UAG: Your computer does not meet the security policy requirements of this application

  • Question

  • Hi There,

    I am facing an issue with the UAG server with the RDP application. Whenever I try to access the remote machine it gives me the "Your computer does not meet the security policy requirements of this application" error. I have added the name of the back-end server and I am trying to access it using the name of the machine, so that's not the issue here. I have checked the routes and everything seems fine because I can RDP to the same server from the UAG server itself but not from the portal. I have tried setting the client endpoint policies to "Always" but no luck. I am sure this is not an endpoint policy issue.

    One thing I find odd when looking into the Forefront_UAG.bin log file is that on a *working* UAG server it calls the WHLTSGCONF service and it returns the host as authenticated or not. But when I check the log file for the *non-working* UAG machine, it does not show me that it called the WHLTSGCONF file anywhere. Immediately after UAGRDPSVC it shows that RDPSIGN.exe was used to sign the RDP connection and then it fails with a fatal error.

    Has anyone seen this behavior before?

    Cheers !!

    Tuesday, July 20, 2010 3:50 PM

Answers

  • Hi Inderjeet,

    Sorry to continue to delve about the SSL certificate but I would recommend you open the Certificates (Local Computer)/Personal store and take a look at the certificate that RDG is configured to use. Check that the certificate is considered valid, check that the UAG box also has the root CA certificate installed and ensure that the root CA certificate is found in the Trusted Root Certification Authorities store (and not in the Personal store).

    Regards,

    -Ran

    • Marked as answer by Erez Benari Monday, July 26, 2010 10:23 PM
    Wednesday, July 21, 2010 10:35 AM
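
The checks recommended in this answer, as an added PowerShell example that is not part of the original thread or of UAG. The function name `Test-RdgSigningCertificate` is hypothetical; pass it the hash that the UAG trace prints on its "Signing the RDP data" line.

```powershell
# Added example: hypothetical helper, not part of UAG or the original thread.
function Test-RdgSigningCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # The UAG trace prints the hash as "A7 6B ..."; the store uses no spaces.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate $tp in Certificates (Local Computer)/Personal"
        return
    }

    # Build the chain the way Windows does and record why it fails, if it does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # The last chain element is the certificate the chain ends on (the root CA
    # when the chain is complete). It must be in Trusted Root, not Personal.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRoot = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0
    $inMy = ($root.Thumbprint -ne $tp) -and (@(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0)

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        InValidityPeriod  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey     = $cert.HasPrivateKey   # signing needs the private key
        ChainValid        = $chainOk
        ChainStatus       = $status
        ChainEndsOn       = $root.Subject
        RootInTrustedRoot = $inRoot
        RootInPersonal    = $inMy
    }
}

# Usage (placeholder value; substitute the hash from your own trace):
# Test-RdgSigningCertificate -Thumbprint '<thumbprint from the UAG trace>'
```

A healthy result has `ChainValid`, `HasPrivateKey`, `InValidityPeriod` and `RootInTrustedRoot` all true and `RootInPersonal` false.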

All replies

  • Hi,

    I'd suggest you launch the Remote Desktop Gateway Manager on the UAG box, right-click the machine name in the left-side tree view, then click Properties. Take a look at the SSL Certificate tab, and make sure you do have a valid certificate selected for RDG.

    HTH,

    -Ran

    Tuesday, July 20, 2010 4:35 PM
  • Hi Ran,

    The certificate is selected correctly. Do you have any idea why would WHLTSGCONF not be called? It's not appearing in the logs for some reason... I guess that's what is causing the issue. I tried to re-register the whltsgconf.dll but no luck.

    Regards,
    Inderjeet

    Tuesday, July 20, 2010 4:44 PM
  • Hi Inderjeet,

    No other idea off the top of my head. I once had a similar issue, the UAG trace showed "ERROR:Fatal: Utility rdpsign has not terminated during expected time." and the issue turned out to be with the RDG certificate.

    Regards,

    -Ran

    Tuesday, July 20, 2010 5:06 PM
  • Hmm... Ran, I am also seeing the error in the log. It says as below:

    [0]1768.13a4 07/01/2010-12:38:30.132 [whlrdpmng whale::RDPData::sign rdpsign.cpp@300] ERROR:Fatal: Utility rdpsign has not terminated during expected time.
    [0]1768.13a4 07/01/2010-12:38:30.132 [whlrdpmng whale::RDPData::sign rdpsign.cpp@330] ERROR:Error: Cannot remove file "C:\WINDOWS\TEMP\whlrdpsign-5992-5028-4717719.txt" (error: 32).

    Complete Log
    =============

    [2]1768.13a4 07/01/2010-12:38:10.131 [uagrdpsvc UAG::RDP::RDPRequest::RequestRDP rdprequest.cpp@217] Info:Evaluated policies: access="true", drivemap="true", printermap="true", clipboardmap="true", sso="true".
    [2]1768.13a4 07/01/2010-12:38:10.131 [uagrdpsvc UAG::RDP::RDPRequest::RequestRDP rdprequest.cpp@355] Info:Signing the RDP data; cert name="*.kcpl.com", hash="A7 6B C3 45 3C 22 12 6C 0C 54 F1 45 2C 13 35 60 0C B5 09 A8 ".
    [2]1768.13a4 07/01/2010-12:38:10.132 [whlgenlib whale::runcmdlproc::run_with_cur_dir cmdprocess.cpp@111] Info:run_with_cur_dir cmd : [ C:\WINDOWS\system32\rdpsign.exe ] , args : [/sha1 "A76BC3453C22126C0C54F1452C1335600CB509A8" "C:\WINDOWS\TEMP\whlrdpsign-5992-5028-4717719.txt"] , cur_dir [<NULL>]
    [0]12f4.e2c 07/01/2010-12:38:11.629 [whlfilter CSessionContext::KillTimedOutSessions SessionObjects.cpp@465] Info:Iterating 2 sessions in list
    [0]12f4.e2c 07/01/2010-12:38:11.629 [whlfilter CSessionContext::ShouldDelete SessionObjects.cpp@924] Info:ShouldDelete: m_eIgnoreSessionTimeout [2] m_lConnections [1l]
    [0]12f4.e2c 07/01/2010-12:38:11.629 [whlfilter CSessionContext::ShouldDelete SessionObjects.cpp@924] Info:ShouldDelete: m_eIgnoreSessionTimeout [2] m_lConnections [0l]
    [0]938.990 07/01/2010-12:38:11.732 [uagqessvc NpsMonitorThread config.cpp@210] Info:Monitoring NPS servers
    [0]9c0.9d0 07/01/2010-12:38:18.448 [whlfirewallinfra CConfigurationIsa::CConfigurationIsa Isa.cpp@780] Info:CConfigurationIsa::CIsa()
    [0]9c0.9d0 07/01/2010-12:38:18.448 [whlfirewallinfra ___MANAGEMENT_INFRA_WHLFIREWALLINFRA_ISA_CPP_isaarch::init IsaArch.cpp@27] Info:Reading ISA binding options.
    [0]9c0.9d0 07/01/2010-12:38:18.448 [whlfirewallinfra ___MANAGEMENT_INFRA_WHLFIREWALLINFRA_ISA_CPP_isaarch::init IsaArch.cpp@74] Info:ISA binding options are missing or empty.
    [0]9c0.9d0 07/01/2010-12:38:18.448 [whlfirewallinfra ___MANAGEMENT_INFRA_WHLFIREWALLINFRA_ISA_CPP_isaarch::init IsaArch.cpp@86] Info:Done reading ISA binding options.
    [0]9c0.9d0 07/01/2010-12:38:18.448 [whlfirewallinfra CConfigurationIsa::InternalConnectWithParams Isa.cpp@2318] Info:Connecting to TMG: server: [<NULL>] username "[<NULL>]" domain "[<NULL>]"
    [0]9c0.9d0 07/01/2010-12:38:18.448 [whlfirewallinfra CConfigurationIsa::InternalConnectWithParams Isa.cpp@2319] Info:Connecting to TMG(Monitor): server: "[<NULL>]" username "[<NULL>]" domain "[<NULL>]"
    [0]9c0.9d0 07/01/2010-12:38:18.449 [whlfirewallinfra CBaseIsa::CreateCentralFpc Isa.cpp@450] Info:Disconnecting from local storage...
    [0]9c0.9d0 07/01/2010-12:38:18.462 [whlfirewallinfra CBaseIsa::CreateCentralFpc Isa.cpp@459] Info:Connecting to local CSS...
    [0]9c0.9d0 07/01/2010-12:38:18.462 [whlfirewallinfra CBaseIsa::CreateCentralFpc Isa.cpp@462] Info:Get CSS name
    [0]9c0.9d0 07/01/2010-12:38:18.462 [whlfirewallinfra CBaseIsa::CreateCentralFpc Isa.cpp@465] Info:get_ConfigurationStorageServer() result code = [S_OK]
    [2]9c0.9d0 07/01/2010-12:38:18.504 [whlfirewallinfra FpcOp<FPCLib::IFPCSubnet,FPCLib::IFPCSubnets>::FindLastIndexBySubStringCallback Isa.cpp@282] Info:Found match: [PublishingRule::Server#001]==[PublishingRule::Server#]
    [2]9c0.9d0 07/01/2010-12:38:18.504 [whlfirewallinfra FpcOp<FPCLib::IFPCSubnet,FPCLib::IFPCSubnets>::FindLastIndexBySubStringCallback Isa.cpp@282] Info:Found match: [PublishingRule::Server#002]==[PublishingRule::Server#]
    [2]9c0.9d0 07/01/2010-12:38:18.504 [whlfirewallinfra FpcOp<FPCLib::IFPCSubnet,FPCLib::IFPCSubnets>::FindLastIndexBySubStringCallback Isa.cpp@282] Info:Found match: [PublishingRule::Server#003]==[PublishingRule::Server#]
    [2]9c0.9d0 07/01/2010-12:38:18.504 [whlfirewallinfra FpcOp<FPCLib::IFPCSubnet,FPCLib::IFPCSubnets>::FindLastIndexBySubStringCallback Isa.cpp@282] Info:Found match: [PublishingRule::Server#004]==[PublishingRule::Server#]
    [2]9c0.9d0 07/01/2010-12:38:18.504 [whlfirewallinfra FpcOp<FPCLib::IFPCSubnet,FPCLib::IFPCSubnets>::FindLastIndexBySubStringCallback Isa.cpp@282] Info:Found match: [PublishingRule::Server#005]==[PublishingRule::Server#]
    [3]9c0.9d0 07/01/2010-12:38:18.517 [whlfirewallinfra FpcOp<FPCLib::IFPCSubnet,FPCLib::IFPCSubnets>::FindLastIndexBySubStringCallback Isa.cpp@282] Info:Found match: [PublishingRule::Servers#001]==[PublishingRule::Servers#]
    [2]9c0.9d0 07/01/2010-12:38:18.533 [nlbcore whale::nlb::CIPAddress::CIPAddress IPAddress.cpp@27] Info:Empty IP address.
    [2]9c0.9d0 07/01/2010-12:38:18.533 [nlbcore whale::nlb::CIPAddress::CIPAddress IPAddress.cpp@27] Info:Empty IP address.
    [1]9c0.9d0 07/01/2010-12:38:18.537 [nlbcore whale::nlb::CIPAddress::CIPAddress IPAddress.cpp@27] Info:Empty IP address.
    [1]9c0.9d0 07/01/2010-12:38:18.537 [nlbcore whale::nlb::CIPAddress::CIPAddress IPAddress.cpp@27] Info:Empty IP address.
    [1]9c0.9d0 07/01/2010-12:38:18.537 [whlfirewallinfra CConfigurationIsa::~CConfigurationIsa Isa.cpp@786] Info:CConfigurationIsa::~CIsa()
    [1]9c0.9d0 07/01/2010-12:38:18.537 [configmgrcore whale::configmgr::CAsyncNLBActivator::EnforceNLBAutoStop NLBProvisioning.cpp@1110] Info:NLB is not enabled.
    [3]9c0.9f0 07/01/2010-12:38:18.537 [configmgrcore whale::configmgr::CAsyncNLBActivator::AutoStopThreadProcedure NLBProvisioning.cpp@2108] Info:Successfully enforced NLB AutoStop.
    [0]938.990 07/01/2010-12:38:21.733 [uagqessvc NpsMonitorThread config.cpp@210] Info:Monitoring NPS servers
    [0]1768.13a4 07/01/2010-12:38:30.132 [whlrdpmng whale::RDPData::sign rdpsign.cpp@300] ERROR:Fatal: Utility rdpsign has not terminated during expected time.
    [0]1768.13a4 07/01/2010-12:38:30.132 [whlrdpmng whale::RDPData::sign rdpsign.cpp@330] ERROR:Error: Cannot remove file "C:\WINDOWS\TEMP\whlrdpsign-5992-5028-4717719.txt" (error: 32).
    [0]1768.13a4 07/01/2010-12:38:30.132 [uagrdpsvc UAG::RDP::RDPRequest::RequestRDP rdprequest.cpp@365] ERROR:Fatal: Cannot generate signed RDP data for RemoteApp "remote_desktop", global id "test__RD__remote_desktop", trunk "test".
    [0]1768.13a4 07/01/2010-12:38:30.132 [uagrdpsvc UAG::RDP::RDPRequest::RequestRDP rdprequest.cpp@370] Info:Leaving RDPRequest::RequestRDP because of the error.
    [0]1768.13a4 07/01/2010-12:38:30.132 [sessionmgrlayer whale::sessionmgr::CSessionMgrLayer::ReleaseInstance SessionMgrLayer.cpp@108] Info:of SESSIONMGRCOMLib::SessionMgr
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlasynccomm CACPManager::IOCompWorking acpmanager.cpp@1208] Info:GetQueuedCompletionStatus(): returned 1
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlasynccomm CACPManager::AnalyzeOverlappedResult acpmanager.cpp@1390] Info:calling DoReadState
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlasynccomm CSocketDevice::OnRead socketdevice.cpp@464] Info:OnRead(4396, localhost:6001): Send OnRead() message
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlfilter CExtECB::LockMe WhlExt2IWS.cpp@476] Info:Trying to LockMe (ExtECB=0000000003BF4E10)
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlfilter CExtECB::LockMe WhlExt2IWS.cpp@485] Info:LockMe succeeded (ExtECB=0000000003BF4E10)
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlfilter CExtECB::OnRead WhlExt2IWS.cpp@5833] Info:OnRead(localhost:6001, 0000000003953730): called. 242 bytes read (m_nPendingIORef = 1) (ExtECB=0000000003BF4E10), (PFC=0000000002898098)
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlfilter CExtECB::OnRead WhlExt2IWS.cpp@5840] Info:--m_nPendingIORef [0]. (ExtECB=0000000003BF4E10), (PFC=0000000002898098)
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlfilter CExtECB::OnRecvSrvrDataCompleted WhlExt2IWS.cpp@3171] Info:OnRecvSrvrDataCompleted(242): called. (ExtECB=0000000003BF4E10), (PFC=0000000002898098)
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlhttpparser whlHttpParser::CHttpBaseParser::ParseHttpHdr HttpBaseParser.cpp@487] Info:ParseHttpHdr(parser Id: 4): strstr(pTmpWorkBuff, "\r\n\r\n") != NULL and g_bEndOfHeadersByLFLF == TRUE
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlhttpparser whlHttpParser::CBuffer::Concat Buffer.cpp@212] Info:Have enough memory allocated: m_nBuffMaxLen [4096], m_nBuffLength [0], nLen [242]
    [0]12f4.1360 07/01/2010-12:38:30.133 [whlhttpparser whlHttpParser::CHttpBaseHeader::SetHeaderStr HttpBaseHeader.cpp@116] Info:<parser id: 4> Header chunk length: 242Header:[HTTP/1.1 200 OK

    Tuesday, July 20, 2010 5:49 PM
  • Hi Ran,

    The customer was out of office and will be back tomorrow. I will resume working on his machine and will try what you have suggested.

    Regards,
    Id

    Tuesday, July 27, 2010 12:21 AM