RDWeb with MFA: Unable to Open Application on Non-IE Browsers
Recently we land up to the issue where were unable to open the RDWeb applications with the non-IE browsers which were downloading .rdp file. Let me share the small fix here as this is nowhere documented in the Microsoft internal and external or any blog.
Issue:
We were getting the following popup which opening any application from RDWeb page.
Your computer can’t connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go to the firewall website that your network administrator recommends, and then try the connection again, or contact your network administrator for assistance.
Resolution:
I got the same popup in IE but I added RDWeb URL in the trusted sites and it went away.
For non-IE browsers from the internet, we were getting this error which means my non-Microsoft OS users can’t use RDWeb.
We opened a Microsoft case to fix this but Microsoft was clueless and reviewed multiple logs, involved WAP team, and other escalation teams.
At the same time, Microsoft referred me to the TechNet link.
https://technet.microsoft.com/en-us/library/dn765486.aspx
After reviewing the link, I figured out that I had run the following command
Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s:https://rdg.contoso.com’nrequire pre-authentication:i:1″`
But I should have run this command.
Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″`
After running the correct command. RDWeb app started working from all browsers from the internet. I should rather say, .rdp file started connecting to the apps and the error mentioned above went away.
Microsoft MVP | CTO @ Golden Five
Team@MSExchangeGuru
July 25th, 2017 at 5:38 pm
Cheers for this Prabhat, this explains my issue precisely. The only issue is I’m getting syntax errors when running the above commands. Are you able to review and advise?
The other article I tried following (that lead to the Browser incompatibility) is
http://blog.tmurphy.org/2015/06/securing-rd-gateway-with-web.html
It quotes:
Import-Module remotedesktop
Set-RDSessionCollectionConfiguration -CollectionName -CustomRdpProperty “pre-authentication server address:s:https://`nrequire pre-authentication:i:1″
This works, but only for Internet Explorer 11.
July 26th, 2017 at 4:22 pm
Here is the command
Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″
July 26th, 2017 at 6:34 pm
Thanks Prabhat, although still not working unfortunately. The summary of your change is effectively to add /rdwep to the end of the pre-auth server URL yeah? We’re using ADFS+On-premise Azure MFA Server so not sure if the MFA part makes a difference…
July 26th, 2017 at 7:11 pm
Share the error
July 26th, 2017 at 7:21 pm
Launching from IE11 – works fine.
Launching from Chrome/Firefox/Edge:
“Your computer can’t connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go the firewall website that your network administrator recommends, then try the connection again, or contact your network administrator for assistance.”
Looking at the RDP file that gets downloaded by Chrome/Firefox/Edge, everything looks ok to me.
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
require pre-authentication:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:*CONNECTIONBROKER*
alternate shell:s:||*APPLICATIONALIAS*
remoteapplicationprogram:s:||*APPLICATIONALIAS*
gatewayhostname:s:*EXTERNALURL*
pre-authentication server address:s:https://*EXTERNALURL*/rdweb/
remoteapplicationname:s:*APPLICATIONNAME*
remoteapplicationcmdline:s:
workspace id:s:*CONNECTIONBROKENAME*
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Vitalware
alternate full address:s:*CONNECTIONBROKER*
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Require pre-authentication,Pre-authentication server address,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:*SIGNATURE*
Also, cheers for the help.
July 27th, 2017 at 10:02 pm
FYI I’ve logged a premier support job with MS for this, who have confirmed the behaviour we are experiencing (they tried Chrome in their lab). Will advise the results here once I hopefully have a resolution.
July 27th, 2017 at 11:31 pm
Let us know what premier support says or gives as resolution.
Mail me if you would like to use our Escalation services.
Prabhat.nigam@GoldenFive.net
July 31st, 2017 at 7:30 pm
Microsoft are still scratching their heads and escalating with their ADFS and WAP teams.
Just for my own sanity, are you able to run the below on your collection that is working fine and advise the results? Obviously redact the identifying stuff.
Get-RDSessionCollectionConfiguration -CollectionName **COLLECTIONNAME*** | select -ExpandProperty CustomRDPProperty
July 31st, 2017 at 8:55 pm
Remove – before expandproperty then give comma then without space write customrdpproperty like this
Select expandproperrty,customrdpproperty
July 31st, 2017 at 9:16 pm
Na that command works fine, I just more wanted to see if my results matched yours. When I run it, the results look like this:
pre-authentication server address:s:https://externalgayewayaddress/rdweb/
require pre-authentication:i:1
use redirection server name:i:1
August 1st, 2017 at 12:02 am
I would not be surprised if Joshua’s problem and mine are identical.
I have the same problem. I created a new server with all RDS roles installed. I can connect externally with IE, but get the same credentials error when using Chrome or Firefox. My CustomRDPProperty looks like Joshua’s.
One interesting thing and maybe it will give someone insight. You might want to try this Joshua.
