Solved

Remote Desktop Gateway Login Problem

Posted on 2011-09-14
7,314 Views
Last Modified: 2013-11-21
Hi, I have had a problem I can't seem to figure out and can't seem to find an answer to on the net.

Our setup is simple:
2008 domain.
1 server is running Win2008R2 acting as a Remote Desktop Gateway server and an Exchange 2010 Client Access server. (We do have other servers on the network; this one just acts as a gateway.)
We got a SAN certificate from GoDaddy which we use to access webmail/Outlook Anywhere remotely through this server.
All remote Exchange comms with hostname mail.abcd.com work fine, so we know the certificate is fine.
We have port 443 open.

The install of the role went through fine. I tried to keep the default settings to avoid too many changes. Installed the role. Added the mail.abcd.com certificate. Added the users to the CAP, selected "allow to any network resource" in the RAP. All seems OK.
I have added the certificate to the server's Personal and Trusted Root containers, as well as to a few external clients I'm using for testing. (These clients use XP and Win7.)
The NPS is set to the default install. (I don't know if this is causing it; I can't see anything specific.)

Our problem is that when we attempt to connect to a machine on the local network through the RD Gateway remotely, using the default workstation Remote Desktop Connection, we keep getting the logon error and it keeps prompting for credentials.
If I try using the RDWeb page I still can't connect to any local machines. (I have verified that the local machines do have "allow remote connections" enabled.)
I have spent days reading forums and there is a lot about this, but it all points to the same things, which I have tried.
I have tried:
Verifying that the Default Web Site is not redirecting anywhere.
I can log on to the site https://mail.****.co.uk/rpc and it gives me a blank white page.
I have tried going to my IIS\default web site\rdweb\pages and changing the application setting "DefaultTsGateway", adding the hostname mail.abcd.com.
There is nothing in the logs that points to anything.
All services are running: RDGateway, RPC, IIS, etc.
Using the RDP client internally does not work either. (If I enable "bypass RD Gateway for local addresses" it works.)
Using the RDWeb page I can connect locally, but I'm sure it's because it's bypassing the gateway for local addresses.

Because I have Outlook Anywhere and Exchange 2010 Client Access installed, I have been very careful with this, as I have many clients connecting remotely.

Any help would be appreciated.
Attachments: "Error we're getting", "Advanced RDP settings", "General page"
Question by:lcete
26 Comments
 
LVL 10

Expert Comment

by:SuperTaco
ID: 36539794
Check your authentication setting in the RPC virtual directory (should be under the Default Web Site) in IIS. Make sure it's set to Windows Authentication.
0
 
LVL 1

Author Comment

by:lcete
ID: 36539814
I have tried. I was following this article...

Anyhow, start by getting RDWeb working correctly, then work on TSGateway.

RDWeb should have only Anonymous Authentication enabled. AutoDiscover should have Anonymous, Basic and Windows Authentication enabled. OWA: Basic only. RPC should have Basic and Windows Authentication. RPCWithCert should not have anything enabled. At least those are the settings in my setup.
0
 
LVL 6

Expert Comment

by:vand
ID: 36539868
Any change in behavior with an IISRESET or net start tsgateway?
0
 
LVL 1

Author Comment

by:lcete
ID: 36539887
I'm very wary of running an iisreset as I have Exchange 2010 Client Access installed...
Can I run it without causing any damage to Exchange?
0
 
LVL 10

Expert Comment

by:SuperTaco
ID: 36539900
Yes, it will just make the CAS unavailable for a few seconds.
0
 
LVL 6

Expert Comment

by:vand
ID: 36539906
0
 
LVL 6

Expert Comment

by:vand
ID: 36539923
"Remote desktop Gateway server and an Exchange 2010 Client access server." Port Contention! They both use 443.
0
 
LVL 1

Author Comment

by:lcete
ID: 36539981
I have checked out that link, no joy.

I know they both use port 443, but surely it's running off the same website and it can differentiate between the traffic. Also, now that you mention it, the Default Web Site does have a "?" in a small white circle... All other services are working...

I did try something... In the RDWeb pages I removed the DefaultTsGateway setting "mail.abcd.com", ran iisreset, tried to connect again, and after a few minutes it came up with an error: it "could not connect...". I added the entry again and ran iisreset again, and it starts prompting for credentials again...
0
 
LVL 10

Expert Comment

by:SuperTaco
ID: 36539988
So the same server has CAS and RD Gateway on it... Are you using different internal IPs and URLs? If not, you may have a port conflict going on.
0
 
LVL 1

Author Comment

by:lcete
ID: 36540007
Both services on the same server, yes.
No additional IP added. I thought it was not needed, as I have only one website running (Default Web Site).
Also, I can log on to the RDWeb site without any problem, internally and externally, on HTTPS.

0
 
LVL 6

Expert Comment

by:vand
ID: 36543272
lcete, it's port contention. I will try and see if I can get more info. There is no ability to "differentiate": IIS ties the port to the address.
0
 
LVL 6

Expert Comment

by:vand
ID: 36550701
More info:
When setting up a secure site, one that uses an SSL certificate to encrypt the data stream, all of the binding rules from above are still valid but there are special circumstances that must be taken into account.  The primary factor behind this stems from rule number one of secure site bindings: no IP address sharing is allowed unless you have a wildcard certificate or use a non-standard port.

http://support.orcsweb.com/KB/a308/iis-site-bindings.aspx
0
 
LVL 6

Expert Comment

by:vand
ID: 36550704
A quick word of caution about wildcard certificates and https bindings: if the certificate Name does not include "*." before the domain name IIS7 will not allow you to use https host names through the UI. Even if the certificate "issued to" contains *.domainname.com it will not work.  
0
 
LVL 1

Author Comment

by:lcete
ID: 36556028
Hi Vand.

I have had a look at the document and there is something that does not make sense. Bindings are restricted, that I get, but in this case:

We don't have a wildcard cert, we have a SAN.

We have 1 site, the Default Web Site (1 IP), one binding with multiple virtual directories.

All other virtual directories work:

https://mail.abcd.com/owa
https://mail.abcd.com/rdweb

These are 2 distinct roles and I can log on to both without a problem, no cert errors. If it was a binding problem, would I not have errors logging on to https://mail.abcd.com/rdweb, as this is the virtual directory added when adding the RDG role?
0
 
LVL 6

Accepted Solution

by:vand (earned 500 total points)
ID: 36562368
Named virtual hosting does not work for HTTPS because the server cannot interpret the Host header until the connection has been made, and making the connection requires the completion of the SSL encryption handshake used by HTTPS; SSL certificates (without extensions) can only have a single server host name as their subject, and thus the certificate and connection will only work for a single host name or wildcard. As a result, the named virtual hosting mechanism never has a chance to operate on the incoming connection.
0
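As an added diagnostic (not from the thread or either poster), a PowerShell script for the Windows Server 2008 R2 host that checks the layout described above: whether both roles are present, which IIS sites bind HTTPS on the same IP:port, and which certificate HTTP.sys actually presents on each listener. It assumes the IIS 7.5 WebAdministration module and the service names TSGateway (RD Gateway) and MSExchangeRPC (Exchange 2010 RPC Client Access).

```powershell
# Added audit script, not part of the thread. Assumptions: IIS 7.5 WebAdministration
# module available; service names TSGateway (RD Gateway, cf. 'net start tsgateway'
# above) and MSExchangeRPC (Exchange 2010 RPC Client Access). Written for PowerShell 2.0.
Import-Module WebAdministration -ErrorAction Stop

# 1. Are both roles installed on this host? (the thread's failing layout)
$gateway  = Get-Service -Name 'TSGateway'     -ErrorAction SilentlyContinue
$exchange = Get-Service -Name 'MSExchangeRPC' -ErrorAction SilentlyContinue
if ($gateway -and $exchange) {
    Write-Warning "RD Gateway and Exchange CAS are both installed on $env:COMPUTERNAME."
}

# 2. Every HTTPS binding with its owning site. bindingInformation is "IP:port:hostname";
#    IIS 7.5 has no SNI, so bindings with the same IP and port share one TLS listener
#    no matter what the hostname part says.
$bindings = foreach ($site in Get-Website) {
    foreach ($b in $site.bindings.Collection) {
        if ($b.protocol -eq 'https') {
            $ip, $port, $hostName = $b.bindingInformation -split ':'
            New-Object PSObject -Property @{
                Site = $site.name; IP = $ip; Port = $port; HostName = $hostName
            }
        }
    }
}
$bindings | Format-Table Site, IP, Port, HostName -AutoSize

# 3. Flag IP:port pairs claimed by more than one site: these need distinct IPs
#    (or a non-standard port) to coexist, as the accepted answer explains.
$bindings | Group-Object IP, Port | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $sites = ($_.Group | ForEach-Object { $_.Site }) -join ', '
    Write-Warning "Shared HTTPS listener $($_.Name) is used by: $sites"
}

# 4. The certificate HTTP.sys presents in the handshake for each listener. This is
#    decided before any Host header is read, which is why a second HTTPS service on
#    the same IP:443 cannot be told apart by name.
netsh http show sslcert |
    Select-String -Pattern 'IP:port|Certificate Hash' |
    ForEach-Object { $_.Line.Trim() }
```

Run it in an elevated PowerShell session on the gateway/CAS host; a single "*:443" binding owned by the Default Web Site with both roles present reproduces the situation in the question.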
 
LVL 1

Author Comment

by:lcete
ID: 36563664
OK, is there any way of using this one server as a Client Access server as well as an RD Gateway server? (I really would like this solution.)

Both protocols use HTTPS/443...
How would I get this to work if my only choice is using a second server, using another port other than 443 (already being used for Client Access)?

Just on another note, this may help:
we have a range of IPs but we are only using 1. Would this help?
0
 
LVL 1

Author Comment

by:lcete
ID: 36563686
Just to add, I think this may help: we do have a terminal server running in the environment using the standard port 3389...

Would moving the role there help?
Which port should we use?
0
 
LVL 6

Expert Comment

by:vand
ID: 36563791
Moving your RDGateway to the TS server should work as long as nothing on the TS server is using port 443.
0
 
LVL 1

Author Comment

by:lcete
ID: 36563877
I'd assume I'd have to use port redirection on our firewall to translate to port 443, as I'm already using it on the Client Access server.
Right?
0
 
LVL 6

Expert Comment

by:vand
ID: 36593580
I'm not sure I understand. Your firewall should pass 443 to whomever is getting the request. If your servers exist inside the firewall, you need to allow 443 to both of those servers.
0
 
LVL 1

Assisted Solution

by:lcete (earned 0 total points)
ID: 36899351
Hi guys,

Sorry for the delayed reply, but I have been busy and not had time to visit this problem until a few days ago. Vand, you were right to a certain degree, or at least you sent me looking in the right direction: you will have trouble if you have both services installed on the same server.

Here is what I found.

http://www.exchange-genie.com/2009/02/continous-prompting-in-outlook-anywhere/

What we did was, since we had a pool of addresses, I assigned a different IP to the TS server and installed the Gateway server role on this second server. I port-mapped the ports for this new server and it worked straight away.

Vand, thank you for your help, and I'm assigning you the points.
0
 
LVL 1

Author Closing Comment

by:lcete
ID: 36929315
After searching found that you will have problems running both services on the same server.
0
 
LVL 1

Author Comment

by:lcete
ID: 36899364
thank you
0
 
LVL 6

Expert Comment

by:vand
ID: 36906235
lcete, is that the right link? The article does not seem to discuss Exchange and Gateway together.
0
 
LVL 1

Author Comment

by:lcete
ID: 36906337
Here's the bit that explained to me what the problem was; together with what you said, I figured it out.

 • If you enable Outlook Anywhere before you install Terminal Services Gateway, users cannot connect to their Exchange mailboxes by using RPC over HTTP.
 • If you enable Outlook Anywhere after you install Terminal Services Gateway, Outlook Anywhere users can connect to Exchange by using RPC over HTTP. However, after you open the TS Gateway Manager snap-in, Outlook Anywhere users can no longer connect to Exchange by using RPC over HTTP.
0
 

Expert Comment

by:MichaelGE
ID: 36941423
Hi,
Sorry to reopen this old post, but I'm wondering: why is it that this is working on SBS 2008 and/or SBS 2011? There you have Exchange and RD Gateway on the same machine...
0