Remote Desktop Services logon issues
Hello,
I will preface this question by saying this is my first foray into Terminal Server/Remote Desktop Server configuration, so I may have done something obvious wrong that is causing my issues.
I am attempting to configure a Remote Desktop Serivces server for our remote offices to connect in to the network and run our accounting app.
Our network is configured as follows:
DC1 - Windows Server 2003 Standard, R2, SP2
DC2 - Server 2008 Enterprise, R2 (Virtual)
TS1 - Server 2008 Enterprise, R2 (Virtual)
The Remote Desktop Session Host and Remote Desktop Web Access roles are installed on TS1.
The Remote Desktop Licensing role is installed on DC2. The licensing server has been activated, and the RD User CALs have been applied.
I chose to not use Network Level Authentication, as my remote users have a mixture of XP Pro and Windows 7 workstations.
Here is where things get strange...
If I try to log on to the RD Web page (https://cspvmts/rdweb) from a workstation on the domain, using IE8, I am first prompted with a Windows Security logon. However, I cannot log on with any domain accounts (user or administrator). After 3 tries I am directed to a '401 not authorized' page. However, I CAN log on to the RDWeb if I use the machine administrator account and password. Once in, I can then log on to the RDS Default Connection and launch the accounting app from the RemoteApp tab.
If I try to log on to the RD Web page from a workstation on the domain using Mozilla Firefox v. 3.6.13, I CAN log in at the Windows Security logn with a domain user or admin account. I can also log in to the RDS Default Connection login. However, my RemoteApp tab is missing the launch icon for our accounting software. I have verified using RemoteApp Manager on the RDH that the RemoteApp program is set to show in RD Web Access.
Creating the .rdp file works ok. I haven't yet tried to create a Windows Installer Package.
Any thoughts would be appreciated....
Thanks!
I will preface this question by saying this is my first foray into Terminal Server/Remote Desktop Server configuration, so I may have done something obvious wrong that is causing my issues.
I am attempting to configure a Remote Desktop Serivces server for our remote offices to connect in to the network and run our accounting app.
Our network is configured as follows:
DC1 - Windows Server 2003 Standard, R2, SP2
DC2 - Server 2008 Enterprise, R2 (Virtual)
TS1 - Server 2008 Enterprise, R2 (Virtual)
The Remote Desktop Session Host and Remote Desktop Web Access roles are installed on TS1.
The Remote Desktop Licensing role is installed on DC2. The licensing server has been activated, and the RD User CALs have been applied.
I chose to not use Network Level Authentication, as my remote users have a mixture of XP Pro and Windows 7 workstations.
Here is where things get strange...
If I try to log on to the RD Web page (https://cspvmts/rdweb) from a workstation on the domain, using IE8, I am first prompted with a Windows Security logon. However, I cannot log on with any domain accounts (user or administrator). After 3 tries I am directed to a '401 not authorized' page. However, I CAN log on to the RDWeb if I use the machine administrator account and password. Once in, I can then log on to the RDS Default Connection and launch the accounting app from the RemoteApp tab.
If I try to log on to the RD Web page from a workstation on the domain using Mozilla Firefox v. 3.6.13, I CAN log in at the Windows Security logn with a domain user or admin account. I can also log in to the RDS Default Connection login. However, my RemoteApp tab is missing the launch icon for our accounting software. I have verified using RemoteApp Manager on the RDH that the RemoteApp program is set to show in RD Web Access.
Creating the .rdp file works ok. I haven't yet tried to create a Windows Installer Package.
Any thoughts would be appreciated....
Thanks!
ASKER
No go... reset IE and no change to the problem. I looked at the RemoteApp properties, and they were set to 'All authenticated users'. Just to try, I changed it to 'specified users' and inserted the remote users group here, but the issue with Mozilla didn't change, so I set it back to 'All authenticated users'.
Is TS1 a member of the TS Web Access Computers group? Also check to see if the Remote Desktop Users group on TS1 is populated.(add Domain users as a starting point)
Just for fun check and see if the ActiveX control for RDS sessions is being used on the IE8 machines as well. Strange issue.
Just for fun Restart IIS too. Sounds almost like IIS isn't talking to active directory for IE8 users.
Just for fun check and see if the ActiveX control for RDS sessions is being used on the IE8 machines as well. Strange issue.
Just for fun Restart IIS too. Sounds almost like IIS isn't talking to active directory for IE8 users.
ASKER
TS1 is a member of the Web Acess Computers group (local group that resides on the RDS Host, in this case TS1, correct?).
Our remote user group was added to the Remote Desktop Users Group on TS1.
I don't know how to check to see if the ActiveX control for RDS sessions is being used on the IE8 machines.
I tried restarting IIS and the RDS services, again with no change.
Your last thought about IIS not talking to AD got me to thinking though... there are a couple of weird things going on with IIS as well... one of them being a DCOM error that I am getting because IISWAMReg can't complete the local activation (the settings for this are greyed out for some reason)... the second is that if I log into the IIS admin site, I can't log on with a domain account at this point, either.
I am wondering if something in IIS may be broken... I think I will try removing the IIS and RDS roles and reinstalling them... it may be the quicker solution, even if I can't find out exactly what the root cause is...
Our remote user group was added to the Remote Desktop Users Group on TS1.
I don't know how to check to see if the ActiveX control for RDS sessions is being used on the IE8 machines.
I tried restarting IIS and the RDS services, again with no change.
Your last thought about IIS not talking to AD got me to thinking though... there are a couple of weird things going on with IIS as well... one of them being a DCOM error that I am getting because IISWAMReg can't complete the local activation (the settings for this are greyed out for some reason)... the second is that if I log into the IIS admin site, I can't log on with a domain account at this point, either.
