Common Remote Web Workplace (RWW) Connect to a Computer Issues in SBS 2008

Common Remote Web Workplace (RWW) Connect to a Computer Issues in SBS 2008

  • Comments 7
  • Likes

[Today's post comes to us courtesy of Wayne McIntyre, Damian Leibaschoff, and Justin Crosby]

The connect to a computer feature in SBS 2008 is one of the most popular features of RWW. The connect to a computer feature in SBS 2008 utilizes TS-Gateway behind the scenes, however, when there is a misconfiguration or a problem, RWW may only provide partial information to help isolate the root issue. This post will discuss most of the known issues, how to identify them and steps to resolve them.

What we will cover:

  1. Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
  2. VBScript Error: 50331676
  3. Connection Authorization Policies and Resource Authorization Policies.
  4. Authentication Failures
  5. Client Machine Requirements
  6. Internal DNS Considerations
  7. External DNS Considerations
  8. TS Gateway Service Known Issues

1.  Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

For certificate related errors, please review the issues discussed in this article: http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx

2.  VBScript Error: 50331676

When you try to connect to a server or machine you get the following error:

clip_image002

You must have a certificate installed in TS Gateway Manager. This is handled by the “Set up your Internet Address Wizard” or the “Add a Trusted Certificate Wizard” in the SBS 2008 Console. To verify you have a certificate installed for TS Gateway do the following:

  1. Open TS Gateway Manager from Administrative Tools --- Terminal Services
  2. Select Properties on the Server Object, and choose the SSL Certificate tab from within properties. You should see a screen similar to the one below stating which certificate TS Gateway is using.

    clip_image003

As stated beofre, you should not see this problem If you have completed the Internet Address Management Wizard, if for any reason no certificate is selected, make sure you click on Browse Certificates and select the proper certificate, for example “remote.contoso.com”.

3.  Connection Authorization Policies and Resource Authorization Policies.

You must pass the connection authorization policy to make a connection, and the resource authorization policy for the machine you are trying to connect to. This error may also display the VBSCRIPT error 50331676.

We have seen a few cases where the connection authorization policy was modified manually to only allow domain computers to make connections. This means that any machine outside the domain (e.g. their home machine) would not be able to connect. This is shown below. To access this policy:

  1. Open TS Gateway Manager from Administrative Tools – Terminal Services
  2. Expand your computer object
  3. Expand Policies
  4. Select Connection Authorization Policies
  5. Right-Click on the General Connection Authorization policy on the right hand side and choose properties
  6. Make sure the Client computer group membership is blank if you want non-domain joined machines to be able to use the RWW Connect To Computer feature.

clip_image004

4.  Authentication Failures

You must have Windows Authentication enabled on the IIS /RPC virtual directory under the SBS Web Applications web site. If it is missing, you will see a looping prompt for authentication when you try to connect.

Since both Outlook Anywhere and TS Gateway share this Virtual Directory modifying authentication settings in Exchange for Outlook-Anywhere within the Exchange Management Console can disable Windows Auth. To make sure Windows-Auth is enabled in Exchange Management Shell (Run as admin) perform the following command:

Get-OutlookAnywhere

(Ignore the warning)

Check the value for the IISAuthenticationMethods Parameter.

clip_image006

You can also check in IIS Manager under the RPC virtual directory, authentication.

clip_image008

Changing the authentication here may only help for a few minutes as Exchange will reset the settings again. You need to complete the proper Exchange configuration steps to resolve this.

If the output of the Exchange Management Shell shows that you are missing NTLM, you need to reset the Exchange setting for outlook anywhere from the Exchange Management Shell (run as admin) perform the following command (ignore the warning):

Get-OutlookAnywhere | Set-OutlookAnywhere –IISAuthenticationMethods: Basic, ntlm

After you make this change, the settings in IIS will not immediately change, it might take up to 15 minutes for this change to happen. You can safely make the change in IIS, under the authentication for RPC to enable Windows Authentication and Basic Authentication and they should remain set as expected.

If you still cannot authenticate to the TS gateway prompt, the following resources discuss some known issues:

5.  Client Machine Requirements

The client machine you are trying to connect to must have RDP enabled and listening on the default port of 3389. You must also verify that any firewalls present on the workstation are allowing the traffic inbound on TCP/3389.  Additionally, the client machine you are making the connection from must allow the ActiveX Control to run.  The easiest way to ensure that ActiveX will be enabled is by adding your remote web workplace site to your list of trusted sites in Internet Explorer.

