Björn Maesen (Netherlands) asked:
RDS Access outside local network

Good afternoon,

I've set up a new server with 2012 R2 as a host. There are three VMs:

VM1 is the DC
VM2 is the RDS
VM3 is the Exchange 2013.

I've used http://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/ as a guide for RDS.

The internal AD domainname is corp.domainname.nl
The external e-mail domainname is domainname.nl

I've created the DNS forward lookup zones rds-gateway.domainname.nl and exch.domainname.nl pointing to the corresponding IP addresses, so we can use these later to access from the internet.

The RDS servername is RDS1.corp.domainname.nl
 
I've registered a certificate at Comodo with these names:
rds-gateway.domainname.nl
autodiscover.domainname.nl
exch.domainname.nl
exchsrvr1.corp.domainname.nl

We have multiple public IP addresses and use a Vigor 2960 as firewall.
Port 443 is forwarded to the RDS1 server's internal IP address.

If an employee uses their own laptop/PC from their home location, they are able to go to the rds-gateway.domainname.nl website and log on successfully. But if they try to open a published application, it will ask them again for the username and password. No way to get in. My guess is that SSO does not work for some reason. But... if I move the computer to the company, connect it to the company's internal network and then try to open a published application, it does work. Most of the users have a Windows Home version on their device. I already changed the connection authorisation policy so that a computer does not need to be a member to connect. That way non-domain members are able to use the RDS.

I can't find out what the problem is, except that somehow SSO does not work (my guess).

Is it necessary to have rds1.corp.domainname.nl in the SSL certificate?

Any ideas?

Björn
Mahesh (India) replied:

Have you allowed domain users in the RAP in RD Gateway Manager?

rds1.corp.domainname.nl does not need to be in the public certificate.

You can deploy an internal certificate authority and request a certificate for the RDS1 server from it.
Then you need to assign that certificate to the RDS1 server with a wmic command.
Check the article below for the full command:
http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/

Have you allocated the SSO and publishing certificates to the RD Connection Broker?
Björn Maesen (asker) replied:
Good morning Mahesh,

Thank you for helping me out on this,

Yes I have checked this. The domain users are in there.
The 3rd party SSL certificate is added correctly and recognised.

About the wmic command. The certificate is already trusted. If I read this correctly I do not need to perform this command again. See attached image.

On the local machine we use just one username and password. The username is User and the password is User. Most of the machines are thin clients and are non-domain members. So SSO for the local User username is not needed.

The problem only arises when the specific machine is not on the local network, but accessing the rds-gateway via internet.
[Attachment: Connection-Broker.png]

Mahesh replied:

The certificate seems OK.

The WMIC command will bind a particular certificate to the RDP connection.
The command needs to be run on the RD Session Host servers.
You need to have an SSL certificate from the internal CA server with the FQDN of the RD Session Host, and that certificate will be bound to the RD Session Host server; this will remove the RD Session Host certificate warning message,
because you will not bind your public certificate to the RD Session Host.

When you access RDS from the internet, your Web Access server tries to authenticate the user with Active Directory, so your AD authentication ports must be opened from Web Access to the Domain Controller.
Likewise, AD traffic needs to be opened from the RD Gateway to the DC, as the RD Gateway tries to authenticate the session with the DC.

Also check the article below, since your internal and external DNS namespaces are different:
http://social.technet.microsoft.com/Forums/en-US/cf67f986-a507-46cb-b19e-d6d94236549a/how-to-setup-rds-custom-property-when-internal-and-external-domain-name-space-is-different?forum=winserverTS

Check the RDS port details:
http://social.technet.microsoft.com/wiki/contents/articles/16164.which-ports-are-used-by-a-rds-2012-deployment.aspx
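As an added example (not code from the thread or from the linked articles), this is the certificate binding described above done in PowerShell on the RD Session Host, using the same WMI class the wmic command changes. It assumes it runs elevated on RDS1 and that a certificate for rds1.corp.domainname.nl has already been enrolled from the internal CA into the computer's personal store; it then verifies that the RDP-Tcp listener actually presents that certificate.

```powershell
# Added example, not from the thread: bind an internal-CA certificate to the
# RDP-Tcp listener on the RD Session Host and verify the binding.
# Assumptions: run elevated on RDS1; the certificate for the host FQDN was
# already enrolled from the internal CA into the computer's personal store.
$HostFqdn = 'rds1.corp.domainname.nl'
$WmiNs    = 'root\cimv2\TerminalServices'

# Candidate: newest cert with a private key whose subject or SAN names the host.
# The public Comodo cert (rds-gateway.domainname.nl etc.) does not name the host,
# so it is never picked here; it belongs on the gateway / web access roles only.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.Subject -like "*CN=$HostFqdn*" -or $_.DnsNameList.Unicode -contains $HostFqdn)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate for $HostFqdn with a private key found in Cert:\LocalMachine\My"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

# Read the listener's current binding (same class the wmic command changes).
$listener = Get-WmiObject -Namespace $WmiNs -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Write-Host "Current binding : $($listener.SSLCertificateSHA1Hash)"
Write-Host "Selected cert   : $($cert.Thumbprint) (issuer: $($cert.Issuer))"

# Bind it. Equivalent to:
#   wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting
#        Set SSLCertificateSHA1Hash="<thumbprint>"
if ($listener.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
}

# Verify by re-reading the listener; fail loudly if the change did not stick.
$check = Get-WmiObject -Namespace $WmiNs -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "Binding failed: listener still uses $($check.SSLCertificateSHA1Hash)"
}
Write-Host "RDP-Tcp listener now presents the certificate for $HostFqdn"
```

The binding takes effect for new RDP connections; existing sessions keep the certificate they negotiated.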
Björn Maesen (asker) replied:

I might have found something, but I still can't explain why Windows 8 Pro and several Windows 7 Pro machines are able to connect.

There is an entry in the security log of the local computer when opening a published application, like this:

Subject
        Security ID: local computer name\local username
        Account name: local username
        Account domain: local computer name
        Login ID: 0x5c5aa8
        Login GUID: {00000000-0000-0000-0000-000000000000}

Used account credentials
        Account name: domain user name
        Account domain: domain name
        Login GUID: {00000000-0000-0000-0000-000000000000}

Target server
        Target server name: rds1.corp.domainname.nl
        Additional data: rds1.corp.domainname.nl

Process data
        Process ID: 0x1508
        Process name: c:\windows\system32\mstsc.exe

Network data
        Network address: -
        Port: -

The only difference on the working Windows 8 Pro machine is:

Process data
        Process ID: 0x314
        Process name: C:\Windows\System32\lsass.exe

This might explain why it takes so long to open an app the first time anyway. The server name rds1.corp.domainname.nl cannot be reached from the internet. It should connect to rds-gateway.domainname.nl.

How do I change this? I suppose with the help of the link you sent me (internal and external DNS namespace is different). But how do I check what the setting is now? I'm in a live environment.
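An added example, not code from the thread or the linked TechNet post, for the two questions above: it first reads the custom RDP properties the Connection Broker currently injects into the published RemoteApp files (so the live setting can be checked before anything changes), then sets the gateway name so that clients launch published apps through rds-gateway.domainname.nl, the name present in the public certificate, instead of trying the internal host name. It assumes the RemoteDesktop module on the broker, that rds1.corp.domainname.nl is the broker (single RDS server as described), and a collection name of 'Apps' as a placeholder.

```powershell
# Added example, not from the thread: inspect, and then correct, the RDP
# properties the Connection Broker embeds in published RemoteApp (.rdp) files.
# Assumptions: broker = rds1.corp.domainname.nl (single-server deployment),
# collection name 'Apps' is a placeholder, gateway = rds-gateway.domainname.nl.
Import-Module RemoteDesktop

$Broker      = 'rds1.corp.domainname.nl'
$Collection  = 'Apps'                        # placeholder: your collection name
$GatewayFqdn = 'rds-gateway.domainname.nl'

# 1. Deployment-wide gateway settings (mode, external FQDN, logon method, ...).
Write-Host "Deployment gateway configuration:"
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker | Format-List *

# 2. The custom RDP properties the collection currently hands to clients.
$current = (Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker).CustomRdpProperty
Write-Host "Current custom RDP properties for '$Collection':`n$current"

# 3. Desired properties. Each line is a standard .rdp file setting:
#    gatewayhostname      -> external gateway name (must match the public cert)
#    gatewayusagemethod 1 -> always use the gateway (2 = bypass for local addresses)
$desired = @(
    "gatewayhostname:s:$GatewayFqdn",
    "gatewayusagemethod:i:1"
) -join "`n"

# 4. Change only when needed; the broker regenerates the .rdp content, so users
#    who re-open the app from RD Web Access pick up the new gateway settings.
if ($current -ne $desired) {
    Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -CustomRdpProperty $desired
    Write-Host "Updated custom RDP properties for '$Collection' to:`n$desired"
} else {
    Write-Host "Custom RDP properties already as desired; nothing changed."
}
```

Run step 1 and 2 on their own first in a live environment; they only read configuration.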