MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

RDWeb with MFA: Unable to Open Application on Non-IE Browsers

Recently we land up to the issue where were unable to open the RDWeb applications with the non-IE browsers which were downloading .rdp file. Let me share the small fix here as this is nowhere documented in the Microsoft internal and external or any blog.

Issue:

We were getting the following popup which opening any application from RDWeb page.

Your computer can’t connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go to the firewall website that your network administrator recommends, and then try the connection again, or contact your network administrator for assistance.


Resolution:

I got the same popup in IE but I added RDWeb URL in the trusted sites and it went away.

For non-IE browsers from the internet, we were getting this error which means my non-Microsoft OS users can’t use RDWeb.

We opened a Microsoft case to fix this but Microsoft was clueless and reviewed multiple logs, involved WAP team, and other escalation teams.

At the same time, Microsoft referred me to the TechNet link.

https://technet.microsoft.com/en-us/library/dn765486.aspx

After reviewing the link, I figured out that I had run the following command

Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s:https://rdg.contoso.com’nrequire pre-authentication:i:1″`

But I should have run this command.

Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″`

After running the correct command. RDWeb app started working from all browsers from the internet. I should rather say, .rdp file started connecting to the apps and the error mentioned above went away.

 

Prabhat Nigam

Microsoft MVP | CTO @ Golden Five

Team@MSExchangeGuru

33 Responses to “RDWeb with MFA: Unable to Open Application on Non-IE Browsers”

  1. Joshua Cooke Says:

    Cheers for this Prabhat, this explains my issue precisely. The only issue is I’m getting syntax errors when running the above commands. Are you able to review and advise?

    The other article I tried following (that lead to the Browser incompatibility) is

    http://blog.tmurphy.org/2015/06/securing-rd-gateway-with-web.html

    It quotes:

    Import-Module remotedesktop
    Set-RDSessionCollectionConfiguration -CollectionName -CustomRdpProperty “pre-authentication server address:s:https://`nrequire pre-authentication:i:1″

    This works, but only for Internet Explorer 11.

  2. Prabhat Nigam Says:

    Here is the command
    Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″

  3. Joshua Cooke Says:

    Thanks Prabhat, although still not working unfortunately. The summary of your change is effectively to add /rdwep to the end of the pre-auth server URL yeah? We’re using ADFS+On-premise Azure MFA Server so not sure if the MFA part makes a difference…

  4. Prabhat Nigam Says:

    Share the error

  5. Joshua Cooke Says:

    Launching from IE11 – works fine.

    Launching from Chrome/Firefox/Edge:

    “Your computer can’t connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go the firewall website that your network administrator recommends, then try the connection again, or contact your network administrator for assistance.”

    Looking at the RDP file that gets downloaded by Chrome/Firefox/Edge, everything looks ok to me.

    redirectclipboard:i:1
    redirectprinters:i:1
    redirectcomports:i:0
    redirectsmartcards:i:1
    devicestoredirect:s:*
    drivestoredirect:s:*
    redirectdrives:i:1
    session bpp:i:32
    prompt for credentials on client:i:1
    span monitors:i:1
    use multimon:i:1
    remoteapplicationmode:i:1
    server port:i:3389
    allow font smoothing:i:1
    promptcredentialonce:i:1
    require pre-authentication:i:1
    videoplaybackmode:i:1
    audiocapturemode:i:1
    gatewayusagemethod:i:2
    gatewayprofileusagemethod:i:1
    gatewaycredentialssource:i:0
    full address:s:*CONNECTIONBROKER*
    alternate shell:s:||*APPLICATIONALIAS*
    remoteapplicationprogram:s:||*APPLICATIONALIAS*
    gatewayhostname:s:*EXTERNALURL*
    pre-authentication server address:s:https://*EXTERNALURL*/rdweb/
    remoteapplicationname:s:*APPLICATIONNAME*
    remoteapplicationcmdline:s:
    workspace id:s:*CONNECTIONBROKENAME*
    use redirection server name:i:1
    loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Vitalware
    alternate full address:s:*CONNECTIONBROKER*
    signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Require pre-authentication,Pre-authentication server address,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
    signature:s:*SIGNATURE*

    Also, cheers for the help.

