Category Archives: Remote Desktop

Connecting to a Remote Desktop Gateway behind a proxy server

Connecting to a Windows 2012 R2 RD Gateway server when you are behind a proxy server, especially one requiring authentication, may fail with the following errors:

‘Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to.’


Or

‘Remote Desktop can’t connect to the remote computer for one of these reasons:

  1. Remote access to the server is not enabled
  2. The remote computer is turned off
  3. The remote computer is not available on the network’


Additionally, you will see the following event ID 4625 in the security log on the gateway server.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/5/2013 4:20:00 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: RDGW.CONTOSO.COM
Description:
An account failed to log on.

This issue is documented here: https://support.microsoft.com/en-us/kb/2903333

To fix it, set the EnforceChannelBinding registry value to 0 (zero) to ignore missing channel bindings on the Gateway server.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core
Type: REG_DWORD
Name: EnforceChannelBinding
Value: 0 (Decimal)


Note: by default, the EnforceChannelBinding value does not exist on the Gateway server, so you must create it. When you are done, reboot the server and it should work behind your proxy server.
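The registry change above, as an added PowerShell example that is not part of the original post: it first shows the 4625 failures that point at this problem, records the current state of the value, then creates it. It assumes an elevated prompt on the gateway server itself.

```powershell
# Added example (not from the original post). Sets EnforceChannelBinding on an
# RD Gateway server as described above and shows the failed logons that led here.
# Run in an elevated PowerShell prompt on the gateway server.
$keyPath = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
$name    = 'EnforceChannelBinding'

# 1. Confirm the symptom: recent Audit Failure 4625 events in the Security log.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 20 -ErrorAction SilentlyContinue
"Recent 4625 (logon failure) events on this gateway: $(@($failures).Count)"

# 2. Record the current state. By default the value does not exist at all.
$current = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
if ($null -eq $current) {
    "$name is not present (default: channel binding is enforced)."
} else {
    "$name currently = $($current.$name)"
}

# 3. Create (or overwrite) the REG_DWORD value with 0.
#    Channel binding ties the user's authentication to the TLS session to the
#    gateway; an authenticating proxy in between breaks that binding, and 0 tells
#    the gateway to accept logons without it. Keep this output as the change record.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value 0 -Force | Out-Null

# 4. Verify, then reboot so the gateway service picks the value up (as the post says).
"$name is now $((Get-ItemProperty -Path $keyPath -Name $name).$name)"
# Restart-Computer   # uncomment when you are ready to reboot
```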

Installing OneDrive on Windows Server 2012 R2

How to install OneDrive on Windows Server 2012 R2. Unlike its desktop counterpart, Windows 8.1, Windows Server 2012 R2 does not include the OneDrive client, but you can install it manually. This is useful for a remote desktop (terminal server) environment where users may want to save their files online. Admittedly this is not a very secure option for most organisations, but it could be acceptable for small businesses. I run this at home for the family on a small RDS farm, with OneDrive and Office installed, although Office 2013 does of course allow saving to OneDrive natively as well.

To install OneDrive on Windows Server 2012 R2:

  • Disable Internet Explorer Enhanced Security Configuration from the Server Manager, Local Server page, if you have it enabled. This will allow you to sign in.
  • Install the .NET Framework 3.5 feature
  • Download Windows Live Essentials 2012 from http://windows.microsoft.com/en-us/windows-live/essentials
  • Install just OneDrive

You will then need to sign into the app.

Note that this gives you the inferior Windows 7 style OneDrive sync, i.e. you have to choose which files and folders will be available on the server. It does not use placeholders like Windows 8 does, unfortunately, since this is basically the same OneDrive client that you can install on Windows 7.

Install and configure a Remote Desktop certificate on RD Session Host servers

When installing a Remote Desktop farm with an RD Gateway on Windows Server 2012, you install a certificate for the Broker, Web Access and Gateway roles using Server Manager. However, this does not add the certificate to the Remote Desktop Session Host (RDSH) servers. This means that you get a warning when connecting to a RemoteApp or desktop, because the RDSH servers will have a self-signed certificate. You can replace this certificate with a valid certificate. Until you do, you will continue to get warnings for the following reasons:

  1. The name on the certificate does not match the RDSH server name
  2. The certificate is not from a trusted root certificate authority

The best way to resolve this is to purchase a single wildcard certificate, e.g. *.domain.com, that covers both the RDWeb URL and the server names. This requires that your internal domain is a subdomain of your external domain: you might use domain.com on the web and internal.domain.com as your AD domain, so your RDSH server is then e.g. rdsh01.internal.domain.com. You could also use a SAN certificate.

Note that you should NOT replace the certificates on the RDSH servers as described below if you are using self-signed certificates and you want to be able to connect from clients that are not joined to your domain. Even if you trust the root manually, the revocation information will not be available, so clients will not be able to connect and will get a 0x607 error. See http://social.technet.microsoft.com/Forums/ru-RU/94780a11-23ba-4a3c-b11a-734007c2d2fd/an-authentication-error-has-occured-code-0x607?forum=winserverTS for more info on this error.

If you are just connecting internally from clients in the same domain, you should be able to use an internal Enterprise CA to create a SAN or wildcard certificate which you can use on your servers. So, only replace the certificates on the RDSH servers if:

  • Clients are all in the same domain and you are using internal certificates
  • Clients are outside the domain, but you have purchased commercial certificates

It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles.

  • Open the MMC and add the Certificates snap-in
  • Select the Local Computer account
  • Import the certificate into Computer\Personal
  • Open the certificate and find the thumbprint on the Details tab. Copy the thumbprint to Notepad and delete all the spaces.
  • Open an elevated PowerShell prompt and run:
  • wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PASTE_THUMBPRINT_STRING"
  • You can check the certificate by running:
  • Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

Note that for the last command, you may sometimes need to remove the quotes around RDP-tcp and type them in again if pasting.
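The manual steps above, as an added PowerShell example that is not from the original post: it imports the certificate, checks it against the two warning causes listed earlier (name mismatch and untrusted or unverifiable chain, the 0x607 case), and binds it to RDP-Tcp through the same WMI class the wmic command uses. It assumes an elevated prompt on the RDSH server and a placeholder PFX path, C:\certs\wildcard.pfx.

```powershell
# Added example (not from the original post): import the certificate, check it
# against the two warning causes listed above, then bind it to RDP-Tcp exactly
# as the wmic command does. Run in an elevated PowerShell prompt on each RDSH.
# Assumption: C:\certs\wildcard.pfx is a placeholder path for your certificate.
$pfxPath  = 'C:\certs\wildcard.pfx'
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Import into Computer\Personal (Cert:\LocalMachine\My), private key included.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 2. Name check (warning cause 1): the CN or a SAN entry must cover this host;
#    a wildcard such as *.internal.domain.com matches rdsh01.internal.domain.com.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}
$nameOk = @($names | Where-Object { $hostFqdn -like $_ }).Count -gt 0

# 3. Trust check (warning cause 2): build the chain with online revocation
#    checking, which is what a client outside the domain does. A self-signed
#    certificate, or one whose CRL is unreachable, fails here (the 0x607 case).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
if (-not $chainOk) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }

if (-not ($nameOk -and $chainOk -and $cert.HasPrivateKey)) {
    throw "Certificate unsuitable for $hostFqdn (name ok: $nameOk, chain ok: $chainOk, private key: $($cert.HasPrivateKey))"
}

# 4. Bind it to RDP-Tcp through the same WMI class the wmic command uses.
$filter  = "TerminalName='RDP-tcp'"
$setting = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter $filter
Set-WmiInstance -Path $setting.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 5. Verify: the stored hash is the thumbprint with no spaces, as the post notes.
$after = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter $filter
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw 'SSLCertificateSHA1Hash was not applied' }
"RDP-Tcp on $hostFqdn now presents $($cert.Subject) ($($cert.Thumbprint))"
```

The chain check deliberately uses online revocation checking, so on a server without outbound access to the CA's CRL it will fail for a commercial certificate too; that is the same failure an external client would see.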

See http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx for more information.

Customising the RDWeb web page

This outlines the customisation options for the default RDWeb page in Microsoft Server 2012, when using Remote Desktop Services with RDWeb. You can easily replace the logo and the text at the top of the page.

As an example, the default page (screenshot: RDWeb_Default) can be changed to something like a custom logo and heading (screenshot: RDWeb_Custom).

Replaceable Company Logo Image

Add the new Icon into the image folder

  • Add the new icon into the images folder located in:

C:\Windows\Web\RDWeb\Pages\en-US\images\

Modify the site.xsl file

  • Backup this file:

C:\Windows\Web\RDWeb\Pages\Site.xsl

To e.g. C:\Windows\Web\RDWeb\Pages\Site.xsl.bak

The word Replaceable appears 3 times in this file. Do a find for this word to find the sections below:

Run Notepad as admin and open the file. I find the easiest way to do this is to run PowerShell as admin and then launch Notepad from there; that way, if you close Notepad, you can quickly launch it as admin again without having to find it.

Edit the file:

C:\Windows\Web\RDWeb\Pages\Site.xsl

Replaceable Company Logo Image

Change:

<img src="../images/logo_02.png" width="48" height="48"/>

To e.g.:

<img src="../images/donkey_blue.png" width="58" height="34"/>

Replaceable Company Logo Text and Application Type

Change:

<td class="headingCompanyName"><xsl:value-of select="@workspacename"/></td>

To e.g.:

<td class="headingCompanyName">msdonkey remote access</td>

Change:

<xsl:value-of select="$strings[@id = 'HeadingApplicationName']"/>

To e.g.:

RemoteApps and Desktops
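The three Site.xsl edits above, as an added PowerShell script that is not from the original post: it takes the backup first, makes literal (not regex) replacements, refuses to continue if the expected text is missing, and checks the result still parses as XML before writing it back. The logo file name, sizes and text strings are the example values from the post.

```powershell
# Added example (not from the original post): apply the three Site.xsl edits
# described above from an elevated PowerShell prompt, with a backup first.
# Assumptions: the logo file name, its size and the two text strings are the
# example values used in the post; change them to your own.
$site   = 'C:\Windows\Web\RDWeb\Pages\Site.xsl'
$backup = "$site.bak"

$edits = @(
    @{ Find    = '<img src="../images/logo_02.png" width="48" height="48"/>'
       Replace = '<img src="../images/donkey_blue.png" width="58" height="34"/>' },
    @{ Find    = '<td class="headingCompanyName"><xsl:value-of select="@workspacename"/></td>'
       Replace = '<td class="headingCompanyName">msdonkey remote access</td>' },
    @{ Find    = '<xsl:value-of select="$strings[@id = ''HeadingApplicationName'']"/>'
       Replace = 'RemoteApps and Desktops' }
)

# Keep the original; never overwrite an existing backup.
if (-not (Test-Path $backup)) { Copy-Item -Path $site -Destination $backup }

$xsl = Get-Content -Path $site -Raw
foreach ($e in $edits) {
    # Literal, case-sensitive replacement. Fail loudly if the expected text is
    # absent, e.g. because the file was already customised or differs by version.
    if (-not $xsl.Contains($e.Find)) { throw "Expected text not found in Site.xsl: $($e.Find)" }
    $xsl = $xsl.Replace($e.Find, $e.Replace)
}

# Confirm the result is still well-formed XML before replacing the live file;
# a broken Site.xsl takes the whole RDWeb page down.
[xml]$check = $xsl
Set-Content -Path $site -Value $xsl -Encoding UTF8
"Site.xsl updated; original kept at $backup"
```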

Using the ‘Connect to a remote PC’ page in RDWeb Remote Desktop Web on Windows Server 2012

The Remote Desktop web site, which is a component of Remote Desktop Services in Windows Server 2012 and 2008, has a page called ‘Connect to a remote PC’.


This page will allow you to connect to servers or computers behind your Remote Desktop Gateway server, which is a handy feature if users need to connect to a full remote desktop behind the gateway, rather than just a remote app. This will also allow you to connect to your servers on an internal network directly, even if you are behind a web proxy server, so can be useful for remote management purposes when connected to a corporate network.

However, by default, this page will only allow you to connect to local resources, and will not use the gateway server.

To fix this, you need to make a change in IIS:

  • On your RD Web Access server, open IIS Manager
  • In the left pane, navigate to Sites\Default Web Site\RDWeb\Pages
  • In the middle pane, double-click on Application Settings
  • Double-click on DefaultTSGateway and enter the external FQDN of your RD Gateway
  • Refresh the RDWeb page on the client and then test using an external client


Now, to connect to machines on your network other than the ones already in your RDSH farm, you also need to modify the RD Gateway policies to allow connections to those other resources. You probably already have an AD group configured in your RD Gateway policies and can just add to that group, but if you don't, you can configure this as follows:

  • Create a new group in AD called e.g. SERVERNAME RD Gateway allowed servers, where SERVERNAME is the name of your RD Gateway server.
  • Add all the servers that you want to be able to connect to into this group. For a start this should include all of your RDSH servers, but you can also add other Windows servers on the network.
  • Open RD Gateway Manager (in the Tools/Terminal Services menu in Server Manager in 2012), expand Policies, and click on the Resource Authorization Policy
  • On the Network Resource tab, change the AD group to SERVERNAME RD Gateway allowed servers
  • Note that you could also do this using an RD Gateway-managed group if you are using that feature


You will now be able to connect to any servers that are a member of this group using the ‘Connect to a remote PC’ page in RDWeb. You should be able to use the internal NETBIOS name of the servers, no need to use the FQDN.
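The IIS setting and the AD group from the two lists above, as an added PowerShell example that is not from the original post. It assumes placeholder names: gateway.contoso.com for the gateway's external FQDN, RDGW01 for the gateway server and rdsh01/rdsh02 for the session hosts; the first part runs on the RD Web Access server, the second anywhere the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post): the IIS change and the AD group
# from the two lists above, done from PowerShell instead of the GUI.
# Assumptions: gateway.contoso.com, RDGW01, rdsh01 and rdsh02 are placeholders.

# Part 1 (on the RD Web Access server): DefaultTSGateway must be the gateway's
# external FQDN, i.e. the name on the gateway certificate that clients connect to.
Import-Module WebAdministration
$pages  = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
$filter = "appSettings/add[@key='DefaultTSGateway']"
Set-WebConfigurationProperty -PSPath $pages -Filter $filter -Name value -Value 'gateway.contoso.com'
"DefaultTSGateway is now: $((Get-WebConfigurationProperty -PSPath $pages -Filter $filter -Name value).Value)"

# Part 2 (where the AD module is available): the group the RAP will point at.
# Members are computer objects, not user accounts.
Import-Module ActiveDirectory
$groupName = 'RDGW01 RD Gateway allowed servers'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Servers reachable through the RD Gateway (used by its RAP)'
}
$servers = 'rdsh01', 'rdsh02' | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $groupName -Members $servers

# Review the membership: every server listed here is reachable through the
# gateway by all users the RAP covers, so keep it to the RDSH farm plus the few
# other servers that genuinely need it.
Get-ADGroupMember -Identity $groupName | Select-Object Name, objectClass
```

The final step, pointing the RAP's Network Resource tab at this group, is still done in RD Gateway Manager as described above.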