Solved

Remote Desktop Gateway Login Problem

Posted on 2011-09-14
Last Modified: 2013-11-21
Hi, I have had a problem I can't seem to figure out, and I can't seem to find an answer on the net.

Our setup is simple:
2008 domain.
1 server is running Win2008R2, acting as a Remote Desktop Gateway server and an Exchange 2010 Client Access server. (We do have other servers on the network; this one just acts as a gateway.)
We got a SAN certificate from GoDaddy which we use for remote access to webmail/Outlook Anywhere through this server.
All remote Exchange comms with hostname mail.abcd.com work fine, so we know the certificate is fine.
We have port 443 open.

The install of the role went through fine. I tried to keep the default settings to avoid too many changes. Installed the role. Added the mail.abcd.com certificate. Added the users to the CAP, selected "allow to any network resource" in the RAP. All seems OK.
I have added the certificate to the server's Personal and Trusted Root containers, as well as to a few external clients I'm using for testing. (These clients use XP and Win7.)
The NPS is a default install. (Don't know if this is causing it; can't see anything specific.)

Our problem is that when we attempt to connect to a machine on the local network through the RD Gateway remotely, using the default workstation Remote Desktop Connection, we keep getting the logon error and it keeps prompting for credentials.
If I try using the RDWeb page I still can't connect to any local machines. (I have verified the local machines do have "allow remote connections" enabled.)
I have spent days reading forums and there is a lot about this, but it all points to the same things, which I have tried.
I have tried:
Verifying that the Default Web Site is not redirecting anywhere.
I can log on to the site https://mail.****.co.uk/rpc and it gives me a blank white page.
I have tried going to IIS\Default Web Site\rdweb\pages and changing the application setting "DefaultTsGateway", adding the hostname mail.abcd.com.
There is nothing in the logs that points to anything.
All services are running: RDGateway, RPC, IIS, etc.
Using the RDP client internally does not work either. (If I enable bypassing the gateway for local addresses, it works.)
Using the RDWeb page I can connect locally, but I'm sure it's because it's bypassing the gateway for local addresses.

Because I have Outlook Anywhere and Exchange 2010 Client Access installed, I have been very careful with this, as I have many clients connecting remotely.

Any help would be appreciated.
(Attached screenshots: the error we are getting; the Advanced RDP settings tab; the General tab.)

Question by: lcete

26 Comments
 
LVL 10

Expert Comment

by:SuperTaco
Comment Utility
Check your authentication setting in the RPC virtual directory (should be under Default Web Site) in IIS. Make sure it's set to Windows authentication.

Author Comment by lcete (LVL 1)
I have tried. I followed this article...

Anyhow, start by getting RDWeb working correctly, then work on TS Gateway.

RDWeb should have only Anonymous Authentication enabled. Autodiscover should have Anonymous, Basic and Windows Authentication enabled. OWA: Basic only. RPC should have Basic and Windows Authentication. RPCWCert should not have anything enabled. At least those are the settings in my setup.
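The per-directory authentication table quoted in the post above is easy to check by hand in IIS Manager but tedious to repeat after every change. The following PowerShell script is an added example for this thread, not code from the original post or from Microsoft: it reads the enabled/disabled state of the Anonymous, Basic and Windows authentication modules for each virtual directory under Default Web Site and compares it with the table from the post. The expected table is one administrator's working configuration, as the post says, not an official baseline. It assumes the standard Exchange 2010 and RD Web virtual directory names (Autodiscover, owa, rpc, RpcWithCert, rdweb); the post's "RPCWCert" is taken to mean RpcWithCert. It is read-only and needs the WebAdministration module (IIS 7.5 on Windows Server 2008 R2) in an elevated session.

```powershell
# Added example, not from the thread: audit IIS authentication modules per
# virtual directory against the table quoted in the post above.
Import-Module WebAdministration

# Expected state, copied from the post above (one admin's reference config).
# Keys are virtual directory names under the site; values are the modules
# that should be enabled. Adjust the names to match your own IIS tree.
$expected = @{
    'rdweb'        = @('anonymous')
    'Autodiscover' = @('anonymous', 'basic', 'windows')
    'owa'          = @('basic')
    'rpc'          = @('basic', 'windows')
    'RpcWithCert'  = @()          # the post calls this "RPCWCert" (assumption)
}

# IIS configuration sections for the three authentication modules.
$modules = @{
    anonymous = 'system.webServer/security/authentication/anonymousAuthentication'
    basic     = 'system.webServer/security/authentication/basicAuthentication'
    windows   = 'system.webServer/security/authentication/windowsAuthentication'
}

# Returns a hashtable module-name -> $true/$false for one virtual directory.
function Get-VdirAuthState {
    param([string]$Site, [string]$Vdir)
    $state = @{}
    foreach ($m in $modules.Keys) {
        $p = Get-WebConfigurationProperty -Filter $modules[$m] -Name 'enabled' `
                -PSPath "IIS:\Sites\$Site\$Vdir"
        # Depending on the IIS version this is a bool or a ConfigurationAttribute.
        $value = if ($p -is [bool]) { $p } else { $p.Value }
        $state[$m] = [bool]$value
    }
    return $state
}

# Prints one line per (vdir, module) with OK or MISMATCH; changes nothing.
function Test-AuthBaseline {
    param([string]$Site = 'Default Web Site')
    foreach ($vdir in $expected.Keys) {
        if (-not (Test-Path "IIS:\Sites\$Site\$vdir")) {
            Write-Warning "$Site/$vdir not found; skipping"
            continue
        }
        $actual = Get-VdirAuthState -Site $Site -Vdir $vdir
        foreach ($m in $modules.Keys) {
            $want   = [bool]($expected[$vdir] -contains $m)
            $have   = $actual[$m]
            $status = if ($want -eq $have) { 'OK' } else { 'MISMATCH' }
            '{0,-8} {1,-13} {2,-10} expected={3,-5} actual={4}' -f `
                $status, $vdir, $m, $want, $have
        }
    }
}

Test-AuthBaseline
```

Treat a MISMATCH on an Exchange directory (owa, rpc, Autodiscover, RpcWithCert) as something to fix with the Exchange cmdlets (Set-OwaVirtualDirectory, Set-OutlookAnywhere and friends) rather than by editing IIS directly, because Exchange 2010 rewrites the IIS settings from its own configuration and will undo a direct change.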

Expert Comment by vand (LVL 6)
Any change in behavior with an IISRESET or net start tsgateway?

Author Comment by lcete (LVL 1)
I'm very wary of running an iisreset as I have Exchange 2010 Client Access installed...
Can I run it without causing any damage to Exchange?

Expert Comment by SuperTaco (LVL 10)
Yes, it will just make the CAS unavailable for a few seconds.

Expert Comment by vand (LVL 6)


Expert Comment by vand (LVL 6)
"Remote desktop Gateway server and an Exchange 2010 Client access server." Port Contention! They both use 443.

Author Comment by lcete (LVL 1)
I have checked out that link, no joy.

I know they both use port 443, but surely it's running off the same website and it can differentiate between the traffic. Also, now that you mention it, the Default Web Site does have a ? in a small white circle... all other services are working...

I did try something... in the RDWeb pages I removed the DefaultTsGateway setting "mail.abcd.com", ran iisreset, and tried to connect again; it took a few minutes but it came up with an error, "could not connect...". I added the entry again and ran iisreset again, and it starts popping up for credentials again...

Expert Comment by SuperTaco (LVL 10)
So the same server has CAS and RD Gateway on it... are you using different internal IPs and URLs? If not, you may have a port conflict going on.

Author Comment by lcete (LVL 1)
Both services on the same server... yes.
No additional IP added. I thought it was not needed as I have only one website running (Default Web Site).
Also, I can log on to the RDWeb site without any problem, internally and externally, on HTTPS.

Expert Comment by vand (LVL 6)
lcete, it's port contention. I will try and see if I can get more info. There is no ability to "differentiate"; IIS ties the port to the address.

Expert Comment by vand (LVL 6)
More info:
When setting up a secure site, one that uses an SSL certificate to encrypt the data stream, all of the binding rules from above are still valid but there are special circumstances that must be taken into account.  The primary factor behind this stems from rule number one of secure site bindings: no IP address sharing is allowed unless you have a wildcard certificate or use a non-standard port.

http://support.orcsweb.com/KB/a308/iis-site-bindings.aspx

Expert Comment by vand (LVL 6)
A quick word of caution about wildcard certificates and https bindings: if the certificate name does not include "*." before the domain name, IIS7 will not allow you to use https host names through the UI. Even if the certificate "issued to" contains *.domainname.com, it will not work.

Author Comment by lcete (LVL 1)
Hi vand.

I have had a look at the document and there is something that does not make sense. Bindings are restricted, that I get, but in this case:

We don't have a wildcard cert; we have a SAN.

We have 1 site, the Default Web Site (1 IP), one binding, with multiple virtual directories.

All other virtual directories work:

https://mail.abcd.com/owa
https://mail.abcd.com/rdweb

These are 2 distinct roles and I can log on to both without a problem, no cert errors. If it was a binding problem, would I not have errors logging on to https://mail.abcd.com/rdweb, as this is the virtual directory added when adding the RDG role?

Accepted Solution by vand (LVL 6), earned 500 total points
Named virtual hosting does not work for HTTPS because the server cannot interpret the Host header until the connection has been made, and making the connection requires the completion of the SSL encryption handshake used by HTTPS; SSL certificates (without extensions) can only have a single server host name as their subject, and thus the certificate and connection will only work for a single host name or wildcard. As a result, the named virtual hosting mechanism never has a chance to operate on the incoming connection.
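The accepted answer above, together with vand's earlier "port contention" comment and the orcsweb rule that HTTPS bindings cannot share an IP address, all come down to one question: which services on this host own IP:443, and is that address shared? The script below is an added example for this thread, not code from the original posts, Microsoft or orcsweb. It is a read-only audit that lists the TCP listeners on 443, the HTTP.sys SSL certificate bindings (one certificate per IP:port is all HTTP.sys allows) and the IIS https site bindings, and warns when a certificate is bound to all addresses (0.0.0.0:443), which is the shared-address situation the thread ends up resolving by giving the second service its own IP on a separate server. It targets Windows Server 2008 R2 with PowerShell 2.0, so it parses netstat and netsh output rather than using the newer Get-NetTCPConnection cmdlet; the netstat and netsh column layouts it matches are assumptions about the English-language output.

```powershell
# Added example, not from the thread: read-only audit of who uses TCP 443 on
# this host, to make "port contention" on a shared IP:443 visible.
# Run in an elevated PowerShell session on the server.
Import-Module WebAdministration

# 1. Processes listening on TCP 443, parsed from netstat (assumed columns:
#    Proto, Local Address, Foreign Address, State, PID). IIS registers with
#    HTTP.sys, so the socket owner is typically the kernel ("System", PID 4);
#    the useful part is which local addresses are bound.
function Get-Port443Listeners {
    netstat -ano -p tcp | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[3] -eq 'LISTENING' -and $f[1] -match ':443$') {
            $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                LocalAddress = $f[1]; PID = $f[4]; Process = $proc.Name
            }
        }
    }
}

# 2. HTTP.sys SSL certificate bindings from "netsh http show sslcert". HTTP.sys
#    holds exactly one certificate per IP:port, so two HTTPS services that need
#    different certificates on the same IP:443 cannot both have one.
function Get-SslCertBindings {
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = New-Object PSObject -Property @{
                IPPort = $matches[1]; Hash = ''; AppId = ''
            }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $matches[1]   # IIS uses {4dc3e181-e14b-4a21-b022-59fc669b0914}
        }
    }
    return $bindings
}

# 3. IIS https site bindings; "*:443:" means the site listens on every address.
function Get-IisHttpsBindings {
    Get-WebBinding -Protocol https | ForEach-Object {
        $site = if ($_.ItemXPath -match "@name='([^']+)'") { $matches[1] } else { '?' }
        New-Object PSObject -Property @{ Site = $site; Binding = $_.bindingInformation }
    }
}

# 4. Print the three views and flag wildcard bindings. A certificate bound to
#    0.0.0.0:443 is shared by everything on the host; giving each HTTPS
#    service its own IP (and its own binding) is the way the thread resolved it.
function Show-443Report {
    'Listeners on TCP 443:'
    Get-Port443Listeners | Format-Table LocalAddress, PID, Process -AutoSize
    'HTTP.sys SSL certificate bindings:'
    $ssl = Get-SslCertBindings
    $ssl | Format-Table IPPort, Hash, AppId -AutoSize
    'IIS https site bindings:'
    Get-IisHttpsBindings | Format-Table Site, Binding -AutoSize

    foreach ($b in $ssl) {
        if ($b.IPPort -eq '0.0.0.0:443') {
            $msg = 'Certificate {0} is bound to all addresses on 443 (AppId {1}); ' +
                   'any second HTTPS service on this host shares that binding.'
            Write-Warning ($msg -f $b.Hash, $b.AppId)
        }
    }
}

Show-443Report
```

Run it on the combined CAS/RD Gateway box first and then on the server that takes the gateway role afterwards: on a clean split, each host shows a single certificate binding on 443 for its own address, and the IIS https binding is tied to that address rather than to "*".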

Author Comment by lcete (LVL 1)
OK, is there any way of using this one server as a Client Access server as well as an RD Gateway server? (I'd really like this solution.)

Both protocols use HTTPS/443...
How would I get this to work if my only choice is using a second server, using another port other than 443 (already being used for Client Access)?

Just on another note, this may help:
we have a range of IPs but we are only using 1. Would this help?

Author Comment by lcete (LVL 1)
Just to add, I think this may help: we do have a terminal server running in the environment using the standard port 3389...

Would moving the role there help?
Which port should we use?

Expert Comment by vand (LVL 6)
Moving your RDGateway to the TS server should work as long as nothing on the TS server is using port 443.

Author Comment by lcete (LVL 1)
I'd assume I'd have to use port redirection on our firewall to translate to port 443, as I'm already using it on the Client Access server.
Right?

Expert Comment by vand (LVL 6)
I'm not sure I understand. Your firewall should pass 443 to whomever is getting the request. If your servers exist inside the firewall, you need to allow 443 to both of those servers.

Assisted Solution by lcete (LVL 1), earned 0 total points
Hi guys,

Sorry for the delayed reply, but I have been busy and not had time to visit this problem until a few days ago. vand, you were right to a certain degree, or at least you sent me looking in the right direction. You will have trouble if you have both services installed on the same server.

Here is what I found:

http://www.exchange-genie.com/2009/02/continous-prompting-in-outlook-anywhere/

What we did was, since we had a pool of addresses, I assigned a different IP to the TS server and installed the Gateway server on this second server. Port-mapped the ports for this new server and it worked straight away.

vand, thank you for your help; I'm assigning you the points.

Author Closing Comment by lcete (LVL 1)
After searching found that you will have problems running both services on the same server.

Author Comment by lcete (LVL 1)
Thank you.

Expert Comment by vand (LVL 6)
lcete, is that the right link? The article does not seem to discuss Exchange and Gateway together.

Author Comment by lcete (LVL 1)
Here's the bit that explained to me what the problem was; together with what you said, I figured it out.

  • If you enable Outlook Anywhere before you install Terminal Services Gateway, users cannot connect to their Exchange mailboxes by using RPC over HTTP.
  • If you enable Outlook Anywhere after you install Terminal Services Gateway, Outlook Anywhere users can connect to Exchange by using RPC over HTTP. However, after you open the TS Gateway Manager snap-in, Outlook Anywhere users can no longer connect to Exchange by using RPC over HTTP.

Expert Comment by MichaelGE
Hi,
Sorry to reopen this old post, but I'm wondering: why is it that this works on SBS 2008 and/or SBS 2011? There you have Exchange and RD Gateway on the same machine...