Authentication Errors through SBS 2008 Remote Web Workplace
Greetings all.
I hope someone will be able to help with a problem that's making me extract my hair in great chunks! I'm relatively technical, so please do not hold back with offers of a solution - but my experience with IIS and MS Exchange is little. (Please read on to see how these are relevant with the RWW problems..)
Short story - I have recently built a new server (due to go into production tomorrow - hurrah..) with Windows SBS 2008. I have the Remote Web Workplace running, and users can login, check their e-mails, etc.. However, I am having problems with them using the remote-connect menu to remote machines on the network. Upon selecting a computer from the list, an authentication box appears, and I cannot authenticate to the machine. It just returns with authentication failure errors. (I've tried domain\user and all that..)
The machines *can* be accessed on the local network via RDP. No problems whatsoever. It seems to me like there is something missing between IIS > The TS Service > The machine. I have been researching this like crazy, and it would seem that some component of Exchange 2007 can change the RPC authentication options in IIS, and this argues with the way the details get passed back to be authenticated (slap me if this makes no sense).
If this is related or not - Outlook constantly pops up asking for authentication - even *if* you are logged into a machine with a domain account. From some of the links I’ve read, I have a feeling this could be related - but I'm not entirely sure how.
I *think* this is close to my problem, and some have suggested it as a fix - however, I do not seem to be able to download anything other than a Vista x64 hotfix - which will not apply to the SBS system..
http://support.microsoft.com/kb/954034 - Hotfix I tried (doesn’t apply)
http://itknowledgeexchange.techtarget.com/sbs/sbs-2003-to-sbs-2008-migration-part-4/ - This person has the same problems I have, but his fixes do not work
I fear at this stage I am in over my head, and can mess around with IIS authentication settings until the cows come home, but I fear I will just make it worse.
Hope someone can help, and if you need any more information, please let me know
Kind Regards,
T
I hope someone will be able to help with a problem that's making me extract my hair in great chunks! I'm relatively technical, so please do not hold back with offers of a solution - but my experience with IIS and MS Exchange is little. (Please read on to see how these are relevant with the RWW problems..)
Short story - I have recently built a new server (due to go into production tomorrow - hurrah..) with Windows SBS 2008. I have the Remote Web Workplace running, and users can login, check their e-mails, etc.. However, I am having problems with them using the remote-connect menu to remote machines on the network. Upon selecting a computer from the list, an authentication box appears, and I cannot authenticate to the machine. It just returns with authentication failure errors. (I've tried domain\user and all that..)
The machines *can* be accessed on the local network via RDP. No problems whatsoever. It seems to me like there is something missing between IIS > The TS Service > The machine. I have been researching this like crazy, and it would seem that some component of Exchange 2007 can change the RPC authentication options in IIS, and this argues with the way the details get passed back to be authenticated (slap me if this makes no sense).
If this is related or not - Outlook constantly pops up asking for authentication - even *if* you are logged into a machine with a domain account. From some of the links I’ve read, I have a feeling this could be related - but I'm not entirely sure how.
I *think* this is close to my problem, and some have suggested it as a fix - however, I do not seem to be able to download anything other than a Vista x64 hotfix - which will not apply to the SBS system..
http://support.microsoft.com/kb/954034 - Hotfix I tried (doesn’t apply)
http://itknowledgeexchange.techtarget.com/sbs/sbs-2003-to-sbs-2008-migration-part-4/ - This person has the same problems I have, but his fixes do not work
I fear at this stage I am in over my head, and can mess around with IIS authentication settings until the cows come home, but I fear I will just make it worse.
Hope someone can help, and if you need any more information, please let me know
Kind Regards,
T
Have you looked at #3 in the following (would likely not affect OWA but sounds similar to your RWW problem):
http://blogs.technet.com/b/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-computer-issues-in-sbs-2008.aspx
http://blogs.technet.com/b/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-computer-issues-in-sbs-2008.aspx
ASKER
Hi - Thanks for that. The authentication settings on that page are exactly as they should be - i.e the "Client Computer Group Membership" field is blank.
However, I do think the problem could be to do with point no3 on that page. However, the indicated fix does not work.
However, I do think the problem could be to do with point no3 on that page. However, the indicated fix does not work.
What are you using for a certificate, a purchased cert or the self signed one? If the latter have you deployed it to remote machines? It should be automatically installed on domain joined machines.
ASKER
As it's only a small org. I'm using the default SBS self-signed one. I've installed it on the machines that are not joined to the domain, and do not get any certificate errors. :-)
so is this error when attempting to connect to a workstation on the lan from a PC outside the lan. Or when you are trying to do this from the SBS console on the SBS Server?
ASKER
Sorry - I don't think I'm being very clear.
This is when accessing any device on the domain using the "connect to computer" menu from the SBS Remote Web Workplace. I can access the devices just fine from the console on the server, as well as just fine from any device (domain member or not) using RDP.
This is when accessing any device on the domain using the "connect to computer" menu from the SBS Remote Web Workplace. I can access the devices just fine from the console on the server, as well as just fine from any device (domain member or not) using RDP.
