Win Server 2012 RDS RemoteApp - Multiple Logon Prompts - Logon Failed

I am at the end of my rope on this one and need some expert assistance - please!  

I have a Windows 2012 Server setup as a stand-alone RDS RemoteApp web server.  There are 2 published programs and I can access them NO PROBLEM from anywhere on my internal network and via VPN when visiting the RDWEB site.  

From the Internet, I can logon to RDWeb site without issue. I can also see the list of published apps, get the connected to Work Resources prompt in the system tray, view the feed of published apps, etc.  However, no matter what I do, when I try to launch a published RemoteApp program while connected to the Internet, I get repeated prompts to logon again and each time, it reads "The logon attempt failed".  I absolutely cannot get this thing to work from the Internet.

I've done a ton of reading and tried countless settings adjustments, all with no success.  When I run BPA, I do get an error which reads "The RD Gateway server must be configured to use a valid SSL certificate".  I have imported a valid GoDaddy SAN cert and the name I'm using to access from the outside world is one of the Subject Alternative Names.  It imports OK and I see no issues when looking at it in RD Gateway Manager.   The roles I have configured are:

RD Licensing
RD Web Access
RD Gateway
RD Connection Broker
RD Session Host

Again, I've spent hours double-checking group memberships, redirect settings, SSL bindings, adding the FQDN to local trusted sites, etc, etc.  Nothing I do seems to let me launch a RemoteApp from the Internet.  I don't even care about SSO, the second logon is fine, I just need it to let me in.

I've tried connecting from both Win 7 64-bit and Win 8 64-bit clients with no luck.  I'm using IE 11 on both.  

One more key note, I'm not using 443 for this RDWeb site.  I'm coming in on a different port and have configured that in the RDS settings (and IIS SSL bindings).  I actually jumped from 2008 R2 to 2012 because I read that 2012 supports alternate port coming inbound from the firewall.  When I test internally, I'm doing it on that custom port and it works fine so I don't think that port has anything to do with it.  Just mentioning it nonetheless.

Please help and thanks in advance!  3 screenshots attached.
dpmoney (Author) Commented:
It worked!  Problem solved!  Here is what I had to do in order to make my RDS RemoteApp program work in Windows Server 2012 using a custom HTTPS port:

Per the article noted above from, I had to run a special PowerShell command in order to specify that my RemoteApp will be coming through a custom HTTPS port on the RD Gateway.  Here is the command from the article:

You'll first need to run:

Import-Module RemoteDesktop

Next, use this command, adding in your values where appropriate.  The Connection Broker part had me scratching my head for a few minutes.  I researched that and it seems that inserting the Fully Qualified Internal Name of your server:

Set-RDSessionCollectionConfiguration -CollectionName "Your Session Collection Name" -CustomRdpProperty "gatewayhostname:s:<RDGW-FQDN>:<yourport>" -ConnectionBroker <Your RD ConnectionBroker>

Once I did this, I rebooted the server then tested the connection from my Windows 8.1 laptop and it worked!  I did get a warning about the SSL cert's name not matching (that is fine).

Next, I needed to get Windows 7 SP1 to connect.  In order to do that, I needed to update RDP in a specific order for it to support RemoteApp on a custom port.  Here is the article where I obtained that info:

Here's the excerpt:

On the Windows 7 SP1 client, do the following:

Uninstall KB2574819 and KB2592687 (if either is installed then you must reboot)

They must be done in this order:

1 - Install either the 32-bit or 64-bit download here:
windows 7 32bit -
windows 7 64bit  -

2 - Install either the 32-bit or 64-bit download here:
windows 7 32bit -
windows 7 64bit -

When finished, you'll need to reboot again.  After, launch Remote Desktop Connection and make sure the version is 6.2.9200

I then attempted to connect to my RemoteApp from the same Win 7 SP1 box and it worked!

Final thoughts - during my intense troubleshooting yesterday, I made a TON of config changes as suggested by numerous articles.  This included registry changes, IIS changes, RDS config changes, etc.  As each one failed, I rolled it back so I'm pretty confident my config is pretty much still stock.  The ONE change I did make per some article on the web was in IIS.  I went to Default Web Site | RDWeb | Pages and then opened Application Settings.  I changed the DefaultTSGateway value to the external FQDN that my users will point to in order to access the RemoteApp - NOT the Internal server name and NOT with the custom port - just the external FQDN.

That's it!  Good luck!
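
The collection change described in the answer above, as an added example that is not part of the original post or the article it cites. The value passed to -CustomRdpProperty replaces the collection's whole custom property string, so this sketch merges gatewayhostname into whatever is already set and reads the result back. The collection name, broker name, gateway name, port and the Merge-RdpProperty helper are all placeholders or hypothetical.

```powershell
# Added example: set gatewayhostname on a session collection without
# discarding other custom RDP properties, then verify what was stored.
Import-Module RemoteDesktop

# Placeholders (assumptions, not values from the post):
$CollectionName = 'QuickSessionCollection'  # your session collection name
$Broker         = 'rds01.corp.example'      # internal FQDN of the RD Connection Broker
$GatewayFqdn    = 'remote.example.com'      # external RD Gateway name, a SAN on the certificate
$GatewayPort    = 8443                      # custom HTTPS port published on the firewall

# Hypothetical helper: custom RDP properties are newline-separated
# "name:type:value" entries; drop any old entry for $Name, append the new one.
function Merge-RdpProperty {
    param([string]$Existing, [string]$Name, [string]$Type, [string]$Value)
    $pattern = '^\s*' + [regex]::Escape($Name) + ':'
    $kept = @($Existing -split "`r?`n" |
        Where-Object { $_.Trim() -and ($_ -notmatch $pattern) })
    ($kept + "${Name}:${Type}:${Value}") -join "`n"
}

# Read the current properties so they are preserved.
$config  = Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -ConnectionBroker $Broker
$desired = "${GatewayFqdn}:${GatewayPort}"
$merged  = Merge-RdpProperty -Existing $config.CustomRdpProperty -Name 'gatewayhostname' -Type 's' -Value $desired

Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty $merged -ConnectionBroker $Broker

# Read back and confirm the gateway entry that clients will receive in their .rdp files.
$after = (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -ConnectionBroker $Broker).CustomRdpProperty
$entry = $after -split "`r?`n" | Where-Object { $_ -match '^\s*gatewayhostname:' }
if ($entry -eq "gatewayhostname:s:$desired") {
    Write-Output "OK: $entry"
} else {
    Write-Warning "Unexpected gateway entry: '$entry' (wanted gatewayhostname:s:$desired)"
}
```

Using a gateway name that appears on the certificate in gatewayhostname keeps the client's certificate name check meaningful.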
Have you installed the RD gateway server certificate issuing authority root \ intermediate certificate on client computers in the root \ intermediate certificate store?

If not, please install the same and check if it allows you to connect.

dpmoney (Author) Commented:
No need to - the issuing CA is GoDaddy which is inherently trusted by Internet Explorer.  I've been using the same type of cert for Exchange and all OWA clients recognize the cert as valid without issue.

I've done a lot of additional research.  The problem seems to be centered around the changing of the RemoteGateway port from standard 443 to something else.  Even in Windows Server 2012, there are additional steps that must be taken to specifically send RemoteApp through a custom port (other than 443).  I found this article which is excellent.

I've run the PowerShell command but it is still not working.  I think the only clients that can use Remote App in a custom port (vs. 443) are those that use RDP v8.1 which is in Windows 8.1.  It can also be done in Win 7 SP1 as long as you have the necessary RDP client updates, but it looks like there were some Smart Card authentication issues with that update in Win 7 SP1 so Microsoft recently pulled it (as of January 2014).  I'm continuing to research and am about to test my implementation from a Windows 8.1 client in the meantime.

I'm leaving this question open to see if anyone can find a way for me to make this work.
S00007359 (Cloud Engineering Officer) Commented:
Okay, for a start we can isolate the issue: Yes, fail back to port 443. Configure the server 2012 to work with 443. Ensure physical firewalls are doing the correct forwarding to the server 2012. Attempt to login from the internet and see how it goes.
If it works, then document all the settings.

Configure to the custom port and check/configure the external firewalls. If possible, you may have to run Wireshark or some scanning program to check if the external traffic [from the internet] is hitting the server 2012.

dpmoney (Author) Commented:
A ton of research and testing paid off
I am also having some issues with changing the port

If someone has an idea..

Question has a verified solution.