  6. Joshua Cooke Says:

    FYI I’ve logged a premier support job with MS for this, who have confirmed the behaviour we are experiencing (they tried Chrome in their lab). Will advise the results here once I hopefully have a resolution.

  7. Prabhat Nigam Says:

    Let us know what premier support says or gives as resolution.
    Mail me if you would like to use our Escalation services.
    Prabhat.nigam@GoldenFive.net

  8. Joshua Cooke Says:

    Microsoft are still scratching their heads and escalating with their ADFS and WAP teams.

    Just for my own sanity, are you able to run the below on your collection that is working fine and advise the results? Obviously redact the identifying stuff.

    Get-RDSessionCollectionConfiguration -CollectionName **COLLECTIONNAME*** | select -ExpandProperty CustomRDPProperty

  9. Prabhat Nigam Says:

    Remove – before expandproperty then give comma then without space write customrdpproperty like this

    Select expandproperrty,customrdpproperty

  10. Joshua Cooke Says:

    Na that command works fine, I just more wanted to see if my results matched yours. When I run it, the results look like this:

    pre-authentication server address:s:https://externalgayewayaddress/rdweb/
    require pre-authentication:i:1
    use redirection server name:i:1

  11. rico Says:

    I would not be surprised if Joshua’s problem and mine are identical.

    I have the same problem. I created a new server with all RDS roles installed. I can connect externally with IE, but get the same credentials error when using Chrome or Firefox. My CustomRDPProperty looks like Joshua’s.

    One interesting thing and maybe it will give someone insight. You might want to try this Joshua.

    If I try opening a remote app externally with Chrome or Firefox, it fails. HOWEVER, if I start a remote app with IE (from the RDWeb Page), I can then launch the remote app (rdp file) in Chrome or Firefox and it works. It doesn’t matter if I leave the IE opened app open or if I close it – I can now open the remote app in FF and Chrome. This works for a while – I think it stops working after the cookie expires for the IE session.

    Looking at the WAP server event viewer. Event Viewer-> Custom Views-> ServerRoles->Remote Access

    When I login to the FS server in IE, Chrome, or FF, I see event 14027 showing “Web Application Proxy received an HTTP request with a valid edge token” and I get passed on to the RDWeb page. Try to launch a remote app in FF and Chrome fails and throws this error 13006 in the WAP server event viewer.

    Connection to the backend server failed. Error: (0x80072efe).

    Details:
    Transaction ID: {4523eeff-01fe-0000-d2d9-5624fe01d301}
    Session ID: {4523eeff-01fe-0000-c3d9-5624fe01d301}
    Published Application Name: RDWeb
    Published Application ID: 54297a32-7bec-926d-81c9-0c3de76d9032
    Published Application External URL: https://rd.contoso.com/
    Published Backend URL: https://rd.contoso.com/
    User: xxxx@contoso.com
    User-Agent: MS-RDGateway/1.0
    Device ID:
    Token State: NotFound
    Cookie State: OK
    Client Request URL: https://rd.contoso.com/remoteDesktopGateway/
    Backend Request URL: https://rd.contoso.com/remoteDesktopGateway/
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode: PassThrough
    State Machine State: FEBodyWriting
    Response Code to Client: 200
    Response Message to Client: OK
    Client Certificate Issuer:

    Notice:
    User-Agent: MS-RDGateway/1.0
    Client Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
    Backend Request URL: https://rdweb.contoso.com/remoteDesktopGateway/

    “https://rdweb.contoso.com/remoteDesktopGateway/” – Where does this come from? I definitely did not set up any such link. Maybe this is what is broken.

    Sometimes, I get this event 13007 – and I can’t tell what is triggering it.

    The HTTP response from the backend server was not received within the expected interval. Expected interval: 90 seconds. (Maybe this is related to InactiveTransactionsTimeoutSec which is set to 90.)

