[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 825
  • Last Modified:

RDS Access outside local network

Good afternoon,

I've setup a new server with 2012r2 as a host. There are three VM's:

VM1 is the DC
VM2 is the RDS
VM3 is the Exchange 2013.

I've used http://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/ as a guide for RDS.

The internal AD domainname is corp.domainname.nl
The external e-mail domainname is domainname.nl

I've created the DNS forward lookup zones rds-gateway.domainname.nl and exch.domainname.nl pointing to the coresponding ip-adresses, so we can use these later to access from the internet.

The RDS servername is RDS1.corp.domainname.nl
I've registered a certificate at Comodo's with these names:

We have mulitple public IP-addresses and use a Vigor 2960 as firewall.
Port 443 is forwarded to the RDS1 servers internal ip-address.

If an employee uses their own laptop/pc from their home location, they are able to go to the rds-gateway.domainname.nl website and logon successfully. But if they try to open a published application it will ask them again for the username and password. No way to get in. My guess is that SSO does not work for some reason. But... If I move the computer to the company, connect it to the company’s internal network and then try to open a published application, it does work. Most of the users have a Windows Home Version on their device. I already changed the connection authorisation policy that there is no need for any computer to be a member, to connect. By that non-domain members are able to use the RDS.

I can’t find out what the problem is, except that somehow SSO does not work (My guess)

Is it necessary to have rds1.corp.domainname.nl in the SSL certificate?

Any ideas?

  • 4
  • 2
1 Solution
have you allowed domain users in RAP on RD Gateway manager ?

rds1.corp.domainname.nl need to not to be in public certificate

You can deploy internal certificate authority and from there you can request certificate for RDS1 server
Then you need to assign that certificate to RDS1 server with wmic command
check below article for full command

Have you allocated SSO and publishing certificate to RD Connection broker?
BGMServicesAuthor Commented:
Good morning Mahesh,

Thank you for helping me out on this,

Yes I have checked this. The domain users are in there.
The 3rd party SSL certificate is added correctly and recognised.

About the wmic command. The certificate is already trusted. If I read this correctly I do not need to perform this command again. See attached image.

On the local machine we use just one username and password. Username is User en the password is User. Most of the machines are thin clients and are non domain members. So SSO for the local User username is not needed.

The problem only arises when the specific machine is not on the local network, but accessing the rds-gateway via internet.
The certificate seems OK

The WMIC command will bind particlular certifcate to RDP connection
The command need to be run on RD Session host servers
You need to have SSL certificate from internal CA server with the FQDN of RD Session host and that certificate will be binded to RD Session Host server, this will remove rd session host certificate warning message
Because you will not bind your public certificate to RD Session host

When you accessing RDS from internet, your Web Access server tries to authenticate user with active directory, so ur ad auth ports must be opened from web access to Domain controllercess
Like wise AD traffic need to be opended from RD gateway to DC as RD gateway tries to authenticate session with DC

Also check below article since your internal and external dns name space is different

Check RDS port Details
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

BGMServicesAuthor Commented:
I Might have found something but I still can't explain why Windows 8 Pro and several Windows 7 Pro machines are able to connect.

There is a line in the security log file of the local computer when opening a published application like this:
        Security ID: local computer name\local username
        Account name: local username
        Account domain: local computer name
        Login ID: 0x5c5aa8
        Login-GUID: {00000000-0000-0000-0000-000000000000}

Used Account Credentials
        Account name: domain user name
        Account doamin: domain name
        Login-GUID: {00000000-0000-0000-0000-000000000000}

Target server:
        Target server name: rds1.corp.domainname.nl
        Aditional data: rds1.corp.domainname.nl

Process data
        Proces-ID: 0x1508
        Proces name: c:\windows\system32\mstsc.exe

Network data
        network address: -
        Port: -

The only difference on the working Windows 8 Pro machine is:
        Proces-id:            0x314
        Proces name:            C:\Windows\System32\lsass.exe

This might explain why it takes so long to open an app the first time anyway. This servername rds1.corp.domainname.nl cannot be reached from the internet. It should connect to rds-gateway.domainname.nl

How do I change this? I suppose with help of the link you sent me (internal and external dns name space is different). But how do I check what the setting is now? I'm in a live environment.
BGMServicesAuthor Commented:
I found a solution my self.

It's important to have Service Pack 1 installed. Server 2012r2 in our environment requires RDP Client version 6.3.9600. This is how you get it.

In order to install the Remote Desktop Protocol 8.1 client for Windows 7 SP1,the following updates should be installed in the order shown:

1.KB 2574819: An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1  
2.KB 2857650: Update that improves the RemoteApp and Desktop Connections features is available for Windows 7
3.KB 2830477: Update for RemoteApp and Desktop Connections feature is available for Windows
4.KB 2913751: Smart card redirection in remote sessions fails in a Windows 7 SP1-based RDP 8.1 client
5.(Optional) If you experience connection reliability issues after installing KB 2913751, we recommend installing KB 2923545: Update for RDP 8.1 is available for Windows 7 SP1 .

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now