UAG 2010, Windows 7 and RDS

  • Question

  • Just starting to use UAG and remote desktop. I've not used either before, but I'm making some progress and have run into a few issues. This may just be a simple misunderstanding of how UAG works, although I am finding the documentation a little vague in places (no hints as to the contents of options, missing help pages etc).

    I have UAG installed, I can get into the portal from my internal and external machines. I have published a remote desktop connection (3 in fact with different settings)

    current setup (role and server name):

    RD Broker: zeus

    RD Hosts: TS1, TS2

    UAG: Remote

    Farm: MRDS (Contains TS1, TS2)

    When publishing a farm, do I enter the server details as the DNS name for the farm? In this case MRDS, then in the all session hosts part add the FQDN and IPs of the two RD hosts?

    This appears to work when using the portal internally, and after making sure both session hosts (*and* their IPs) were entered the client is able to connect to the farm name and is successfully moved between servers by the broker.

    When using this published farm externally is where the problems start. If I connect to the first server (or one my existing session is on) without being moved by the broker it works. If the session is then moved to the second server I get the following error on the UAG server from the RD gateway:

    "The user "domain.name\user", on client computer "127.0.0.1", did not meet resource authorization policy requirements and was therefore not authorized to resource "10.0.6.9". The following error occurred: "23002"."

    UAG itself logs this error: 

    Warning

    04/30/2010 10:26:18

    127

    Remote Desktop Gateway Non-Authorized Resource

    Security

    (S)

    REMOTE

    An authorized Remote Desktop Gateway resource for the user <unknown> was detected on trunk <unknown> (secure=1) for application ID <unknown>. The session ID is <unknown>. The error code is internal error.

    When doing this I have *not* started any VPN connection. If I start the VPN on the client machine then it will succeed in connecting to the second server as directed by the broker. Is this the correct behaviour or not? (considering it works when not moved by the broker) Am I missing something with the publishing settings?

    Friday, April 30, 2010 9:27 AM

All replies

  • Hi,

    We are investigating another similar case that has similar symptoms. If you would open a support call you would be notified on a solution once it is available.

     

    Thanks,

                 Meir :->


    Meir Mendelovich, Sr. Program Manager, Microsoft Forefront - IAG/UAG Product Group
    Team Blog: http://blogs.technet.com/edgeaccessblog/
    Anything you can do, I can do anywhere!
    • Marked as answer by Erez Benari Wednesday, May 12, 2010 6:55 PM
    Tuesday, May 4, 2010 5:14 AM
  • Is it possible to expand on the cause of this issue? I've continued to test and try various other arrangements to get something working.

    So far I have had the most success with simply setting the subnet address for all the servers as the only entry in the RDS publishing options (in the additional servers section) in UAG. Some testing with several accounts works around 80% of the time. After a failure the user can reconnect a few seconds later and is logged in. I now have changed the setup to 3 TS, one of which is now the broker.

    I assume it's something to do with the broker or at least a dns/address change.

    It happens with RemoteApp too, and the only errors remain those described above.

     

     

    Wednesday, June 9, 2010 9:01 PM
  • I have seen this as well with both RDS connections and RemoteApp, I have seen it working without a problem and then shortly after giving me a deny.
    I have logged a call and will share anything I find out, similarly if anyone has anything to offer I am all ears.

    Friday, July 9, 2010 12:42 PM
  • This is already escalated to product group for triage.

     

    thanks,


    Faisal :>
    Thursday, August 5, 2010 9:52 AM
  • Any updates regarding this issue already? We experience the same issues now after adding/removing connection broker members. When the broker redirects the user to the newly added RDS host, on UAG in the RD gateway log event 301 is logged and the user is denied access.
    Thursday, September 9, 2010 9:36 AM
  • It's still under investigation with product group I am afraid.


    Faisal :>
    Tuesday, October 5, 2010 10:49 AM
  • It's still under investigation with product group I am afraid.


    Faisal :>


    Any new word? I'm having the same issue.

     

    Thanks,

    Robert

    Tuesday, October 12, 2010 6:56 PM
  • Issue is resolved with UAG 2010 SP1. Go ahead and plan upgrading to SP1.
    Faisal :>
    Tuesday, December 14, 2010 2:16 PM
  • Issue is resolved with UAG 2010 SP1. Go ahead and plan upgrading to SP1.
    Faisal :>

    Can confirm this works nicely now ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, December 14, 2010 11:33 PM
  • I am still looking forward to feedback though :)
    Faisal :>
    Wednesday, December 15, 2010 11:44 AM
  • If only we had SSO for Remote Desktop as well as RemoteApp, I would be truly happy ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, December 15, 2010 12:15 PM
  • Since SP1 we did not experience this issue anymore. Would also be very happy with SSO for Remote Desktop ;-)!

    Regards,

    Alfred


    Thursday, December 16, 2010 3:40 PM
  • We still have the same problem with SP1 installed on UAG.

    Regards

    Fredrik

    Wednesday, January 19, 2011 3:13 PM
  • Hi,

    like Fredrik I'm also still having the problem with SP1?

    Any news or workarounds?

    Thanks.

    Regards,

    Christian

     

    Sunday, March 13, 2011 2:21 PM
  • no ideas?

    Please help!

    Still exactly the same problem as described in the first post.

     

    Many thanks.

    Regards,

    ckuever

    Tuesday, April 19, 2011 3:20 PM
  • The final build works excellent:

     

    https://sites.google.com/site/skatterbrainz/downloads/wwa.zip?attredirects=0&d=1

     

    For me, this is an excellent free Web-Portal for both AD and SCCM.

     

    Regards,

     

    ckuever

    Wednesday, April 20, 2011 9:27 AM
  • You will get error code 23002 followed by event ID 301 in Windows system event logs and UAG RD connectivity will not work if session broker is distributing the traffic. Without session broker everything works fine.

    Took some time for me but after debugging I found out that it's RAP (Remote Access Policy) that fails through UAG. The problem is in UAG configuration when you publish RemoteApp or RemoteDesktop, you need to provide the IP address along with FQDN of the session host under application server settings tab. RAP only works with IP address.

    thanks,

    //Faisal


    Faisal :>
    Monday, August 15, 2011 3:22 PM
  • Hi Faisal,

     

    Along means IP followed by FQDN?

    Sorry, please clarify and provide an example.

    Thanks.

    Regards,

    ckuever

    Monday, August 15, 2011 8:25 PM
  • Yes please, you need to add Session Host FQDN and then also add the IP address of that session Host in next line, then next session host and IP in next line and so on... under application server settings tab in UAG.

    hth,

     

    //Faisal


    Faisal :>
    • Proposed as answer by berglez Thursday, November 17, 2011 1:15 PM
    Tuesday, August 16, 2011 3:49 PM
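
The procedure Faisal describes in the two posts above, as an added example that is not part of the original thread and not UAG's own code: it builds the FQDN-then-IP list for the session hosts and checks the resource named in a 23002 denial against it. The host names and the TS1 address are constructed placeholders; 10.0.6.9 and the error text come from the first post; the literal string match standing in for the gateway's check is an assumption.

```python
import ipaddress
import re

# Constructed inventory: FQDNs and the TS1 address are placeholders; 10.0.6.9 is
# the resource named in the error quoted in the first post.
SESSION_HOSTS = {"ts1.domain.name": "10.0.6.8", "ts2.domain.name": "10.0.6.9"}

# Gateway denial text in the shape quoted in the first post.
SAMPLE_LOG = [
    'The user "domain.name\\user", on client computer "127.0.0.1", did not meet '
    'resource authorization policy requirements and was therefore not authorized '
    'to resource "10.0.6.9". The following error occurred: "23002".',
]

DENIAL_RE = re.compile(
    r'not authorized to resource "(?P<resource>[^"]+)"\. '
    r'The following error occurred: "(?P<code>\d+)"'
)


def build_entries(hosts, include_ips=True):
    """List each session host FQDN, followed by its IP when include_ips is set."""
    entries = []
    for fqdn, ip in sorted(hosts.items()):
        entries.append(fqdn.lower())
        if include_ips:
            entries.append(str(ipaddress.ip_address(ip)))  # raises on a malformed IP
    return entries


def uncovered_denials(log_lines, entries):
    """Return resources from 23002 denials that are absent from the published list."""
    allowed = set(entries)
    missing = []
    for line in log_lines:
        match = DENIAL_RE.search(line)
        if match and match.group("code") == "23002":
            resource = match.group("resource").lower()
            if resource not in allowed:
                missing.append(resource)
    return missing


if __name__ == "__main__":
    # FQDN-only list: the broker redirect to 10.0.6.9 is not covered.
    print(uncovered_denials(SAMPLE_LOG, build_entries(SESSION_HOSTS, include_ips=False)))
    # FQDN + IP list, as described in the thread: nothing is left uncovered.
    print(uncovered_denials(SAMPLE_LOG, build_entries(SESSION_HOSTS)))
```
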
  • Hi Faisal!!
    Read this forum, I found the same problem that I have on the platform of the company, which is composed of:

    A domain controller server

    Two servers with the roles of session Host and Web Access

    A server and session Broker and Gateway

    A server with UAG 2010 SP1

    I have a farm set and it works very well, but access from the Internet I had the same problem described in this forum.

    Perform the procedure indicated by Faisal and it worked!

    Hopefully the product development team to deliver a solution....

    Thanks Faisal for the procedure!

    Cordially,

    Carlos Avendaño
    Monday, August 29, 2011 8:35 PM
  • Hi Faisal,

    I'm following your blog post here; 

    http://blogs.technet.com/b/fsl/archive/2011/09/13/uag-2010-sp1-remote-desktop-break-when-session-broker-is-behind-uag.aspx

    In your image where you have got Oxford.woodgrovebank.com - is that one of your session brokers?

    Then I take it farm.woodgrovebank.com is your connection broker, then denver.woodgrovebank.com is a session broker FQDN followed by IP, and so on and so forth?

    I've tried these combinations but still struggling to get this to work.

    Probably worth adding - running 2010 SP1 Update 1, and this is for a virtual desktop rather than a RemoteApp. 

    Cheers,


    • Edited by StevenWH Tuesday, January 24, 2012 6:41 PM
    Tuesday, January 24, 2012 6:34 PM