I am wondering if something in IIS may be broken... I think I will try removing the IIS and RDS roles and reinstalling them... it may be the quicker solution, even if I can't find out exactly what the root cause is...
I think you might have found your solution. Let us know...
For what it's worth I have configured quite a few RDS servers over the past 6 months and every one of them has had some sort of little nagging issue to work out. Like you I have uninstalled and re-installed more times than I would have liked to admit. Just be thankful you aren't working with RDSFarms and Session Brokering and Certificates. That brings back bad memories just mentioning it.
Good Luck
For what it's worth I have configured quite a few RDS servers over the past 6 months and every one of them has had some sort of little nagging issue to work out. Like you I have uninstalled and re-installed more times than I would have liked to admit. Just be thankful you aren't working with RDSFarms and Session Brokering and Certificates. That brings back bad memories just mentioning it.
Good Luck
ASKER
if you're still monitoring, here is where I am at now...
formatted, reloaded, and joined the RDS server to the domain with a different name, just in case I had some active directory issues causing me headaches.
Installed the remote desktop host and remote web role on my RDS Server (licensing server is on another box). Installed the application on the RDS Host.
at this point, the RD works perfectly over the intranet. I can connect to it internally and launch my application with no problems. However...
Since I have the box set up on the internal network, I used the wizard in my SonicWALL NSA240 firewall to create a Terminal Services rule (configured a NAT policy to route any 3389 traffic to a specific external ip inside to the internal ip of my RDS host). This setup didn't work because I used the RDWeb functionality, so I removed the 3389 services and directed based on port 443. At this point I can connect to the RDWeb site from outside the network.
However (again), I can see my RemoteApps, but when I try to run them I get the message 'The remote computer could not be found. Please contact your helpdesk about this error.'
Because the RDS Host sits inside the network, I don't think I should need to open the terminal services ports (I tried it just in case, but it didn't help).
I don't have a Remote Desktop Gateway installed, but according to the documentation, and from other postings, it isn't necessary. I did go into the RemoteApp Deployment Settings screen and change the RDGateway settings from from 'Automatically detect RD Gateway server settings' to 'Do not use an RD Gateway Server', but it didn't have any effect.
I am stumped here... any suggestions?
formatted, reloaded, and joined the RDS server to the domain with a different name, just in case I had some active directory issues causing me headaches.
Installed the remote desktop host and remote web role on my RDS Server (licensing server is on another box). Installed the application on the RDS Host.
at this point, the RD works perfectly over the intranet. I can connect to it internally and launch my application with no problems. However...
Since I have the box set up on the internal network, I used the wizard in my SonicWALL NSA240 firewall to create a Terminal Services rule (configured a NAT policy to route any 3389 traffic to a specific external ip inside to the internal ip of my RDS host). This setup didn't work because I used the RDWeb functionality, so I removed the 3389 services and directed based on port 443. At this point I can connect to the RDWeb site from outside the network.
However (again), I can see my RemoteApps, but when I try to run them I get the message 'The remote computer could not be found. Please contact your helpdesk about this error.'
Because the RDS Host sits inside the network, I don't think I should need to open the terminal services ports (I tried it just in case, but it didn't help).
I don't have a Remote Desktop Gateway installed, but according to the documentation, and from other postings, it isn't necessary. I did go into the RemoteApp Deployment Settings screen and change the RDGateway settings from from 'Automatically detect RD Gateway server settings' to 'Do not use an RD Gateway Server', but it didn't have any effect.
I am stumped here... any suggestions?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Fingo,
well, when all was said and done, I was able to get it to function properly. I had been leaving the RD Gateway Configuration to automatically detect gateway server. When I manually specified my RD Host as the gateway, it took off...
However, from that point on, the enterprise portal (we run a Microsoft Dynamix AX ERP system, which uses IIS on this server to host it's portal website) has been broken. The guy in charge of it thought it was a problem with RDS corrupting something within IIS7.0, so he uninstalled and reinstalled IIS. This solved his problem, but broke my RDS Host.
NOW... :)
I am attempting to uninstall RDS and reinstall it (i cannot get the default rdweb pages to even display, and I am not proficient enough with IIS to be able to troubleshoot why), but I receive the following error:
attempt to un-install remote desktop web access failed with error code 0x80070643.
This error is a generic windows installer error, with nothing else being logged in the event viewer. I would really hate to break IIS and bring back the developer who is reponsible for the portal to reconfigure again...
any suggestions?
Scott
well, when all was said and done, I was able to get it to function properly. I had been leaving the RD Gateway Configuration to automatically detect gateway server. When I manually specified my RD Host as the gateway, it took off...
However, from that point on, the enterprise portal (we run a Microsoft Dynamix AX ERP system, which uses IIS on this server to host it's portal website) has been broken. The guy in charge of it thought it was a problem with RDS corrupting something within IIS7.0, so he uninstalled and reinstalled IIS. This solved his problem, but broke my RDS Host.
NOW... :)
I am attempting to uninstall RDS and reinstall it (i cannot get the default rdweb pages to even display, and I am not proficient enough with IIS to be able to troubleshoot why), but I receive the following error:
attempt to un-install remote desktop web access failed with error code 0x80070643.
This error is a generic windows installer error, with nothing else being logged in the event viewer. I would really hate to break IIS and bring back the developer who is reponsible for the portal to reconfigure again...
any suggestions?
Scott
ASKER
Still having issues, but I think i am on the right track. Thanks for your help. I am going to close this question and submit another for the IIS problems I am having.
Thanks
Thanks
When this works it is great, but troubleshooting it can be a pain sometimes.
Let us know if these things work or not.
Hope it helps!