RDS 2016 - HTML5 Client certificate error

    Question

  • Hi,

    I've recently deployed the HTML5 Web Client at an existing RDS 2016 setup, using this guide:

    https://custominterfacesolutions.com/html5-web-client-microsoft-remote-desktop-services-2016-steps-install-rd-web-client/

    The setup contains 1 x RDWeb server, 2 x RDGW and 2 x Connection brokers.

    A single publicly trusted wildcard certificate is used for the entire RDS setup, containing the domain name that the servers belong to.

    I'm able to log in to the Web Client and see all the published applications that are available.

    But when trying to connect, I then get a certificate error containing the name of the Remote Desktop Session Host...

    I've managed to find the certificate at the Session Host, containing the same thumbprint as the one in the picture.

    I added the certificate to the Trusted Root Certification Authorities store across all the frontend RDS servers (Web, GW, CB), but that didn't help.

    What seems to be the problem, since I can't find any solution to this error?

    Friday, July 6, 2018 5:39 AM

All replies

  • Hi,

    Please make sure that:
    1. The RD Web Access role is configured with a publicly trusted certificate.
    2. Your URL uses the FQDN of the server hosting the RD Web role.

    Set up the Remote Desktop web client for your users:
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 9, 2018 5:57 AM
    Moderator
  • Hi,

    All the frontend servers (Web, GW, CB) are using the same wildcard certificate, containing the domain name, for both the local and external domain (it's the same domain).

    All the clients are accessing it through the external FQDN, which targets the Web Role server.

    Tuesday, July 10, 2018 5:35 AM
  • Hi,

    1. Do you have the published FQDN (ClientAccessName) for your RDS deployment pointing to the private IP addresses (via DNS RR or load balancer) of your brokers?  You can test from the client by clicking on a RemoteApp using the "legacy" non-HTML5 RDWeb site.  A prompt should come up when you click on a RemoteApp.  The ClientAccessName is the FQDN next to Remote computer:

    2. Please confirm that you exported your certificate as .cer file and then ran Import-RDWebClientBrokerCert on your RDWeb server.  I believe you did but I thought I would ask since you didn't specifically mention it along with the other cert tasks you mentioned.

    Thanks.

    -TP

    Tuesday, July 10, 2018 7:27 AM
    Moderator
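    The certificate step TP asks about in point 2, as an added example (not code from the thread or from Microsoft): export the broker certificate as a DER .cer from the local store, hand it to the HTML5 web client with Import-RDWebClientBrokerCert, and verify that the thumbprint the web client now trusts matches the one the brokers present. It assumes the deployment's wildcard certificate is installed in Cert:\LocalMachine\My on the RD Web Access server; the subject filter is taken from the thread's domain.

```powershell
# Added example; not code from the thread or from Microsoft. Run in an elevated PowerShell
# on the RD Web Access server that hosts the HTML5 client, after Install-RDWebClientPackage.
# Assumption: the deployment's wildcard certificate (the one the brokers present for
# TSCBHA01.domain.dk) is installed in Cert:\LocalMachine\My on this server.
$subjectFilter = 'CN=*.domain.dk*'   # domain taken from the thread; adjust to your own

# Pick the newest unexpired certificate matching the subject rather than hand-typing a thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $subjectFilter -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate matching $subjectFilter in LocalMachine\My" }
"Using certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

# Export only the public certificate (DER .cer). The private key never leaves the store,
# and a .cer file is what Import-RDWebClientBrokerCert expects.
$cerPath = Join-Path $env:TEMP 'rdcb-broker.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Register it with the web client. If the client previously held a different cert, this replaces it.
Import-RDWebClientBrokerCert -Path $cerPath

# Verify: the thumbprint the web client now trusts must equal the one the brokers present.
# The property names on the returned object (Subject, Thumbprint) are an assumption about the module's output.
$trusted = Get-RDWebClientBrokerCert
if ($trusted.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Web client trusts $($trusted.Thumbprint) but the store cert is $($cert.Thumbprint)"
} else {
    "Web client broker certificate matches: $($trusted.Subject)"
}
Remove-Item $cerPath -ErrorAction SilentlyContinue
```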
  • Hi,

    Thanks for the reply.

    1:

    We are accessing the environment from an external IP address.

    The clients connect to the webpage on https://remote.domain.dk, pointing to an external IP address, where a NAT rule is pointed to an HAProxy using SNI inspection.

    The clients then connect to rdsgw.domain.dk, and the connection brokers have a DNS RR using TSCBHA01.domain.dk (this record isn't public).

    2: 

    I've run the commands as described in the guide, so yes, I've run Import-RDWebClientBrokerCert on the WebAccess server.

    I've just tested in the "legacy" web client, and I can't open up any RemoteApps now...

    Your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance

    Tuesday, July 10, 2018 10:39 AM
  • Hi,

    1. Is ClientAccessName set to TSCBHA01.domain.dk ?  I think that is part of what you were saying, but I want to be certain.

    2. For your two RD Gateway servers, do you have a load balancer in front of them?  If yes, do you have it configured for source ip affinity?  Please verify your load balancer (if you are using one) supports/allows Websockets.  I'm guessing it does since you got the cert error with the new client, but it is something to double-check.

    3. Do you have TCP 443 and UDP 3391 forwarded to your RD Gateway servers?  Or just TCP 443?  Both are preferred.

    I recommend first troubleshooting using a Windows PC as the client, legacy RDWeb, and at least the RDP 8.1 client (mstsc 6.3.9600) installed in the case of Windows 7.  Once that is working fine you can move on to test the HTML5 client.

    Try to follow the connection each step of the way.  Look at RD Gateway logs, RDCB logs, RDSH logs, one step at a time, to see how far things get before some sort of failure occurs.

    -TP

    Tuesday, July 10, 2018 12:28 PM
    Moderator
  • Hi,

    1. 

    In the RDS Deployment Properties, it is set to TSCBHA01.domain.dk.

    This resolves to 2 DNS records, pointing to each connection broker (DNS RR).

    2. 

    There is an HAProxy in front that redirects to an internal backend that contains both RD Gateway servers.

    There is no source IP affinity configured - it's open from all source IPs.

    I strongly believe that HAProxy supports WebSockets, since RemoteApps normally work.

    3.

    I believe only TCP 443 is forwarded.

    From what source should I allow port 3391 UDP to the RD Gateway servers?

    I've managed to get the "legacy" client to work again, and am now able to open up the RemoteApps - but the HTML5 client still isn't working.

    I will take a look in the Event Viewer of each server, but thought you should know the above, in case you had any suggestions.

    Tuesday, July 10, 2018 12:49 PM
  • Hi,

    I've been debugging for a while now, and believe I've found the "root error".

    First of all, the "legacy" web interface works perfectly with the current setup, and I'm able to open RemoteApps across several collections.

    When connecting to the RemoteApps from the HTML5 client, I get several acknowledgements in the RD Gateway event log.

    Source: TerminalServices-Gateway

    Event ID: 200, 300, 302, 303.

    Then right after, i get an event ID 308 with the following text:

    The user "Domain\user" (changed), on client computer "192.168.2.62", met RD resource authorization policy (RD RAP) requirements but the network resource "192.168.60.93;192.168.60.93" did not meet the requirements, so the connection was not authorized. Try connection to another network resource or possibly lower RD Gateway security by modifying the RD RAP requirements for the connection to be authorized.

    192.168.60.93 is a session host that works perfectly with the legacy interface.


    On the Connection Broker, I get the following statement:

    Remote Desktop Services: User authentication succeeded:

    User: 
    Domain: 
    Source Network Address: 192.168.62.90

    192.168.62.90 is an RD Gateway that works perfectly with the legacy interface.


    On the Session Host handling the request, I get an event log entry:

    Source: TerminalServices-SessionBroker-Client

    Event ID: 1300

    Remote Desktop Connection Broker Client rejected a call from an unauthorized ip address 192.168.60.98.
    HRESULT = 0x0

    192.168.60.98 is an RD Connection Broker that works perfectly with the legacy interface.


    I can't seem to find any real root causes here, since the legacy interface is working.

    I believe that the entire RDS frontend is configured correctly then.

    Since the error message on the RD Gateway server appears 1 second before the error on the RD Gateway server, I then thought the session host was the issue.

    I've then deployed a completely empty session host and left it in the default Computers OU in Active Directory, so that no GPOs would be applied.

    That didn't change anything, since I saw the same error message.

    One last thing... I've forgotten to mention that I'm running Duo Security on the RD Web server, but yet again, it works perfectly with the legacy website.

    Tuesday, July 10, 2018 5:36 PM
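    The tier-by-tier log walk described in the post above (gateway 200/300/302/303/308, broker "User authentication succeeded", session host 1300), as an added example that is not part of the thread: it pulls those event IDs from each role's operational log over a short window and lines them up on one timeline, so the first denial and the IP addresses it names stand out. Host names are placeholders for the roles in the thread; the 1149 event ID for "User authentication succeeded" is an assumption, since the post quotes the text without its ID.

```powershell
# Added example (not from the thread). Requires remote event log access to the hosts listed.
# Host names are placeholders for the roles described in the thread.
$window = (Get-Date).AddMinutes(-10)   # only the most recent test attempt

# One probe per tier: the log that role writes to and the event IDs the thread shows for it.
# 1149 is assumed to be the "User authentication succeeded" event quoted without an ID.
$probes = @(
    @{ Host = 'RDGW01'; Log = 'Microsoft-Windows-TerminalServices-Gateway/Operational';                 Ids = 200,300,302,303,308 }
    @{ Host = 'RDGW02'; Log = 'Microsoft-Windows-TerminalServices-Gateway/Operational';                 Ids = 200,300,302,303,308 }
    @{ Host = 'RDCB01'; Log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Ids = 1149 }
    @{ Host = 'RDSH01'; Log = 'Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational';    Ids = 1300 }
)

$ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
$timeline = foreach ($p in $probes) {
    try {
        Get-WinEvent -ComputerName $p.Host -ErrorAction Stop `
            -FilterHashtable @{ LogName = $p.Log; Id = $p.Ids; StartTime = $window } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = $p.Host
                Id      = $_.Id
                Level   = $_.LevelDisplayName
                # Every IP the message names: client, resource, peer. Lets you see which hop each event is about.
                IPs     = ([regex]::Matches($_.Message, $ipPattern).Value | Select-Object -Unique) -join ','
                Summary = ($_.Message -split "`r?`n")[0]
                Message = $_.Message
            }
        }
    } catch {
        # Get-WinEvent throws when a log has no matching events; report and carry on with the next tier.
        Write-Warning "$($p.Host) [$($p.Log)]: $($_.Exception.Message)"
    }
}

$timeline | Sort-Object Time | Format-Table Time, Host, Id, Level, IPs, Summary -AutoSize -Wrap

# The pattern the thread reports: a gateway 308 (RD RAP: resource did not meet requirements)
# followed about a second later by a session-host 1300 (broker client rejected an unauthorized IP).
foreach ($e in ($timeline | Where-Object Id -eq 308)) {
    $m = [regex]::Match($e.Message, 'network resource "([^"]+)"')
    if ($m.Success) {
        "RAP denied resource '$($m.Groups[1].Value)' on $($e.Host) at $($e.Time)"
    }
    $timeline | Where-Object { $_.Id -eq 1300 -and [math]::Abs(($_.Time - $e.Time).TotalSeconds) -le 2 } |
        ForEach-Object { "  followed by 1300 on $($_.Host) at $($_.Time): $($_.Summary)" }
}
```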
  • Hi,

    As a test, please open RD Gateway Manager, edit your RD RAP, and on Network Resource tab select Allow users to connect to any network resource.  This needs to be done for both RDG servers since the RAPs are stored locally on each.

    After making the change, please test again with the HTML5 client and reply back with the results.

    Thanks.

    -TP

    Thursday, July 12, 2018 2:51 PM
    Moderator
  • Hi,

    Thx for the tip, but that didn't solve the issue.

    Also, I'm able to open RemoteApps from the legacy interface, so the different network policies should be correct.

    Got any other thoughts?

    Friday, July 13, 2018 6:34 AM
  • Hi,

    1. Okay, after making the change to the RAP that I suggested above, what entries were logged on the RD Gateway when you tested the html5 client, and what precise error message(s) were displayed in the client browser?  If you can translate the error to English for me in addition to providing the original text that would be helpful.

    2. Have you tested the configuration without HA Proxy?  It is possible it isn't configured properly to allow WebSockets to work properly.  I know HA Proxy has support for WebSockets; I'm just unsure if it is configured correctly.

    If you can provide more details on your network configuration, that may be helpful.  Think network diagram showing where each piece (HA Proxy, RDGs, RDWeb, etc.) fits and their local IP.  I'm not asking for a nice visual diagram, just if you could fill in details a little more so I know I have a clear understanding of how you have it set up.

    Would like to get to the bottom of this so that if this is a bug in the new web client I can get it reported ASAP while it is still in preview.

    -TP

    Friday, July 13, 2018 7:24 AM
    Moderator