dpmoney asked:
Win Server 2012 RDS RemoteApp - Multiple Logon Prompts - Logon Failed

I am at the end of my rope on this one and need some expert assistance - please!  

I have a Windows 2012 Server setup as a stand-alone RDS RemoteApp web server.  There are 2 published programs and I can access them NO PROBLEM from anywhere on my internal network and via VPN when visiting the RDWEB site.  

From the Internet, I can logon to RDWeb site without issue. I can also see the list of published apps, get the connected to Work Resources prompt in the system tray, view the feed of published apps, etc.  However, no matter what I do, when I try to launch a published RemoteApp program while connected to the Internet, I get repeated prompts to logon again and each time, it reads "The logon attempt failed".  I absolutely cannot get this thing to work from the Internet.

I've done a ton of reading and tried countless settings adjustments, all with no success.  When I run BPA, I do get an error which reads "The RD Gateway server must be configured to use a valid SSL certificate".  I have imported a valid GoDaddy SAN cert and the name I'm using to access from the outside world is one of the Subject Alternative Names.  It imports OK and I see no issues when looking at it in RD Gateway Manager.   The roles I have configured are:

RD Licensing
RD Web Access
RD Gateway
RD Connection Broker
RD Session Host

Again, I've spent hours double-checking group memberships, redirect settings, SSL bindings, adding the FQDN to local trusted sites, etc, etc.  Nothing I do seems to let me launch a RemoteApp from the Internet.  I don't even care about SSO, the second logon is fine, I just need it to let me in.

I've tried connecting from both Win 7 64-bit and Win 8 64-bit clients with no luck.  I'm using IE 11 on both.  

One more key note, I'm not using 443 for this RDWeb site.  I'm coming in on a different port and have configured that in the RDS settings (and IIS SSL bindings).  I actually jumped from 2008 R2 to 2012 because I read that 2012 supports alternate port coming inbound from the firewall.  When I test internally, I'm doing it on that custom port and it works fine so I don't think that port has anything to do with it.  Just mentioning it nonetheless.

Please help and thanks in advance!  3 screenshots attached.
Step-1---Connects-to-RDWeb.png
Step-2---Publisher-Warning.png
Step-3---Neverending-Logon-promp.png
Mahesh

Have you installed the RD Gateway server certificate's issuing authority root \ intermediate certificate on the client computers, in the root \ intermediate certificate store?

If not, please install the same and check if it allows you to connect.

Mahesh
dpmoney (ASKER)

No need to - the issuing CA is GoDaddy which is inherently trusted by Internet Explorer.  I've been using the same type of cert for Exchange and all OWA clients recognize the cert as valid without issue.

I've done a lot of additional research.  The problem seems to be centered around the changing of the RemoteGateway port from the standard 443 to something else.  Even in Windows Server 2012, there are additional steps that must be taken to specifically send RemoteApp through a custom port (other than 443).  I found this article which is excellent.  

http://redmondmag.com/articles/2013/12/24/rd-gateway-in-windows-server.aspx

I've run the PowerShell command but it is still not working.  I think the only clients that can use Remote App in a custom port (vs. 443) are those that use RDP v8.1 which is in Windows 8.1.  It can also be done in Win 7 SP1 as long as you have the necessary RDP client updates, but it looks like there were some Smart Card authentication issues with that update in Win 7 SP1 so Microsoft recently pulled it (as of January 2014).  I'm continuing to research and am about to test my implementation from a Windows 8.1 client in the meantime.

I'm leaving this question open to see if anyone can find a way for me to make this work.
Okay, for a start we can isolate the issue: yes, fall back to port 443. Configure the Server 2012 to work with 443. Ensure the physical firewalls are doing the correct forwarding to the Server 2012. Attempt to log in from the Internet and see how it goes.
If it works, then document all the settings.

Configure the custom port and check/configure the external firewalls. If possible, you may have to run Wireshark or some scanning program to check if the external traffic [from the Internet] is hitting the Server 2012.

cheers
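To make the isolation steps above and dpmoney's custom-port finding concrete, here is an added PowerShell diagnostic; it is not code posted by anyone in this thread. It assumes it runs elevated on the stand-alone RDS server (RemoteDesktop module, Server 2012 or 2012 R2), and the gateway name `gw.example.com`, port `4443` and collection name `RemoteApps` are placeholders. The final step uses `Set-RDSessionCollectionConfiguration -CustomRdpProperty` to put the port into `gatewayhostname`; that this is the setting the linked redmondmag article describes is an assumption, so compare it against the article before applying it.

```powershell
# Added diagnostic for this thread (not from the original posters).
# Placeholders: gw.example.com, 4443, 'RemoteApps'. Set $ApplyFix = $true to write the
# custom RDP property; otherwise the script only reports.
$GatewayFqdn    = 'gw.example.com'   # placeholder: external name; must be a SAN on the cert
$GatewayPort    = 4443               # placeholder: custom port used instead of 443
$CollectionName = 'RemoteApps'       # placeholder: session collection holding the RemoteApps
$Broker         = $env:COMPUTERNAME  # stand-alone deployment: the broker is this host
$ApplyFix       = $false

Import-Module RemoteDesktop

# Step 1 (responder's isolation): is the gateway port reachable at all? Run this part
# from the Internet-side client too; a failure here is firewall/NAT, not RDS config.
$client = New-Object System.Net.Sockets.TcpClient
try   { $client.Connect($GatewayFqdn, $GatewayPort); $reachable = $true }
catch { $reachable = $false }
finally { $client.Close() }
"TCP $GatewayFqdn`:$GatewayPort reachable: $reachable"

# Step 2: the certificate bound to the RD Gateway role must list the external name as a SAN
# (this is what the BPA 'valid SSL certificate' warning is about).
$gwCert = Get-RDCertificate -Role RDGateway -ConnectionBroker $Broker
$cert   = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $gwCert.Thumbprint
$sans   = @($cert.DnsNameList | ForEach-Object Unicode)
"Gateway cert SANs: $($sans -join ', ')"
"External name covered by cert: $($sans -contains $GatewayFqdn)"

# Step 3: the gateway name the deployment publishes to clients.
$gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
"Deployment gateway FQDN: $($gw.GatewayExternalFqdn)  mode: $($gw.GatewayMode)"

# Step 4 (dpmoney's finding): with a non-443 gateway port, the RDP file handed out by
# RD Web must carry host:port in gatewayhostname; otherwise clients still go to 443.
# Assumption: this is the -CustomRdpProperty setting the linked article describes.
# Only RDP 8.1-capable clients honour the host:port form, as noted in the thread.
$prop = "gatewayhostname:s:$GatewayFqdn`:$GatewayPort"
if ($ApplyFix) {
    Set-RDSessionCollectionConfiguration -CollectionName $CollectionName `
        -ConnectionBroker $Broker -CustomRdpProperty $prop
    "Applied custom RDP property: $prop"
} else {
    "Would apply custom RDP property: $prop (set `$ApplyFix = `$true to write it)"
}
```

Run it once with port 443 and once with the custom port: if step 1 fails only on the custom port, the problem is forwarding; if steps 1 to 3 pass and the logon loop persists, the RDP file and client version (step 4) are what remain to check.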
ASKER CERTIFIED SOLUTION (by dpmoney)
dpmoney (ASKER)
A ton of research and testing paid off
Hi,
I am also having some issues with changing the port:
https://www.experts-exchange.com/questions/28445115/Specific-port-missing-in-RDS-published-apps-2012.html

If someone has an idea..

Thanks