IIS Reverse Proxy and RD Gateway Server - 401 error [Answered]

Last post Oct 14, 2020 09:18 AM by Legacy777

  • IIS Reverse Proxy and RD Gateway Server - 401 error

    Oct 12, 2020 12:09 PM | Legacy777

    Hi all,

    I am running Windows Server 2019 with Remote Desktop Gateway installed within my internal network. I am running Exchange 2019 on another VM and am using ARR and URL Rewrite to redirect traffic to the Exchange and RDG servers. I can access both Exchange and the RDG web server externally; however, when I try to connect to the gateway with a remote desktop client I am getting a 401 error in my IIS logs. I have checked that the gateway is functioning internally and have changed my firewall port to a different port directly to the gateway server, and everything works fine. The problem appears to be with ARR or my URL Rewrite code.

    I have posted in the Remote Desktop Forums as well without any leads at the moment.  I've also done some searching and have run across these similar threads here:

    https://forums.iis.net/t/1229459.aspx
    https://forums.iis.net/t/1177295.aspx

    Let me know if there's something I'm overlooking or if this just isn't going to work using IIS's ARR.

    Below is a snippet from the IIS log:

    2020-10-12 11:39:21 RDG_OUT_DATA /remoteDesktopGateway/ X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=b594099e-ad33-4d8f-90d7-4a2ff43fc90f&SERVER-STATUS=401 443 - HTTP/1.1 MS-RDGateway/1.0 - 401 0 0 210
    2020-10-12 11:39:21 RDG_OUT_DATA /remoteDesktopGateway/ X-ARR-LOG-ID=9ffd1698-8072-4129-a193-862354bccbb8 443 - HTTP/1.1 MS-RDGateway/1.0 - 502 3 12030 179

    Here is my URL Rewrite rule:

    <rule name="RDG Redirect" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
            <add input="{HTTP_HOST}" pattern="^rdp.domain.com$" />
            <add input="{HTTPS}" pattern="on" />
        </conditions>
        <action type="Rewrite" url="https://rdp.domain:443/{R:1}" />
    </rule>

    Here are the event log details from the gateway server:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          10/12/2020 6:39:21 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      RDGServer.domain.com
    Description:
    An account failed to log on.

    Subject:
        Security ID:       NULL SID
        Account Name:      -
        Account Domain:    -
        Logon ID:          0x0

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:       NULL SID
        Account Name:      user
        Account Domain:    domain

    Failure Information:
        Failure Reason:    An Error occured during Logon.
        Status:            0xC000035B
        Sub Status:        0x0

    Process Information:
        Caller Process ID:   0x0
        Caller Process Name: -

    Network Information:
        Workstation Name:        Computer
        Source Network Address:  192.168.1.1
        Source Port:             15313

    Detailed Authentication Information:
        Logon Process:
        Authentication Package:   NTLM
        Transited Services:       -
        Package Name (NTLM only): -
        Key Length:               0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Thanks!

    Josh
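    The two IIS log lines above carry the whole story of this failure at the ARR node: the back-end gateway answers the first RD Gateway leg with a 401 (ARR records it as SERVER-STATUS=401 in the query field and returns it to the client), and the next leg ends in a 502.3 (forwarder request failed) with win32 status 12030 (a dropped connection), with no successful request in between. The script below is an added example for this thread, not code from the original post. It parses W3C log lines in the column order the posted lines imply (the poster did not include the #Fields header, so that order is an assumption), picks out RD Gateway traffic by method, user agent and path, and flags the "401 then 502.3, never a 2xx" pattern so that a defender reading the proxy log can tell a proxy that is not relaying the NTLM handshake from an actual bad credential. The third sample line is constructed to show that non-gateway requests are left alone.

```python
"""Triage IIS/ARR W3C log lines for RD Gateway requests that fail at the proxy.

Added example for this thread, not code from the original post. The column
order in FIELDS is an assumption inferred from the two posted lines, since
the #Fields header was not posted.
"""
from urllib.parse import parse_qs

# Assumed W3C field order (inferred from the posted lines; not on the page).
FIELDS = [
    "date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
    "cs-username", "cs-version", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# Constructed sample: the two lines from the post, plus one healthy
# non-gateway request (constructed) to show the check is selective.
SAMPLE_LOG = """\
2020-10-12 11:39:21 RDG_OUT_DATA /remoteDesktopGateway/ X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=b594099e-ad33-4d8f-90d7-4a2ff43fc90f&SERVER-STATUS=401 443 - HTTP/1.1 MS-RDGateway/1.0 - 401 0 0 210
2020-10-12 11:39:21 RDG_OUT_DATA /remoteDesktopGateway/ X-ARR-LOG-ID=9ffd1698-8072-4129-a193-862354bccbb8 443 -  HTTP/1.1 MS-RDGateway/1.0 - 502 3 12030 179
2020-10-12 11:40:02 GET /owa/ X-ARR-LOG-ID=00000000-0000-0000-0000-000000000001&SERVER-STATUS=200 443 - HTTP/1.1 Mozilla/5.0 - 200 0 0 45
"""


def parse_line(line):
    """Return a dict for one W3C log line, or None for comment/malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # ARR stores the back-end's answer as SERVER-STATUS inside the query field.
    rec["arr"] = {k: v[0] for k, v in parse_qs(rec["cs-uri-query"]).items()}
    for key in ("sc-status", "sc-substatus", "sc-win32-status"):
        rec[key] = int(rec[key])
    return rec


def is_rd_gateway(rec):
    """RD Gateway transport: RDG_* methods, MS-RDGateway UA, or the gateway path."""
    return (rec["cs-method"].startswith("RDG_")
            or rec["cs(User-Agent)"].startswith("MS-RDGateway")
            or rec["cs-uri-stem"].lower().startswith("/remotedesktopgateway"))


def classify(rec):
    """Label the outcome of one gateway request as seen at the ARR node."""
    if rec["sc-status"] == 401 and rec["arr"].get("SERVER-STATUS") == "401":
        # Back-end challenged the client; a normal first NTLM leg on its own.
        return "backend-401"
    if rec["sc-status"] == 502 and rec["sc-substatus"] == 3:
        # 502.3 = ARR forwarder request failed; win32 12030 is a dropped connection.
        return "forwarder-failed"
    if 200 <= rec["sc-status"] < 300:
        return "ok"
    return "other"


def triage(log_text):
    """Count gateway outcomes and flag the 'proxy does not relay auth' pattern."""
    counts = {"backend-401": 0, "forwarder-failed": 0, "ok": 0, "other": 0}
    seen = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_rd_gateway(rec):
            continue
        seen += 1
        counts[classify(rec)] += 1
    # Every gateway request got either the back-end's 401 or a 502.3 and none
    # succeeded: consistent with the proxy not carrying the NTLM handshake through.
    suspected = (seen > 0 and counts["ok"] == 0
                 and counts["backend-401"] > 0 and counts["forwarder-failed"] > 0)
    return {"gateway_requests": seen, **counts, "auth_passthrough_suspected": suspected}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

    Run it against a real log by replacing SAMPLE_LOG with the file contents after confirming the #Fields header matches FIELDS. A lone 401 on an RDG_OUT_DATA request is expected (it is the NTLM challenge); the signal is the absence of any later 2xx for the same transport, which is what the 4625 on the gateway (NTLM, logon type 3, source address equal to the proxy rather than the client) corroborates from the back-end side.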

  • Re: IIS Reverse Proxy and RD Gateway Server - 401 error

    Oct 14, 2020 09:18 AM | Legacy777

    UPDATED with solution for RD WebTools.

    I've done some additional testing and research, and from what I can tell IIS's application reverse proxy & URL Rewrite do not pass authentication information on. There were some pages that talk about configuring IIS to pass on authentication, but I didn't try them because I don't really have any more time to test this.

    So if all you want to use is the RD Gateway server to access computers behind your firewall and you're already using port 443, then the solution is to use another port, and everything works as expected. If you want to use RD Web tools & applications, then you need to manually set the gateway using the following PowerShell commands on the Broker machine:

    Import-Module RemoteDesktop
    Set-RDSessionCollectionConfiguration -CollectionName "YourCollectionName" -CustomRdpProperty "gatewayhostname:s:rdgateway.domain.com:port"

    As mentioned above, I posted in the Remote Desktop forums and will link that below, as well as some of the other pages I found, for future reference in case anyone else runs across this.

    Josh

    Reference Links:

    RD Gateway Server and IIS Reverse Proxy

    ARR Unable to pass through Windows Authentication

    Configure Application Request Routing with Windows Authentication, Kerberos

    Configure Application Request Routing

    Forwarding NTLM credentials from IIS with ARR and URL Rewrite

    NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error

    DefaultTSGateway settings for RDS 2016 doesn't apply - External Users RD Can't find Computer