What is the OS of the machines you are connecting to?
ASKER
Both XP Pro SP3.
Have you also installed the latest remote desktop client? This is built into Vista and Win7 but you need to download from Microsoft for XP
In addition to Robs comments also insure Active X is working properly http://msmvps.com/blogs/bradley/archive/2008/05/06/xp-sp3-rww-and-active-x-messages.aspx
ASKER
Thanks both of you. Mstsc version shows that I'm currently running v6.0. Let me download the latest one. I think Active-X is ok, but I'll check that too :-)
Please hold!
Please hold!
May as well go all the way and add the site as a trusted site to the connecting PC. That has been known to be an issue in a few cases as well.
ASKER
Ok. That made no difference whatsoever unfortunately. Still getting authentication errors. Active X is working properly, the clients have the most recent version of RDC, and the domain is forced as a trusted site to the PC.
Any other thoughts, perhaps, kind people?
Any other thoughts, perhaps, kind people?
My suggestion is to run the "Fix My Network" wizard on the SBS console.
Have you also run the SBS BPA (www.sbsbpa.com)
Have you also run the SBS BPA (www.sbsbpa.com)
ASKER
Ok - so. I've run the "fix my network wizard" before - and it comes up with a misconfigured DHCP scope ( it's not misconfigured, I'm just giving out a special option..) However, this time it said that a networking component (Component 4) was misconfigured. I've let it fix the problem, but it's had no effect.
Interestingly - the SBS BPA reports 2 things
1. An incorrect A record for the server?!?!
"The host (A) resource record points to the incorrect IP address 10.1.0.1169.254.183.29. The record should point to 10.1.0.1"
For some reason, it seems to think that a windows autoconfig IP Address has mashed with the IP Address of the server, but all the A Records in DNS look fine to me? All pointing straight back to the correct IP address - I see no sign of the 169.254 address.
2. Hyper-V role is not supported. (Running a proxy in a VM) - A red herring perhaps?
Thanks all.
Interestingly - the SBS BPA reports 2 things
1. An incorrect A record for the server?!?!
"The host (A) resource record points to the incorrect IP address 10.1.0.1169.254.183.29. The record should point to 10.1.0.1"
For some reason, it seems to think that a windows autoconfig IP Address has mashed with the IP Address of the server, but all the A Records in DNS look fine to me? All pointing straight back to the correct IP address - I see no sign of the 169.254 address.
2. Hyper-V role is not supported. (Running a proxy in a VM) - A red herring perhaps?
Thanks all.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Are you running Hype V ON the SBS Box with SBS as the Host...or is SBS the guest?
ps- are there multiple NIC's present on the SBS? Physical or virtual? All but 1 must be disabled, not just connected.
You mention a "special" DHCP scope option, may we ask what.
Perhaps the output of IPConfig /all from the server and 1 client would be beneficial.
You mention a "special" DHCP scope option, may we ask what.
Perhaps the output of IPConfig /all from the server and 1 client would be beneficial.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The physical box is a Dell Poweredge with 2 physical NICs. SBS 2008 is installed on the host, so Hyper-V is running as a service (I have only just realised this isn't "offically" supported on SBS!) :-o
The secondary NIC is disabled. I am, however running the Hyper-V service, with the primary NIC bridged to the VMs. So - yes, there is a virtual NIC. Lemme run and get an ipconfig/all....
The secondary NIC is disabled. I am, however running the Hyper-V service, with the primary NIC bridged to the VMs. So - yes, there is a virtual NIC. Lemme run and get an ipconfig/all....
Not only "not officialy supported" it will break your SBS.
Ipconfig results are likely not needed. With hyper-v installed DHCP will not work properly as pointed out by Cris's article, and client <=> server communications is affected. I am surprised you haven't had more issues.
I really question why Hyper-V is present in the roles on SBS, or at least there isn't a big popup warning you when you try to install, as it is definitely not supported and it's easy to make the mistake of installing it.
I really question why Hyper-V is present in the roles on SBS, or at least there isn't a big popup warning you when you try to install, as it is definitely not supported and it's easy to make the mistake of installing it.
yup..agree with Rob...you are going to have to take HyperV off there..RWW is just one of the issues you will have going forward.
ASKER
Ok. This is slightly worryingn now :-(
I accept that I've (apparently) utterly missed that Hyper-V does not work properly on SBS (frigging heck, why doesn't it warn you when you install the role, as you do on any other S2k8 install!)
I should imagine that DHCP is working, because I've set the binding in the DHCP console to the correct interface already.. I guess this could explain some of the problems I've been having with the repeated requests for authentication in Outlook as well :-(
I was planning to run a couple of virtual workstations on the server, so that people could access them via the RWW portal. How nice an "all in one" package that would be.
I prepare to be shot-down here, But before I dedicate another machine to running VMs :'-( :'-( Has anyone successfully got this working? The only "major" problem I am having is the ability to connect to the machines via RWW. What else can I expect? Or is this just now wasting everyone's time, as it's not supported?