    Details:
    Transaction ID: {757c5c39-08b9-0000-b785-7c75b908d301}
    Session ID: {757c5c39-08b9-0000-a685-7c75b908d301}
    Published Application Name: rdweb
    Published Application ID: 1f247fb7-127b-713c-b171-2fd50e80ebad
    Published Application External URL: https://rdweb.contoso.com/
    Published Backend URL: https://rdweb.contoso.com/
    User: xxxx@contoso.com
    User-Agent: MS-RDGateway/1.0
    Device ID:
    Token State: NotFound
    Cookie State: OK
    Client Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
    Backend Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode: PassThrough
    State Machine State: FEBodyWriting
    Response Code to Client: 200
    Response Message to Client: OK
    Client Certificate Issuer:

    Again:
    User-Agent: MS-RDGateway/1.0
    Client Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
    Backend Request URL: https://rdweb.contoso.com/remoteDesktopGateway/

    Where does this come from? I definitely did not set up any such link. Maybe this is what is broken. Though, InactiveTransactionsTimeoutSec is set to 90 – so maybe this is just related to that.

    Anyone have any idea? This is super frustrating. We have really been planning to use WAP & RDWeb for our production server and this is killing it and ME right now.

    On a side note, I do believe that the command to set custom RDP Properties is:
    Set-RDSessionCollectionConfiguration -CollectionName -CustomRdpProperty “pre-authentication server address:s:https:/rd.contoso.com/rdweb/`nrequire pre-authentication:i:1″

    If you don’t have the ` (the character on the tilde key) before the n after “https:/rd.contoso.com/rdweb/”, it won’t correctly create a line break. If you just use n, you will see this in the RDP file:

    pre-authentication server address:s:https://rd.contoso.com/rdweb/nrequire pre-authentication:i:1

    No line break.

  12. Joshua Cooke Says:

    Cheers for the info Rico. Indeed we’re in the same boat.

    My Microsoft case is progressing but the answer is looking more and more like a limitation of RD WAP+ADFS+MFA. Effectively it is the RDS/activeX addin that only works in IE11 that is, and what you allude to above, a hard requirement…

    Will keep you posted.

  13. Prabhat Nigam Says:

    Do you need me to work on your issue?

  14. Joshua Cooke Says:

    Not sure if this post is working?

  15. Joshua Cooke Says:

    Oh now it is….

    I’ve had work from MS that indeed there are no options….

    Referencing the link below (while specifically Azure WAP), confirms similar information.

    https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-publish-remote-desktop

    Support for other client configurations

    The configuration outlined in this article is for users on Windows 7 or 10, with Internet Explorer plus the RDS ActiveX add-on. If you need to, however, you can support other operating systems or browsers. The difference is in the authentication method that you use.

    Authentication method

    Supported client configuration

    Pre-authentication Windows 7/10 using Internet Explorer + RDS ActiveX add-on
    Passthrough Any other operating system that supports the Microsoft Remote Desktop application

  16. Prabhat Nigam Says:

    If you need us to help you then let me tell you.
    We charge almost 50% of MCS and do better than them because we do what works better for the customer. So you might like to try our consulting. No cost if we don’t fix it. Let me know at Prabhat.Nigam@GoldenFive.net

  17. Joshua Cooke Says:

    Thanks for the offer Prabhat, but we have free Microsoft cases as part of our enterprise agreement.

    Just to confirm, does your configuration match the below? Your original post is that yours is working fine but Microsoft/Rico aren’t able to reproduce it:

    – DMZ RD WAP host utilisation ADFS with MFA (on-premise Azure MFA Server)
    – Domain-joined RD WebAccess and Gateway on same host

  18. Prabhat Nigam Says:

    Yes, I have the same setup at my customer. Rather I have configured the multi-forest configuration for my customer.
    This is the number 1 blog dedicate to exchange server. We have started adding other technologies blogs because we are discovering many new Problem and Resolutions.
    Overall, we are a team which helps Microsoft in correcting the product.
    This issue is not easy for support team as they have no experience. There are not many customers who have implemented it.
    I think you should consider us if Microsoft can’t fix your issue on the First call.

