RDS Access outside local network

Good afternoon,

I've setup a new server with 2012r2 as a host. There are three VM's:

VM1 is the DC
VM2 is the RDS
VM3 is the Exchange 2013.

I've used http://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/ as a guide for RDS.

The internal AD domainname is corp.domainname.nl
The external e-mail domainname is domainname.nl

I've created the DNS forward lookup zones rds-gateway.domainname.nl and exch.domainname.nl pointing to the coresponding ip-adresses, so we can use these later to access from the internet.

The RDS servername is RDS1.corp.domainname.nl
I've registered a certificate at Comodo's with these names:

We have mulitple public IP-addresses and use a Vigor 2960 as firewall.
Port 443 is forwarded to the RDS1 servers internal ip-address.

If an employee uses their own laptop/pc from their home location, they are able to go to the rds-gateway.domainname.nl website and logon successfully. But if they try to open a published application it will ask them again for the username and password. No way to get in. My guess is that SSO does not work for some reason. But... If I move the computer to the company, connect it to the company’s internal network and then try to open a published application, it does work. Most of the users have a Windows Home Version on their device. I already changed the connection authorisation policy that there is no need for any computer to be a member, to connect. By that non-domain members are able to use the RDS.

I can’t find out what the problem is, except that somehow SSO does not work (My guess)

Is it necessary to have rds1.corp.domainname.nl in the SSL certificate?

Any ideas?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

have you allowed domain users in RAP on RD Gateway manager ?

rds1.corp.domainname.nl need to not to be in public certificate

You can deploy internal certificate authority and from there you can request certificate for RDS1 server
Then you need to assign that certificate to RDS1 server with wmic command
check below article for full command

Have you allocated SSO and publishing certificate to RD Connection broker?
BGMServicesAuthor Commented:
Good morning Mahesh,

Thank you for helping me out on this,

Yes I have checked this. The domain users are in there.
The 3rd party SSL certificate is added correctly and recognised.

About the wmic command. The certificate is already trusted. If I read this correctly I do not need to perform this command again. See attached image.

On the local machine we use just one username and password. Username is User en the password is User. Most of the machines are thin clients and are non domain members. So SSO for the local User username is not needed.

The problem only arises when the specific machine is not on the local network, but accessing the rds-gateway via internet.
The certificate seems OK

The WMIC command will bind particlular certifcate to RDP connection
The command need to be run on RD Session host servers
You need to have SSL certificate from internal CA server with the FQDN of RD Session host and that certificate will be binded to RD Session Host server, this will remove rd session host certificate warning message
Because you will not bind your public certificate to RD Session host

When you accessing RDS from internet, your Web Access server tries to authenticate user with active directory, so ur ad auth ports must be opened from web access to Domain controllercess
Like wise AD traffic need to be opended from RD gateway to DC as RD gateway tries to authenticate session with DC

Also check below article since your internal and external dns name space is different

Check RDS port Details
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

BGMServicesAuthor Commented:
I Might have found something but I still can't explain why Windows 8 Pro and several Windows 7 Pro machines are able to connect.

There is a line in the security log file of the local computer when opening a published application like this:
        Security ID: local computer name\local username
        Account name: local username
        Account domain: local computer name
        Login ID: 0x5c5aa8
        Login-GUID: {00000000-0000-0000-0000-000000000000}

Used Account Credentials
        Account name: domain user name
        Account doamin: domain name
        Login-GUID: {00000000-0000-0000-0000-000000000000}

Target server:
        Target server name: rds1.corp.domainname.nl
        Aditional data: rds1.corp.domainname.nl

Process data
        Proces-ID: 0x1508
        Proces name: c:\windows\system32\mstsc.exe

Network data
        network address: -
        Port: -

The only difference on the working Windows 8 Pro machine is:
        Proces-id:            0x314
        Proces name:            C:\Windows\System32\lsass.exe

This might explain why it takes so long to open an app the first time anyway. This servername rds1.corp.domainname.nl cannot be reached from the internet. It should connect to rds-gateway.domainname.nl

How do I change this? I suppose with help of the link you sent me (internal and external dns name space is different). But how do I check what the setting is now? I'm in a live environment.
BGMServicesAuthor Commented:
I found a solution my self.

It's important to have Service Pack 1 installed. Server 2012r2 in our environment requires RDP Client version 6.3.9600. This is how you get it.

In order to install the Remote Desktop Protocol 8.1 client for Windows 7 SP1,the following updates should be installed in the order shown:

1.KB 2574819: An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1  
2.KB 2857650: Update that improves the RemoteApp and Desktop Connections features is available for Windows 7
3.KB 2830477: Update for RemoteApp and Desktop Connections feature is available for Windows
4.KB 2913751: Smart card redirection in remote sessions fails in a Windows 7 SP1-based RDP 8.1 client
5.(Optional) If you experience connection reliability issues after installing KB 2913751, we recommend installing KB 2923545: Update for RDP 8.1 is available for Windows 7 SP1 .

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.