Remote Desktop Gateway
6 Topics

Troubleshooting UPN Authentication Issues in Remote Server Gateway
Hello everyone, I'm a system administrator currently facing an issue with UPN authentication on our Remote Server Gateway. I'm seeking advice or suggestions to resolve this problem. Here's a brief overview of the situation:

Internally (at work), authentication using sAMAccountName and Kerberos works with no issues. However, with our Remote Server Gateway, UPN authentication consistently fails, while sAMAccountName works.

Steps Taken:
- Adjusted user accounts, including adding them to global and forest admin groups.
- Checked DNS configurations, which seem to be correct.
- Reviewed group policies and found no restrictive settings affecting UPN authentication.
- Encountered some general event errors related to the failed connections, but they don't provide usable information.

My concern is to understand how it could work. Is it possible that Kerberos or NTLM configurations are affecting UPN authentication on the Remote Server Gateway? If so, how can these settings be diagnosed and adjusted? Has anyone faced similar UPN authentication issues with Remote Server Gateways, but working with sAMAccount? Any solutions or advice would be valuable.

1.4K Views, 0 likes, 0 Comments

Security Risk: iOS Remote Desktop Client accepting invalid RD Gateway Certificates
After accidentally importing a wrong certificate (CN mismatch) for our RD Gateway jump host, some mobile users were starting to complain immediately because they were getting certificate warnings. After the first report, I verified using my fully updated iPhone with the latest Microsoft Remote Desktop Client (10.3.6) but did not get any certificate warnings with a pre-configured connection using that RD Gateway. However, when using the Workspace Feed (aka RD WebAccess), there was a certificate warning when refreshing the feed. I then cross-checked with the Android RDP Client and it showed the RD Gateway Certificate warning as expected.

Well, I was a bit baffled and did some experiments: It seems the iOS RDP Client accepts any certificate without checking, self-signed, wrong CN, ... everything seems to be happily accepted! I even tested with an old iPad using the abandoned Version 8 iOS client and it had the same issue. I know that Apple users love it if something just works, but in this case this would go way too far 😉

And no - the client did not connect directly to the target RDP server - as in skipping the gateway. That connection would not be possible without the gateway and the connection also was confirmed in RD Gateway Monitor. Is it possible that Microsoft has this "feature" in the iOS RDP Client, like forever, and I'm the first to notice?

1.1K Views, 0 likes, 0 Comments

Remote desktop services (RDS) Gateway Server
Remote desktop services (RDS) Gateway Server detecting internal users in the monitoring tab under gateway manager. Internal users are getting flagged and connecting through the gateway server. All users are connected with VPN from different sites of the office.

1.1K Views, 0 likes, 0 Comments

Updates KB4534297/KB4534309 Break RDS through Web Application Proxy on Server 2012 R2
We have Remote Desktop https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-remote-desktop-services through Web Application Proxy, both running on Server 2012 R2. The RDS application in WAP is configured for pass-through authentication so users can connect from both Windows and non-Windows ("rich apps" on Android/iOS/Mac) devices. This has been working for the past few years without issue.

After installing recent update KB4534309 (or the rollup that contains it, KB4534297), the non-Windows clients are unable to connect. They show error 0x3000008 during the "initiating remote connection" phase:

"We couldn't connect to the gateway because of an error. If this keeps happening, ask your admin or tech support for help."

Has anyone experienced this or figured out a way to fix it?

2K Views, 0 likes, 1 Comment