Win Server 2012 RDS RemoteApp - Multiple Logon Prompts - Logon Failed

Posted on 2014-02-01
Last Modified: 2014-05-30
I am at the end of my rope on this one and need some expert assistance - please!  

I have a Windows 2012 Server set up as a stand-alone RDS RemoteApp web server.  There are 2 published programs and I can access them NO PROBLEM from anywhere on my internal network and via VPN when visiting the RDWEB site.  

From the Internet, I can logon to RDWeb site without issue. I can also see the list of published apps, get the connected to Work Resources prompt in the system tray, view the feed of published apps, etc.  However, no matter what I do, when I try to launch a published RemoteApp program while connected to the Internet, I get repeated prompts to logon again and each time, it reads "The logon attempt failed".  I absolutely cannot get this thing to work from the Internet.

I've done a ton of reading and tried countless settings adjustments, all with no success.  When I run BPA, I do get an error which reads "The RD Gateway server must be configured to use a valid SSL certificate".  I have imported a valid GoDaddy SAN cert and the name I'm using to access from the outside world is one of the Subject Alternative Names.  It imports OK and I see no issues when looking at it in RD Gateway Manager.   The roles I have configured are:

RD Licensing
RD Web Access
RD Gateway
RD Connection Broker
RD Session Host

Again, I've spent hours double-checking group memberships, redirect settings, SSL bindings, adding the FQDN to local trusted sites, etc, etc.  Nothing I do seems to let me launch a RemoteApp from the Internet.  I don't even care about SSO, the second logon is fine, I just need it to let me in.

I've tried connecting from both Win 7 64-bit and Win 8 64-bit clients with no luck.  I'm using IE 11 on both.  

One more key note, I'm not using 443 for this RDWeb site.  I'm coming in on a different port and have configured that in the RDS settings (and IIS SSL bindings).  I actually jumped from 2008 R2 to 2012 because I read that 2012 supports alternate port coming inbound from the firewall.  When I test internally, I'm doing it on that custom port and it works fine so I don't think that port has anything to do with it.  Just mentioning it nonetheless.

Please help and thanks in advance!  3 screenshots attached.
Question by:dpmoney

Expert Comment

ID: 39827411
Have you installed the RD Gateway server certificate's issuing authority root / intermediate certificates on the client computers, in the root / intermediate certificate stores?

If not, please install them and check whether it allows you to connect.


Author Comment

ID: 39827917
No need to - the issuing CA is GoDaddy which is inherently trusted by Internet Explorer.  I've been using the same type of cert for Exchange and all OWA clients recognize the cert as valid without issue.

I've done a lot of additional research.  The problem seems to be centered around the changing of the RemoteGateway port from standard 443 to something else.  Even in Windows Server 2012, there are additional steps that must be taken to specifically send RemoteApp through a custom port (other than 443).  I found this article which is excellent.

I've run the PowerShell command but it is still not working.  I think the only clients that can use Remote App in a custom port (vs. 443) are those that use RDP v8.1 which is in Windows 8.1.  It can also be done in Win 7 SP1 as long as you have the necessary RDP client updates, but it looks like there were some Smart Card authentication issues with that update in Win 7 SP1 so Microsoft recently pulled it (as of January 2014).  I'm continuing to research and am about to test my implementation from a Windows 8.1 client in the meantime.

I'm leaving this question open to see if anyone can find a way for me to make this work.

Expert Comment

ID: 39828203
Okay, for a start we can isolate the issue: yes, fall back to port 443. Configure the Server 2012 to work with 443. Ensure the physical firewalls are doing the correct forwarding to the Server 2012. Attempt to log in from the Internet and see how it goes.
If it works, then document all the settings.

Configure the custom port and check/configure the external firewalls. If possible, you may have to run Wireshark or some scanning program to check if the external traffic [from the Internet] is hitting the Server 2012.


Accepted Solution

dpmoney earned 0 total points
ID: 39828215
It worked!  Problem solved!  Here is what I had to do in order to make my RDS RemoteApp program work in Windows Server 2012 using a custom HTTPS port:

Per the article noted above from, I had to run a special PowerShell command in order to specify that my RemoteApp will be coming through a custom HTTPS port on the RD Gateway.  Here is the command from the article:

You'll first need to run:

Import-Module RemoteDesktop

Next, use this command, adding in your values where appropriate.  The Connection Broker part had me scratching my head for a few minutes.  I researched that and it seems that inserting the Fully Qualified Internal Name of your server:

Set-RDSessionCollectionConfiguration -CollectionName "Your Session Collection Name" -CustomRdpProperty "gatewayhostname:s:<RDGW-FQDN>:<yourport>" -ConnectionBroker <Your RD ConnectionBroker>

Once I did this, I rebooted the server then tested the connection from my Windows 8.1 laptop and it worked!  I did get a warning about the SSL cert's name not matching (that is fine).

Next, I needed to get Windows 7 SP1 to connect.  In order to do that, I needed to update RDP in a specific order for it to support RemoteApp on a custom port.  Here is the article where I obtained that info:

Here's the excerpt:

On the Windows 7 SP1 client, do the following:

Uninstall KB2574819 and KB2592687 (if either is installed then you must reboot)

They must be done in this order:

1 - Install either the 32-bit or 64-bit download here:
windows 7 32bit -
windows 7 64bit  -

2 - Install either the 32-bit or 64-bit download here:
windows 7 32bit -
windows 7 64bit -

When finished, you'll need to reboot again.  After, launch Remote Desktop Connection and make sure the version is 6.2.9200

I then attempted to connect to my RemoteApp from the same Win 7 SP1 box and it worked!

Final thoughts - during my intense troubleshooting yesterday, I made a TON of config changes as suggested by numerous articles.  This included registry changes, IIS changes, RDS config changes, etc.  As each one failed, I rolled it back so I'm pretty confident my config is pretty much still stock.  The ONE change I did make per some article on the web was in IIS.  I went to Default Web Site | RDWeb | Pages and then opened Application Settings.  I changed the DefaultTSGateway value to the external FQDN that my users will point to in order to access the RemoteApp - NOT the internal server name and NOT with the custom port - just the external FQDN.

That's it!  Good luck!
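Added example, not part of the original post or the article it cites: the same gatewayhostname change written so that it keeps any custom RDP properties already set on the collection (the -CustomRdpProperty value replaces the whole existing string), followed by a check of the certificate the gateway presents on the custom port. The collection name, broker name, gateway FQDN and port below are placeholders, not values from this thread.

```powershell
Import-Module RemoteDesktop

# Placeholders (assumptions): substitute your own values.
$Collection  = 'Your Session Collection Name'
$Broker      = 'broker.internal.example'   # internal FQDN of the RD Connection Broker
$GatewayFqdn = 'rdgw.example.com'          # external name clients connect to
$GatewayPort = 8443                        # custom HTTPS port on the RD Gateway

# 1. Merge the gateway entry into the existing custom RDP properties
#    instead of overwriting them.
$current = (Get-RDSessionCollectionConfiguration -CollectionName $Collection `
            -ConnectionBroker $Broker).CustomRdpProperty
$props = @($current -split "`r?`n" |
           Where-Object { $_ -and $_ -notmatch '^\s*gatewayhostname:' })
$props += "gatewayhostname:s:${GatewayFqdn}:$GatewayPort"
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -ConnectionBroker $Broker -CustomRdpProperty ($props -join "`n")

# 2. From a client, inspect the certificate served on the custom port.
#    The callback records the validation result and returns $true only so the
#    certificate can be read; nothing is sent over this connection.
$script:PolicyErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $GatewayPort)
try {
    $callback = { param($sender, $cert, $chain, $errors)
                  $script:PolicyErrors = $errors; $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($GatewayFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            $ssl.RemoteCertificate
    [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        # 'None' means the chain is trusted and the name matches $GatewayFqdn;
        # 'RemoteCertificateNameMismatch' is the name warning clients will see.
        PolicyErrors = $script:PolicyErrors
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

A PolicyErrors value other than None means the name in gatewayhostname and the names on the gateway certificate do not line up, which is worth correcting rather than having users click through the prompt.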

Author Closing Comment

ID: 39841381
A ton of research and testing paid off

Expert Comment

ID: 40101317
I am also having some issues with changing the port

If someone has an idea..


Question has a verified solution.