If I try opening a remote app externally with Chrome or Firefox, it fails. HOWEVER, if I start a remote app with IE (from the RDWeb Page), I can then launch the remote app (rdp file) in Chrome or Firefox and it works. It doesn’t matter if I leave the IE opened app open or if I close it – I can now open the remote app in FF and Chrome. This works for a while – I think it stops working after the cookie expires for the IE session.
Looking at the WAP server event viewer. Event Viewer-> Custom Views-> ServerRoles->Remote Access
When I login to the FS server in IE, Chrome, or FF, I see event 14027 showing “Web Application Proxy received an HTTP request with a valid edge token” and I get passed on to the RDWeb page. Try to launch a remote app in FF and Chrome fails and throws this error 13006 in the WAP server event viewer.
Connection to the backend server failed. Error: (0x80072efe).
Details:
Transaction ID: {4523eeff-01fe-0000-d2d9-5624fe01d301}
Session ID: {4523eeff-01fe-0000-c3d9-5624fe01d301}
Published Application Name: RDWeb
Published Application ID: 54297a32-7bec-926d-81c9-0c3de76d9032
Published Application External URL: https://rd.contoso.com/
Published Backend URL: https://rd.contoso.com/
User: xxxx@contoso.com
User-Agent: MS-RDGateway/1.0
Device ID:
Token State: NotFound
Cookie State: OK
Client Request URL: https://rd.contoso.com/remoteDesktopGateway/
Backend Request URL: https://rd.contoso.com/remoteDesktopGateway/
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: PassThrough
State Machine State: FEBodyWriting
Response Code to Client: 200
Response Message to Client: OK
Client Certificate Issuer:
Notice:
User-Agent: MS-RDGateway/1.0
Client Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
Backend Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
“https://rdweb.contoso.com/remoteDesktopGateway/” – Where does this come from? I definitely did not set up any such link. Maybe this is what is broken.
Sometimes, I get this event 13007 – and I can’t tell what is triggering it.
The HTTP response from the backend server was not received within the expected interval. Expected interval: 90 seconds. (Maybe this is related to InactiveTransactionsTimeoutSec which is set to 90.)
Details:
Transaction ID: {757c5c39-08b9-0000-b785-7c75b908d301}
Session ID: {757c5c39-08b9-0000-a685-7c75b908d301}
Published Application Name: rdweb
Published Application ID: 1f247fb7-127b-713c-b171-2fd50e80ebad
Published Application External URL: https://rdweb.contoso.com/
Published Backend URL: https://rdweb.contoso.com/
User: xxxx@contoso.com
User-Agent: MS-RDGateway/1.0
Device ID:
Token State: NotFound
Cookie State: OK
Client Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
Backend Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: PassThrough
State Machine State: FEBodyWriting
Response Code to Client: 200
Response Message to Client: OK
Client Certificate Issuer:
Again:
User-Agent: MS-RDGateway/1.0
Client Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
Backend Request URL: https://rdweb.contoso.com/remoteDesktopGateway/
Where does this come from? I definitely did not set up any such link. Maybe this is what is broken. Though, InactiveTransactionsTimeoutSec is set to 90 – so maybe this is just related to that.
Anyone have any idea? This is super frustrating. We have really been planning to use WAP & RDWeb for our production server and this is killing it and ME right now.
On a side note, I do believe that the command to set custom RDP Properties is:
Set-RDSessionCollectionConfiguration -CollectionName -CustomRdpProperty “pre-authentication server address:s:https:/rd.contoso.com/rdweb/`nrequire pre-authentication:i:1″
If you don’t have the ` (the character on the tilde key) before the n after “https:/rd.contoso.com/rdweb/”, it won’t correctly create a line break. If you just use n, you will see this in the RDP file:
pre-authentication server address:s:https://rd.contoso.com/rdweb/nrequire pre-authentication:i:1
No line break.
August 1st, 2017 at 7:20 pm
Cheers for the info Rico. Indeed we’re in the same boat.
My Microsoft case is progressing but the answer is looking more and more like a limitation of RD WAP+ADFS+MFA. Effectively it is the RDS/activeX addin that only works in IE11 that is, and what you allude to above, a hard requirement…
Will keep you posted.
August 1st, 2017 at 9:10 pm
Do you need me to work on your issue?
August 3rd, 2017 at 7:13 pm
Not sure if this post is working?
August 3rd, 2017 at 7:15 pm
Oh now it is….
I’ve had work from MS that indeed there are no options….
Referencing the link below (while specifically Azure WAP), confirms similar information.
https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-publish-remote-desktop
Support for other client configurations
The configuration outlined in this article is for users on Windows 7 or 10, with Internet Explorer plus the RDS ActiveX add-on. If you need to, however, you can support other operating systems or browsers. The difference is in the authentication method that you use.
Authentication method
Supported client configuration
Pre-authentication Windows 7/10 using Internet Explorer + RDS ActiveX add-on
Passthrough Any other operating system that supports the Microsoft Remote Desktop application
August 3rd, 2017 at 8:08 pm
If you need us to help you then let me tell you.
