SBS 2008 - Is Network Level Authentication (NLA) supported through Remote Web Workplace (RWW)?

  • Question

  • Environment: Microsoft SBS 2008 with Windows 7 SP1 Clients.

    Since enabling Network Level Authentication on all our servers and desktops none of our staff can connect from outside the network using Remote Web Workplace to our Windows 2008 Terminal Server or desktops on the internal network (using RDP).

    If they create a VPN tunnel to the network (and don't use RWW) they can connect to any machine without a problem using NLA.

    Also if I turn Network Level Authentication off they can again connect through Remote Web Workplace without a problem.

    Lastly if I configure an RDP client outside the network to connect via the TS Gateway on the SBS 2008 server it allows me to connect to any machine on the network using NLA. So the problem is only occurring when going through Remote Web Workplace.

    The error they get is: VBScript: Remote Desktop Disconnected An internal error has occurred (error 2825). For more information, please contact your network administrator or Microsoft Product Support.

    A similar question has been posted previously: http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/512e8f84-07cb-4e88-ab52-551d650cce63

    and the general response seems to be to turn NLA off.

    Has anyone got Network Level Authentication running through Remote Web Workplace? Is it supported?

    Thursday, May 3, 2012 10:09 PM

Answers

  • Hi,

    1. On your SBS 2008 server, please make a backup copy of the tsweb.aspx file, by default located here:

    C:\Program Files\Windows Small Business Server\Bin\webapp\Remote\tsweb.aspx

    2. Please grant your user full control to tsweb.aspx or run Notepad as an administrator so that you may edit the file using Notepad.

    3. Using Notepad, please open the tsweb.aspx file and add the following line to the configRdp61OnlySettings sub:

    MsRdpClient.AdvancedSettings6.EnableCredSspSupport = TRUE

    4. When you are finished the configRdp61OnlySettings sub should look similar to this:

    sub configRdp61OnlySettings
    	' If GatewayCredSharing is not set, customer will see two logon prompts - for TSG and TS server, but we should continue
    	On Error Resume Next
    	if (<%=UseTsGatewayFlag%>) then 
    		' Pass the credentials used for the gateway to the remote computer
    		MsRdpClient.TransportSettings2.GatewayCredSharing = 1
    		MsRdpClient.TransportSettings2.GatewayDomain = "<%=RWWUtilities.QuoteVbscriptString(strQualifiedDomainName)%>"
    	end if
    	MsRdpClient.AdvancedSettings6.EnableCredSspSupport = TRUE
    end sub

    5. Optionally you may want to also add the following line to the configRdp61OnlySettings sub (you will want your ssl certificates to be correct before adding this):

    MsRdpClient.AdvancedSettings4.AuthenticationLevel = 2

    6. After making the above change(s) please test to see that you are able to connect to a NLA-only host using RWW.

    Thanks.

    -TP

    • Marked as answer by RossJAS Tuesday, May 8, 2012 11:20 PM
    Tuesday, May 8, 2012 6:16 AM
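
Steps 3 and 4 of the answer above, written as a repeatable check. This is an added example, not part of the original post or of SBS; the function name `Add-CredSspSupport` and the sample sub text are hypothetical. It inserts the line only when no uncommented copy is already in `configRdp61OnlySettings`, and the check against the live file is read-only.

```powershell
# Added example; Add-CredSspSupport and the sample text are hypothetical, not SBS code.
$CredSspLine = 'MsRdpClient.AdvancedSettings6.EnableCredSspSupport = TRUE'

function Add-CredSspSupport([string]$Text) {
    # Match the sub from its header up to the newline before its "end sub".
    $pattern = '(?is)(sub\s+configRdp61OnlySettings\b.*?)(\r?\n)([ \t]*end\s+sub)'
    $m = [regex]::Match($Text, $pattern)
    if (-not $m.Success) { throw 'configRdp61OnlySettings sub not found; nothing changed.' }
    $body = $m.Groups[1].Value
    $nl   = $m.Groups[2].Value          # reuse the file's own line ending
    # Only an uncommented assignment counts; a line starting with ' is a VBScript comment.
    $active = '(?im)^[ \t]*MsRdpClient\.AdvancedSettings6\.EnableCredSspSupport\s*=\s*true\b'
    if ($body -match $active) { return $Text }   # already patched, so re-running is harmless
    $patched = $body + $nl + "`t" + $CredSspLine + $nl + $m.Groups[3].Value
    return $Text.Substring(0, $m.Index) + $patched + $Text.Substring($m.Index + $m.Length)
}

# Constructed sample of the unpatched sub, not the full tsweb.aspx.
$sample = @'
sub configRdp61OnlySettings
	On Error Resume Next
	if (<%=UseTsGatewayFlag%>) then
		MsRdpClient.TransportSettings2.GatewayCredSharing = 1
	end if
end sub
'@

$once  = Add-CredSspSupport $sample
$twice = Add-CredSspSupport $once
$once                                                  # patched sub, line added before "end sub"
"Second pass left the text unchanged: $($twice -ceq $once)"

# Read-only check of the live file (path from step 1); writes nothing.
$path = 'C:\Program Files\Windows Small Business Server\Bin\webapp\Remote\tsweb.aspx'
if (Test-Path $path) {
    $live = [System.IO.File]::ReadAllText($path)
    if ((Add-CredSspSupport $live) -ceq $live) {
        'tsweb.aspx: CredSSP line already present'
    } else {
        'tsweb.aspx: CredSSP line missing from configRdp61OnlySettings'
    }
}
```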

All replies

  • Hi,

    It is supported as far as I know. Please check the certificate or the client RDC version. You must have a 6.1+ client (at least XP SP3).


    Regards,

    Clarence



    Monday, May 7, 2012 7:21 AM
  • I don't think it is a RDC issue because I can connect using NLA using a VPN connection or connecting through the Remote Desktop Gateway. The issue only occurs through RWW.
    Monday, May 7, 2012 10:47 PM
  • TP,

    You're a genius. I have been searching on and off for about a month for a solution to this problem. Your solution worked perfectly.

    Very much appreciated.

    Tuesday, May 8, 2012 11:20 PM
  • I second Ross' emotion.

    Thank you so much for this, been pulling my hair on this issue for some time now, you really saved my day! =)

    Monday, July 2, 2012 12:28 PM