Thanks guys :-(
I accept that I've (apparently) utterly missed that Hyper-V does not work properly on SBS (frigging heck, why doesn't it warn you when you install the role, as you do on any other S2k8 install!)
I should imagine that DHCP is working, because I've set the binding in the DHCP console to the correct interface already.. I guess this could explain some of the problems I've been having with the repeated requests for authentication in Outlook as well :-(
I was planning to run a couple of virtual workstations on the server, so that people could access them via the RWW portal. How nice an "all in one" package that would be.
I prepare to be shot-down here, But before I dedicate another machine to running VMs :'-( :'-( Has anyone successfully got this working? The only "major" problem I am having is the ability to connect to the machines via RWW. What else can I expect? Or is this just now wasting everyone's time, as it's not supported?
Thanks guys :-(
You will simply have a box in a totally unsupported state...sorry.
If you install Hyper V first..the SBS as a Guest with workstations as a guest...supported..lots of folks doing it..works well.
Lots of folks have tried and failed to get this to work...as noted by the KB article.
Sorry for the bad news. And the Outlook issue is not related...Install Exchange 2007 SP3 on the SBS server and that will go away
If you install Hyper V first..the SBS as a Guest with workstations as a guest...supported..lots of folks doing it..works well.
Lots of folks have tried and failed to get this to work...as noted by the KB article.
Sorry for the bad news. And the Outlook issue is not related...Install Exchange 2007 SP3 on the SBS server and that will go away
Agree, it is not possible.
The ideal configuration is SBS premium which comes with licensing to have:
a Server 2008 Hyper-v host
SBS 2008 VM
Server 2008 VM
and SQL.
You can also add additional VM's, assuming you have the horsepower.
The ideal configuration is SBS premium which comes with licensing to have:
a Server 2008 Hyper-v host
SBS 2008 VM
Server 2008 VM
and SQL.
You can also add additional VM's, assuming you have the horsepower.
ASKER
Ok. So I guess my options are..
1. Cry.
2. Dedicated network machine to run VMs - uninstall the Hyper-V role, re-run the "fix my network" wizards, and hope it irons itself out. (Thanks for the Exchange SP3 tip by the way! Ironically I haven't done that because I was scared of breaking the "standard" SBS install..)
3. Run rather un-supported, and get users to access the virtual workstations via RDP from the LAN, or a p2p VPN product like Hamachi to connect from the wider world. Hope I have no on-going problems.
4. Run SBS alongside the Virtual workstations in Hyper-v with Server 2008 as a Host. Does anyone know if Hyper-V has the ability to convert a physical OS to a virtual one? This might save me setting up the whole damn thing again. Might struggle with the BHP at that stage, however.
1. Cry.
2. Dedicated network machine to run VMs - uninstall the Hyper-V role, re-run the "fix my network" wizards, and hope it irons itself out. (Thanks for the Exchange SP3 tip by the way! Ironically I haven't done that because I was scared of breaking the "standard" SBS install..)
3. Run rather un-supported, and get users to access the virtual workstations via RDP from the LAN, or a p2p VPN product like Hamachi to connect from the wider world. Hope I have no on-going problems.
4. Run SBS alongside the Virtual workstations in Hyper-v with Server 2008 as a Host. Does anyone know if Hyper-V has the ability to convert a physical OS to a virtual one? This might save me setting up the whole damn thing again. Might struggle with the BHP at that stage, however.
The following may be of some help outlining virtualization scenarios:
http://blogs.technet.com/b/sbs/archive/2008/09/15/sbs-2008-and-virtualization.aspx
http://blogs.technet.com/b/sbs/archive/2008/09/15/sbs-2008-and-virtualization.aspx
1 always a good option :-)
2 good option
3 not an option, this will come back to haunt you over and over with wizards, patches, and services
4 you can convert physical to virtual with disk2vhd http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx
2 good option
3 not an option, this will come back to haunt you over and over with wizards, patches, and services
4 you can convert physical to virtual with disk2vhd http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx
What Rob said...LOL he just got there faster...
You absolutely do not want to be in an unsupported condition......as soon as you post stuff here or if you contacted MS for support...and they find out you're running Hyper V Role with SBS...the first thing you will be told is to get rid of the Hyper V role because it's not supported
You absolutely do not want to be in an unsupported condition......as soon as you post stuff here or if you contacted MS for support...and they find out you're running Hyper V Role with SBS...the first thing you will be told is to get rid of the Hyper V role because it's not supported
RobWill and I have both posted essentially the same and correct resolution. The author must remove the Hyper V role from the SBS server to get back to a configuration which will work and is supported
I definitely agree. Not only is it unsupported, but guaranteed to have issues for eternity.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
ASKER
Update - I have narrowed down why I think this is happening. when logging into the computer through RWW fails, if I check IIS's permissions, it would seem that "Windows Authentication" in OWA is set to disabled. If I turn it on, and run "iisreset" then I can authenticate fine - for a small period of time. After this, it looks like something decides to disables it - and nothing will work until I reset it again.
Another point of interest - the "fix my network" wizard sees no problems - accept with a DCHP scope, which I know is correct.