RDS deployment with Azure AD Application Proxy - RDP fails (authentication to the firewall failed due to missing firewall credentials)

Barry van Dijk 26

Basically, followed this MS Article: [application-proxy-integrate-with-remote-desktop-services][1]

Installed and registered a connector following [application-proxy-add-on-premises-application][2]

Enabled the Web Client following [remote-desktop-web-client-admin][3]

Using https://

Karlie Weng 13,951 Reputation points Microsoft Vendor

2021-05-05T06:29:43.92+00:00

This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.
Barry van Dijk 26 Reputation points

2021-05-05T06:57:54.54+00:00

Hi Karlie, thanks for the quick note. If anything changes I'll let you know, though I'm currently out of options, so anxiously waiting for any suggestions.
Kyle Barina 1 Reputation point

2021-05-05T17:07:22.747+00:00

I have an identical issue. Please let us know what you find out.
_KUL 286 Reputation points

2021-06-17T00:10:37.25+00:00

Hello!
I also set up this scheme! I also have this problem! It's just awful ... I don't even know where to look for a solution. @Barry van Dijk were you able to solve the problem?
DavidBWI 1 Reputation point

2021-08-11T15:29:15.72+00:00

I have this same setup and this same issue and need to figure out a way to resolve ASAP! Please help.

Azure AD Web Application Proxy configured for PRE AUTH and Azure MFA.

RDS 2019 GW,WEB,CB on single server.

RDSH - 2 servers publishing APP collection.

HTML5 client installed.

I can connect to the app proxy URL and get Azure MFA preauth+MFA and launch any published app using either new html5 client or old IE activex method just fine. The problem is I need to use HTML5 client for chrome support and I need multi monitor support so I have to toggle the setting to download the RDP file instead of launch in browser. This produces the firewall error in the original post above.

How do I configure this to allow launch of RDP icon for full seamless app with multi monitor support in HTML 5 client with Azure Web Application proxy in preauth mode to support Azure MFA????
Jesper Møller 1 Reputation point

2021-10-22T09:58:26.76+00:00

Did you manage to resolve this issue?

I'm having the exact same issue and I can't figure it out.
Everything is working fine when launched in the webclient, but if I download the RDP file I'm getting the exact same error as you.
Pooja Nair (MINDTREE LIMITED) 26 Reputation points Microsoft Vendor

2022-11-18T00:31:13.217+00:00

Hey, I've an identical issue. Please let us know what you find out!

11 answers

Leila Kong 3,691 Reputation points

2021-05-06T02:24:05.76+00:00

Hello @Barry van Dijk ,

1.Do you use AD FS? Have you configured it with your RDS deployment, such as configuration mentioned in “ADFS WAP: How to configure SSO with RDWeb”: https://social.technet.microsoft.com/wiki/contents/articles/33630.adfs-wap-how-to-configure-sso-with-rdweb.aspx

Did the problem happen when access RemoteApp using IE? If so, please try to disable the Internet Explorer Protected Mode on IE to check the result.

2.Can you try to publish your External URL and not the MSAPPPROXY url made by Azure App Proxy?

3.Will the issue be fixed if you try the following Resolution:

I got the same popup in IE but I added RDWeb URL in the trusted sites and it went away. For non-IE browsers from the internet, we were getting this error which means my non-Microsoft OS users can’t use RDWeb. We opened a Microsoft case to fix this but Microsoft was clueless and reviewed multiple logs, involved WAP team, and other escalation teams. At the same time, Microsoft referred me to the TechNet link. https://technet.microsoft.com/en-us/library/dn765486.aspx After reviewing the link, I figured out that I had run the following command Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s:https://rdg.contoso.com’nrequire pre-authentication:i:1″ But I should have run this command. Set-RDSessionCollectionConfiguration -CollectionName “MyAppCollection” -CustomRdpProperty “pre-authentication server address:s: https://rdg.contoso.com/rdweb/n require pre-authentication:i:1″ After running the correct command. RDWeb app started working from all browsers from the internet. I should rather say, .rdp file started connecting to the apps and the error mentioned above went away.

FYI: https://msexchangeguru.com/2017/01/16/rdweb-noniebrowsers/ https://social.technet.microsoft.com/Forums/windows/en-US/8dda420e-bddd-4dfb-a50b-cd4090be6d2b/publish-rds-2016-infrastructure-through-azure-ad-proxy?forum=winserverTS https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-custom-domain

Best regards, Leila

If the Answer is helpful, please click "Accept Answer" and upvote it. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

1 person found this answer helpful.
Barry van Dijk 26 Reputation points

2021-05-06T06:11:50.123+00:00

HI Leila,

Thank you for your message, however:

We're not using ADFS, neither are we using IE.

We're not using the MSAPPROXY, but using our own External URL already (and use that for internal URL as well as suggested in the MS Docs)

I've already read the article and links mentioned above, before posting here. Most of the information is outdated and sometimes even incorrect.

