Share via


RDS Troubleshooting: Logon Attempt Failed Messages When Connecting through RD Gateway

Case

Trying to fix web single sign-on (SSO) externally. SSO was working well internally, but when we were trying to make it work outside the environment (by using Remote Desktop Gateway), it was not working and resulted in continuous logon attempt failed error messages:

http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-65-40-metablogapi/0081.clip_5F00_image002_5F00_thumb_5F00_260C948D.jpg

After exhausting all the methods I could think of, I configured another server basically the same (I only included the Remote Desktop Services role services though). I figured that I could compare configurations and see the differential.

I started looking at the possibility of a corrupted web.config or host file as the error suggested, but the cause turned out to be defining an HTTP redirect for the default website in IIS.

Troubleshooting

To start working on this issue, first test to see if you are being redirected by going to the following website in a browser: https://<servername>/rpc

After entering your credentials, if everything is working fine you should see a blank screen with the URL https://<servername>/rpc. However, in my case, I saw Page cannot be displayed, which told me that something was not good and I needed to troubleshoot the issue.

Finally, after some research, I found the resolution, which was simpler than I expected (as I was thinking it could be a certificate-binding or broken-binding issue, which could have caused me hours to troubleshoot).

Solution

To resolve this issue, locate the HTTP redirection setting and disable it:

  1. In Server Manager, on the RD Gateway server, open Internet Information Services (IIS) Manager.
  2. In the IIS navigation tree, expand the server and the sites, and then select Default Web Site.
  3. In the middle pane (the settings area), double-click HTTP Redirect.
  4. Clear the Redirect requests to this destination check box.

After completing this, single sign-on was working externally as well, but the question remained: “How can I enable the redirection?” I didn’t want to manually type in http://contoso.com/rdweb because I wanted to use http://contoso.com/ instead. After doing some research and getting help from my colleagues, I found that it could be done by just making a small change, detailed in the following steps.

To redirect HTTP:

1. Open IIS Manager.

2. Go to the RD Web Access website (by default, it’s the “Default Web Site”).

3. In the middle pane, click HTTP redirect.

4. Select the Redirect requests to this destination check box, and type the address for your website; for example: http://contoso.com/rdweb.

5. In the Redirect Behavior section, select the Only redirect requests to content in this directory (not subdirectories) check box.

6. Apply settings.

You are now all set for HTTP redirection from http://contoso.com/ to http://contoso.com/rdweb without breaking RD Gateway connectivity.

Reference

 http://blogs.msdn.com/b/rds/archive/2011/09/07/how-to-troubleshoot-logon-attempt-failed-messages-when-connecting-through-rd-gateway.aspx