Server 2012 RDWeb internal / external domain name mismatch

    Question

  • I have a 2012 R2 RDS single server set up and am having difficulty accessing the RDS session from RDWeb. The RDS server contains all roles:
    Connection Broker, Session Host, Gateway, and Web Access. 

    The server is named RDS.domain.local
    The local domain is domain.local

    Internally, I can access https://localhost/RDWeb/ and I am presented with the collection containing an RDS session. This works fine. 
    I have an A record externally pointing to Remote.domainname.com
    I can access RDWeb from this url: https://remote.domainname.com/RDWeb

    I can log in and authenticate, and am presented with the RDP icon for the RDS session. But, when I click it, it opens RDP but I get an error:
    "Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance."

    I CAN use the RDP client and enter the gateway settings of remote.domainname.com and use the computername of rds.domainname.local externally and this DOES work.

    I think the issue is with a domain mismatch, or since remote is not the name of the RDS server. I believe this because I had set this up in another environment where the domain and servername matched the gateway and RDweb server. What I mean is this:

    Working environment:
    internal domain name: domainname.com
    external domain name: domainname.com
    RDS / Gateway server: remote.domainname.com
    RDWeb URL:  https://remote.domainname.com/RDWeb

    Non-working environment:
    internal domain name: domainname.local
    external domain name: domainname.com
    RDS / Gateway server: rds.domainname.local
    RDWeb URL:  https://remote.domainname.com/RDWeb

    Please note above the difference in .local and .com, also the name of the server. I believe I need to change something in IIS to redirect remote.domainname.com to rds.domainname.local but I need some guidance as to if I am on the right path, and how to correct this. Thanks in advance!
    Tuesday, May 12, 2015 8:16 PM

Answers

  • Hi,

    1. In your RDS Deployment Properties -- RD Gateway tab, you should change the FQDN to be the external name, remote.domainname.com if I understand your description.

    2. You should change the published FQDN to remote.domainname.com for your RDS deployment using Set-RDPublishedName.ps1 cmdlet:

    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment

    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

    3. In RD Gateway Manager, properties of your Remote Desktop Resource Authorization Policy (RD RAP), Network Resource tab, please select Allow users to connect to any network resource.  Later if you want you can create an RDG-managed group with all of the required names and select it instead.

    4. On your internal network, please make sure there is a DNS A record for remote.domainname.com pointing to the private IP address of your server.

    5. After making the above changes please refresh the RDWeb page (if it is open) and test from external.  When launching a RemoteApp or full desktop connection, the initial prompt should have Remote computer: remote.domainname.com and Gateway server: remote.domainname.com on it if you changed the names correctly.

    I would appreciate it if you would rate the cmdlet for me (hopefully 4 or 5 stars).  I worked hard creating and testing it to help with scenarios just like yours.

    Thanks.

    -TP

    Wednesday, May 13, 2015 1:56 AM
    Moderator
  • Hi,

    Okay, the custom port is why it isn't working, along with the fact that you have 3389 going to another server.

    1. In RD Gateway Manager, Properties, Transport Settings tab, set UDP port to 4441 and leave HTTPS port set to 4441.

    2. Make sure TCP port 4441 and UDP port 4441 are forwarded to this server on the external firewall.

    3. In RDS Deployment Properties, RD Gateway tab, uncheck Bypass RD Gateway server for local addresses.

    4. In an administrator PowerShell prompt, please run commands similar to the following:

    Import-Module RemoteDesktop
    # add the gateway name and custom port to the RDP files the collection publishes
    Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "gatewayhostname:s:remote.domainname.com:4441"

    5. Using Set-RDPublishedName cmdlet, please change the published FQDN back to remote.domainname.com (no port number on the end of it).

    6. In IIS Manager, in the left pane, navigate to and select Sites\Default Web Site\RDWeb\Pages.  In the middle pane double-click on Application Settings.  Set DefaultTSGateway to remote.domainname.com:4441 

    After performing the above steps please refresh the RDWeb page and test again from external.

    Thanks.

    -TP

    • Marked as answer by commdudeaf Thursday, May 14, 2015 1:52 AM
    Thursday, May 14, 2015 1:36 AM
    Moderator

All replies

  • Thank you TP. I have made the changes you indicated above. Now, I log in / authenticate to RDWeb, I click the RDP session, and it is now connecting to remote.domainname.com but credentials will not authenticate to rdsservername.rds.local. Please see attached screenshot for the issue.
    Wednesday, May 13, 2015 3:12 PM
  • Hi,

    Do you have certificate(s) from a trusted public authority such as GoDaddy, GeoTrust, Digicert, Thawte, etc. assigned for all 4 purposes in RDS Deployment properties -- Certificates tab?

    Still seeing the .local name on a credential prompt is normal, but seeing credential prompt itself is not.

    -TP

    Wednesday, May 13, 2015 7:36 PM
    Moderator
  • Yes, we are using a wildcard GoDaddy SSL cert for *.domainname.com. Please see attached screenshot.

    Wednesday, May 13, 2015 7:43 PM
  • Hi,

    1. When you are logged on to the server and you ping remote.domainname.com, does it resolve to the local ip address of the server?  The same ip the .local resolves to?

    2. Do you see failure audit events in the Security log when you attempt to authenticate?

    3. What events are logged by the RD Gateway when you try to connect?  The RDG log is located under Event Viewer\ Applications and Services Logs\ Microsoft\ Windows\ TerminalServices-Gateway\

    -TP

    Wednesday, May 13, 2015 7:55 PM
    Moderator
  • 1.) Yes, if I ping remote.domainname.com it returns the same IP as if I ping rds.domainname.local

    2.) On the RDS server, under the security log, at the time I authenticate through RDWeb, there are 4 signon and 4 signoff events. I have included the 8 events below, but TechNet only allows 2 per message so I apologize for multiple posts. 

    3.) During this time of RDWeb signon, there are no events in this log. 

    ** Update ** In addition to step 2, I noticed that these events are generated when authenticating to RDWeb only. After I click the RDP icon and am prompted for credentials, I enter them and click ok and no events are generated in the security log.

    • Edited by commdudeaf Wednesday, May 13, 2015 8:37 PM
    Wednesday, May 13, 2015 8:28 PM
  • Hi,

    1. No Audit Failure events in the Security log?  Is it set to log failure events?

    2. Is this server a domain controller, or a member server?

    We don't really care about the success entries for RDWeb at this point.  The entries in the RDG log should show up after you attempt to connect.

    Do you have a Windows 8.1 PC with default settings, not domain joined, that you can use for testing?  You can use a freshly-made VM if you want.  The idea is to test with a machine that doesn't have any non-default security or group policy settings.

    If you want you can temporarily change the published FQDN back to the .local while leaving the RD Gateway FQDN to the external name.  You will get a certificate mismatch prompt but based on your earlier description it should work.  If this is a test environment and/or you do not care that it doesn't work at the moment then naturally you may want to leave it as is.

    If you do not get this sorted out soon I may want you to email me directly.

    -TP

    Wednesday, May 13, 2015 9:29 PM
    Moderator
  • 1.) The event log does audit failures. If I try to authenticate to RDWeb with the wrong password then audit failures DO show up in the security logs.

    2.) The server is a member server. 

    3.) I am using a windows 8.1 computer that is not bound to the domain.

    4.) I used your powershell cmdlet to set the name back to rds.domainname.local. Now when I log in to RDWeb, it still authenticates. Then, when I click the RDP icon I do not get prompted for credentials again, but I get the error shown below. I would be more than happy to work with you directly through email and can provide whatever details you may need. This is currently not a production environment, we will be moving users over once I get this completed. I had set it up with RDP client originally but they require RDWeb.

    Wednesday, May 13, 2015 10:09 PM
  • Hi,

    1. Based on what you have said so far it doesn't look like the RDG is working.  Is Remote Desktop Gateway showing as Started in services.msc?  Have you tried restarting it?

    2. On the firewall, please make sure that TCP and UDP port 3389 are blocked.  If you currently have 3389 open for some reason you will need to change things a bit first so that you can block 3389.  For example, you may need to forward a different external port and use Port Address Translation so that it is directed to the current server that 3389 is forwarded to.

    3. On the firewall, do you have both TCP 443 and UDP 3391 forwarded to this server?  I'm guessing you have TCP 443 since you are using RDWeb (unless you changed the default), but how about UDP 3391?

    Thanks.

    -TP

    Wednesday, May 13, 2015 10:37 PM
    Moderator
  • TP, the RDS gateway is configured to use port 4441 instead of 443 because we have other services on the firewall that need 443 port forwarded. So, it is set up as follows:

    RD Gateway uses 4441 instead of 443. Public A record exists for remote.domainname.com that points to public IP on firewall. The Firewall port forwards port 4441 to the local IP of RDS gateway / server. When using RDWeb, clients use:

    https://remote.domainname.com:4441/RDWeb

    I do not have 3391 forwarded to anything. Port 3389 is port forwarded to another server, not this one. My understanding was that the only port needed to be open / forwarded was 443, but we worked around this by forwarding port 4441 instead since 443 and 3389 were already in use for other purposes. The gateway service is running and the server has been rebooted. I know the gateway is working because this DOES work with the RDP client. 

    In the RDP client in advanced settings, gateway, I enter remote.domainname.com:4441 and for the computer name I enter rds.domainname.local and this DOES work. 

    Could it be that I just need to port forward 3391 on the firewall as well?

    • Edited by commdudeaf Thursday, May 14, 2015 1:06 AM
    Thursday, May 14, 2015 12:59 AM
  • I just configured port forwarding for port 3391 UDP to the local RD gateway as well and still get the same error. 
    • Edited by commdudeaf Thursday, May 14, 2015 1:12 AM
    Thursday, May 14, 2015 1:09 AM
  • TP, YOU sir, are a genius! That worked perfectly. Thank you so much for all of the help! I'm sure this article will help many others in the future. Of course, I also rated your script 5 stars! Thanks again!
    Thursday, May 14, 2015 1:52 AM
  • Hi TP,

    I am having an issue with this script I posted in another thread, if you have time to review. 

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/04589dc5-a036-4282-af65-3892caab336d/2012-rds-custom-port-credentials-not-working?forum=winserverTS

    Tuesday, June 23, 2015 7:04 PM
  • This has been plaguing me in two different scenarios. Finally I found this answer, in this thread.

    - Unchecking Bypass RD Gateway Server for local addresses
    - Adding a name to Default TS Gateway in IIS
    - Adding an entry in the HOSTS file on the RDS Gateway server for the external name (pointing towards the RDS Host server)

    These 3 steps together solved it for me.

    Thanks!
    Thursday, January 26, 2017 5:52 PM
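The settings TP's accepted answer tells you to change (external gateway FQDN, Bypass local unchecked, the gatewayhostname custom RDP property with the port, DefaultTSGateway in IIS, both transport ports listening) and the things he asks the poster to check (internal DNS resolution of the external name, the gateway service, the RD Gateway event log) can be verified in one pass from the RDS server. The script below is an added example written for this page, not code from the thread or from the Set-RDPublishedName.ps1 gallery script; the host names, collection name and port are the thread's values and are assumptions to adjust for your deployment.

```powershell
# Added example: verify the RD Gateway / RDWeb settings from the accepted answer.
# Assumed values (taken from the thread; change them to match your deployment):
$ExternalFqdn = 'remote.domainname.com'   # published name and RD Gateway name
$InternalFqdn = 'rds.domainname.local'    # real server name in the .local domain
$GatewayPort  = 4441                      # custom RDG port (HTTPS and UDP)
$Collection   = 'QuickSessionCollection'  # session collection to inspect
$Broker       = $InternalFqdn             # single-server deployment: broker is this host

Import-Module RemoteDesktop
Import-Module WebAdministration
Import-Module DnsClient

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, $Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. Internal DNS: the external name must resolve to the same private IP as the .local name
$extIp = Resolve-DnsName $ExternalFqdn -Type A -ErrorAction SilentlyContinue | Select-Object -First 1 -ExpandProperty IPAddress
$intIp = Resolve-DnsName $InternalFqdn -Type A -ErrorAction SilentlyContinue | Select-Object -First 1 -ExpandProperty IPAddress
Add-Check 'Internal A record for external name' ($extIp -and $extIp -eq $intIp) "$ExternalFqdn=$extIp $InternalFqdn=$intIp"

# 2. The RD Gateway service (TSGateway) must be running
$svc = Get-Service TSGateway -ErrorAction SilentlyContinue
Add-Check 'RD Gateway service running' ($svc -and $svc.Status -eq 'Running') "$($svc.Status)"

# 3. The gateway must listen on the custom port for both transports (TCP/HTTPS and UDP)
$tcp = Get-NetTCPConnection -State Listen -LocalPort $GatewayPort -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint -LocalPort $GatewayPort -ErrorAction SilentlyContinue
Add-Check "TCP $GatewayPort listening" ($null -ne $tcp) ''
Add-Check "UDP $GatewayPort listening" ($null -ne $udp) ''

# 4. Deployment-level gateway settings: external FQDN set, "Bypass local" unchecked
$gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
Add-Check 'RD Gateway FQDN is the external name' ($gw.GatewayExternalFqdn -eq $ExternalFqdn) "$($gw.GatewayExternalFqdn)"
Add-Check 'Bypass RD Gateway for local addresses unchecked' (-not $gw.BypassLocal) "BypassLocal=$($gw.BypassLocal)"

# 5. The collection must publish gatewayhostname with the port in its custom RDP properties
$rdp = (Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker).CustomRdpProperty
$expected = "gatewayhostname:s:${ExternalFqdn}:$GatewayPort"
Add-Check 'gatewayhostname custom RDP property' ($rdp -and $rdp.Contains($expected)) "$rdp"

# 6. RDWeb's DefaultTSGateway application setting must carry the port as well
$tsgw = (Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\RDWeb\Pages' `
            -Filter "/appSettings/add[@key='DefaultTSGateway']" -Name value).Value
Add-Check 'RDWeb DefaultTSGateway' ($tsgw -eq "${ExternalFqdn}:$GatewayPort") "$tsgw"

# 7. RDG operational log: no entries after a connection attempt means the client never reached the gateway
$ev = @(Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue)
Add-Check 'Recent RD Gateway events present' ($ev.Count -gt 0) "$($ev.Count) recent events"

$results | Format-Table -AutoSize
```

The published FQDN that Set-RDPublishedName.ps1 changes is not exposed by these cmdlets; confirm it from the Remote computer name shown in the connection prompt, as step 5 of the accepted answer describes.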