Thanks for your effort, but unfortunately this does not provide a solution or new information.
Sign in to comment
Leila Kong 3,691 Reputation points

2021-05-07T09:51:59.227+00:00

Hello @Barry van Dijk ,

This is a quick note to let you know that I am currently performing research on this issue. If you have any updates during this process, please feel free to let me know.

Please also understand due to security policy and from our professional level, we do not provide dump/log analysis. In addition, if this problem is more urgent for you I still recommend that you open a case to Microsoft for further professional help.
https://support.microsoft.com/en-us/help/4341255/support-for-busines
Please sign in to rate this answer.
Barry van Dijk 26 Reputation points

2021-05-10T08:54:57.107+00:00

While doing some more testing, I noticed the error message is displayed instantly, which made me wonder if it tried connecting at all.

Disabling my network adapters, connecting again, same error (authentication to the firewall failed due to missing firewall credentials).

So, next step was taking a packet capture on the switchport my PC is connected to.

While taking a packet capture it became clear it actually never tries to connect as no network traffic is shown at all between my client and the target.

So, this makes me think something is wrong with the generated RDP (opened by RemoteApp), though I have no clue what, this is the default QuickSession Collection RDP generated for Calculator:
(I've removed/replaced sensitive information)

95252-cpub-calculator-quicksessioncollection-cmsrdsh.txt

Barry van Dijk 26 Reputation points

2021-05-10T10:04:00.967+00:00

Omitting the:

Set-RDSessionCollectionConfiguration -CollectionName "<yourcollectionname>" -CustomRdpProperty "pre-authentication server address:s:<proxyfrontendurl>`nrequire pre-authentication:i:1"

(This command enables single sign-on between RD Web and RD Gateway, and optimizes performance:)

Running the same RDP now (on the server it self), prompts me for the username/password, but keeps resulting in login attempt failed.
So, this might be the underlying issue, trying to figure out why it's not accepting my credentials.

Barry van Dijk 26 Reputation points

2021-05-10T11:51:51.31+00:00

Edited as the results I've mentioned before are not correct:

So, now I'm able to reproduce the following situation:

Changing my local hosts file to use the internal IP for the Remote Desktop Gateway:
Setting up an RDP connection using my gateway (made sure it is also using it from the local network) it works as expected.

Removing the entry from my local hosts file so it uses the Public IP (Western Europe msappproxy.net IP in my case)
Setting up an RDP connection using my gateway results in not accepting my credentials and keep asking for them.

Any ideas why this could be happening?

Barry van Dijk 26 Reputation points

2021-05-11T07:23:14.22+00:00

Please check my updated results above and if possible provide me with some hints.

Barry van Dijk 26 Reputation points

2021-05-11T07:44:59.847+00:00

One more update:

As I'm trying the Microsoft Terminal Services Client to debug it makes sense I'm unable to connect to the gateway server with Pre Authentication set to Azure Active Directory. As mstsc can't perform that Pre Authentication; when changing that to 'Passthrough' it will work using the public IP as well.

But the whole point ofcourse is to use Azure Active Directory (with MFA in my case)

So, this brings me back to my previous finding, where no network traffic is seen using RemoteApp (double checked and confirmed again no traffic is seen), definitely need some help here (see my comment with the attached text file, that seems to be the exact place where I'm stuck).
Sign in to comment
Leila Kong 3,691 Reputation points

2021-05-14T01:23:31.563+00:00

Hello @Barry van Dijk ,

1.Is there any related log on the RDgateway server?
Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices > Gateway/
admin
Operational

2.Do you use local server running NPS or central server running NPS?

3.Is RDgateway in DMZ?

4.Can you draw a flow chart of the connection process?

This issue seems a little complicated and we recommend you to open a case to Microsoft for further professional help. Thanks for your cooperation!
https://support.microsoft.com/en-us/help/4341255/support-for-busines
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Leila Kong 3,691 Reputation points

2021-05-27T07:28:14.967+00:00

Hello @Barry van Dijk ,

We haven’t heard from you in a couple of days.
Please post back at your convenience if we can assist further.
Please sign in to rate this answer.
Dheen Jaabir 1 Reputation point

2021-07-06T11:37:09.343+00:00

I have the exact same issue, need assistance troubleshooting,

!
Sign in to comment
Dheen Jaabir 1 Reputation point

2021-07-06T12:11:47.863+00:00

SOLUTION IS HERE : https://msexchangeguru.com/2017/01/16/rdweb-noniebrowsers/
Please sign in to rate this answer.
Dheen Jaabir 1 Reputation point

2021-07-07T06:48:16.043+00:00

But the above doesnt not work if I enable Azure AD Authentication, this works for only pass through authentication on the app rpoxy.
\
can we work on this please

DavidBWI 1 Reputation point

2021-08-11T15:31:17.657+00:00

Didn't work for me. Putting RDWEB at the end changes no behavior.
Sign in to comment

RDS deployment with Azure AD Application Proxy - RDP fails (authentication to the firewall failed due to missing firewall credentials)

11 answers

Best regards, Leila