Certificate Errors when Azure AD App Proxy to Publish Remote Desktop WebClient

danwheeler 10 Reputation points
2023-05-05T16:04:32.6666667+00:00

Hi all, I've been battling this for almost a week now. We have an existing RDS deployment running on Server 2012 R2 published at https://application.company.com which is running fine for RD Gateway and RD Web. I need to layer MFA on top of the application so I figured Azure AD Application Proxy would be a good way to go and would allow us to remove our SNAT for the application in the future. I am trying to eliminate RDP/3389 from the internet and enforce MFA by using the webclient. I avoided the route of setting up the Azure AD MFA extension on our NPS server because this method only supports MFA push notification which our company wants to avoid. We want to stick with SMS/OTP for security reasons and RDP just doesn't support this.

I've got it all working except for the final RDP connection using the RDWeb WebClient which is failing with either a socket or a certificate error depending on how I have certs configured.

Basically, I've added a Server 2022 RDWeb and Gateway server to the existing Server 2012R2 deployment with the RDWeb HTML5 webclient installed. I did this because I didn't want to upgrade the existing RDS deployment's servers because it is too much of a risk to possibly take down this company's main LOB application.

RDWeb and the Webclient are working fine with HTTPS. I can auth to the proxy URL (https://app-company.msappproxy.net/rdweb/webclient/index.html) with Azure AD/MFA and see my RDS application.

There are 3 places I know of on the Gateway and RDWeb server that I need to manage certs:

  • The RD Gateway
  • IIS
  • The Webclient (via Import-RDWebClientBrokerCert)

When I use a self-signed cert for these 3 locations, I get connected 95% of the way via the webclient but it finally fails with a certificate validation error in the webclient UI. It's showing me the thumbprint of the cert we use for the existing RDS deployment even though I'm not connecting through that deployment's gateway server. I AM connecting to a session host in that deployment, so I'm not sure if it's failing cert validation at the point it actually connects to the terminal server? In other words, I'm using the Webclient at https://app-company.msappproxy.net but the session host has a certificate for app.company.com? But that doesn't make sense, because I think RDP on the session host (terminal server) would be configured with the self-signed cert for that server, just like any other server.

When I use the app.company.com cert for these 3 locations, I get an immediate failure and a websocket error:

WebSocketTransport(ERR): WebSocket error received for url=wss://app-company.msappproxy.net:443/remoteDesktopGateway?CorId=%7Bfc04ffba-a406-483b-9827-54ec1ddc0000%7D&ConId=%7B2854d0e3-ea01-4a31-a86f-5ebe6945a3fd%7D&ClGen=HTML%3D1&ClBld=Type%3DRdClient%3B%20Build%3Dprivate&AuthS=SSPI_NTLM
    websockettransport.cpp(304): OnErrorFromJS()

Connection(ERR): The connection generated an internal exception with disconnect code=ConnectionBroken(8), extended code=<null>, reason=WebSocket closed with code: 1006 reason: 
 Thrown in thread 1136492 at:
    websockettransport.cpp(335)
Call Stack:
        at invoke_iiiiii
        at https://app-company.msappproxy.net/rdweb/webclient/librdp/html/librdphtml.a2d54375.wasm:wasm-function[7858]:0x3cf3e2
        at invoke_vii
        at https://app-company.msappproxy.net/rdweb/webclient/librdp/html/librdphtml.a2d54375.wasm:wasm-function[728]:0x67eb0 

I've tried using a custom domain for the Azure AD App Proxy and a local DNS server (Technitium) with a primary DNS zone and a CNAME for app.company.com > app-company.msappproxy.net to simulate flipping our DNS over to the app proxy, but the app proxy gives 404 errors whenever I use the custom domain. (I have an Azure support case open for this.) If I have the app proxy set to the custom domain app.company.com as the external URL, I get 404s no matter what I do, and it won't even respond on app-company.appproxy.net, which is where the CNAME points to, so I end up having to change the external URL back to app-company.msappproxy.net to get it to respond again. So it seems like a bit of a catch-22: I get cert errors because I'm not using the same cert end-to-end, but if I try to use the custom domain so I can use the same cert, the external URL doesn't respond. So confused. Any help appreciated. Thanks.
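The WebClient validates the certificate presented by whichever gateway endpoint it reaches against the host name in the URL it used, and the browser must also trust the issuer; a self-signed certificate, or one whose SAN does not contain that name, fails at the last step exactly as described above. Before changing the App Proxy configuration it helps to see, in one place, which thumbprint each of the three locations in the question (RD Gateway, IIS, the WebClient broker cert) is actually using and whether each covers the expected name. The script below is an added example written for this page, not code from the question or from Microsoft; it assumes the RemoteDesktopServices module (the RDS: drive and the path RDS:\GatewayServer\SSLCertificate\Thumbprint), the WebAdministration module and the RDWebClientManagement module are present on the Server 2022 RDWeb/Gateway host, and 'app.company.com' is a placeholder for the name the browser connects to. It also queries the local RDP-Tcp listener, which is what the poster wonders about for the session hosts; the same query on a session host shows what that host presents.

```powershell
# Added example (not from the original question or answers): inventory the certificate
# thumbprints used by RD Gateway, IIS, the WebClient broker cert and the local RDP-Tcp
# listener, and check each against the host name the WebClient will connect to.
# Run in an elevated PowerShell on the Server 2022 RDWeb/Gateway host.
# Assumed: RemoteDesktopServices (RDS: drive), WebAdministration and RDWebClientManagement
# modules are installed; 'app.company.com' is a placeholder value.
param(
    [string]$ExpectedHost = 'app.company.com'   # placeholder: name in the URL the browser uses
)

Import-Module RemoteDesktopServices  -ErrorAction Stop
Import-Module WebAdministration      -ErrorAction Stop
Import-Module RDWebClientManagement  -ErrorAction Stop

# True when a certificate name (exact, or a single-label wildcard) covers the expected host
function Test-NameCoversHost {
    param([string]$CertName, [string]$HostName)
    if ($CertName -ieq $HostName) { return $true }
    # '*.company.com' covers 'app.company.com' but not 'a.b.company.com'
    if ($CertName.StartsWith('*.') -and $HostName.Contains('.')) {
        $certTail = $CertName.Substring(1)                        # '.company.com'
        $hostTail = $HostName.Substring($HostName.IndexOf('.'))   # '.company.com'
        return ($certTail -ieq $hostTail)
    }
    return $false
}

# Describe what a client validating this thumbprint against $ExpectedHost will see
function Get-CertReport {
    param([string]$Role, [string]$Thumbprint)
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return [pscustomobject]@{ Role = $Role; Thumbprint = $Thumbprint; Subject = '<not in LocalMachine\My>'
                                  SelfSigned = $null; CoversHost = $null; Expired = $null }
    }
    # Subject alternative names as exposed by PowerShell's certificate type adapter; fall back to the CN
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false)) }
    [pscustomobject]@{
        Role       = $Role
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SelfSigned = ($cert.Subject -eq $cert.Issuer)   # a browser will not trust this without the issuer
        CoversHost = [bool]($names | Where-Object { Test-NameCoversHost $_ $ExpectedHost })
        Expired    = ($cert.NotAfter -lt (Get-Date))
    }
}

$reports = @()

# 1. RD Gateway listener certificate (RDS: provider path; assumed, verify on your build)
$gwThumb  = (Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
$reports += Get-CertReport -Role 'RD Gateway' -Thumbprint $gwThumb

# 2. IIS HTTPS binding(s) that serve /RDWeb and the WebClient
foreach ($b in (Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 })) {
    $reports += Get-CertReport -Role "IIS $($b.IPAddress):$($b.Port) $($b.Host)" -Thumbprint $b.Thumbprint
}

# 3. Broker certificate the WebClient was given with Import-RDWebClientBrokerCert
$reports += Get-CertReport -Role 'WebClient broker cert' -Thumbprint (Get-RDWebClientBrokerCert).Thumbprint

# 4. Local RDP-Tcp listener; run the same query on a session host to see what it presents
$rdp = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting `
                       -Filter "TerminalName='RDP-Tcp'"
$reports += Get-CertReport -Role 'RDP-Tcp listener (this host)' -Thumbprint $rdp.SSLCertificateSHA1Hash

$reports | Format-Table -AutoSize

# Summary: the findings a reviewer wants before touching App Proxy or DNS
$distinct = @($reports.Thumbprint | Sort-Object -Unique).Count
if ($distinct -gt 1) { Write-Warning "$distinct different thumbprints in use; the client will see more than one identity" }
$reports | Where-Object { $_.CoversHost -eq $false } | ForEach-Object { Write-Warning "$($_.Role): certificate does not cover $ExpectedHost" }
$reports | Where-Object { $_.SelfSigned }            | ForEach-Object { Write-Warning "$($_.Role): self-signed; a browser rejects it unless the issuer is trusted" }
$reports | Where-Object { $_.Expired }               | ForEach-Object { Write-Warning "$($_.Role): expired" }
```

Run it once with the msappproxy.net name and once with the intended custom domain: the CoversHost column shows which of the locations would pass name validation for each URL, and the thumbprint summary shows whether the client is being handed more than one certificate identity along the path.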


2 answers

  1. index source 0 Reputation points
    2024-10-29T12:59:35.4433333+00:00

    product name:


  2. index source 0 Reputation points
    2024-10-29T13:01:07.1366667+00:00

    product or brand name?

