RD Gateway Server Credentials.

  • Question

  • Hi,

    Having a difficult time setting up the gateway service.

    We are running 2k8R2 with just(all) the rd services on it.  It is a member of our 2003 domain.

    I was having certificate issues but I believe they're behind us.

    From our internal network we can access the remoteapps and use remote desktop to connect to any of our machines by name or ip.

    Externally however we cannot. 

    Using apps.xxx.xxx we connect right to the box and see the published apps.  After clicking on any of the displayed apps we get prompted for the RD Gateway Server Credentials.  After entering any one of many very valid userids, it reports that "The logon attempt failed." If I use an invalid username like blah it just reprompts for the username with no error.

    I've checked every log in town and all I see is that I was successfully logged on and then immediately thereafter logged off, with no error.

    Perhaps more telling is when I use the remote desktop connection, from the web access, to try and connect to any computer on the network by name, I get the following error- "Remote Desktop can't find the computer "xxxx". This might mean that "xxxx" does not belong to the specified network.  Verify the computer name and domain that you are trying to connect to."  If I use the ip address instead, I get "Remote Desktop can't connect to the remote computer for one of these reasons: 1) Remote access to the server is not enabled 2) The remote computer is turned off 3) The remote computer is not available on the network - Make sure the remote computer is turned on and connected to the network, and that remote access is enabled."

    I can from the RD server when logged on to it locally or remotely via rdp, rdp to any other machine in our network via name or IP.

    I have nothing defined for the rap and the cap clearly should allow me access.  If it was a rap or cap issue, I would expect to see that in the logs, which I don't.

    Any insight you may have will be immensely appreciated.

    Thank you,
    Jim

    Thursday, November 12, 2009 1:35 AM

All replies

  • Please check the following and get back.

    1. Have you published the Gateway/Web Access server behind an ISA?
    2. Have you correctly specified the external name of the Gateway server on the Remote App Manager --> Gateway settings Tab?
    3. Have you correctly specified the external name of the Gateway server on the IIS Manager --> Application Settings --> DefaultTSGateway on the Web Access Server?
    4. Are you using any HTTP redirection on the IIS --> "Default Web site"?
    5. Have you checked the Gateway event logs? Do you see any informational/error messages related to CAP/RAP?
    6. From your client machine, can you check if you can browse to https://<GatewayExternalName>/rpc. It should prompt you for credentials, and upon specifying the credentials it should lead you to a blank page.


    Thanks, Vikash
    Thursday, November 12, 2009 4:15 AM
  • Thank you Vikash,

    1.  We do not have ISA
    2.  Yes, apps.xxx.xxx is correct, it is the same as listed for cn on the verisign ssl cert

    3. I am unsure, but I tend to think No
    In IIS manager, for the default website, there is nothing listed under application settings.  Is that where it should be listed?
    Under the RDWeb application--->application settings 
    DefaultCentralPublishingPort   5504
    RDWebAccessConfigPath %WINDIR%\web\...

    4.  The redirection was setup automatically from the install.
    /RDWeb/Pages/default.aspx


    5.  There are no events in the gateway logs, save starting and stopping due to reboots.

    6.  If I stop the redirection, and enter  https://<GatewayExternalName>/rpc., yes it works fine.  After authentication I get a blank page.



    Sounds like number three is my issue, would you agree?

    Jim
    Thursday, November 12, 2009 2:43 PM
  • This is what I meant in step (3) above.

    To configure Remote Desktop Web Connection behavior
    1. On the TS Web Access server, start Internet Information Services (IIS) Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2. In the left pane, expand the server name, expand Sites, expand Default Web Site, and then click RDWeb/Pages.

    3. In the middle pane, under ASP.NET, double-click Application Settings.

    4. To change Remote Desktop Web Connection settings, modify the values in the Application Settings pane.

      • To configure a default TS Gateway server, double-click DefaultTSGateway, enter the fully qualified domain name of the server in the Value box (for example, server1.contoso.com), and then click OK.
      • To specify the TS Gateway authentication method, double-click GatewayCredentialsSource, type the number that corresponds to the desired authentication method in the Value box, and then click OK. The possible values include:
        0 = Ask for password (NTLM)
        1 = Smart card
        4 = Allow user to select later
      • To configure whether the Remote Desktop tab appears on the TS Web Access page, double-click ShowDesktops. In the Value box, type true to show the Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are finished, click OK.
      • To configure default device and resource redirection settings, double-click the setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable the redirection setting by default, or type false to disable the redirection setting by default, and then click OK.
    5. When you are finished, close IIS Manager.

      Please let me know if it resolves your issue


    Thanks, Vikash
    Thursday, November 12, 2009 4:14 PM
  • Hi Vikash,

    That was definitely a problem but not the whole problem.

    The remote desktop now works perfectly, I can connect to any machine on our network where before I couldn't connect to any.

    Now however, the remoteapps just disappeared.  They are still configured to be available but just aren't, any ideas?

    Thank you,
    Jim
    Thursday, November 12, 2009 7:24 PM
  • What do you mean by Remote App just disappeared? What error exactly do you see on the client after you launch remote apps?
    Thanks, Vikash
    Friday, November 13, 2009 3:30 AM
  • Hi Vikash,

    Not sure what that was about, in regards to my last post.

    I now have the same issue for both remote desktop and RemoteApp programs. 

    First I get the warning that I should trust the publisher of the program and when I click connect I get the Windows Security box for the RD Gateway Server Credentials.  It shows the proper public name of the terminal server.  I've used both local and domain admin accounts, as well as regular user accounts and I get the same message "The logon attempt failed"

    What's odd is that no logon failures show in any logs.

    Thank you,
    Jim
    Saturday, November 14, 2009 12:26 AM
  • Hello Jim,

     

    Thanks for your feedback.

     

    Firstly, as the RemoteApp environment is working correctly in your internal network, it indicates that the configurations on RemoteApp and Web Access publishing are right. Therefore, we need to troubleshoot the problem via the extranet side:

     

    1.     When you said “I can from the RD server when logged on to it locally or remotely via rdp”, do you mean that from the extranet side, you can start a remote desktop connection to the target session host server without any problem? If not, please test the RDC to the target server by the RD Gateway.

    2.     Please upgrade the client remote desktop software to a version that supports Remote Desktop Protocol 7.0.

    3.     You must obtain an externally trusted SSL certificate for the TS Gateway server. Please refer to the Are there any special considerations? section of the following article:

    Terminal Services Gateway (TS Gateway)
    http://technet.microsoft.com/en-us/library/cc731264(WS.10).aspx

    4.     Please temporarily disable the Windows Firewall on both the session host and the gateway, check if the issue persists.

     

    Thanks.

     

    Regards,
    Lionel Chen

    Tuesday, November 17, 2009 8:08 AM
  • Hi Lionel,

    It seems that I get two different results depending on where I'm connecting from.

    From inside the network using https://apps.xxx.xxx or the RD Gateway
    -The RemoteApp Programs  tab is being displayed, but the apps themselves are not.
    -The Remote Desktop works beautifully

    Inside we use WinXpSP3 with rd 6.0.6001.

    In the RemoteApp Deployment Settings I have "Bypass RD Gateway server for local addresses" Unchecked.
    My understanding of this setting is that it forces the internal clients to use the external gateway.

    From home connecting to https://apps.xxx.xxx or the RD Gateway
    - The RemoteApp Programs tab and programs are being displayed but I get the logon failure
    - The Remote Desktop when connecting to any resource, I also get a logon failure.

    At home I use Win7 with rd 7.?

    I am using a externally trusted  SSL certificate for the TS Gateway server, I purchased it from Verisign. 

    I have the firewall disabled on both ends, the TS and the hosts internally and at home.

    I will upgrade one of the winxp machines internally to 7 and report back.

    Thank you,
    Jim

    Tuesday, November 17, 2009 8:00 PM
  • I upgraded the rdc on a winxpsp3 machine to 6.1.7600 on the lan and I still have "Bypass RD Gateway server for local addresses" Unchecked.

    Now the RemoteApp Programs are being displayed but when I try to run one I get "Your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to.  Contact your network admin for assistance."

    The Remote Desktop still works beautifully.

    I'll try it from my Win7 computer from home tonight and report.

    Thank you,
    Jim
    Tuesday, November 17, 2009 8:34 PM
  • For your issue on XP SP3 with RDC 7.0, you would have to enable credSSP on the XP SP3 machine to get it working. Please refer to this KB article http://support.microsoft.com/default.aspx/kb/969084 which describes this as a known issue with RDC 7.0 on XP SP3
    Thanks, Vikash
    Wednesday, November 18, 2009 4:57 AM
  • I am having the exact same problem and my setup is as follows:

    TS Web Access TS Gateway and RDP Server on the same single member server. I have bound IIS to port 8443 as this is what i wish to use. I have a certificate issued by my internal CA which corresponds to the external name of RD Gateway Server.

    When I connect to the TS Web Access website from within the LAN I can get the App. As soon as I do this from the internet I get to the TS Website on port 8443, I can click on the app, but at the next credential prompt, it just keeps asking again and again for the credentials.

    I have carried out the above IIS changes but nothing as such.

    The external name of my RD Gateway server is server.abcdef.co.uk while the remote computer name (actual domain name of the server) is server.adc.co.uk. The certificate issued to IIS is server.abcdef.co.uk that the client does trust and has no errors with it. the TS Website is https://server.abcdef.co.uk:8443/TS

    What else should i be looking at, as this is driving me crazy now.

    The client is Windows 7
    Wednesday, November 18, 2009 10:00 AM
  • Rishidshah,

    Out of curiosity, what do you get when you connect internally but with the "Bypass RD Gateway server for local addresses" unchecked?

    I still get the same exact problem as you while connecting externally with Windows 7, just prompts and prompts and prompts.  I see prompts in my sleep.

    Jim

    Wednesday, November 18, 2009 3:55 PM
  • Hi Jim,
    Please answer the below to help me understand your configuration better.

    1. Do you have any ISA server in the front?
    2. Have you setup any HTTP redirection on your IIS server?
    3. Can you browse to https://<GatewayServerName>/rpc from your client machines? It should prompt you for credentials and upon successful authentication should display a blank page.


    Thanks, Vikash
    Thursday, November 19, 2009 4:34 AM
  • Thank you Vikash,

    1.  We do not have ISA

    2.  The redirection was setup automatically from the install.
    /RDWeb/Pages/default.aspx

    3.  If I stop the redirection, and enter  https://<GatewayExternalName>/rpc., yes it works fine.  After authentication I get a blank page.

    You asked me these questions about a week ago, the answers are still the same.

    Do you think I should just blow away this server and start over?

    Jim
    Thursday, November 19, 2009 3:22 PM
  • I take it from the lack of response and previous circular question that the problem we're having is not "normal."  I'll start over and see how far we get.

    Thank you,
    Jim
    Saturday, November 21, 2009 1:07 AM
  • Hi all-

    It's been several weeks and for the most part this is what I've been working on. I finally got everything to work and the funny thing is it turned out to be what I first thought it was, a cert issue.

    To recap, the issue I had was that I was repeatedly being prompted for the gateway server authentication. I had and still have a valid Verisign cert for our external address. What I didn't have was the two self signed certs for the RemoteApp and RemoteDesktop installed in the root cert store. They were present in the personal store but that was it. I didn't even realize that they were being used.

    That leads to this question- Our implementation will only be used for external access, so to rid the users of the cert warning, is it normal to purchase a second cert for the internal server(s) names as well? I believe this would resolve this, but was hoping for some input. We have about 600 users that would have access to this implementation when done, so there is no way we could feasibly install an internal cert for everybody.

    Thank you again,
    Jim
    Monday, December 7, 2009 11:31 PM
  • This thread was very helpful to me.  I was getting the same error and turned out the problem was someone set the default web site to redirect to /rdweb.  This somehow broke the launching of RemoteApps.  Turning off redirection fixed it, but now I need to figure out how to safely redirect users from http://fqdn/ to https://fqdn/rdweb ...

    Wednesday, April 7, 2010 8:58 PM
  • You can make the redirect work with a little piece of JavaScript:

    - Create a file 'Default.htm' in your webroot on port 80 and configure Anonymous Access (also give the IIS_IUSRS NTFS-read/execute on the file).

    - Make sure 'Default.htm' is set as the first default document.

    - Edit 'Default.htm' and insert the following code:

    <script type="text/javascript">
    // Send the browser to the RD Web Access site over HTTPS.
    function goElseWhere()
    {
    // Use the host name only: appending window.location.pathname
    // would produce URLs such as https://host/Default.htm/RDWeb.
    var newURL = "https://" + window.location.hostname + "/RDWeb";
    window.location = newURL;
    }
    goElseWhere();
    </script>
    
    Monday, April 19, 2010 9:34 AM
  • Hi,

    I'm experiencing the same issue. Can you expand on your answer?

    "what I didn't have was the two self signed certs for the RemoteApp and RemoteDesktop installed in the root cert store. They were present in the personal store but that was it"

    - What do you mean by self signed certs for RemoteApp?

          - Where is that configured?

    - Which servers root cert store?

    - Where else do they need to be?

    thx!

    Monday, April 19, 2010 5:44 PM
  • It was the HTTP redirect. I removed the HTTP redirect from the default website and all was well.
    Monday, April 19, 2010 6:14 PM
  • I finally got the default web site redirected to /RDWEB as well as maintain the functionality of RD Gateway.

    Any attempt to modify the HTTP Redirect under IIS in the default web site caused the RD Gateway to break; resulting in users continually getting prompted to login to the RD Gateway server.  This occurs from the RDWeb site as well as from the RCP client.

    So, my fix included the script specified above from Jeroenimus with all the security settings, but had to make the following additional configurations:

    Created a text file called default.htm, which Windows sees as default.htm.txt in the RD Gateway servers c:\inetpub\wwwroot folder.  Assigned the necessary anonymous and IIS_USR rights (read and execute). Then had to edit the default document list under the default web sites IIS with default.htm.txt, and made it first in the list. I initially had just default.htm and that did not work.

    So now, I can access all my apps from a browser through the RD Gateway by specifying the web sites default web site with no virtual directory specified.

     

    Saturday, June 26, 2010 8:54 PM
  • Hi JKyriazis,

    I realize this is a long time ago, but maybe you remember this anyway.. My issues are very similar to yours, even the detour after suspecting cert issues.. My environment consists of a session host farm on a .local domain. The web access and gateway are exposed to the external net.

    You state that "What I didn't have was the two self signed certs for the RemoteApp and RemoteDesktop installed in the root cert store.". Could you elaborate a little on this? I'm not sure where and how this certificate should be created, imported and selected.

    Thanks!

    Wednesday, July 27, 2011 11:37 AM
  • Hi all, I have read through hundreds of these and they all point to the same thing. I have tried all the solutions and I can't seem to get it to work, it still keeps asking for credentials. I'm certain it's a certificate issue. We have a san_unc certificate issued in the name of the external name but still have no joy...

    starting to believe its a unc cert problem... internal works fine external not...

    Thursday, August 25, 2011 9:18 PM
  • Hi!

    Know this is very old but just for future ref. I had the same issues as posted here and sure enough turned out to be the HTTP Redirect used in IIS on the Default Web Site.  Simple solution was to tick both:

    -Redirect all requests to exact destination

    AND

    -Only redirect requests to content in this directory

    Tuesday, May 13, 2014 3:50 PM
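
Added example (not written by anyone in this thread): a client-side version of the https://<GatewayExternalName>/rpc check requested earlier, which sends one unauthenticated request, follows no redirects, and separates the three outcomes reported in the thread (credential prompt, Default Web Site redirect swallowing /rpc, untrusted certificate). The verdict names, the probe helper and the sample responses are constructed for illustration, and reading a 3xx as "the site-level redirect is being inherited by /rpc" is an interpretation of the posters' reports, not documented gateway behaviour.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

KNOWN_SCHEMES = {"negotiate", "ntlm", "basic"}


def classify_rpc_response(status, headers):
    """Classify an unauthenticated reply from https://<gateway>/rpc.

    headers is a list of (name, value) pairs. Returns (verdict, detail).
    """
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # A redirect here means the request never reached the gateway endpoint.
    if 300 <= status < 400:
        location = by_name.get("location", [""])[0]
        if urlsplit(location).path.lower().startswith("/rdweb"):
            return "redirected-to-rdweb", location
        return "redirected", location

    # The expected result: the endpoint asks for credentials.
    if status == 401:
        offered = sorted({v.split()[0].lower()
                          for v in by_name.get("www-authenticate", []) if v})
        if KNOWN_SCHEMES.intersection(offered):
            return "auth-challenge", ",".join(offered)
        return "401-no-known-scheme", ",".join(offered)

    return "unexpected", str(status)


def probe(host, port=443, path="/rpc", timeout=10):
    """Send one GET to the gateway; http.client never follows redirects."""
    ctx = ssl.create_default_context()  # validates chain and host name
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_rpc_response(resp.status, resp.getheaders())
    except ssl.SSLCertVerificationError as exc:
        return "certificate-untrusted", exc.verify_message
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
CONSTRUCTED_SAMPLES = [
    (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
           ("WWW-Authenticate", 'Basic realm="gw"')]),
    (302, [("Location", "/RDWeb/Pages/default.aspx")]),
    (302, [("Location", "https://apps.example.test/other")]),
    (200, []),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. the gateway's external name
    else:
        for status, headers in CONSTRUCTED_SAMPLES:
            print(status, classify_rpc_response(status, headers))
```

Run it with the gateway's external name as the only argument from a machine outside the LAN; with no argument it only classifies the constructed samples.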
  • I had the same issue.

    I resolved with the next steps:

    1) At the RD gateway console uncheck "request client to send a statement"

    2) At the RD gateway and RDweb server IIS console enable anonymous authentication default site and RPC site

    3) at the RD gateway console use HTTPS-HTTP SSL bridging


    Have a nice day !!!

    Tuesday, July 21, 2015 6:46 AM