Azure AD Application Proxy now supports the Remote Desktop Services web client
Published Jul 29 2020 09:00 AM

Howdy folks!
Today we’re announcing the public preview of Azure AD Application Proxy (App Proxy) support for the Remote Desktop Services (RDS) web client. Many of you are already using App Proxy for applications hosted on RDS and we’ve seen a lot of requests for extending support to the RDS web client as well.
With this preview, you can now use the RDS web client even when App Proxy provides secure remote access to RDS. The web client works on any HTML5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later). You can push full desktops or remote apps to the Remote Desktop web client. The remote apps are hosted on the virtualized machine but appear as if they’re running on the user's desktop like local applications. The apps also have their own taskbar entry and can be resized and moved across monitors.

Launch rich client apps with a full desktop-like experience

Why use App Proxy with RDS?

RDS allows you to extend virtual desktops and applications to any device while helping keep critical intellectual property secure. By using this virtualization platform, you can deploy all types of applications, such as Windows apps and other rich client apps, as-is with no rewriting required. By using App Proxy with RDS you can reduce the attack surface of your RDS deployment by enforcing pre-authentication and Conditional Access policies, like requiring Multi-Factor Authentication (MFA) or a compliant device, before users can access RDS. App Proxy also doesn't require you to open inbound connections through your firewall.

Getting started

To use the RDS web client with App Proxy, first make sure to update your App Proxy connectors to the latest version, 1.5.1975.0. If you haven’t already, you will need to configure RDS to work with App Proxy. In this configuration, App Proxy handles the internet-facing component of your RDS deployment and protects all traffic with pre-authentication and any Conditional Access policies in place. For steps on how to do this, see Publish Remote Desktop with Azure AD Application Proxy.

How Azure AD App Proxy works in an RDS deployment

Configure the Remote Desktop web client

Next, complete setup by enabling the Remote Desktop web client for user access. See details on how to do this at Set up the Remote Desktop web client for your users. Now your users can use the external URL to access the client from their browser, or they can launch the app from the My Apps portal.

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

Best regards,

Alex Simons (@alex_a_simons)

Corporate Vice President Program Management

Microsoft Identity Division
24 Comments
Copper Contributor

My team have been trying for ages to get something like this running smoothly.

We have a requirement to add MFA/conditional access to our Remote Desktop setup.

Installing the HTML5 WebClient was our "go to" solution when lockdown hit and we needed to enable working from home for a large number of users but, without MFA support, it's not viable in its current setup to stay in place long term.

 

If installed correctly using AppProxy (and using the MyApps portal) would this solution successfully pass the username/password credentials to the RDP gateway/session hosts so that the end user only ever has to enter his credentials once? Every attempt we have tried so far with App Proxy seems to force the user to enter user/password two or more times.

 

Thanks, 

 

Andy

 

Iron Contributor

@AndyBH couldn't agree more. In our testing with App Proxy and RDS apps, users had to enter their credentials at least 3 times before they got to their app making it, in its current situation, something we cannot sell to our employee base (and rightly so).

I'm not saying it's something that's easy for MS to fix but would be nice if we know if they were actively working on it or not :)

 

Copper Contributor

@Steve Hernou - Good to know that others have the exact same experience. I agree that no "standard user" would be able to accept that, which is why we also have not been able to roll it out. The closest other option we've found is by integrating an NPS server, which will trigger the login authorization request on the Authenticator App if you have it, but there is nothing on the PC screen to suggest it's doing that. If your chosen auth method is an SMS or phone call then, although the code is delivered to the user, they have no method to enter it to gain access to RDP.

Microsoft

@Alex Simons (AZURE) You may want to update this page as it still states RDS web client is not supported with AppProxy.

Copper Contributor

I've just noticed that in your diagram, ALL components are hosted in Azure. While this may be possible long term, for many of us (including me!), while using Azure AD and some hosted Office apps is possible, all of our RDS environment remains on our local LAN. So far, any attempts to introduce Conditional Access have required multiple entries of user/password or linking to an NPS server, which provided no user feedback. Can you confirm that with this new support we should be able to publish our on-prem RDS farm through the My Apps Portal requiring no further user/password entry?

The RDS docs should be updated shortly to reflect the changes. As for the questions around login prompts, it is expected and similar to the existing functionality. If the user’s computer is Azure AD joined, the user signs in to Azure AD automatically. The user will still need to provide their credentials on the RDWeb sign-in form. We're still investigating options for how to simplify this. Thank you for the feedback! Feel free to reach out to us at aadapfeedback@microsoft.com if you have any other questions or feedback.

Brass Contributor

We've been trying to get this working since private preview but unfortunately have not had success once we put Azure in the picture. The HTML5/RD side of things works great directly, but via the proxy the initial website loads and asks for creds, but when we enter them it immediately says "sign in failed. please check your user name and password and try again." The creds are the same as the ones that just worked to get through the msonline logon, of course. This happens in multiple orgs/tenants we've tested with. It doesn't even appear to be checking the creds - it's so immediate. Can't find any logs or anything anywhere to see where the breakdown is...

Copper Contributor

How about support for the Remote Desktop client through the gateway? Many users will configure their home computer's Windows RDP client to use our terminal server gateway as their entry point so that they can have a more streamlined experience to access their desktop in the office. Will that still work?

Copper Contributor

I followed the document but I couldn't make it work, so I had to publish two on-premises applications on the Application Proxy, and with that it works:

- One pointing to my externalrds.contoso.com with Azure Authentication option.
- The second, pointing to my externalrds.contoso.com/rpc with Passthrough Authentication option.

 

Now with that configuration, I have the RDWeb portal and the Webclient working without problem. But it is not in the documentation.

I would like now to have SSO in the webclient site. I have enabled MFA, so when the user goes to https://externalrds.contoso.com/rdweb/webclient they get a prompt from login.microsoft.com asking for the user credentials and MFA auth, and it works perfectly. But after the user puts in their credentials and their MFA auth, it prompts again for credentials in the webclient site. I was wondering if there is any solution to enable SSO? Thank you so much for your effort.

 

Copper Contributor

Maybe you checked the Pre-Auth box for both... that is the one that got me. It can pass through itself for a pre-auth proxy.

I also needed to do the SSL cert bind to 3392 and then tie that in through the Gateway Manager.

Copper Contributor

@Wes Lazara  

To get this working for HTML5 client, when creating the Azure Application Proxy, set the internal URL to be https://rdsserver.domain.com/RDWeb/ (without the /webclient on the end). 

Then if you go to https://rdsserver-tenant.msappproxy.net/RDWeb/webclient it will authenticate ok.

Iron Contributor

I have one question that I can't seem to find a clear answer for. If you use AAP in Pre-Auth mode for this, does it impact the functionality of the gateway and the Remote Desktop Store Apps? In testing I can't seem to attach to the web feed using the Store Apps (even though I can download the feed in a browser), nor can I use the Gateway as a normal Gateway. The only information that gives a clue is a blurb in the docs:

  • For the Azure AD pre-authentication flow, users can only connect to resources published to them in the RemoteApp and Desktops pane. Users can't connect to a desktop using the Connect to a remote PC pane.

But this sounds like it's talking about the classic RDWeb site, since it mentions the "Connect to a remote PC pane", which to my knowledge is not included in the webclient. Once enabled I can only seem to connect via the HTML5 Web Client; is this expected? If so, is pre-auth expected to be supported in the Store Apps at any point? Thanks!

Copper Contributor

Publish the RD host endpoint

  1. Publish a new Application Proxy application with the following values:

    • Internal URL: https://<rdhost>.com/, where <rdhost> is the common root that RD Web and RD Gateway share

This ^^. Internal URL has to point to root of your RDWeb/RDGateway box. Some of the advice in comments is incorrect. 

Once you get the basics right there is no need for pass-thru auth or other questionable solutions.
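One way to create the App Proxy application the way this comment describes (internal URL at the root shared by RD Web and RD Gateway, Azure AD pre-authentication rather than passthrough) using the AzureAD PowerShell module. This is an added example, not code from the post or from Microsoft's documentation; the host names and display name are placeholders, and the Long backend timeout is an assumption of mine for long-lived RDS sessions, not something the thread mentions.

```powershell
# Added example: publish the RD Web / RD Gateway root through Azure AD Application Proxy
# with Azure AD pre-authentication. Requires the AzureAD PowerShell module and a connector
# group that can reach the RD host. Host names and display name below are placeholders.

Connect-AzureAD

$internalRoot = 'https://rdhost.corp.example.com/'       # shared root of RD Web and RD Gateway, no /RDWeb/webclient
$externalUrl  = 'https://rdweb-contoso.msappproxy.net/'  # placeholder external address

$app = New-AzureADApplicationProxyApplication `
    -DisplayName                'RDS Web Client (App Proxy)' `
    -ExternalUrl                $externalUrl `
    -InternalUrl                $internalRoot `
    -ExternalAuthenticationType 'AadPreAuthentication' `
    -ApplicationServerTimeout   'Long'   # assumption: RDS sessions outlive the default backend timeout

# Verify what was actually stored: the internal URL must be the bare root and the
# application must not be in Passthru mode, or Conditional Access/MFA is never enforced.
$check = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId

if ($check.InternalUrl -ne $internalRoot) {
    throw "Internal URL is '$($check.InternalUrl)'; it must point at the shared root '$internalRoot'."
}
if ($check.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    throw "Application is in '$($check.ExternalAuthenticationType)' mode; pre-authentication is required."
}

"Published $($check.DisplayName): $($check.ExternalUrl) -> $($check.InternalUrl) [$($check.ExternalAuthenticationType)]"
```

Users then browse to the external URL with /RDWeb/webclient appended, as the earlier comments on this thread describe.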

Steel Contributor

I can get HTML5 working internally.

I can access RDWeb with Internet Explorer using "remote-companyname.msappproxy.net/RDWeb".

However I can't connect via HTML5: "Your computer can't connect to the remote computer because authentication to the firewall failed".

I'm guessing it's a cert issue, but HTML5 internally works OK if the gateway is server.company.net etc.

Never mind, got it sorted. Very handy. Is there any way to disable users getting a choice to download the RDP file? The PowerShell command doesn't seem to work?

Copper Contributor

@David Gorman 

how did you manage to get rid of the "Your computer can't connect to the remote computer because authentication to the firewall failed" error?

 

I have the same problem - and suspect certificates?

 

/Chris

Steel Contributor

@ChrisT82, yes it was definitely the certs. I thought they were correct but when applying them they were showing as "not configured" and OK. I thought it should have given an error.

 

The certs were from my AD Certificate Enrollment process and the certs had a template of Server and Client authentication.

Copper Contributor

Double post.

Copper Contributor

Is the HTML5 Web Client supported with AAD Application Proxy in passthrough mode?

I currently have 2 proxy applications.

Normal RDWeb works fine from both internal and external; however, the HTML5 Web Client only works from internal.

If I choose in the HTML5 Web Client to download RDP files rather than launching them, it also works from external, but I can't launch apps directly in the browser from external.

 

The error comes right after the "Opening Ports" status and says unable to connect. The web client logs show 3 errors.

  • Exception: Possibly unhandled rejection: backdrop click Cause: undefined
  • WebSocketTransport(ERR): WebSocket error received for url=wss://webapps.mycompany.com:443/remoteDesktopGateway?CorId=......... websockettransport.cpp(304): OnErrorFromJS()
  • Connection(ERR): The connection generated an internal exception with disconnect code=ConnectionBroken(8), extended code=<null>, reason=WebSocket closed with code: 1006 reason:
    Thrown in thread 399652 at:
    websockettransport.cpp(335)
    Call Stack:
    at imb
    at fmb
    at Tp
    at Djd

    connection.cpp(1335): OnException()

 

Can anyone confirm if it is supposed to be working with passthrough or if Preauthentication on the AAD Proxy Application for the RDWeb is required?

Brass Contributor

@ManIT1980 did you figure out the problem, please? I have the same issue :\

thx in advance!

Copper Contributor

@ManIT1980 / @Jurme 

 

Did you guys figure this out? IE works great. The RDWeb Client is failing with Chrome/Firefox.

Copper Contributor

@ManIT1980 / @Jurme - Bump!

 

Did you ever find a solution to this? I have the same issue. 

Copper Contributor

@ManIT1980 / @Alex Simons (AZURE) 

I have the exact same problem. Is there any progress?

Many thanks.

 

Copper Contributor

We enabled MFA on our HTML5 web client using Rublon's solution, it works pretty well with Mobile Push and you don't have to host it on Azure: https://rublon.com/doc/rdhtml5/

Brass Contributor

Anyone know how to fix this "reason=WebSocket closed with code: 1006" websocket error when trying to use the HTML5 client through Azure AD Proxy? This thing is killing me, I've spent weeks and long nights trying to get it to work. Should be simple but is not at all. Everything works great until I try to open a RemoteApp using the HTML5 Webclient then I get this websocket error. Have reviewed my config a bajillion times now, all my certs are good on RDS, IIS, Webclient, Azure AD proxy, etc. Pulling my hair out trying to get this to work, can anyone help? Thanks, Dan.

Version history: last updated Jul 28 2020 10:36 AM