UAG RemoteApp breaks after enabling cross-site SSO

  • Question

  • Hi,

    My UAG published RemoteApps were working 100%. Then we enabled the cross-site SSO (to enable SSO between trunks). The SSO works between trunks... but every time I try to run a RemoteApp, the following error message appears:

    "Your computer cant connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go to the firewall website that your network administrator recommends, and then try the connection again; or contact your network administrator for assistance"

    I have verified the Firewall settings on the RD Server, and there is a RDP rule that allows inbound access from anywhere (it worked before cross-site SSO was enabled as I mentioned).

    The SharePoint site was reloaded, and now the following error occurs:

    "your computer cant connect to the remote computer because the cookie was rejected by the Remote Desktop Gateway server"

    Any ideas?

     

    Friday, April 30, 2010 1:20 PM

Answers

  • You may be hitting a known issue with the MSTSC.exe client and long cookies (like the cookie used when enabling cross-site SSO in UAG), although the error message you are receiving seems to be different than the one I am aware of.

     

    The issue I am talking about is mentioned in the UAG RDS publishing guide:

    • If an endpoint running the RDC client is issued a session cookie that is longer than 840 characters, the remote desktop connection fails. This usually occurs if customized code adds cookies, or if you have enabled single sign-on across multiple Forefront Unified Access Gateway (UAG) sites.

    If that is the case, you may be able to solve this issue by installing the hotfix mentioned here: http://support.microsoft.com/default.aspx/kb/977627?p=1

     

    -Ran

    • Marked as answer by Erez Benari Tuesday, May 4, 2010 12:10 AM
    Sunday, May 2, 2010 11:33 AM

All replies

  • I found this statement...is it true?

    "Cookie based authentication is not supported for other RDS roles like RDSH or Remote App"

    http://blogs.msdn.com/rds/archive/2010/01/06/customizing-rd-gateway-authentication-and-authorization-schemes.aspx

    Friday, April 30, 2010 1:40 PM
  • Thanks Ran, but it turns out that after the customer initially asked for SSO between trunks, and finally saw what it does, they changed their minds...and I have removed it :-)

    Lesson learned nevertheless.

     

     

    Sunday, May 2, 2010 4:19 PM
  • Ran,

    Will this hot fix be available for XP SP3 machines that have the RDP 7.0 version client installed?

    Thanks,
    Ken

    Thursday, June 10, 2010 3:59 PM
  • Hi Ken,

    I'll try to find out and get back to you.

    -Ran

    Thursday, June 10, 2010 5:13 PM
  • Thanks.  Vista would be good as well.  We had both Vista and XP SP3 clients working with RD Gateway until we enabled SSO on the trunk.

    Ken

    Thursday, June 10, 2010 6:00 PM
  • Hi Ken,

    To answer your question, AFAIK there are no plans to release a hotfix similar to this one, for XP SP3 and/or Vista clients. Note that this fix was issued by the RDS team, not the UAG team.

    However, there are plans to change the UAG behavior in an upcoming Update or Service Pack for UAG, in order to work around this limitation of the mstsc.exe client. Currently these plans are not yet confirmed, so they might change, and I cannot provide you an ETA for such a fix.

    Regards,

    -Ran

     

    Sunday, June 13, 2010 1:55 PM