RDS Access outside local network

Posted on 2014-08-27
Last Modified: 2014-09-15
Good afternoon,

I've setup a new server with 2012r2 as a host. There are three VM's:

VM1 is the DC
VM2 is the RDS
VM3 is the Exchange 2013.

I've used as a guide for RDS.

The internal AD domainname is
The external e-mail domainname is

I've created the DNS forward lookup zones pointing to the corresponding IP addresses, so we can use these later to access from the internet.

The RDS servername is
I've registered a certificate at Comodo's with these names:

We have multiple public IP addresses and use a Vigor 2960 as firewall.
Port 443 is forwarded to the RDS1 server's internal IP address.

If an employee uses their own laptop/pc from their home location, they are able to go to the website and logon successfully. But if they try to open a published application it will ask them again for the username and password. No way to get in. My guess is that SSO does not work for some reason. But... If I move the computer to the company, connect it to the company’s internal network and then try to open a published application, it does work. Most of the users have a Windows Home Version on their device. I already changed the connection authorisation policy that there is no need for any computer to be a member, to connect. By that non-domain members are able to use the RDS.

I can’t find out what the problem is, except that somehow SSO does not work (my guess).

Is it necessary to have in the SSL certificate?

Any ideas?

Question by:BGMServices

    Expert Comment

    Have you allowed domain users in the RAP in RD Gateway Manager? need not be in the public certificate.

    You can deploy an internal certificate authority and from there request a certificate for the RDS1 server.
    Then you need to assign that certificate to the RDS1 server with a wmic command;
    check the article below for the full command.

    Have you allocated the SSO and publishing certificates to the RD Connection Broker?
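    The comment above talks about binding a certificate to the RD Session Host with wmic. The script below is an added example (not code from this thread or from Microsoft) that reads which certificate the RDP-Tcp listener is currently using, looks it up in the machine stores, and checks whether it names the host's FQDN and chains to a trusted CA. It uses the Win32_TSGeneralSetting WMI class, which is what the wmic command also sets; the thumbprint in the commented binding step is a placeholder.

```powershell
# Added example, not code from the thread: inspect which certificate the
# RDP-Tcp listener on an RD Session Host is using, and whether it names the
# host's FQDN and chains to a trusted CA. Run in an elevated PowerShell on the
# session host (RDS1 in the thread).

$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$boundThumb = $listener.SSLCertificateSHA1Hash
"RDP-Tcp listener certificate thumbprint: $boundThumb"

# A default listener uses a self-signed certificate from the 'Remote Desktop'
# store; a CA-issued one normally lives in the machine 'My' store.
$cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $boundThumb }
if (-not $cert) {
    Write-Warning "Thumbprint $boundThumb was not found in LocalMachine\My or the Remote Desktop store"
    return
}

$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sans   = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

"Subject       : $($cert.Subject)"
"SANs          : $sans"
"Issuer        : $($cert.Issuer)"
"Valid until   : $($cert.NotAfter)"
"Chain trusted : $($cert.Verify())"   # false for a self-signed listener certificate

$namesHost = ($cert.Subject -match [regex]::Escape($fqdn)) -or ($sans -match [regex]::Escape($fqdn))
if (-not $namesHost) {
    Write-Warning "Certificate does not name $fqdn; RDP clients will show a name-mismatch warning"
}

# Binding a different certificate (what the wmic command in the thread does):
# put the thumbprint of the internal-CA certificate in $newThumb and run the
# Set-WmiInstance line. '<thumbprint>' is a placeholder, not a value from the thread.
# $newThumb = '<thumbprint>'
# Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $newThumb }
```

    Run it on the session host before and after binding: the "Chain trusted" and name checks are the two things the client evaluates when it decides whether to show the certificate warning the comment refers to.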

    Author Comment

    Good morning Mahesh,

    Thank you for helping me out on this,

    Yes I have checked this. The domain users are in there.
    The 3rd party SSL certificate is added correctly and recognised.

    About the wmic command. The certificate is already trusted. If I read this correctly I do not need to perform this command again. See attached image.

    On the local machine we use just one username and password. The username is User and the password is User. Most of the machines are thin clients and are non-domain members. So SSO for the local User username is not needed.

    The problem only arises when the specific machine is not on the local network, but is accessing the RD Gateway via the internet.

    Expert Comment

    The certificate seems OK.

    The WMIC command will bind a particular certificate to the RDP connection.
    The command needs to be run on the RD Session Host servers.
    You need to have an SSL certificate from the internal CA server with the FQDN of the RD Session Host, and that certificate will be bound to the RD Session Host server; this will remove the RD Session Host certificate warning message,
    because you will not bind your public certificate to the RD Session Host.

    When you are accessing RDS from the internet, your Web Access server tries to authenticate the user with Active Directory, so your AD authentication ports must be opened from Web Access to the domain controller.
    Likewise, AD traffic needs to be opened from the RD Gateway to the DC, as the RD Gateway tries to authenticate the session with the DC.

    Also check the article below, since your internal and external DNS namespaces are different.

    Check RDS port details
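    The comment above says the RD Web Access and RD Gateway servers must be able to reach the domain controller on the AD authentication ports. As an added example (not from the thread or the linked article), the script below runs from one of those servers and tests the well-known AD TCP ports against the DC, plus RDP toward a session host. The host names are placeholders for the thread's own VM1 and RDS1.

```powershell
# Added example, not code from the thread: from the RD Gateway / RD Web Access
# host, check TCP reachability of the ports AD authentication needs on the DC,
# and of RDP on the session host. Host names below are placeholders.
$dc          = 'dc1.internal.example'    # placeholder for the thread's VM1
$sessionHost = 'rds1.internal.example'   # placeholder for the thread's RDS1

$checks = @(
    @{ Host = $dc;          Port = 53;   Service = 'DNS' },
    @{ Host = $dc;          Port = 88;   Service = 'Kerberos' },
    @{ Host = $dc;          Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Host = $dc;          Port = 389;  Service = 'LDAP' },
    @{ Host = $dc;          Port = 445;  Service = 'SMB (Netlogon, Group Policy)' },
    @{ Host = $dc;          Port = 464;  Service = 'Kerberos password change' },
    @{ Host = $dc;          Port = 636;  Service = 'LDAPS' },
    @{ Host = $dc;          Port = 3268; Service = 'Global Catalog' },
    @{ Host = $sessionHost; Port = 3389; Service = 'RDP (gateway to session host)' }
)

$results = foreach ($c in $checks) {
    # Test-NetConnection is available on Windows 8.1 / Server 2012 R2 and later
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host    = $c.Host
        Port    = $c.Port
        Service = $c.Service
        Open    = $r.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked: " + (($blocked | ForEach-Object { "$($_.Host):$($_.Port) ($($_.Service))" }) -join ', '))
}
# Note: RPC-based services (Netlogon, SAM) also use dynamic high ports after the
# endpoint mapper on 135; a single port probe does not cover that range.
```

    A port that shows as closed from the gateway but open from a domain-joined PC on the LAN points at the firewall rule set between the DMZ-facing hosts and the DC, which is exactly the difference between the internal and internet paths described in the question.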

    Author Comment

    I might have found something, but I still can't explain why Windows 8 Pro and several Windows 7 Pro machines are able to connect.

    There is a line in the security log of the local computer when opening a published application, like this:
            Security ID: local computer name\local username
            Account name: local username
            Account domain: local computer name
            Login ID: 0x5c5aa8
            Login-GUID: {00000000-0000-0000-0000-000000000000}

    Used Account Credentials
            Account name: domain user name
            Account domain: domain name
            Login-GUID: {00000000-0000-0000-0000-000000000000}

    Target server:
            Target server name:
            Additional data:

    Process data
            Process ID: 0x1508
            Process name: c:\windows\system32\mstsc.exe

    Network data
            network address: -
            Port: -

    The only difference on the working Windows 8 Pro machine is:
            Process ID: 0x314
            Process name: C:\Windows\System32\lsass.exe

    This might explain why it takes so long to open an app the first time anyway. This server name cannot be reached from the internet. It should connect to

    How do I change this? I suppose with the help of the link you sent me (internal and external DNS namespaces are different). But how do I check what the setting is now? I'm in a live environment.

    Accepted Solution

    I found a solution myself.

    It's important to have Service Pack 1 installed. Server 2012 R2 in our environment requires RDP client version 6.3.9600. This is how you get it.

    In order to install the Remote Desktop Protocol 8.1 client for Windows 7 SP1, the following updates should be installed in the order shown:

    1. KB 2574819: An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1
    2. KB 2857650: Update that improves the RemoteApp and Desktop Connections features is available for Windows 7
    3. KB 2830477: Update for RemoteApp and Desktop Connections feature is available for Windows
    4. KB 2913751: Smart card redirection in remote sessions fails in a Windows 7 SP1-based RDP 8.1 client
    5. (Optional) If you experience connection reliability issues after installing KB 2913751, we recommend installing KB 2923545: Update for RDP 8.1 is available for Windows 7 SP1.
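    The accepted solution comes down to a client-side version check: SP1, RDP client 6.3.9600, and the five updates above. The script below is an added example (not from the thread) that a helpdesk can run on a Windows 7 client to report the installed mstsc.exe version, the service pack level, and which of those KBs are present, so a failing home PC can be compared with a working one before anyone touches the server side. It only reports; it does not install anything.

```powershell
# Added example, not code from the thread: report the RDP client state on a
# Windows 7 client against the requirements given in the accepted solution.
$requiredVersion = [version]'6.3.9600'   # RDP 8.1 client version named in the thread
$requiredKBs     = 'KB2574819', 'KB2857650', 'KB2830477', 'KB2913751'
$optionalKBs     = 'KB2923545'

function Get-RdpClientReport {
    $os    = Get-WmiObject Win32_OperatingSystem
    $mstsc = Get-Item "$env:windir\System32\mstsc.exe"
    # ProductVersion looks like 6.3.9600.16415; [version] handles four parts
    $clientVersion = [version]$mstsc.VersionInfo.ProductVersion
    $installed     = @(Get-HotFix | ForEach-Object { $_.HotFixID })

    [pscustomobject]@{
        OS              = $os.Caption
        ServicePack     = $os.ServicePackMajorVersion
        ClientVersion   = $clientVersion
        ClientVersionOK = ($clientVersion -ge $requiredVersion)
        MissingRequired = @($requiredKBs | Where-Object { $installed -notcontains $_ })
        MissingOptional = @($optionalKBs | Where-Object { $installed -notcontains $_ })
    }
}

$report = Get-RdpClientReport
"OS              : $($report.OS) SP$($report.ServicePack)"
"mstsc.exe       : $($report.ClientVersion) (required >= $requiredVersion) OK=$($report.ClientVersionOK)"
"Missing required: $(if ($report.MissingRequired) { $report.MissingRequired -join ', ' } else { 'none' })"
"Missing optional: $(if ($report.MissingOptional) { $report.MissingOptional -join ', ' } else { 'none' })"

if ($report.ServicePack -lt 1) {
    Write-Warning 'Service Pack 1 is not installed; the RDP 8.1 updates require it'
}
if (-not $report.ClientVersionOK -or $report.MissingRequired) {
    Write-Warning 'Client does not meet the RDP 8.1 requirements; install the KBs in the order listed above'
}
```

    The version comparison is the decisive check: the KB list is the way to reach 6.3.9600, but a client that already reports that version (for example a Windows 8 Pro machine) passes without any of the Windows 7 updates, which matches the observation earlier in the thread that those machines connected fine.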