6.  Internal DNS Considerations

You might connect to an unexpected machine when trying to connect to the remote machine.  If this happens you should verify that the DNS records for the clients on the SBS 2008 server hosting RWW are correct.  To do this open the DNS Management console from Start, Administrative Tools, DNS.  Expand the forward lookup zones, and your local active directory zone.  Verify that the host (A) records for the clients are correct.

7.  External DNS Considerations

The hostname section of the PTR record for the remote client machine’s public IP address cannot match the NetBIOS hostname of the SBS 2008 server. If these names match the RWW will not use TS proxy and the connection will fail or connect to an unexpected target.

The only fix is the change the PTR record for the client pc's external IP address.

Example: Suppose you are using a Windows Vista machine on the Internet. The public IP for this client is 65.53.x.x. The PTR record for this IP is server01.contoso.com. If the SBS 2008 server this machine is trying to connect to has a NetBIOS hostname of Server01, the connection will fail. Ideally your PTR record should match your MX record and your MX record should not be the NetBIOS hostname of your server.

Note: This is a very RARE issue.

8.  TS Gateway Service known issues

TS Gateway Service Not Started After Restart in IIS Manager.

This issue is discussed on this post: http://blogs.technet.com/sbs/archive/2009/04/20/ts-gateway-service-not-started-after-restart-in-iis-manager.aspx

The Terminal Services Gateway service is not running, Contact your network administrator to resolve this issue.This error can happen due to a number of different issues other than the TS Gateway service not running or the role service not being installed.

  • If IPv6 has been unproperly unbound from the network interface you might get an error that states that the TS Gateway service is not installed.  Check the following link for issues related to improperly disabling IPv6: http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx
  • If Client certificates has been set to Accept or Require under the SSL setttings on the Rpc virtual directory. This must be set to Ignore.
  • In general, this error will happen when we cannot properly access the /RPC virtual directory or its settings have been changed from default.

Additional RWW related links:

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
Comments
  • PingBack from http://www.web2designer.org/news/?p=11035

  • "The wizard cannot configure the Remote Desktop Connection settings. Make sure that the client version of Remote Desktop Protocol (RDP) 6.0 or later is installed on this computer."

    Weird thing is that our clients have the same issue connecting to their server, we see this when we connect to their server yet we can happily connect to other SBS2008 servers and the client PC's on their networks.

    Yes have looked to ensure RDP 6.0 or > is installed but since we can access other servers and RWW at other sites then this ought not be a problem.

    Tested with XP Pro SP3, Vista Business SP2 and Windows7....

    Has anyone else observed this ?

  • I had alot of issues lately where I could not login to computers using RWW on SBS 2008.  I kept getting the VBscript error 50331676.  I saw some troubleshooting steps on this page but none of them worked for me.

    After some digging I realized that my users were not listed under Domain Users, they were listed as Domain Admins.  So I added them to the Domain Users group, restarted the TS Gateway service and poof, everything started working.

    I don't know how the users got setup like that but I did migrate from a previous SBS 2003 installation to this SBS 2008 installation.  Maybe it happened in the transition.

  • When i type: Get-OutlookAnywhere in the Exchange Shell, I see a different message:

    Get-OutlookAnywhere : Unable to create Internet Information Services (IIS) directory entry. Error Message is: Access is denied.

    . HResult = -2147024891

    At line:1 char:19

    +Get-OutlookAnywhere <<<<

    Can someone point me the right way with this?

    Thanks,

    James.

  • Hi James,

    Make sure you are opening Exchnage Power Shell with elevated Administrative priveledges (right-click, run as administrator)

  • I am logged in as Domain Admin and can connect to the Server via RWW and can check email. However, when I try to connect to a PC in the domain it does not connect. There is no error message or other evidence of the cause.

    Also, I can not RDP between machines inside the domain though Remote Access is enabled and I am authorized to log onto all machines as part of the remote users setup.

    Any ideas would be greatly appreciated.

    Thank you.

    Ahpun

  • quite right - I needed to run as administrator - auth mthods appear fine.

    However i'm seeing a similar issue in that something is making the first web page (that should redirect to https) ask for authtication from the outside world.

    If the auth setting for say, the root of the "SBS Web Applications" is changed for "anonymous access" to disabled and re-enabled it works ok - for a short while until somethign breaks it again...

    Any ideas?

    Thanks,

    James.