18 Replies
· · ·
Ghost Chili
OP
Jan 20, 2020 at 03:58 UTC
Check the default TSGateway
//www.concurrency.com/blog/w/remote-desktop-can%E2%80%99t-find-the-computer-through-rdw
0
· · ·
Mace
OP
Jan 20, 2020 at 04:58 UTC
The only port needed externally should be 443. You don't want to expose 3389 publicly.
What does the event viewer say when people try to connect?
2
· · ·
Mace
OP
Jan 20, 2020 at 07:06 UTC
First of all, stop forwarding everything to your RD gateway except for 443. You have a major security issue.
Also be sure your RD gateway got the January 2020 security patch, as there is a critical RD Gateway remote code execution bug that can be remotely exploited by an unauthenticated attacker.
To start, try manually connecting to your TD s wnssion host from outside and manually specify your RD Gateway server. If this doesn't work then you have a problem with RD gateway. If it does work, then your problem could be with RD Web, etc.
0
· · ·
Anaheim
OP
Jan 20, 2020 at 14:57 UTC
To jono, who replied: that was initially checked before the post. Thanks.
To justin1250: I understand that is a security risk and will be addressing that as soon as I get it working. There will be firewall rules only allowing certain sites to connect. Thanks.
To kevinmhsieh: the January security patch has been installed. I'm not sure what your request is regarding the "TD s wnssion".
The connections are being made from the browser, and the remote desktop app will not be used in this application, but I need to make sure all is working before I turn it off.
0
· · ·
Anaheim
OP
Jan 20, 2020 at 15:12 UTC
I tried using Remote Desktop to connect instead of the web browser and got the same message stating that the Remote Desktop Gateway server was unavailable. I tried changing the Remote Desktop server name several different ways with no success.
0
· · ·
· · ·
Mace
OP
Jan 20, 2020 at 15:47 UTC
I meant to manually connect to RD session host via RD gateway. Autocorrect can really suck on my device.
Honestly I have never tried RD Web and RD gateway on same machine. I do know that it has to be done correctly, or the two services, which use the same listening port, will conflict.
0
· · ·
Anaheim
OP
Jan 20, 2020 at 16:40 UTC
kevinmhsieh, thanks for clarifying on the autocorrect. I understand. I'm not sure if I'm following your lead though, and it's probably because I don't understand. I can open a web browser on the RDWeb server, go to the URL //publicserver.publicdomain.com/rdweb, get a login screen, log in, see apps, and open the apps with one additional AD credentials prompt that I think shouldn't be there, but with no errors through the process.
0
· · ·
Anaheim
OP
Jan 20, 2020 at 22:07 UTC
So after still working on the issue for quite some time I decided to just uninstall RD Web services and reinstall it. All of the errors have gone away, but I'm still getting an extra authentication prompt when I go to launch the application that is published. Can anyone tell me how to get rid of the extra domain authentication credentials prompt when clicking on the published application? I've already supplied my domain credentials at the RD Web splash page and would think that it wouldn't be necessary again. Maybe that's the way the stupid thing works, but if someone knows please let me know.
0
· · ·
Mace
OP
Best Answer
Jan 20, 2020 at 22:21 UTC
klpconsulting wrote:
So after still working on the issue for quite some time I decided to just uninstall RD Web services and reinstall it. All of the errors have gone away, but I'm still getting an extra authentication prompt when I go to launch the application that is published. Can anyone tell me how to get rid of the extra domain authentication credentials prompt when clicking on the published application? I've already supplied my domain credentials at the RD Web splash page and would think that it wouldn't be necessary again. Maybe that's the way the stupid thing works, but if someone knows please let me know.
Here is a great set of guides for RDS:
//ryanmangansitblog.com/2015/03/02/rds-2012-deployment-and-configuration-guides/
Run through the SSO guide to get rid of the prompts.
0
· · ·
Anaheim
OP
Jan 21, 2020 at 00:24 UTC
justin1250, that's a lot of great information on your page! Thanks so much for your assistance. I don't think I would have ever found this in such detail, although I'm still having a little bit of trouble. I worked my way thru your SSO article and got to the end of the GPO section and decided to test it so far. I ran a gpupdate /force from the AD and RD server, but I'm not getting the message regarding trusting the app's publisher and I'm still getting the prompt again for the credentials. I have another GPO related to mapped drives just above this policy with the same setup of users, so I think it's assigned correctly. Can you explain what the TERMSRV/ requirement is in front of the server name? I am using the .local name there also, which is what made sense to me. I'm posting a pic of the policy to see if you see anything I might have done incorrectly. Thanks!
0
· · ·
Mace
OP
Jan 21, 2020 at 00:30 UTC
Ryan's guides are great!
I believe it is an SPN. Makes the account or the terminal server trusted for delegation and allows the credentials to pass.
0
· · ·
Anaheim
OP
Jan 21, 2020 at 03:25 UTC
I've made the changes but still keep getting the request for credentials when I launch the app. I'm not sure what I'm missing.
0
· · ·
Mace
OP
Jan 21, 2020 at 04:45 UTC
Where are you applying the SSO GPO?
Have you checked the event logs on the servers for anything credential related?
0
· · ·
Anaheim
OP
Jan 21, 2020 at 15:30 UTC
I set up the GPO on the domain controller and assigned it to a small group of users that I am using as test users. I am seeing logon events in the domain controller security log, but it doesn't show the user that logged in as it does when a user logs in locally.
0
· · ·
Anaheim
OP
Jan 21, 2020 at 15:42 UTC
So I was reading back through Ryan's guide on SSO and noticed this statement:
"SSO works only in the domain environment: Active Directory user accounts must be used, the RDS servers and user's workstations must be included in the AD domain"
The remote users' workstations are not part of the domain as they are remote. The RD server and user accounts are part of the domain. Is this my problem?
0
· · ·
Anaheim
OP
Jan 21, 2020 at 18:49 UTC
GOT IT!
I found this in another one of Ryan's blogs:
//ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
This is the piece I was missing:
Add the Certificates created above to the .rdp trusted publishers using GPO: [Computer Configuration -> Administrative Templates -> Windows Desktop Services -> Remote Desktop Connection Client]. Specify SHA1 thumbprints of certificates representing RDP publishers
Ryan's path wasn't correct, but after correcting the path in the GPO and pasting the thumbprint in the policy it worked. Only one authentication for the user at the splash page.
0
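The two client-side settings the thread converges on (the TERMSRV/ SPN entry justin1250 describes in the credential-delegation policy, and the SHA1 publisher thumbprint policy from the "GOT IT!" post) can be applied and read back as registry policy values on a domain-joined test client. This is an added example, not code from the thread or from Ryan's guides; the FQDN and thumbprint are placeholders, and the registry paths are the ones the corresponding GPO settings write.

```powershell
# Added example: apply the RDP SSO client policies locally for testing, then read them back.
# Run elevated. In production deliver the same values via GPO as the thread does.
param(
    [string]$SessionHostFqdn     = 'rdsh01.corp.example.local',                 # placeholder
    [string]$PublisherThumbprint = '0000000000000000000000000000000000000000'   # placeholder
)

$credDelegation = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$termServices   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Test-Sha1Thumbprint {
    param([string]$Thumbprint)
    # The policy wants a bare 40-hex-digit SHA1; the certificate MMC copies it with spaces.
    $clean = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA1 thumbprint: '$Thumbprint'" }
    return $clean
}

function Set-RdpSsoPolicy {
    param([string]$Fqdn, [string]$Thumbprint)
    $clean = Test-Sha1Thumbprint $Thumbprint

    # "Allow delegating default credentials" with one TERMSRV/<fqdn> SPN entry.
    # Scope it to the session host, not TERMSRV/*, so saved credentials are only
    # offered to that host.
    New-Item -Path $credDelegation -Force | Out-Null
    New-ItemProperty -Path $credDelegation -Name AllowDefaultCredentials -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $credDelegation -Name ConcatenateDefaults_AllowDefault -Value 1 -PropertyType DWord -Force | Out-Null
    $list = Join-Path $credDelegation 'AllowDefaultCredentials'
    New-Item -Path $list -Force | Out-Null
    New-ItemProperty -Path $list -Name '1' -Value "TERMSRV/$Fqdn" -PropertyType String -Force | Out-Null

    # "Specify SHA1 thumbprints of certificates representing RDP publishers":
    # comma-separated list; .rdp files signed by these certs count as trusted.
    New-Item -Path $termServices -Force | Out-Null
    New-ItemProperty -Path $termServices -Name TrustedCertThumbprints -Value $clean -PropertyType String -Force | Out-Null
}

function Get-RdpSsoPolicy {
    # Read back what the RDP client will see; fields are $null when a value is missing.
    $spnKey = Get-ItemProperty (Join-Path $credDelegation 'AllowDefaultCredentials') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowDefaultCredentials = (Get-ItemProperty $credDelegation -ErrorAction SilentlyContinue).AllowDefaultCredentials
        DelegatedSpns           = @($spnKey.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value)
        TrustedCertThumbprints  = (Get-ItemProperty $termServices -ErrorAction SilentlyContinue).TrustedCertThumbprints
    }
}

Set-RdpSsoPolicy -Fqdn $SessionHostFqdn -Thumbprint $PublisherThumbprint
Get-RdpSsoPolicy | Format-List
```

After a gpupdate /force on a GPO-managed client, Get-RdpSsoPolicy should show the same SPN and thumbprint; an empty DelegatedSpns or a mismatched thumbprint explains a lingering second credential prompt.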
· · ·
Pimiento
OP
Apr 29, 2020 at 21:24 UTC
1st Post
How did you manage to change untrusted to trusted? I am unable to do so.
0
· · ·
Question
Cannot connect from Macbook to Mac Pro using Microsoft Remote Desktop for Mac. Steps taken:
1. Add PC
2. Enter local IP address as name of PC to remote into. User acct: "ask if required"
3. Add local IP address to gateway section
4. Save
Refer to pic: //imgur.com/USgHVym
Systems, software, settings:
Macbook Pro MacOS 10.15.4 Catalina
Macbook MacOS 10.14.4 Mojave
Microsoft Remote Desktop: Version 10.3.10 [1783]
Error message:
We couldn't connect to the remote PC because the Remote Desktop Gateway is temporarily unavailable. Try connecting later or contact your network administrator for assistance.
Error code: 0x300005e
Saturday, May 9, 2020 5:42 PM
You cannot use the Microsoft Remote Desktop for Mac client app to connect to another Mac; it's used primarily to connect to Windows machines. It uses the RDP protocol, which allows connections to Windows servers and Pro versions of desktop OSes. Macs use VNC natively, so you can use Screen Sharing thru Finder or any VNC client [if it's configured under Sharing/Screen Sharing on the Mac properly].
Monday, May 11, 2020 9:05 PM