I have a single Windows Server 2008 R2 server that is hosting both my TS Gateway and TS RemoteApp. The server sits in a DMZ and appropriate firewall rules have been added to allow communication in and out (both directions). The server is part of the local domain that our entire enterprise is running on.
The application that I am trying to host is IE and users will access websites that sit outside of the DMZ. The reason for the DMZ is added protection from other websites and applications and data that should not be accessed.
I have created a separate OU for users that will only be allowed to access this server (Active Directory "logon to" settings). These users do not have administrative privileges but they are capable of logging onto this one box (I have checked this). They are part of the remote desktop users group on the local box.
All users within the domain (including users mentioned above) can log into the RDWEB connection. Once in each different type of user can see that correct remote apps that they can launch. Once I click on the application it launches and the user is prompted to enter their user name and password (with domain). Three scenarios occur here:
1) If domain admins put in their user name and password they are capable of launching remote applications and everything runs fine.
2) If normal domain users put in their user name and password they get a message prompt that says your account is not allowed to connect remotely (this is disabled by GPO for a reason so I don't expect this to work).
3) If a user that is within this new OU mentioned in setup section above uses their user name and password the local security log on the server shows EventID Error 533 of Type 3 (Network). The remote application never launches because it continues to say invalid user name and/or password. The authentication prompt appears over and over again until you select cancel. There is no other error or message that shows up...and I have been unable to find a solution to this problem.
Any ideas on how to solve this?