Category Archives: Remote Desktop

Connecting to a Remote Desktop Gateway behind a proxy server

Connecting to a Windows 2012 R2 RD Gateway server when you are behind a proxy server, especially one requiring authentication, may fail with the following errors:

‘Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to.’



‘Remote Desktop can’t connect to the remote computer for one of these reasons:

  1. Remote access to the server is not enabled
  2. The remote computer is turned off
  3. The remote computer is not available on the network’


Additionally, you will see the following event ID 4625 in the security log on the gateway server.

<p lang="en-GB">Log Name: Security</p>
<p lang="en-GB">Source: Microsoft-Windows-Security-Auditing</p>
<p lang="en-GB">Date: 8/5/2013 4:20:00 PM</p>
<p lang="en-GB">Event ID: 4625</p>
<p lang="en-GB">Task Category: Logon</p>
<p lang="en-GB">Level: Information</p>
<p lang="en-GB">Keywords: Audit Failure</p>
<p lang="en-GB">User: N/A</p>
<p lang="en-GB">Computer: RDGW.CONTOSO.COM</p>
<p lang="en-GB">Description:</p>
<p lang="en-GB">An account failed to log on.</p>

 This issue is documented here:

To fix it, set the EnforceChannelBinding registry value to 0 (zero) to ignore missing channel bindings on the Gateway server.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core


Name: EnforceChannelBinding

Value: 0 (Decimal)


 Note By default, the EnforceChannelBinding value does not exist on the Gateway server. You must create this value. When you are done, reboot the server and it should work behind your proxy server.

Install and configure a Remote Desktop certificate on RD Session Host servers

When installing an Remote Desktop farm with a RD Gateway on Windows Server 2012, you install a certificate for the Broker, Web Access and Gateway roles using Server Manager. However, this does not add the certificate to the Remote Desktop Session Host (RDSH) servers. This means that you get a warning when connecting to a RemoteApp or desktop, because the RDSH severs will have a self-signed certificate. You can replace this certificate using a valid certificate. You will continue to get warnings for the following reasons:

  1. The name on the certificate does not match the RDSH server name
  2. The certificate is not from a trusted root certificate authority

The best way to resolve this is to purchase a single wilcard certificate e.g. * that covers both the RDWeb URL, as well as the server names. This also requires that your internal domain is a subdomain of your external domain. So you might use on the web, and as your AD domain. Your RDSH server is then e.g. You could also use a SAN certificate.

Note that you should NOT replace the certificates on the RDSH servers as listed below, if you are using self-signed certificates and you want to be able to connect from clients which are not joined to your domain. Even if you trust the root manually, the revocation information will not be available, and clients will not be able to connect, and will give a 0x607 error. See for more info on this error.

If you are just connecting internally from clients in the same domain, you should be able to use an internal Enterprise CA to create a SAN or wildcard certificate which you can use on your servers. So, only replace the certificates on the RDSH servers if:

  • Clients are all in the same      domain and you are using internal certificates
  • Clients are outside the domain,      but you have purchased commercial certificates

It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles.

  • Open the MMC and open the      Certificates snapin
  • Add the Local Computer
  • Import the certificate into      Computer\Personal
  • Open the certificate and find      the thumbprint on the details tab. Copy the thumbprint to notepad and      delete all the spaces.
  • Open up an elevated PowerShell      prompt and write:
  • wmic      /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set      SSLCertificateSHA1Hash=”‎PASTE_THUMBPRINT_STRING”
  • You can check the certificate      by running:
  • Get-WmiObject -class      “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -Filter      “TerminalName=’RDP-tcp'”

Note that sometimes for the last command, you may need to remote the end quotes around RDP-tcp and type them in again if posting.

See for more information.

Customising the RDWeb web page

This outlines the customisation options with the default RDWeb page in Microsoft Server 2012, when using Remote Desktop Services with RDWeb. You can easily replace the logon and text at the top of the page.

As an example, you can change the default:


To something like this:


Replaceable Company Logo Image

Add the new Icon into the image folder

  • Add the new icon into the images folder located in:


Modify the site.xsl file

  • Backup this file:


To e.g. C:\Windows\Web\RDWeb\Pages\Site.xsl.bak

The word Replaceable appears 3 times in this file. Do a find for this word to find the sections below:

Run notepad as admin and open. I find the easiest way to do this is to run Powershell as admin, and then launch notepad from there. That way if you close down notepad, you quickly launch as admin again without finding notepad.

Edit the file:


Replaceable Company Logo Image


<img src=”../images/logo_02.png” width=”48″ height=”48″/>

To e.g.:

<img src=”../images/donkey_blue.png” width=”58″ height=”34″/>

Replaceable Company Logo Text and Application Type


<td class=”headingCompanyName”><xsl:value-of select=”@workspacename”/></td>

To e.g.:

<td class=”headingCompanyName”>msdonkey remote access</td>


<xsl:value-of select=”$strings[@id = ‘HeadingApplicationName’]”/>

To e.g.:

RemoteApps and Desktops

Using the ‘Connect to a remote PC’ page in RDWeb Remote Desktop Web on Windows Server 2012

The Remote Desktop web site, which is a component of Remote Desktop Services in Windows Server 2012 and 2008, has a page called ‘Connect to a remote PC’.


This page will allow you to connect to servers or computers behind your Remote Desktop Gateway server, which is a handy feature if users need to connect to a full remote desktop behind the gateway, rather than just a remote app. This will also allow you to connect to your servers on an internal network directly, even if you are behind a web proxy server, so can be useful for remote management purposes when connected to a corporate network.

However, by default, this page will only allow you to connect to local resources, and will not use the gateway server.

To fix this, you need to make a change in IIS:

  • On your RD Web Access server, open IIS Manager
  • In the left pane, navigate to and Sites\Default Web Site\RDWeb\Pages
  • In the middle pane, double-click on Application Settings
  • Double-click on DefaultTSGateway and enter the external FQDN of your RD Gateway
  • Refresh the RDWeb page on the client and then test using an external client


Now, to connect to other machines on your network other than ones already in your RDSH farm, you also need to modify the RD Gateway policies to allow you to connect to those other resources. You probably already have an AD group configured in your RD Gateway policies, and you can just add to this group, but in case you don’t then can configure this as follows:

  • Create a new group in AD called e.g. SERVERNAME RD Gateway allowed servers, where SERVERNAME is the name of your RD Gateway server.
  • Add all the servers that you want to be able to connect to into this group. For a start this should include all of your RDSH servers, but you can also add other Windows servers on the network.
  • Open RD Gateway Manger (in the Tools/Terminal Services menu in the Server Manager in 2012), expand Policies, and click on the Resource Authorization Policy
  • On the Network Resource tab, change the AD group to SERVERNAME RD Gateway allowed servers
  • Note that you could also do this using an RD Gateway-managed group if you are using that feature


You will now be able to connect to any servers that are a member of this group using the ‘Connect to a remote PC’ page in RDWeb. You should be able to use the internal NETBIOS name of the servers, no need to use the FQDN.