RDS WebClient through AppProxy failing for external access

Robert Crichton 6 Reputation points
2022-09-06T14:55:57.607+00:00

My apologies if the question has been asked before, but I am struggling to find an answer. I have seen some variations on the thread.

https://learn.microsoft.com/en-us/answers/questions/107443/remoteapp-webclient-launch-failure.html

I set up a new 2-node on-prem RDS 2022 setup published through AppProxy on one of our other tenancies just a few weeks ago and all was fine. No issues at all.

However, now doing it again in a different tenancy \ network I look after and dang... I just can't get past this issue. Starting to hurt.

So in my setup I have again the same simple setup - 2 new 2022 RDS boxes on-prem, domain joined, fixed IP, no inbound rules on the physical network edge firewall to expose them to the public. One hosts the Session Host and License Server roles; the other does all the rest.

AppProxy is set up to publish the internal URL "rdsgw.externaldomain.com", with the same value used for the external URL on the app, using Passthrough and the correct header translation options as asked. We have added the /RdWeb/Webclient path in the Branding area of Azure, so when a user signs in to Microsoft 365, expands their apps and selects "RDSApp", it directs them to the full path for the WebClient. That all works...

My RDS GW host name is "rdsgw-hostname.internal.com" and I have in my on-prem DNS a zone for "externaldomain" with an A record for "rdsgw" pointing at the internal IP address of that GW server.

I have a wildcard public cert "*.externaldomain.com". It's deployed on all roles and also on the WebClient, and I have checked it's assigned to the ports as well.
RDS CAP policies are all standard, with Domain Users and a security group with my account in it.
In my external public DNS I have "rdsgw" set with a CNAME back to the Microsoft appproxy.net value.

All seems happy: signing in from home to "rdsgw.externaldomain.com" using Edge picks up my AAD sign-in token but still asks for my username and password. I have simple apps published for testing, like Notepad. On launching any published app there is a very long pause before we get "Oops, we couldn't connect to "app".
The connection to the remote PC was lost. This might be because of a network connection problem. If this keeps happening ask your admin or tech support for help."

I don't see what I did differently this time from last, but I'm struggling and would love some help. The weird thing, and possibly a clue I hope, is that it works FINE internally: when I plug a desktop or laptop into the same internal on-prem LAN, browse that same URL and sign in, it works in the HTML5 WebClient site and launches Notepad or any other app. The usual prompt appears about accessing local resources and a second later or less there is the app.

If I browse the /RDWeb site (not the /WebClient), the traditional-looking Remote Access world, the usual and expected thing happens: "Firewall block" when launching the RDP using Edge.

OK, says everyone, what about Internet Explorer mode with ActiveX?

Ha, sit down... as soon as I browse the site in Edge and launch it using the option to open in Internet Explorer mode, it takes me to this URL:
https://learn.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-web#supported-operating-systems-and-browsers

WHAT? I think this last behaviour is from my Azure Intune (or Endpoint, as it's now called) Edge policy, which makes me wonder: is that what's not making Edge launch the apps? Is there something there that would play a part?

Bear with me - you recall at the start I said I had built a fully happy version of this a few weeks ago. I try it in Edge with /WebClient and all is still good. I try the /RDWeb in IE mode and it's still happy with its ActiveX-style launcher.

I have even tested on my iPhone, with the same results. All good for my 1st deployment, but this one just doesn't launch the WebClient apps; it doesn't seem to get to the ports.

Thoughts gladly welcome!

cheers


2 answers

  1. Robert Crichton 6 Reputation points
    2022-09-06T15:56:42.537+00:00

    Here is the app log from my working PC at home connecting to my working setup, showing the good thing that happens when you click an app. We get the handshake. Scroll down to see the bad one and see if it makes sense, please?

    2022-09-06T15:49:36.918Z GatewayTransport(NORM): GatewayTransport connecting...
    2022-09-06T15:49:36.921Z [Connection] Connection state changed to: Opening remote port
    2022-09-06T15:49:36.922Z [SessionViewModel] Session 9337799d-dd9f-4958-9827-1f487f9473c9 changed canvas display to none
    2022-09-06T15:49:37.404Z GatewayHandshakeState(NORM): Entering Gateway connection state GatewayHandshakeState
    2022-09-06T15:49:37.463Z ExtendedAuthenticationState(NORM): Entering Gateway connection state ExtendedAuthenticationState
    2022-09-06T15:49:37.463Z ExtendedAuthenticationState(NORM): Prompting for Gateway credentials.
    2022-09-06T15:49:37.465Z [Connection] Auth challenge
    2022-09-06T15:49:37.465Z [SessionViewModel] Credentials requested (username/password)
    2022-09-06T15:49:37.466Z ExtendedAuthenticationState::PromptForCredentials(NORM): Credential aquisition completed. Duration in ms: 2
    2022-09-06T15:49:37.586Z TunnelInitiationState(NORM): Entering Gateway connection state TunnelInitiationState
    2022-09-06T15:49:37.632Z TunnelAuthorizationState(NORM): Entering Gateway connection state TunnelAuthorizationState
    2022-09-06T15:49:37.733Z ChannelInitiationState(NORM): Entering Gateway connection state ChannelInitiationState
    2022-09-06T15:49:37.804Z GatewayConnectedState(NORM): Entering Gateway connection state GatewayConnectedState
    2022-09-06T15:49:37.804Z Connection(NORM): The transport has connected
    2022-09-06T15:49:37.804Z SessionSelectionState(NORM): Entering RDP state SessionSelection
    2022-09-06T15:49:37.805Z ConnectionInitiationState(NORM): Entering RDP state ConnectionInitiation
    2022-09-06T15:49:37.806Z [Connection] Connection state changed to: Configuring remote connection
    2022-09-06T15:49:37.805Z ConnectionInitiationState(NORM): Supported protocols: 7
    2022-09-06T15:49:37.806Z ConnectionInitiationState(NORM): There is not sufficient authentication information to use the RDSTLS protocol. Disabling...
    2022-09-06T15:49:37.852Z ConnectionInitiationState(NORM): Security protocol 2 was negotiated
    2022-09-06T15:49:37.852Z ConnectionInitiationState(NORM): Moving to TlsHandshakeState state
    2022-09-06T15:49:37.854Z TlsHandshakeState(NORM): Entering RDP state TlsHandshake
    2022-09-06T15:49:37.855Z [Connection] Connection state changed to: Establishing secure connection
    2022-09-06T15:49:37.857Z TLS::EnsureOSSLSeeded(NORM): A seed of 256 bytes has been provided for OSSL
    2022-09-06T15:49:37.858Z OSSLTransport(NORM): Initiating the TLS handshake.
    2022-09-06T15:49:38.005Z OSSLTransport(NORM): Validating the server certificate using an expected certificate...
    2022-09-06T15:49:38.005Z OSSLTransport(NORM): Certificate validation complete.
    2022-09-06T15:49:38.005Z OSSLTransport(NORM): TLS handshake complete

    Now here is the one that fails:

    022-09-06T15:33:32.276Z [Connection] Connection state changed to: Opening remote port
    2022-09-06T15:33:32.276Z [SessionViewModel] Session d9152295-31a8-4984-affd-2079725d252c changed canvas display to none
    2022-09-06T15:33:38.813Z [Connection] Disconnect Called
    2022-09-06T15:33:38.822Z [Connection] Disconnecting
    2022-09-06T15:33:38.829Z WebSocketTransport(ERR): WebSocket error received for url=wss://rdsgw.remotedomain.com:443/remoteDesktopGateway?CorId=%7Bf7246328-ddb2-4b17-aff2-050bd5f90000%7D&ConId=%7B1121a2c2-0037-4249-ba7a-b309779c226a%7D&ClGen=HTML%3D1&ClBld=Type%3DRdClient%3B%20Build%3Dprivate&AuthS=SSPI_NTLM
    websockettransport.cpp(304): OnErrorFromJS()
    at Logger.a.errorWithoutTimestamp (https://rdsgw.remotedomain.com/rdweb/webclient/js/client.022fca6d.js:1:2890),at Function.<anonymous> (https://rdsgw.remotedomain.com/rdweb/webclient/js/client.022fca6d.js:9:6642),at methodCaller_emscripten$$val_$emscripten$$val_emscripten$$val$ (eval at new_ (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:202948), <anonymous>:6:26),at __emval_call_method (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:224640),at invoke_diiiii (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:256314),at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[8104\]:0x444f24,at invoke_viii (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:253457),at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[1465\]:0xdee11,at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[1808\]:0x10fbad,at invoke_vii (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:253620),at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[7510\]:0x389a61,at invoke_vii (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:253620),at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[729\]:0x664a0,at OnMessageCallback.OnMessageCallback$Invoke [as Invoke] (eval at new_ (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:202948), <anonymous>:9:1),at Worker.<anonymous> (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:26127)
    2022-09-06T15:33:38.830Z WebSocketTransport(NORM): WebSocket closed, url=wss://rdsgw.remotedomain.com:443/remoteDesktopGateway?CorId=%7Bf7246328-ddb2-4b17-aff2-050bd5f90000%7D&ConId=%7B1121a2c2-0037-4249-ba7a-b309779c226a%7D&ClGen=HTML%3D1&ClBld=Type%3DRdClient%3B%20Build%3Dprivate&AuthS=SSPI_NTLM, wasClean=false, code=1006, reason=""
    2022-09-06T15:33:38.834Z Connection(ERR): The connection generated an internal exception with disconnect code=ConnectionBroken(8), extended code=<null>, reason=WebSocket closed with code: 1006 reason:
    Thrown in thread 1122780 at:
    websockettransport.cpp(335)
    Call Stack:
    Callstacks are currently disabled

    connection.cpp(1731): OnException()
    at Logger.a.errorWithoutTimestamp (https://rdsgw.remotedomain.com/rdweb/webclient/js/client.022fca6d.js:1:2890),at Function.<anonymous> (https://rdsgw.remotedomain.com/rdweb/webclient/js/client.022fca6d.js:9:6642),at methodCaller_emscripten$$val_$emscripten$$val_emscripten$$val$ (eval at new_ (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:202948), <anonymous>:6:26),at __emval_call_method (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:224640),at invoke_diiiii (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:256314),at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[8104\]:0x444f24,at invoke_viii (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:253457),at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[1465\]:0xdee11,at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[1808\]:0x10fbad,at invoke_vii (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:253620),at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[7510\]:0x389a61,at invoke_vii (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:253620),at https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.4fe32847.wasm:wasm-function\[729\]:0x664a0,at OnMessageCallback.OnMessageCallback$Invoke [as Invoke] (eval at new_ (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:202948), <anonymous>:9:1),at Worker.<anonymous> (https://rdsgw.remotedomain.com/rdweb/webclient/librdp/html/librdphtml.c4af5b60.js:86:26127)
    2022-09-06T15:33:38.838Z WebSocketTransport(NORM): Connection close initiated for url=wss://rdsgw.remotedomain.com:443/remoteDesktopGateway?CorId=%7Bf7246328-ddb2-4b17-aff2-050bd5f90000%7D&ConId=%7B1121a2c2-0037-4249-ba7a-b309779c226a%7D&ClGen=HTML%3D1&ClBld=Type%3DRdClient%3B%20Build%3Dprivate&AuthS=SSPI_NTLM, code=1000, reason="NormalClosure(1000)"
    2022-09-06T15:33:38.839Z GatewayTransport(NORM): GatewayTransport closed.
    2022-09-06T15:33:38.841Z [Connection] Disconnected
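    Read side by side, the two logs differ in one structural way: the working connection walks through GatewayHandshakeState, ExtendedAuthenticationState, TunnelInitiationState, TunnelAuthorizationState, ChannelInitiationState and GatewayConnectedState and then completes TLS to the session host, while the failing one never enters any gateway state at all. Its WebSocket to /remoteDesktopGateway is closed with code 1006 (RFC 6455 abnormal closure, meaning the browser received no close frame) about six seconds after "Opening remote port", so the failure sits in the path browser -> reverse proxy -> RD Gateway, before CAP/RAP policy or the session-host certificate ever come into play. The script below is an added example of that triage, written for this page; it is not part of the thread or of any Microsoft tool. The state order is taken from the working log above; the embedded log excerpts are constructed, abbreviated copies of the lines above with the gateway host replaced by the placeholder rdsgw.example.com and the correlation IDs shortened.

```python
"""Triage Remote Desktop web client logs: how far did the gateway connection get?"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Gateway connection states in the order the HTML5 client enters them
# (order taken from a working connection's log).
GATEWAY_STATES = [
    "GatewayHandshakeState",
    "ExtendedAuthenticationState",
    "TunnelInitiationState",
    "TunnelAuthorizationState",
    "ChannelInitiationState",
    "GatewayConnectedState",
]

STATE_RE = re.compile(r"Entering Gateway connection state (\w+)")
WS_ERR_RE = re.compile(r"WebSocket error received for url=(\S+)")
WS_CLOSED_RE = re.compile(r"WebSocket closed, url=(\S+?), wasClean=(\w+), code=(\d+)")
TLS_DONE = "TLS handshake complete"


@dataclass
class Triage:
    furthest_state: Optional[str] = None   # last gateway state entered, if any
    tls_complete: bool = False             # TLS to the session host finished
    ws_url: Optional[str] = None           # gateway WebSocket URL the client used
    auth_scheme: Optional[str] = None      # AuthS= query parameter of that URL
    ws_close_code: Optional[int] = None    # RFC 6455 close code, if the socket closed
    ws_clean: Optional[bool] = None        # wasClean flag reported by the browser
    verdict: str = ""


def triage(log_text: str) -> Triage:
    """Classify one connection attempt from the client's log text."""
    t = Triage()
    reached = -1
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m and m.group(1) in GATEWAY_STATES:
            reached = max(reached, GATEWAY_STATES.index(m.group(1)))
        if TLS_DONE in line:
            t.tls_complete = True
        m = WS_ERR_RE.search(line)
        if m:
            t.ws_url = m.group(1)
        m = WS_CLOSED_RE.search(line)
        if m:
            t.ws_url = m.group(1)
            t.ws_clean = m.group(2).lower() == "true"
            t.ws_close_code = int(m.group(3))
    if reached >= 0:
        t.furthest_state = GATEWAY_STATES[reached]
    if t.ws_url:
        # The client advertises its gateway auth scheme in the AuthS query parameter.
        t.auth_scheme = parse_qs(urlparse(t.ws_url).query).get("AuthS", [None])[0]

    if t.furthest_state == "GatewayConnectedState" and t.tls_complete:
        t.verdict = "OK: gateway tunnel up and TLS to the session host completed"
    elif t.furthest_state is not None:
        t.verdict = (f"gateway reached but stopped at {t.furthest_state}: "
                     "check gateway credentials and CAP/RAP authorization")
    elif t.ws_close_code is not None:
        t.verdict = (f"transport: WebSocket to the gateway closed with code {t.ws_close_code} "
                     f"(clean={t.ws_clean}) before any gateway state was entered; the path "
                     "browser -> reverse proxy -> RD Gateway never completed, so look at the "
                     "proxy/connector layer before CAP/RAP or certificates")
    else:
        t.verdict = "no gateway activity found in this log"
    return t


# Constructed, abbreviated excerpts of the two logs in this thread (placeholder host).
GOOD_LOG = """\
2022-09-06T15:49:36.918Z GatewayTransport(NORM): GatewayTransport connecting...
2022-09-06T15:49:37.404Z GatewayHandshakeState(NORM): Entering Gateway connection state GatewayHandshakeState
2022-09-06T15:49:37.463Z ExtendedAuthenticationState(NORM): Entering Gateway connection state ExtendedAuthenticationState
2022-09-06T15:49:37.586Z TunnelInitiationState(NORM): Entering Gateway connection state TunnelInitiationState
2022-09-06T15:49:37.632Z TunnelAuthorizationState(NORM): Entering Gateway connection state TunnelAuthorizationState
2022-09-06T15:49:37.733Z ChannelInitiationState(NORM): Entering Gateway connection state ChannelInitiationState
2022-09-06T15:49:37.804Z GatewayConnectedState(NORM): Entering Gateway connection state GatewayConnectedState
2022-09-06T15:49:38.005Z OSSLTransport(NORM): TLS handshake complete
"""
BAD_LOG = """\
2022-09-06T15:33:32.276Z [Connection] Connection state changed to: Opening remote port
2022-09-06T15:33:38.829Z WebSocketTransport(ERR): WebSocket error received for url=wss://rdsgw.example.com:443/remoteDesktopGateway?CorId=%7Bf7246328%7D&ClGen=HTML%3D1&AuthS=SSPI_NTLM
2022-09-06T15:33:38.830Z WebSocketTransport(NORM): WebSocket closed, url=wss://rdsgw.example.com:443/remoteDesktopGateway?CorId=%7Bf7246328%7D&ClGen=HTML%3D1&AuthS=SSPI_NTLM, wasClean=false, code=1006, reason=""
2022-09-06T15:33:38.834Z Connection(ERR): The connection generated an internal exception with disconnect code=ConnectionBroken(8)
"""

if __name__ == "__main__":
    for name, log in (("working", GOOD_LOG), ("failing", BAD_LOG)):
        r = triage(log)
        print(f"{name}: state={r.furthest_state} auth={r.auth_scheme} -> {r.verdict}")
```

    Run it against a full client log pasted into a file and the verdict tells you which layer to start on: a 1006 close with no gateway state means the gateway's WebSocket endpoint was never reached through the proxy, which is consistent with the connector fix reported in the second answer, whereas a stop at ExtendedAuthenticationState or TunnelAuthorizationState points at credentials or CAP/RAP instead.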


  2. Robert Crichton 6 Reputation points
    2022-09-08T12:59:11.473+00:00

    OK, the final answer in my case:

    My Azure App Proxy on premises.

    What... yep. I just installed a new App Proxy Connector Group with a different, new 2022 server on-prem with a freshly downloaded Connector. Edited my Enterprise App and changed the App Proxy Connector Group to this new one, gave it 5 mins and a restart on the Proxy on-prem.

    Dun dun dun - bingo, it works. Just as it did for the other AD site I installed this on two weeks ago. The difference between the two is I probably updated their on-prem AppProxy server to a version that was happy. They are meant to update themselves automatically on every major release.

    There you go - in my case not the cert name mismatch, as I had applied all the fixes needed, but the dashed version of my AppProxy on-prem Connector (I had only the 1, which is probably a weakness which I have fixed there by adding a second at a different site now anyway, albeit my published apps at the moment point to the original default group). Hey ho, thanks for reading folks!
