Change published FQDN for 2012 R2 RDS

    Question

  • I have Windows Server 2012 R2 (single server hosting all the roles for RDS). I'm using RDS for publishing RemoteApps for both internal and external users. External users connect to remote.company.com and I have a certificate from a public CA (issued to remote.company.com). Active Directory is company.local.

    When external users connect through the RD Gateway and run a RemoteApp they receive this warning message that is caused by an FQDN mismatch.

    I tried to use this script to change the FQDN to match remote.company.com and it does that, but after that external users cannot open RemoteApps anymore. Internally they work.

    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

    I get this error in eventlog:

    The user "COMPANY\username", on client computer "xx.xx.xx.xx", did not meet resource authorization policy requirements and was therefore not authorized to resource "remote.company.com". The following error occurred: "23002".

    If I change the published FQDN back to rds.company.local, RemoteApps start to work again but with the certificate error.

    How can I fix this?

    Saturday, February 21, 2015 1:14 PM

All replies

  • Hi,

    In RD Gateway Manager, please edit the properties of the RD RAP. On the Network Resource tab, please select Allow users to connect to any network resource. After modifying the RD RAP please use the Set-RDPublishedName cmdlet to change the published name to the correct FQDN as you did before.

    Once you verify it is working you could go back in (if you want to) and create an RDG-managed group with all of the required names.

    Thanks.

    -TP

    • Marked as answer by jqx12 Saturday, February 21, 2015 3:29 PM
    Saturday, February 21, 2015 1:29 PM
    Moderator
  • Thanks TP! I got it working now. It's a little confusing when there are many places where you can configure settings for RDS. In Server Manager this was named "Terminal Services" and under that I found the Gateway Manager.

    It seems that I can use this single name remote.company.com for everything.

    Saturday, February 21, 2015 3:29 PM
  • I've been looking for this answer for way too long. What are the security implications of making this change to "Allow users to connect to any network resource"? I noticed that before I made this change we could not connect to Domain Controllers through the RD Gateway; now we can.
    Monday, May 18, 2015 3:07 PM
  • Hi BScholl,

    This means that the users that the RD RAP is applicable to are allowed to use the RD Gateway to connect to any host, provided it is reachable and they have permission to log on via RDP on that server. For example, a regular user could attempt to connect to a domain controller; however, if they do not have permission to log on to the DC via Remote Desktop then it will not work regardless of the RD RAP setting.

    You can create and use an RDG-local group instead, which would allow you to control the target names a user is allowed to connect to. You do this by opening RD Gateway Manager, in the left pane select Resource Authorization Policies, then in the action pane click Manage Local Computer Groups.

    Once you have all of the required names listed in the group please select it in properties of the RD RAP, Network Resource tab.

    Thanks.

    -TP

    Monday, May 18, 2015 11:58 PM
    Moderator
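The check a defender would want before leaving an RD RAP on "Allow users to connect to any network resource", as an added PowerShell example that is not part of this thread: it lists the network-resource scope of every RD RAP on the gateway, flags the permissive setting, and for an RDG-managed group checks whether the published name from the question (remote.company.com) is actually listed, which is the condition behind the 23002 error above. It assumes the RD Gateway WMI classes in root\CIMV2\TerminalServices expose the property names used here (ResourceGroupType, ResourceGroupName, Resources); confirm them with Get-Member on your server before relying on the output.

```powershell
# Added example, not from the thread: audit RD Gateway RAP network-resource scope.
# Assumptions: Win32_TSGatewayResourceAuthorizationPolicy and Win32_TSGatewayResourceGroup
# in root\CIMV2\TerminalServices expose ResourceGroupType ('RG', 'CG', 'ALL'),
# ResourceGroupName, and a semicolon-separated Resources string. Run elevated on the gateway.
param(
    [string]$PublishedName = 'remote.company.com'   # name from the question
)

$ns     = 'root\CIMV2\TerminalServices'
$raps   = Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy
$groups = Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceGroup

foreach ($rap in $raps) {
    $result = 'unknown scope type'
    switch ($rap.ResourceGroupType) {
        'ALL' {
            # The setting the answer enables: any reachable host, limited only by RDP logon rights.
            $result = 'WARN: any network resource (no target restriction on the gateway)'
        }
        'RG' {
            # RDG-managed group: expand its member names and look for the published FQDN.
            $g = $groups | Where-Object { $_.Name -eq $rap.ResourceGroupName }
            $members = @()
            if ($g -and $g.Resources) { $members = $g.Resources -split ';' | Where-Object { $_ } }
            if ($members -contains $PublishedName) {
                $result = "OK: group '$($rap.ResourceGroupName)' includes $PublishedName"
            } else {
                $result = "WARN: group '$($rap.ResourceGroupName)' lacks $PublishedName (expect error 23002)"
            }
        }
        'CG' {
            # Active Directory computer group: membership lives in AD, so only point it out.
            $result = "AD group '$($rap.ResourceGroupName)': confirm it contains $PublishedName"
        }
    }
    [pscustomobject]@{
        Policy  = $rap.Name
        Enabled = $rap.Enabled
        Scope   = $rap.ResourceGroupType
        Result  = $result
    }
}
```

Once the RDG-managed group created via Manage Local Computer Groups lists every published name, the RAP should report OK and the "any network resource" setting can be reverted.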