Solved

Win Server 2012 RDS RemoteApp - Multiple Logon Prompts - Logon Failed

Posted on 2014-02-01
Last Modified: 2014-05-30
I am at the end of my rope on this one and need some expert assistance - please!  

I have a Windows 2012 Server setup as a stand-alone RDS RemoteApp web server.  There are 2 published programs and I can access them NO PROBLEM from anywhere on my internal network and via VPN when visiting the RDWEB site.  

From the Internet, I can logon to RDWeb site without issue. I can also see the list of published apps, get the connected to Work Resources prompt in the system tray, view the feed of published apps, etc.  However, no matter what I do, when I try to launch a published RemoteApp program while connected to the Internet, I get repeated prompts to logon again and each time, it reads "The logon attempt failed".  I absolutely cannot get this thing to work from the Internet.

I've done a ton of reading and tried countless settings adjustments, all with no success.  When I run BPA, I do get an error which reads "The RD Gateway server must be configured to use a valid SSL certificate".  I have imported a valid GoDaddy SAN cert and the name I'm using to access from the outside world is one of the Subject Alternative Names.  It imports OK and I see no issues when looking at it in RD Gateway Manager.   The roles I have configured are:

RD Licensing
RD Web Access
RD Gateway
RD Connection Broker
RD Session Host

Again, I've spent hours double-checking group memberships, redirect settings, SSL bindings, adding the FQDN to local trusted sites, etc, etc.  Nothing I do seems to let me launch a RemoteApp from the Internet.  I don't even care about SSO, the second logon is fine, I just need it to let me in.

I've tried connecting from both Win 7 64-bit and Win 8 64-bit clients with no luck.  I'm using IE 11 on both.  

One more key note, I'm not using 443 for this RDWeb site.  I'm coming in on a different port and have configured that in the RDS settings (and IIS SSL bindings).  I actually jumped from 2008 R2 to 2012 because I read that 2012 supports alternate port coming inbound from the firewall.  When I test internally, I'm doing it on that custom port and it works fine so I don't think that port has anything to do with it.  Just mentioning it nonetheless.

Please help and thanks in advance!  3 screenshots attached.
Step-1---Connects-to-RDWeb.png
Step-2---Publisher-Warning.png
Step-3---Neverending-Logon-promp.png
0
Comment
Question by:dpmoney
6 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39827411
Have you installed the root \ intermediate certificate of the RD Gateway server certificate's issuing authority on the client computers, in the root \ intermediate certificate store?

If not, please install it and check whether it allows you to connect.

Mahesh
0
 

Author Comment

by:dpmoney
ID: 39827917
No need to - the issuing CA is GoDaddy which is inherently trusted by Internet Explorer.  I've been using the same type of cert for Exchange and all OWA clients recognize the cert as valid without issue.

I've done a lot of additional research.  The problem seems to be centered around the changing of the RemoteGateway port from standard 443 to something else.  Even in Windows Server 2012, there are additional steps that must be taken to specifically send RemoteApp through a custom port (other than 443).  I found this article which is excellent.  

http://redmondmag.com/articles/2013/12/24/rd-gateway-in-windows-server.aspx

I've run the PowerShell command but it is still not working.  I think the only clients that can use Remote App in a custom port (vs. 443) are those that use RDP v8.1 which is in Windows 8.1.  It can also be done in Win 7 SP1 as long as you have the necessary RDP client updates, but it looks like there were some Smart Card authentication issues with that update in Win 7 SP1 so Microsoft recently pulled it (as of January 2014).  I'm continuing to research and am about to test my implementation from a Windows 8.1 client in the meantime.

I'm leaving this question open to see if anyone can find a way for me to make this work.
0
 
LVL 12

Expert Comment

by:S00007359
ID: 39828203
Okay, for a start we can isolate the issue: yes, fail back to port 443. Configure the Server 2012 to work with 443. Ensure the physical firewalls are doing the correct forwarding to the Server 2012. Attempt to log in from the Internet and see how it goes.
If it works, then document all the settings.

Configure to the custom port and check/configure the external firewalls. If possible, you may have to run Wireshark or some scanning program to check if the external traffic [from the Internet] is hitting the Server 2012.

cheers
0

 

Accepted Solution

by:
dpmoney earned 0 total points
ID: 39828215
It worked!  Problem solved!  Here is what I had to do in order to make my RDS RemoteApp program work in Windows Server 2012 using a custom HTTPS port:

Per the article noted above from redmondmag.com, I had to run a special PowerShell command in order to specify that my RemoteApp will be coming through a custom HTTPS port on the RD Gateway.  Here is the command from the article:

You'll first need to run:

Import-Module RemoteDesktop

Next, use this command, adding in your values where appropriate.  The Connection Broker part had me scratching my head for a few minutes.  I researched that and it seems that inserting the Fully Qualified Internal Name of your server:

Set-RDSessionCollectionConfiguration -CollectionName "Your Session Collection Name" -CustomRdpProperty "gatewayhostname:s:<RDGW-FQDN>:<yourport>" -ConnectionBroker <Your RD ConnectionBroker>

Once I did this, I rebooted the server then tested the connection from my Windows 8.1 laptop and it worked!  I did get a warning about the SSL cert's name not matching (that is fine).

Next, I needed to get Windows 7 SP1 to connect.  In order to do that, I needed to update RDP in a specific order for it to support RemoteApp on a custom port.  Here is the article where I obtained that info:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/c74ca225-4dc0-44eb-bfff-a572dfd1f34b/rds-2012-does-not-seem-to-support-remoteappsrdweb-working-with-rd-gateway-and-port-changed-from-443?forum=winserverTS

Here's the excerpt:

On the Windows 7 SP1 client, do the following:

Uninstall KB2574819 and KB2592687 (if either is installed then you must reboot)

They must be done in this order:

1 - Install either the 32-bit or 64-bit download here:
windows 7 32bit - http://www.microsoft.com/en-us/download/details.aspx?id=35391
windows 7 64bit  - http://www.microsoft.com/en-us/download/details.aspx?id=35388

2 - Install either the 32-bit or 64-bit download here:
windows 7 32bit - http://www.microsoft.com/en-us/download/details.aspx?id=35393
windows 7 64bit - http://www.microsoft.com/en-us/download/details.aspx?id=35387

When finished, you'll need to reboot again.  After, launch Remote Desktop Connection and make sure the version is 6.2.9200

I then attempted to connect to my RemoteApp from the same Win 7 SP1 box and it worked!

Final thoughts - during my intense troubleshooting yesterday, I made a TON of config changes as suggested by numerous articles.  This included registry changes, IIS changes, RDS config changes, etc.  As each one failed, I rolled it back so I'm pretty confident my config is pretty much still stock.  The ONE change I did make per some article on the web was in IIS.  I went to Default Web Site | RDWeb | Pages and then opened Application Settings.  I changed the DefaultTSGateway value to the external FQDN that my users will point to in order to access the RemoteApp - NOT the Internal server name and NOT with the custom port - just the external FQDN.

That's it!  Good luck!
0
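An added example, not part of the accepted answer or the linked article: -CustomRdpProperty replaces the collection's whole custom property string, so the sketch below merges the gatewayhostname line into whatever is already set and reads the result back. The function names, rdgw.example.com, port 8443 and the sample string are constructed placeholders, and it assumes the object returned by Get-RDSessionCollectionConfiguration exposes CustomRdpProperty.

```powershell
# Merge one RDP property into an existing CustomRdpProperty string,
# dropping any earlier line for the same property and keeping the rest.
function Merge-RdpProperty {
    param(
        [string]$Existing,                        # current value, may be empty
        [Parameter(Mandatory)][string]$Name,      # e.g. gatewayhostname
        [Parameter(Mandatory)][string]$Type,      # s (string) or i (integer)
        [Parameter(Mandatory)][string]$Value
    )
    $prefix = "${Name}:"
    $kept = @($Existing -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase) })
    ($kept + "${Name}:${Type}:${Value}") -join "`n"
}

# Apply the merged value on the RD Connection Broker and return what is stored.
# Hypothetical wrapper; run it in an elevated session on a deployment server.
function Set-CollectionGatewayPort {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string]$ConnectionBroker,   # internal FQDN of the broker
        [Parameter(Mandatory)][string]$GatewayFqdn,        # external name on the certificate
        [Parameter(Mandatory)][int]$Port
    )
    Import-Module RemoteDesktop
    # Assumption: the default output object carries CustomRdpProperty.
    $current = (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName `
        -ConnectionBroker $ConnectionBroker).CustomRdpProperty
    $merged = Merge-RdpProperty -Existing $current -Name gatewayhostname -Type s `
        -Value "${GatewayFqdn}:${Port}"
    Set-RDSessionCollectionConfiguration -CollectionName $CollectionName `
        -ConnectionBroker $ConnectionBroker -CustomRdpProperty $merged
    (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName `
        -ConnectionBroker $ConnectionBroker).CustomRdpProperty
}

# Offline demonstration on a constructed property string (not from a real server).
$sample = "use redirection server name:i:1`r`ngatewayhostname:s:rdgw.example.com"
Merge-RdpProperty -Existing $sample -Name gatewayhostname -Type s -Value "rdgw.example.com:8443"
```

Using the external name that appears in the certificate's Subject Alternative Names as the gateway FQDN lets the client validate the RD Gateway certificate against the name it actually connects to.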
 

Author Closing Comment

by:dpmoney
ID: 39841381
A ton of research and testing paid off
0
 

Expert Comment

by:TheGoodi
ID: 40101317
Hi,
I am also having some issues with changing the port
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28445115.html

If someone has an idea..

Thanks
0
