
    
    RPC over HTTP Proxy
    

    My license server has been setup after the installation of the roles, it's working and seen my the Session Host. Also I setup RemoteApp and I can see them when I login to RD Web Acccess.

    Can you help me figure out how to fix my login from outside my network?

    Regards,

    Yael

    Monday, October 22, 2012 3:02 PM

All replies

  • I also have this regarding my certificate and the gateway:

    Title:
    RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
    
    Severity:
    Warning
    
    Date:
    10/22/2012 9:15:34 AM
    
    Category:
    Configuration
    
    Issue:
    The Remote Desktop Gateway (RD Gateway) server is configured to use a self-signed certificate. By default, a self-signed certificate is not trusted by client computers.
    
    Impact:
    If the RD Gateway server is configured to use a Secure Sockets Layer (SSL) certificate that is not signed by a trusted certification authority, users might be unable to connect to internal network resources (computers) through the RD Gateway server.
    
    Resolution:
    Use the RD Gateway Manager tool to configure the RD Gateway server to use an SSL certificate that is signed by a trusted certification authority. Using a self-signed certificate is not recommended.
    
    More information about this best practice and detailed resolution procedures:  http://go.microsoft.com/fwlink/?LinkId=128176 

    But, if I install the certificate on each user's computer under the trusted folder, it should work, right?

    Monday, October 22, 2012 3:17 PM
  • I have Troubleshooting TSWeb and RDWeb Internet access issues - case collections. I am copying here:

    Case 1: Do all users have the same issue? If it is only one user, maybe the user profile is just corrupted and  try a different user.

    Case 2: Since it works internally, we may check the firewall and security software. Make sure it allows access form the Internet. Please check this post for more details: Question regarding event 4634 and 4624

    Case 3: Make sure defaultTSgateway is the Internet DNS name, not the internal one. Please check this post for more details: RDWeb: can access internally but cannot access externally

    Case 4: make sure certificate matches the FQDN. Please check this post:  Cannot connect to ts gateway outside my network

    Case 5: Make sure listing the internal server name in the remote app setup. Please check this post: Remote Desktop cannot find the remote computer type the name

    Case 6: The problem could be that RD Gateway certificate is not trusted on the client machine. Please check this post for more details:

    Case 7: the TS Gateway server must be resolved from the public network. Please check this post for more details: Unable to connect to ts gateway from outside


    Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

    http://www.ChicagoTech.net

    How to Setup Windows, Network, VPN & Remote Access on

    http://www.howtonetworking.com

    Monday, October 22, 2012 5:05 PM
  • Case 1: Yes all users have the same issue.

    Case 2: Port 443 is open from the outside on my router/firewall and that's it. The server does the webaccess, gateway and terminal server. The local firewall is disabled.

    Case 3: my FQDN locally and from the Internet is the same and yes it is setup. I have uninstalled my anti-virus just in case. Also, I have done what is suggested in that link regarding the web server: http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/e91af0b9-19af-40e8-87b7-bea127111bc0/ and did a computer restart. Still same issue.

    Case 4: yes, my certificate is matching it.

    Case 5: that's correct.

    Case 6: it seems good, but there is no link for more details.

    Case 7: that's working too.

    What else do I need to look at?

    Monday, October 22, 2012 5:50 PM
  • When I try to login I get the following under the security events:

    An account was successfully logged on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    New Logon:
    	Security ID:		MYDOMAIN\user
    	Account Name:		user
    	Account Domain:		MYDOMAIN
    	Logon ID:		0x17a7bc
    	Logon GUID:		{00000000-0000-0000-0000-000000000000}
    
    Process Information:
    	Process ID:		0x0
    	Process Name:		-
    
    Network Information:
    	Workstation Name:	RGHTABLET
    	Source Network Address:	xxx.xxx.xxx.xxx
    	Source Port:		13449
    
    Detailed Authentication Information:
    	Logon Process:		NtLmSsp 
    	Authentication Package:	NTLM
    	Transited Services:	-
    	Package Name (NTLM only):	NTLM V1
    	Key Length:		0
    
    This event is generated when a logon session is created. It is generated on the computer that was accessed.
    
    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
    
    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
    
    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
    The authentication information fields provide detailed information about this specific logon request.
    	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


    So I know the authentication goes through, though I also get that message right afterward:

    An account was logged off.
    
    Subject:
    	Security ID:		MYDOMAIN\user
    	Account Name:		user
    	Account Domain:		MYDOMAIN
    	Logon ID:		0x17a7b2
    
    Logon Type:			3
    
    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    

    I can that for all users trying to login. RD Web Access login works but when I want to login to an application this is where I get the problem.

    Also I tried to Web access the server and then RDP to a secondary server, that secondary server never gets any login request. 

    Hope that helps you guys a bit helping me.

    Monday, October 22, 2012 7:48 PM
  • Please refer this blog http://blogs.msdn.com/rds/archive/2008/ ... cates.aspx to know how to trust the certificate on the client machine.

    Since all users have the same issue and it works fine internally, I would focus on RD Gateway


    Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

    http://www.ChicagoTech.net

    How to Setup Windows, Network, VPN & Remote Access on

    http://www.howtonetworking.com

    Monday, October 22, 2012 8:23 PM
  • That's what I'm thinking too but cannot get anywhere with this. Don't even have good logs.

    I have checked my FQDN and my certification and it's equal to SERVER.DOMAIN.COM which it the external address I type to get in the RD Web Access and it's also the FQDN of that server inside the network.

    Where can I look to figure out what is going on?

    Monday, October 22, 2012 8:52 PM
  • I disabled the RD Gateway service and I have the same issue, so I guess that's not the problem.
    Monday, October 22, 2012 8:58 PM
  • Do I need a RD Connection Broker with only one terminal server?
    Monday, October 22, 2012 9:10 PM
  • I did install the Broker but still same issue even after a reboot.

    Though I have this error showing on my system:

    Log Name:      Application
    Source:        Microsoft-Windows-WMI
    Date:          10/22/2012 3:42:39 PM
    Event ID:      10
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      TS-01.riograndehospital.net
    Description:
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    Does have anything to do with it?
    Monday, October 22, 2012 9:48 PM
  • Forget that last error, it's not link to that issue
    Monday, October 22, 2012 10:28 PM
  • Last night I try to connect from home using my windows 7 home premium and when I logged in to the RD Web and I tried to login to my terminal server that logon prompt kept coming back though it was giving me failed login (I'm sure of what I was typing).

    My question is, is there something that needs to be done between my 2003 Domain Controller and my 2008 Terminal Server?

    Tuesday, October 23, 2012 1:24 PM
  • I have checked the logs on one of my DC and I get 2 of those messages every time I enter my credential in the login prompt:

    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: test
    Source Workstation: TABLET
    Error Code: 0x0

    So my DC said I'm good, so why am I not login in?

    Tuesday, October 23, 2012 1:56 PM
  • OK, I managed to make it work if I open the port 3389 on my firewall.

    This is not what I want to do but it helps figuring out where the problem is.

    How do I make RD Web Access talk to the gateway without having to open that port on my firewall?

    Tuesday, October 23, 2012 3:11 PM