    What if I tell you to run the following command and let us know if this fixes your issue (you have to watch for 2 things one space after s: and another space after rdweb/n):

    Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″

  19. Joshua Cooke Says:

    Hi Prabhat,

    That is still the same command mentioned a few times in this chain. I think you are still missing the ` between rdweb/ and n. Also note no space is required between n and require.

    Set-RDSessionCollectionConfiguration -CollectionName SH03 -CustomRdpProperty “pre-authentication server address:s: https://EXTERNALFQDN/rdweb/`nrequire pre-authentication:i:1″

    Also I’m not sure what you mean by ‘Rather I have configured the multi-forest configuration for my customer’ in relation to this context.

  20. Prabhat Nigam Says:

    Please run the command which I have given you and share the result.

    I was telling you that I have configured multi-forest with single Azure MFA tenant.

  21. Joshua Cooke Says:

    Indeed I’ve run the command and with the same results. IE with ActiveX fine, Chrome/Edge/Firefox logs in fine (ADFS + MFA), logs on to WebAccess fine, downloads RDP file, but upon launching failures with the original error around firewall auth.

  22. Prabhat Nigam Says:

    share the result of the command.
    Get-RDSessionCollectionConfiguration -CollectionName **COLLECTIONNAME*** | select -ExpandProperty CustomRDPProperty
    Do you want me to review your configuration?

  23. Joshua Cooke Says:

    Unfortunately we cannot engage your services as I work for a government agency. Microsoft still advise that the configuration is correct and that it (lack of support for Edge/Chrome/Firefox) it is a product limitation.

    None the less, the results of the above command are:

    pre-authentication server address:s:https://externalurl/rdweb/
    require pre-authentication:i:1
    use redirection server name:i:1

  24. Joshua Cooke Says:

    One quick thing to confirm – you only have port 443 open from the internet -> WAP and not 3389 as well?

  25. Prabhat Nigam Says:

    Yes, only 443

  26. Prabhat Nigam Says:

    You didn’t copy paste the command. Output is wrong

  27. Joshua Cooke Says:

    That was a copy paste. Screenshot :

    http://imgur.com/a/KjT8L

  28. Prabhat Nigam Says:

    I asked you to run this command first by just replacing MyAppcollection and url and my reply to you saying command is not correct is for this command. Please run the following command.
    Set-RDSessionCollectionConfiguration -CollectionName “SH03” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″

  29. Prabhat Nigam Says:

    If you are confused then let me know. We can connect online and it should not take more than 10 mins.

    By the way, we were bidding for some government work in Sydney through our partners in AU. We are in the process of opening our branch office in AU very soon as well.

  30. Joshua Cooke Says:

    You will find that command listed (Set-RDSessionCollectionConfiguration -CollectionName “SH03” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″) is in correct. A ` is required between rdweb/ and n otherwise it goes onto the same configuration line.

    Can you please run Get-RDSessionCollectionConfiguration -CollectionName **COLLECTIONNAME*** | select -ExpandProperty CustomRDPProperty on one of your collections that works and supply a screenshot? I just want to make sure.

    Thanks a lot

    Josh

  31. Prabhat Nigam Says:

    Hey Joshua,

    I am guiding you what you are doing wrong. You should consider me better than Microsoft by now and follow my suggestion. I don’t understand why didn’t you read this blog and reviewed the TechNet link mentioned in my blog.
    Overall you are wasting your and my time by not following the blog and arguing. Anyways your choice.

  32. Joshua Cooke Says:

    Hi Prabhat, indeed I read both. As for running the command as you listed, it results in a different error ‘your computer can’t connect to the remote computer because the remote desktop gateway server is temporarily unavailable”.

  33. Prabhat Nigam Says:

    Good. We fixed something. This is different error.

Leave a Reply

ad

Categories

Archives