The official blog for Windows Server Essentials and Small Business Server support and product group communications.
EPS Team Blogs
[Today's post comes to us courtesy of Wayne McIntyre, Damian Leibaschoff, and Justin Crosby]
The connect to a computer feature in SBS 2008 is one of the most popular features of RWW. The connect to a computer feature in SBS 2008 utilizes TS-Gateway behind the scenes, however, when there is a misconfiguration or a problem, RWW may only provide partial information to help isolate the root issue. This post will discuss most of the known issues, how to identify them and steps to resolve them.
What we will cover:
For certificate related errors, please review the issues discussed in this article: http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx
When you try to connect to a server or machine you get the following error:
You must have a certificate installed in TS Gateway Manager. This is handled by the “Set up your Internet Address Wizard” or the “Add a Trusted Certificate Wizard” in the SBS 2008 Console. To verify you have a certificate installed for TS Gateway do the following:
As stated beofre, you should not see this problem If you have completed the Internet Address Management Wizard, if for any reason no certificate is selected, make sure you click on Browse Certificates and select the proper certificate, for example “remote.contoso.com”.
You must pass the connection authorization policy to make a connection, and the resource authorization policy for the machine you are trying to connect to. This error may also display the VBSCRIPT error 50331676.
We have seen a few cases where the connection authorization policy was modified manually to only allow domain computers to make connections. This means that any machine outside the domain (e.g. their home machine) would not be able to connect. This is shown below. To access this policy:
You must have Windows Authentication enabled on the IIS /RPC virtual directory under the SBS Web Applications web site. If it is missing, you will see a looping prompt for authentication when you try to connect.
Since both Outlook Anywhere and TS Gateway share this Virtual Directory modifying authentication settings in Exchange for Outlook-Anywhere within the Exchange Management Console can disable Windows Auth. To make sure Windows-Auth is enabled in Exchange Management Shell (Run as admin) perform the following command:
Get-OutlookAnywhere (Ignore the warning)
(Ignore the warning)
Check the value for the IISAuthenticationMethods Parameter.
You can also check in IIS Manager under the RPC virtual directory, authentication.
Changing the authentication here may only help for a few minutes as Exchange will reset the settings again. You need to complete the proper Exchange configuration steps to resolve this.
If the output of the Exchange Management Shell shows that you are missing NTLM, you need to reset the Exchange setting for outlook anywhere from the Exchange Management Shell (run as admin) perform the following command (ignore the warning):
Get-OutlookAnywhere | Set-OutlookAnywhere –IISAuthenticationMethods: Basic, ntlm
Get-OutlookAnywhere | Set-OutlookAnywhere –IISAuthenticationMethods: Basic, ntlm
After you make this change, the settings in IIS will not immediately change, it might take up to 15 minutes for this change to happen. You can safely make the change in IIS, under the authentication for RPC to enable Windows Authentication and Basic Authentication and they should remain set as expected.
If you still cannot authenticate to the TS gateway prompt, the following resources discuss some known issues:
The client machine you are trying to connect to must have RDP enabled and listening on the default port of 3389. You must also verify that any firewalls present on the workstation are allowing the traffic inbound on TCP/3389. Additionally, the client machine you are making the connection from must allow the ActiveX Control to run. The easiest way to ensure that ActiveX will be enabled is by adding your remote web workplace site to your list of trusted sites in Internet Explorer.
You might connect to an unexpected machine when trying to connect to the remote machine. If this happens you should verify that the DNS records for the clients on the SBS 2008 server hosting RWW are correct. To do this open the DNS Management console from Start, Administrative Tools, DNS. Expand the forward lookup zones, and your local active directory zone. Verify that the host (A) records for the clients are correct.
The hostname section of the PTR record for the remote client machine’s public IP address cannot match the NetBIOS hostname of the SBS 2008 server. If these names match the RWW will not use TS proxy and the connection will fail or connect to an unexpected target.
The only fix is the change the PTR record for the client pc's external IP address.
Example: Suppose you are using a Windows Vista machine on the Internet. The public IP for this client is 65.53.x.x. The PTR record for this IP is server01.contoso.com. If the SBS 2008 server this machine is trying to connect to has a NetBIOS hostname of Server01, the connection will fail. Ideally your PTR record should match your MX record and your MX record should not be the NetBIOS hostname of your server.
Note: This is a very RARE issue.
TS Gateway Service Not Started After Restart in IIS Manager.
This issue is discussed on this post: http://blogs.technet.com/sbs/archive/2009/04/20/ts-gateway-service-not-started-after-restart-in-iis-manager.aspx
The Terminal Services Gateway service is not running, Contact your network administrator to resolve this issue.This error can happen due to a number of different issues other than the TS Gateway service not running or the role service not being installed.
PingBack from http://www.web2designer.org/news/?p=11035
"The wizard cannot configure the Remote Desktop Connection settings. Make sure that the client version of Remote Desktop Protocol (RDP) 6.0 or later is installed on this computer."
Weird thing is that our clients have the same issue connecting to their server, we see this when we connect to their server yet we can happily connect to other SBS2008 servers and the client PC's on their networks.
Yes have looked to ensure RDP 6.0 or > is installed but since we can access other servers and RWW at other sites then this ought not be a problem.
Tested with XP Pro SP3, Vista Business SP2 and Windows7....
Has anyone else observed this ?
I had alot of issues lately where I could not login to computers using RWW on SBS 2008. I kept getting the VBscript error 50331676. I saw some troubleshooting steps on this page but none of them worked for me.
After some digging I realized that my users were not listed under Domain Users, they were listed as Domain Admins. So I added them to the Domain Users group, restarted the TS Gateway service and poof, everything started working.
I don't know how the users got setup like that but I did migrate from a previous SBS 2003 installation to this SBS 2008 installation. Maybe it happened in the transition.
When i type: Get-OutlookAnywhere in the Exchange Shell, I see a different message:
Get-OutlookAnywhere : Unable to create Internet Information Services (IIS) directory entry. Error Message is: Access is denied.
. HResult = -2147024891
At line:1 char:19
Can someone point me the right way with this?
Make sure you are opening Exchnage Power Shell with elevated Administrative priveledges (right-click, run as administrator)
I am logged in as Domain Admin and can connect to the Server via RWW and can check email. However, when I try to connect to a PC in the domain it does not connect. There is no error message or other evidence of the cause.
Also, I can not RDP between machines inside the domain though Remote Access is enabled and I am authorized to log onto all machines as part of the remote users setup.
Any ideas would be greatly appreciated.
quite right - I needed to run as administrator - auth mthods appear fine.
However i'm seeing a similar issue in that something is making the first web page (that should redirect to https) ask for authtication from the outside world.
If the auth setting for say, the root of the "SBS Web Applications" is changed for "anonymous access" to disabled and re-enabled it works ok - for a short while until somethign breaks it again...