We charge almost 50% of MCS and do better than them because we do what works better for the customer. So you might like to try our consulting. No cost if we don’t fix it. Let me know at Prabhat.Nigam@GoldenFive.net
August 6th, 2017 at 11:52 pm
Thanks for the offer Prabhat, but we have free Microsoft cases as part of our enterprise agreement.
Just to confirm, does your configuration match the below? Your original post is that yours is working fine but Microsoft/Rico aren’t able to reproduce it:
– DMZ RD WAP host utilisation ADFS with MFA (on-premise Azure MFA Server)
– Domain-joined RD WebAccess and Gateway on same host
August 7th, 2017 at 1:31 am
Yes, I have the same setup at my customer. Rather I have configured the multi-forest configuration for my customer.
This is the number 1 blog dedicate to exchange server. We have started adding other technologies blogs because we are discovering many new Problem and Resolutions.
Overall, we are a team which helps Microsoft in correcting the product.
This issue is not easy for support team as they have no experience. There are not many customers who have implemented it.
I think you should consider us if Microsoft can’t fix your issue on the First call.
What if I tell you to run the following command and let us know if this fixes your issue (you have to watch for 2 things one space after s: and another space after rdweb/n):
Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″
August 7th, 2017 at 8:29 pm
Hi Prabhat,
That is still the same command mentioned a few times in this chain. I think you are still missing the ` between rdweb/ and n. Also note no space is required between n and require.
Set-RDSessionCollectionConfiguration -CollectionName SH03 -CustomRdpProperty “pre-authentication server address:s: https://EXTERNALFQDN/rdweb/`nrequire pre-authentication:i:1″
Also I’m not sure what you mean by ‘Rather I have configured the multi-forest configuration for my customer’ in relation to this context.
August 7th, 2017 at 9:29 pm
Please run the command which I have given you and share the result.
I was telling you that I have configured multi-forest with single Azure MFA tenant.
August 9th, 2017 at 6:59 pm
Indeed I’ve run the command and with the same results. IE with ActiveX fine, Chrome/Edge/Firefox logs in fine (ADFS + MFA), logs on to WebAccess fine, downloads RDP file, but upon launching failures with the original error around firewall auth.
August 9th, 2017 at 7:08 pm
share the result of the command.
Get-RDSessionCollectionConfiguration -CollectionName **COLLECTIONNAME*** | select -ExpandProperty CustomRDPProperty
Do you want me to review your configuration?
August 9th, 2017 at 7:41 pm
Unfortunately we cannot engage your services as I work for a government agency. Microsoft still advise that the configuration is correct and that it (lack of support for Edge/Chrome/Firefox) it is a product limitation.
None the less, the results of the above command are:
pre-authentication server address:s:https://externalurl/rdweb/
require pre-authentication:i:1
use redirection server name:i:1
August 9th, 2017 at 7:41 pm
One quick thing to confirm – you only have port 443 open from the internet -> WAP and not 3389 as well?
August 9th, 2017 at 7:43 pm
Yes, only 443
August 9th, 2017 at 7:45 pm
You didn’t copy paste the command. Output is wrong
August 9th, 2017 at 7:57 pm
That was a copy paste. Screenshot :
http://imgur.com/a/KjT8L
August 9th, 2017 at 11:50 pm
I asked you to run this command first by just replacing MyAppcollection and url and my reply to you saying command is not correct is for this command. Please run the following command.
Set-RDSessionCollectionConfiguration -CollectionName “SH03” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″
August 10th, 2017 at 12:06 am
If you are confused then let me know. We can connect online and it should not take more than 10 mins.
By the way, we were bidding for some government work in Sydney through our partners in AU. We are in the process of opening our branch office in AU very soon as well.
August 10th, 2017 at 12:26 am
You will find that command listed (Set-RDSessionCollectionConfiguration -CollectionName “SH03” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″) is in correct. A ` is required between rdweb/ and n otherwise it goes onto the same configuration line.
Can you please run Get-RDSessionCollectionConfiguration -CollectionName **COLLECTIONNAME*** | select -ExpandProperty CustomRDPProperty on one of your collections that works and supply a screenshot? I just want to make sure.
Thanks a lot
Josh
August 10th, 2017 at 12:40 am
Hey Joshua,
I am guiding you what you are doing wrong. You should consider me better than Microsoft by now and follow my suggestion. I don’t understand why didn’t you read this blog and reviewed the TechNet link mentioned in my blog.
Overall you are wasting your and my time by not following the blog and arguing. Anyways your choice.
August 10th, 2017 at 7:46 pm
Hi Prabhat, indeed I read both. As for running the command as you listed, it results in a different error ‘your computer can’t connect to the remote computer because the remote desktop gateway server is temporarily unavailable”.
August 10th, 2017 at 8:25 pm
Good. We fixed something. This is different error.