TMG authorization error to RD Gateway

Hello, 

I am trying to connect to a published server via RD Gateway and always get stuck in a logon loop: Logon attempt failed.

In the TMG log is this:

Denied Connection
Log type: Web Proxy (Reverse)
Status: 12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
Rule: RDP gateway
Source: XXX.XXX.XXX.XX:29742
Destination: XXX.XX.XXX.XXX:443
Request: RPC_IN_DATA http://something.something.cz/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 11a8e415; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

TMG version: 7.0.9193.540, running on Server 2008 R2.

The RD Gateway publishing rule is using the same listener as Exchange (OWA, sync, Outlook RPC etc.). On Exchange all is working fine; the certificate is a wildcard one: *.domain.

The test of the Publish Rule for RD Gateway has this result:

Time reported by the Microsoft Forefront TMG Firewall Service: 0.004 seconds
Testing https://something.something.cz:443/RPC/
Category: General warning
Error details: The internal path of the URL was identified as part of a SharePoint or Exchange server publishing rule.
Action: Use the SharePoint Publishing Rule Wizard or the Exchange Publishing Rule Wizard.

Internally RD Gateway is working without any problems.

What am I doing wrong? 

Thanks

July 13th, 2012 11:31am

It seems like the rule you are using on TMG is requiring authentication on inbound traffic.

The user is denied access since it does not authenticate.

If the client is unable to authenticate to the TMG server, set the rule to "All users". That will work even if you have authentication on the listener.

July 13th, 2012 2:08pm

Hi, I changed the rule to "all users" but still no luck. And the same error:

Denied Connection
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: RDP gateway
Source: External (:11910)
Destination: Local Host (:443)
Request: RPC_IN_DATA https://something.something.cz:443/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 11a9427a; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
  • Client agent: MSRPC
  • Object source: Internet (Source is the Internet. Object was added to the cache.)
  • Cache info: 0x8 (Request includes the AUTHORIZATION header.)
  • Processing time: 1

July 13th, 2012 2:57pm

Now your error message is different.

Your problem now is that the URL you are trying to access is not allowed. You seem to be hitting the correct rule, but that rule is not allowing the traffic for some reason. Without knowing how the rule is set up, it is hard to tell what is wrong. Please post how the rule and listener are configured.

July 13th, 2012 10:38pm
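As an added example (not from the thread), a small Python triage of the two denial records posted above: it parses the log-pane export and separates the 12309 case (no accepted credential, no FBA cookie) from the 12202 case (URL rejected even though the request carried an Authorization header). The sample entries are constructed from the thread's own output with the poster's masking kept; field names follow the log pane.

```python
# Added example (not from the thread): triage TMG "Web Proxy (Reverse)" denial entries for
# RPC-over-HTTP requests hitting an RD Gateway rule. Samples are constructed from the thread.
SAMPLE_ENTRIES = [
    """Denied Connection
Status: 12309 The server requires authorization to fulfill the request. Access to the Web server is denied.
Rule: RDP gateway
Request: RPC_IN_DATA http://something.something.cz/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 11a8e415; FBA cookie: exists=no, valid=no, updated=no, logged off=no
User: anonymous""",
    """Denied Connection
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: RDP gateway
Request: RPC_IN_DATA https://something.something.cz:443/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 11a9427a; FBA cookie: exists=no, valid=no, updated=no, logged off=no
User: anonymous
Client agent: MSRPC
Cache info: 0x8 (Request includes the AUTHORIZATION header.)""",
]

REASONS = {  # denial codes seen in the thread and what each one points at
    "12309": "authorization required: the rule or listener demands a credential the RPC client did not supply",
    "12202": "URL denied: the rule matched but its paths, or a conflicting RPC rule, reject this request",
}

def parse_entry(text):
    """Turn a 'Field: value' log-pane export into a dict; the first line is the action."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fields = {"Action": lines[0]}
    for line in lines[1:]:
        key, _, value = line.partition(": ")  # split on the first ': ' only; values may contain more
        fields[key] = value
    return fields

def classify(fields):
    """Summarise one parsed entry: denial code, RPC-over-HTTP or not, and what auth state it carried."""
    code = fields.get("Status", "").split(" ", 1)[0]
    method, _, url = fields.get("Request", "").partition(" ")
    return {
        "status": code,
        "rule": fields.get("Rule", ""),
        "user": fields.get("User", ""),
        "rpc_proxy": method in ("RPC_IN_DATA", "RPC_OUT_DATA") and "rpcproxy.dll" in url.lower(),
        "fba_cookie": "FBA cookie: exists=yes" in fields.get("Filter information", ""),
        "auth_header": "AUTHORIZATION" in fields.get("Cache info", ""),
        "reason": REASONS.get(code, "other denial code"),
    }

def triage(entries):  # keep only denied RPC-proxy entries, classified
    parsed = [classify(parse_entry(e)) for e in entries if e.lstrip().startswith("Denied")]
    return [r for r in parsed if r["rpc_proxy"]]
```

Run `triage(SAMPLE_ENTRIES)` to get both records classified; feeding it entries from a larger export filters everything that is not an RPC-proxy denial.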

Hello Jenson,

Here is the listener:

General - name: OWA 2010 Listener

Networks-  External

Connections - Enable SSL (https) connections on port: 443

Certificates - Use single certificate for this Web Listener: *.domain.cz

Authentication - Client Authentication Method: Html Form Authentication; Authentication Validation Method: Windows (Active Directory)

Forms - nothing

SSO - nothing

And the rule: 

July 16th, 2012 9:18am

Hello Nick,

I went through these guides a couple of times already and I think I haven't missed anything. I might try it one more time, but the responses from Jenson seem more helpful.

Anyway, I'll report back to you guys when I have everything checked.

July 17th, 2012 9:45am

Hello,

I went through these links again and still no luck. I have the same error as last time.

So any other idea guys?

July 18th, 2012 1:49pm

Sorry for the hassle on Monday morning, but any update?

July 23rd, 2012 6:34am

Hi Lukas,

Not sure if this will help you, but I was having the exact same issue. I ran the Forefront TMG BPA and there was an error, see below.

I had a rule (Publish Non-Web Server Protocols) which published the Exchange RPC protocol and forwarded it to the Exchange server; as the error message states, this will block all other RPC services on other rules. I removed this rule and confirmed that RPC to my Exchange server was still working fine (I used www.testexchangeconnectivity.com to test). I double-checked my RDWeb web publishing rule and confirmed I had the paths correct, see screenshot below.

You may get a warning on the RDWeb publishing rule when testing, relating to RPC already being applied to the Exchange rule, but I ignored it.

Tested, and I can now use RD Gateway without getting prompted over and over, and also my RDWeb site can now use remote desktop connections as a published app from external.

Hope this helps, cheers


September 6th, 2012 11:05pm

I had the same issue.

I resolved it with the following steps:

1) At the RD Gateway console, uncheck "request client to send a statement"

2) At the RD Gateway and RDWeb server IIS console, enable anonymous authentication on the default site and the RPC site

3) At the RD Gateway console, use HTTPS-HTTP SSL bridging

July 21st, 2015 2:40am
