Hi,
Having a difficult time setting up the gateway service.
We are running 2k8R2 with just (all) the RD services on it. It is a member of our 2003 domain.
I was having certificate issues but I believe they're behind us.
From our internal network we can access the remoteapps and use remote desktop to connect to any of our machines by name or ip.
Externally however we cannot.
Using the apps.xxx.xxx we connect right to the box and see the published apps. After clicking on any of the displayed apps we get prompted for the RD Gateway Server Credentials. After entering any one of many very valid userids, it reports that "The logon attempt failed." If I use an invalid username like blah it just reprompts for the username with no error.
I've checked every log in town and all I see is that I was successfully logged on and then immediately thereafter logged off, with no error.
Perhaps more telling is when I use the remote desktop connection from the web access and try to connect to any computer on the network by name, I get the following error- "Remote Desktop can't find the computer "xxxx". This might mean that "xxxx" does not belong to the specified network. Verify the computer name and domain that you are trying to connect to." If I use the ip address instead, I get "Remote Desktop can't connect to the remote computer for one of these reasons: 1) Remote access to the server is not enabled 2) The remote computer is turned off 3) The remote computer is not available on the network - Make sure the remote computer is turned on and connected to the network, and that remote access is enabled."
I can from the RD server when logged on to it locally or remotely via rdp, rdp to any other machine in our network via name or IP.
I have nothing defined for the rap and the cap clearly should allow me access. If it was a rap or cap issue, I would expect to see that in the logs, which I don't.
Any insight you may have will be immensely appreciated.
Thank you,
Jim
1. Have you published the Gateway/Web Access server behind an ISA?
2. Have you correctly specified the external name of the Gateway server on the Remote App Manager --> Gateway settings Tab?
3. Have you correctly specified the external name of the Gateway server on the IIS Manager --> Application Settings --> DefaultTSGateway on the Web Access Server?
4. Are you using any HTTP redirection on the IIS --> "Default Web site"?
5. Have you checked the Gateway event logs? Do you see any informational/error messages related to CAP/RAP?
6. From your client machine, can you check if you can browse to https://<GatewayExternalName>/rpc. It should prompt you for credentials, and upon specifying the credentials it should lead you to a blank page.
1. We do not have ISA
2. Yes, apps.xxx.xxx is correct, it is the same as listed for cn on the verisign ssl cert
3. I am unsure, but I tend to think No. In IIS manager, for the default website, there is nothing listed under application settings. Is that where it should be listed? Under the RDWeb application--->application settings: DefaultCentralPublishingPort 5504, RDWebAccessConfigPath %WINDIR%\web\...
4. The redirection was set up automatically from the install: /RDWeb/Pages/default.aspx
5. There are no events in the gateway logs, save starting and stopping due to reboots.
6. If I stop the redirection, and enter https://<GatewayExternalName>/rpc, yes it works fine. After authentication I get a blank page.
Sounds like number three is my issue, would you agree?
Jim
To configure Remote Desktop Web Connection behavior
- On the TSWeb Access server, start Internet Information Services (IIS) Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the left pane, expand the server name, expand Sites, expand Default Web Site, and then click RDWeb/Pages.
- In the middle pane, under ASP.NET, double-click Application Settings.
- To change Remote Desktop Web Connection settings, modify the values in the Application Settings pane.
  - To configure a default TSGateway server, double-click DefaultTSGateway, enter the fully qualified domain name of the server in the Value box (for example, server1.contoso.com), and then click OK.
  - To specify the TSGateway authentication method, double-click GatewayCredentialsSource, type the number that corresponds to the desired authentication method in the Value box, and then click OK. The possible values include:
    0 = Ask for password (NTLM)
    1 = Smart card
    4 = Allow user to select later
  - To configure whether the Remote Desktop tab appears on the TSWeb Access page, double-click ShowDesktops. In the Value box, type true to show the Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are finished, click OK.
  - To configure default device and resource redirection settings, double-click the setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable the redirection setting by default, or type false to disable the redirection setting by default, and then click OK.
- When you are finished, close IIS Manager.
Please let me know if it resolves your issue
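A scripted read-back of the same Application Settings, as an added example that is not part of the original posts: it reports the values the steps above set by hand and flags an empty DefaultTSGateway, an unlisted GatewayCredentialsSource, and redirections that default to on. It assumes RD Web Access is at the default 'Default Web Site/RDWeb/Pages' path and that it is run elevated on that server with the WebAdministration module available; the function name is hypothetical.

```powershell
# Added example: audit the RD Web Access appSettings described in the steps above.
# Assumption: RD Web Access lives at the default 'Default Web Site/RDWeb/Pages'.
Import-Module WebAdministration

$psPath      = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
$credSources = @{ '0' = 'Ask for password (NTLM)'; '1' = 'Smart card'; '4' = 'Allow user to select later' }
$redirKeys   = 'xClipboard', 'xDriveRedirection', 'xPnPRedirection',
               'xPortRedirection', 'xPrinterRedirection'

# Hypothetical helper: return one appSettings value as a string, or $null if absent.
function Get-RDWebSetting([string]$Key) {
    $attr = Get-WebConfigurationProperty -PSPath $psPath `
        -Filter "appSettings/add[@key='$Key']" -Name value -ErrorAction SilentlyContinue
    if ($attr) { [string]$attr.Value } else { $null }
}

$findings = @()

# An empty gateway name means the Remote Desktop tab connects without RD Gateway,
# which matches the "can't find the computer" symptom seen from outside.
$gateway = Get-RDWebSetting 'DefaultTSGateway'
if ([string]::IsNullOrEmpty($gateway)) {
    $findings += 'DefaultTSGateway is empty: Remote Desktop tab connections do not use RD Gateway.'
} elseif ($gateway -notmatch '\.') {
    $findings += "DefaultTSGateway '$gateway' is not a fully qualified domain name."
}

$cred = Get-RDWebSetting 'GatewayCredentialsSource'
if (-not $credSources.ContainsKey("$cred")) {
    $findings += "GatewayCredentialsSource '$cred' is not one of the values listed above (0, 1, 4)."
}

# Redirections that default to 'true' are offered to every web-launched session.
foreach ($key in $redirKeys) {
    if ((Get-RDWebSetting $key) -eq 'true') {
        $findings += "$key is enabled by default for web-launched sessions."
    }
}

"DefaultTSGateway         : $gateway"
"GatewayCredentialsSource : $cred ($($credSources["$cred"]))"
"ShowDesktops             : $(Get-RDWebSetting 'ShowDesktops')"
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```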
That was definitely a problem but not the whole problem.
The remote desktop now works perfect, I can connect to any machine on our network where before I couldn't connect to any.
Now however, the remoteapps just disappeared. They are still configured to be available but just aren't, any ideas?
Thank you,
Jim
Not sure what that was about, in regards to my last post.
I now have the same issue for both remote desktop and RemoteApp programs.
First I get the warning that I should trust the publisher of the program and when I click connect I get the Windows Security box for the RD Gateway Server Credentials. It shows the proper public name of the terminal server. I've used both local and domain admin accounts, as well as regular user accounts and I get the same message "The logon attempt failed"
What's odd is that no logon failures show in any logs.
Thank you,
Jim
Hello Jim,
Thanks for your feedback.
Firstly, as the RemoteApp environment is working correctly in your internal network, it indicates that the configurations on RemoteApp and Web Access publishing are right. Therefore, we need to troubleshoot the problem via the extranet side:
1. When you said I can from the RD server when logged on to it locally or remotely via rdp, do you mean that from the extranet side, you can start a remote desktop connection to the target session host server without any problem? If not, please test the RDC to the target server by the RD Gateway.
2. Please upgrade the client remote desktop software to Remote Desktop Protocol 7.0 supported.
3. You must obtain an externally trusted SSL certificate for the TS Gateway server. Please refer to the Are there any special considerations? section of the following article:
Terminal Services Gateway (TS Gateway)
http://technet.microsoft.com/en-us/library/cc731264(WS.10).aspx
4. Please temporarily disable the Windows Firewall on both the session host and the gateway, check if the issue persists.
Thanks.
Regards,
Lionel Chen
Hi Lionel,
It seems that I get two different results depending on where I'm connecting from.
From inside the network using https://apps.xxx.xxx or the RD Gateway
-The RemoteApp Programs tab is being displayed, but the apps themselves are not.
-The Remote Desktop works beautifully
Inside we use WinXpSP3 with rd 6.0.6001.
In the RemoteApp Deployment Settings I have "Bypass RD Gateway server for local addresses" Unchecked.
My understanding of this setting is that it forces the internal clients to use the external gateway.
From home connecting to https://apps.xxx.xxx or the RD Gateway
- The RemoteApp Programs tab and programs are being displayed but I get the logon failure
- The Remote Desktop when connecting to any resource, I also get a logon failure.
At home I use Win7 with rd 7.?
I am using an externally trusted SSL certificate for the TS Gateway server, I purchased it from Verisign.
I have the firewall disabled on both ends, the TS and the hosts internally and at home.
I will upgrade one of the winxp machines internally to 7 and report back.
Thank you,
Jim
Now the RemoteApp Programs are being displayed but when I try to run one I get "Your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network admin for assistance."
The Remote Desktop still works beautifully.
I'll try it from my Win7 computer from home tonight and report.
Thank you,
Jim
This is what I meant in step (3) above.
To configure Remote Desktop Web Connection behavior
On the TSWeb Access server, start Internet Information Services (IIS) Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the left pane, expand the server name, expand Sites, expand Default Web Site, and then click RDWeb/Pages.
In the middle pane, under ASP.NET, double-click Application Settings.
To change Remote Desktop Web Connection settings, modify the values in the Application Settings pane.
- To configure a default TSGateway server, double-click DefaultTSGateway, enter the fully qualified domain name of the server in the Value box (for example, server1.contoso.com), and then click OK.
- To specify the TSGateway authentication method, double-click GatewayCredentialsSource, type the number that corresponds to the desired authentication method in the Value box, and then click OK. The possible values include:
0 = Ask for password (NTLM)
1 = Smart card
4 = Allow user to select later
- To configure whether the Remote Desktop tab appears on the TSWeb Access page, double-click ShowDesktops. In the Value box, type true to show the Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are finished, click OK.
- To configure default device and resource redirection settings, double-click the setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable the redirection setting by default, or type false to disable the redirection setting by default, and then click OK.
When you are finished, close IIS Manager.
Please let me know if it resolves your issue
Rishidshah,
Out of curiosity, what do you get when you connect internally but with the "Bypass RD Gateway server for local addresses" unchecked?
I still get the same exact problem as you while connecting externally with Windows 7, just prompts and prompts and prompts. I see prompts in my sleep.
Jim
Please answer the below to help me understand your configuration better.
1. Do you have any ISA server in the front?
2. Have you setup any HTTP redirection on your IIS server?
3. Can you browse to https://<GatewayServerName>/rpc from your client machines? It should prompt you for credentials and upon successful authentication should display a blank page.
1. We do not have ISA
2. The redirection was set up automatically from the install. /RDWeb/Pages/default.aspx
3. If I stop the redirection, and enter https://<GatewayExternalName>/rpc, yes it works fine. After authentication I get a blank page.
You asked me these questions about a week ago, the answers are still the same.
Do you think I should just blow away this server and start over?
Jim
Thank you,
Jim
This thread was very helpful to me. I was getting the same error and turned out the problem was someone set the default web site to redirect to /rdweb. This somehow broke the launching of RemoteApps. Turning off redirection fixed it, but now I need to figure out how to safely redirect users from http://fqdn/ to https://fqdn/rdweb ...
You can make the redirect work with a little piece of JavaScript:
- Create a file 'Default.htm' in your webroot on port 80 and configure Anonymous Access (also give the IIS_IUSRS NTFS-read/execute on the file).
- Make sure 'Default.htm' is set as the first default document.
- Edit 'Default.htm' and insert the following code:
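<script type="text/javascript">
// Send visitors of the plain-HTTP site root to RD Web Access over HTTPS.
function goElseWhere()
{
    // Use only the hostname: appending window.location.pathname would produce
    // https://host//RDWeb or https://host/Default.htm/RDWeb.
    var newURL = "https://" + window.location.hostname + "/RDWeb";
    window.location = newURL;
}
goElseWhere();
</script>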
Hi,
I'm experiencing the same issue. Can you expand on your answer?
"what I didn't have was the two self signed certs for the RemoteApp and RemoteDesktop installed in the root cert store. They were present in the personal store but that was it"
- What do you mean by self signed certs for RemoteApp?
- Where is that configured?
- Which servers root cert store?
- Where else do they need to be?
thx!
I finally got the default web site redirected to /RDWEB as well as maintain the functionality of RD Gateway.
Any attempt to modify the HTTP Redirect under IIS in the default web site caused the RD Gateway to break; resulting in users continually getting prompted to login to the RD Gateway server. This occurs from the RDWeb site as well as from the RCP client.
So, my fix included the script specified above from Jeroenimus with all the security settings, but had to make the following additional configurations:
Created a text file called default.htm, which Windows sees as default.htm.txt in the RD Gateway server's c:\inetpub\wwwroot folder. Assigned the necessary anonymous and IIS_USR rights (read and execute). Then had to edit the default document list under the default web site's IIS with default.htm.txt, and made it first in the list. I initially had just default.htm and that did not work.
So now, I can access all my apps from a browser through the RD Gateway by specifying the web sites default web site with no virtual directory specified.
Hi all-
It's been several weeks and for the most part this is what I've been working on. I finally got everything to work and the funny thing is it turned out to be what I first thought it was, a cert issue.
To recap, the issue I had was that I was repeatedly being prompted for the gateway server authentication. I had and still have a valid Verisign cert for our external address. What I didn't have was the two self signed certs for the RemoteApp and RemoteDesktop installed in the root cert store. They were present in the personal store but that was it. I didn't even realize that they were being used.
That leads to this question- Our implementation will only be used for external access, so to rid the users of the cert warning, is it normal to purchase a second cert for the internal server(s) names as well? I believe this would resolve this, but was hoping for some input. We have about 600 users that would have access to this implementation when done, so there is no way we could feasibly install an internal cert for everybody.
Thank you again,
Jim
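The condition Jim describes (self-signed certificates present in the Personal store but absent from Trusted Root), as an added example that is not part of the original posts. The thread does not say which machine's root store was involved, so this reports on the computer stores of whichever machine it is run on; that scope is an assumption.

```powershell
# Added example: which self-signed certificates in the computer's Personal store
# are missing from its Trusted Root store?
# Assumption: computer (LocalMachine) stores of the machine this is run on.
$rootThumbprints = @(Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { $_.Thumbprint })

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Build the chain without revocation lookups so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        InTrustedRoot = ($rootThumbprints -contains $cert.Thumbprint)
        ChainTrusted  = $trusted
        ChainStatus   = $status
    }
}

$columns = 'Subject', 'Thumbprint', 'NotAfter', 'SelfSigned',
           'InTrustedRoot', 'ChainTrusted', 'ChainStatus'
$report | Select-Object $columns | Format-List

# Self-signed certificates that nothing on this machine has been told to trust.
$untrusted = @($report | Where-Object { $_.SelfSigned -and -not $_.InTrustedRoot })
if ($untrusted.Count -gt 0) {
    Write-Warning "$($untrusted.Count) self-signed certificate(s) in Personal are not in Trusted Root."
    $untrusted | ForEach-Object { "  $($_.Thumbprint)  $($_.Subject)" }
}
```

Compare the thumbprints it lists against the certificate actually selected for RemoteApp signing and for the Remote Desktop listener before trusting anything.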
Hi JKyriazis,
I realize this is a long time ago, but maybe you remember this anyway.. My issues are very similar to yours, even the detour after suspecting cert issues.. My environment consists of a session host farm on a .local domain. The web access and gateway are exposed to the external net.
You state that "What I didn't have was the two self signed certs for the RemoteApp and RemoteDesktop installed in the root cert store.". Could you elaborate a little on this? I'm not sure where and how this certificate should be created, imported and selected.
Thanks!
Hi all, I have read through hundreds of these and they all point to the same thing. I have tried all the solutions and I can't seem to get it to work, it still keeps asking for credentials. I'm certain it's a certificate issue. We have a san_unc certificate issued in the name of the external name but still have no joy...
Starting to believe it's a unc cert problem... internal works fine, external not...
Hi!
Know this is very old but just for future ref. I had the same issues as posted here and sure enough turned out to be the HTTP Redirect used in IIS on the Default Web Site. Simple solution was to tick both:
-Redirect all requests to exact destination
AND
-Only redirect requests to content in this directory
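A read-only check of the HTTP Redirect settings that several posts in this thread identify as the cause of the credential prompt loop, as an added example that is not part of the original posts. It assumes RD Gateway and RD Web Access sit under 'Default Web Site' with the gateway at /Rpc, and that the WebAdministration module is available; the function name is hypothetical.

```powershell
# Added example: inspect the Default Web Site HTTP Redirect settings.
# Assumption: RD Gateway is served from /Rpc under 'Default Web Site'.
Import-Module WebAdministration

$section = 'system.webServer/httpRedirect'

# Hypothetical helper: read the effective httpRedirect attributes at one path.
function Get-RedirectSetting([string]$PsPath) {
    $s = @{ Path = $PsPath }
    foreach ($name in 'enabled', 'destination', 'exactDestination', 'childOnly') {
        $attr = Get-WebConfigurationProperty -PSPath $PsPath -Filter $section -Name $name
        $s[$name] = $attr.Value
    }
    New-Object PSObject -Property $s
}

$site = Get-RedirectSetting 'IIS:\Sites\Default Web Site'
$rpc  = Get-RedirectSetting 'IIS:\Sites\Default Web Site\Rpc'

$site, $rpc |
    Select-Object Path, enabled, destination, exactDestination, childOnly |
    Format-Table -AutoSize

$findings = @()
if ($site.enabled -and -not $site.childOnly) {
    # Without childOnly the site-level redirect also catches requests to /Rpc.
    $findings += "Redirect to '$($site.destination)' also applies to subdirectories such as /Rpc; " +
                 "tick 'Only redirect requests to content in this directory'."
}
if ($site.enabled -and -not $site.exactDestination) {
    # Without exactDestination IIS appends the requested path to the destination.
    $findings += "Tick 'Redirect all requests to exact destination' so the requested path is not appended."
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```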
I had the same issue.
I resolved with the next steps:
1) At the RD gateway console uncheck "request client to send a statement"
2) At the RD gateway and RDweb server IIS console enable anonymous authentication default site and RPC site
3) at the RD gateway console use HTTPS-HTTP SSL bridging