Step by Step Customizing RD Web Access 2012 R2 – Part 1

This is the first post in a series that focuses on customizing the RD Web Access 2012 R2 interface.
This post will not focus on Branding; I will address that in later posts.

Update: It turns out the option to remove the necessity to enter the domain name only worked on domain joined machines. I’ve added an extra part there to make this work on non-domain joined machines as well. I apologize for any inconveniences this may have caused.

Update: the second post in the series is published, which focuses on customizing the first main page. Read it here.
Update: the third and final post in the series is published, which focuses on customizing the second main page. Read it here.

First up is customizing the RD Web Access login page. We’ll be editing files, changing Application Settings in Internet Information Services Manager (IIS Manager), and hiding or un-hiding interface elements. Let’s get started!

For this entire post I’ll refer to a user which I created:
RDS Customize Web Access - login page 01
The user’s NT Account is “ITW\jklaas” and its UPN (User Principal Name) is “”, which is also the email address for this user.

By default all the files related to the Web Access interface can be found in %windir%\web\rdweb\pages\<language-code>.
RDS Customize Web Access - login page 03
This will also be the folder where we’ll do most of the customizing that’s discussed in this post.
Before we continue, make a backup copy of this entire %windir%\web\rdweb\pages folder.
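
One way to script that backup and keep a record of what changes afterwards, as an added example that is not part of the original post. The backup location `D:\Backup\RDWeb` and the function names are assumptions; the list of expected files is taken from the files this post edits.

```powershell
# Added example (not from the original post): back up the RD Web Access pages
# folder, record a SHA-256 baseline, and later list every file that differs.
# Run in an elevated PowerShell 4.0+ session on the RD Web Access server.

$PagesDir   = Join-Path $env:windir 'web\rdweb\pages'
$BackupRoot = 'D:\Backup\RDWeb'          # assumption: pick your own location
# Files this post edits; a change to any other file deserves a closer look.
$ExpectedEdits = 'login.aspx', 'password.aspx', 'webscripts-domain.js', 'site.xsl'

function Get-PagesHash {
    # Returns one object per file: path relative to $Root plus its SHA-256.
    param([Parameter(Mandatory = $true)][string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function New-PagesBackup {
    # Copies the whole pages folder and writes a hash manifest next to the copy.
    $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupDir = Join-Path $BackupRoot "pages-$stamp"
    $manifest  = Join-Path $BackupRoot "pages-$stamp.sha256.csv"
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    Copy-Item -Path $PagesDir -Destination $backupDir -Recurse
    Get-PagesHash -Root $backupDir | Export-Csv -Path $manifest -NoTypeInformation
    $manifest                            # return the manifest path
}

function Compare-PagesToBaseline {
    # Lists added, removed and modified files relative to a manifest.
    param([Parameter(Mandatory = $true)][string]$ManifestPath)
    $baseline = @{}
    Import-Csv -Path $ManifestPath | ForEach-Object { $baseline[$_.RelativePath] = $_.SHA256 }
    $live = @{}
    Get-PagesHash -Root $PagesDir | ForEach-Object { $live[$_.RelativePath] = $_.SHA256 }

    foreach ($path in (@($baseline.Keys) + @($live.Keys) | Sort-Object -Unique)) {
        $state = $null
        if (-not $live.ContainsKey($path))         { $state = 'Removed' }
        elseif (-not $baseline.ContainsKey($path)) { $state = 'Added' }
        elseif ($live[$path] -ne $baseline[$path]) { $state = 'Modified' }
        if ($state) {
            [pscustomobject]@{
                State        = $state
                RelativePath = $path
                Expected     = $ExpectedEdits -contains (Split-Path $path -Leaf)
            }
        }
    }
}

# 1) Before editing anything:
#      $manifest = New-PagesBackup
# 2) After your edits, or after the server has been patched:
#      Compare-PagesToBaseline -ManifestPath $manifest | Format-Table -AutoSize
```

Rows with `Expected = False` are files that changed although this post never touches them.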

I found that editing these files was easiest using an advanced editor like Notepad++, switching its code language to C#, and turning off the spelling checker if it’s enabled. You can download Notepad++ for free here:

The default Web Access interface login page looks like this:
RDS Customize Web Access - login page 02
As you can see, the interface by default expects the user to enter the username in the NT Account format, e.g. Domain\user name.

Removing the domain prefix requirement from the Web Access interface
UPDATE: After several updates and fixes to this method I decided to create a dedicated post for this. You can find this post here.

Forcing users to use the User Principal Name / email address for logging on
If you customized the domain name earlier in this post, restore “login.aspx” and “webscripts-domain.js” from the backup copy we made earlier.

If you publish the Web Access interface for a shared platform you can force users to use the UPN. Service Providers usually set the UPN to reflect the user’s email address.
This works by default in the Web Access interface, but the text label shows “Domain\user name” and the user is still able to use the NT Account to log on.
So we need to fix two things: the text on the label, and some code to accept only the UPN format.

Open “login.aspx” and move to line number 19:
RDS Customize Web Access - login page 05
This line holds the text for the label.
Change this line to:
RDS Customize Web Access - login page 09
Or replace “Email address:” with the custom text you prefer.
This changes the label text to ask for the UPN, or email address.
Note: you need to make the same change on line 19 in “password.aspx” if you plan to allow or force users to change their password through the Web Access interface.

You might want to consider changing line 27:
RDS Customize Web Access - login page 10
You could change “The user name” into “The email address” for example.
If you plan to allow password changes through the Web Access interface, you might want to change the same text on line 29 in the “password.aspx” file.
And back to “login.aspx” on line 28:
RDS Customize Web Access - login page 11
You could change “domain name” into “email address”.
Save the file.

Open “webscripts-domain.js” and move to line number 44:
RDS Customize Web Access - login page 12
Change line 44 to a commented line:
RDS Customize Web Access - login page 13
Do this by entering “//” at the start of each line.

Next go to line 46:
RDS Customize Web Access - login page 14
Change this line into:
RDS Customize Web Access - login page 15

That’s it. Test your adjustments by reloading the page. You will only be able to log in with a valid UPN now.
If you try to log on using the NT Account you’ll be presented with an error:
RDS Customize Web Access - login page 16

Allowing or forcing users to change their password
If you’ve created a new user you may want to force the user to change his or her password upon first logon, or you might want to let the user change his or her password when it has expired.

On the RD Web Access server open Internet Information Services Manager (IIS Manager).
RDS Customize Web Access - login page 26
Expand the tree on the left and click Pages, then double-click Application Settings and select PasswordChangeEnabled. Notice its value is “false” by default and click Edit to change it to “true”. This change is immediate, without the need to restart IIS.

Refresh or open the Web Access page and log on with a user account that has its password expired or Change on first log on enabled:
RDS Customize Web Access - login page 27
Clicking the “here” link opens a new page:
RDS Customize Web Access - login page 28

Customizing the “Help” link
By default users are presented with a Help link in the top right corner of the user interface:
RDS Customize Web Access - login page 17
And clicking the link pops up a new window which by default shows the content from
RDS Customize Web Access - login page 18

You can easily switch to a local file, which is located on your RD Web Access server.

On the RD Web Access server open Internet Information Services Manager (IIS Manager).
RDS Customize Web Access - login page 19
Expand the tree on the left and click Pages, then double-click Application Settings and select LocalHelp. Notice its value is “false” by default and click Edit to change it to “true”. This change is immediate so there’s no need to restart IIS.

Refresh or open the Web Access page and click the Help link:
RDS Customize Web Access - login page 20
It now shows a new window with the contents of the rap-help.htm file.
You can customize this file if you want.

If you want to point the link to a totally different location you need to edit “login.aspx”.
The logic for defining the help pages starts on line 84:
RDS Customize Web Access - login page 21
Change line 87 if you want to use a different file to show your users, and change line 91 if you want to use a different external URL.
Note: these Help entries are specific to the login page. The main page has a Help link as well, but this will be addressed in the next post in this series. This means that you could specify different Help content for the login page if you wish.
Note: if you change the Help entries in the “login.aspx” file, you must make the same changes in the “password.aspx” file if you plan to allow password changes through the Web Access interface.

Hiding the “Help” link on the login page
If you want to hide the Help link on the login page you need to edit %windir%\web\rdweb\pages\site.xsl.

Go to line 152:
RDS Customize Web Access - login page 22
Change this line to look like this:
RDS Customize Web Access - login page 23
And change line 154 to look like this:
RDS Customize Web Access - login page 24
The result of these two changes should look like this:
RDS Customize Web Access - login page 25
These two changes turn the code that displays the link into a comment, which hides the link.
Save the file.

Refresh or open the Web Access page and you’ll see the link is gone.
Note: this removes the link from the login and password pages only. After logging in you’ll see the link is still there on the main page. Removing or customizing that link will be addressed in the next post in this series.

Customizing the security setting session timeouts
By default the user is presented with a choice in security settings:
RDS Customize Web Access - login page 29
The public computer setting session timeout is 20 minutes, and the private computer setting timeout is 240 minutes. These timeout settings are configurable.

On the RD Web Access server open Internet Information Services Manager (IIS Manager).
RDS Customize Web Access - login page 30
Expand the tree on the left and click Pages, then double-click Application Settings and select PrivateModeSessionTimeoutInMinutes or PublicModeSessionTimeoutInMinutes. Click Edit to change the default value to something you prefer or something that your organization enforces.
These changes are immediate, without the need to restart IIS.
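
The Application Settings changed through IIS Manager in this post (PasswordChangeEnabled, LocalHelp and the two session timeouts) can also be read and set from PowerShell. This is an added example, not part of the original post; the site path `Default Web Site\RDWeb\Pages`, the function names and the two sample timeout values are assumptions.

```powershell
# Added example (not from the original post).
# Run in an elevated PowerShell session on the RD Web Access server.
Import-Module WebAdministration

# Assumption: RD Web Access is installed under the Default Web Site.
$PagesApp = 'IIS:\Sites\Default Web Site\RDWeb\Pages'

# Desired values. The two timeouts are constructed sample values; the post
# gives the defaults as 20 (public) and 240 (private) minutes.
$Desired = [ordered]@{
    PasswordChangeEnabled              = 'true'
    LocalHelp                          = 'true'
    PublicModeSessionTimeoutInMinutes  = '15'
    PrivateModeSessionTimeoutInMinutes = '120'
}

function Get-RDWebAppSetting {
    # Returns the current value of one appSettings key, or $null if absent.
    param([Parameter(Mandatory = $true)][string]$Key)
    $filter = "/appSettings/add[@key='$Key']"
    $prop = Get-WebConfigurationProperty -PSPath $PagesApp -Filter $filter -Name 'value'
    if ($null -eq $prop)    { return $null }
    if ($prop -is [string]) { return $prop }
    return [string]$prop.Value
}

function Test-RDWebAppSettingValue {
    # Rejects values the setting cannot sensibly hold before anything is written.
    param([string]$Key, [string]$Value)
    if ($Key -like '*TimeoutInMinutes') {
        $n = 0
        return [int]::TryParse($Value, [ref]$n) -and $n -gt 0
    }
    return $Value -in 'true', 'false'
}

function Update-RDWebAppSetting {
    # Reports every setting; writes only when -Apply is given.
    param([switch]$Apply)
    foreach ($key in $Desired.Keys) {
        $wanted  = $Desired[$key]
        $current = Get-RDWebAppSetting -Key $key
        if ($null -eq $current) {
            $status = 'Missing'          # key not present: do not create it
        }
        elseif (-not (Test-RDWebAppSettingValue -Key $key -Value $wanted)) {
            $status = 'InvalidValue'
        }
        elseif ($current -eq $wanted) {
            $status = 'Unchanged'
        }
        elseif ($Apply) {
            Set-WebConfigurationProperty -PSPath $PagesApp `
                -Filter "/appSettings/add[@key='$key']" -Name 'value' -Value $wanted
            $status = 'Changed'
        }
        else {
            $status = 'WouldChange'
        }
        [pscustomobject]@{
            Setting = $key; Current = $current; Desired = $wanted; Status = $status
        }
    }
}

# Dry run first; add -Apply once the report looks right.
Update-RDWebAppSetting | Format-Table -AutoSize
# Update-RDWebAppSetting -Apply | Format-Table -AutoSize
```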

Forcing the security setting to Public
I’ve consulted for organizations that needed to force every Web Access interface (Outlook Web App, RD Web Access, etc) to the public security setting.
For RD Web Access 2012 R2 there’s no Application Setting to do that.

We need to fix two things to be able to force users to the public setting without a means to change it.

Open “login.aspx”.
Change lines 523, 532, 536, 556, 576 and 587 from
RDS Customize Web Access - login page 31
to
RDS Customize Web Access - login page 32
These changes will effectively hide the user interface for changing the security setting.
Save the file.

Open “webscripts-domain.js” and move to line number 14:
RDS Customize Web Access - login page 33
Change this line to:
RDS Customize Web Access - login page 34
This change will force the code to always configure for public mode.
Save the file.

Refresh or open the Web Access page and you’ll see the interface options for choosing a security mode are gone.
RDS Customize Web Access - login page 35
If you want to hide the grey dividers as well you’ll need to open “login.aspx” again.

Change lines 513, 516, 519, 597, 609 and 612 from
RDS Customize Web Access - login page 31
to
RDS Customize Web Access - login page 32
These changes will effectively hide the grey dividers and move the Sign in button up.
Save the file.

Refresh or open the Web Access page and you’ll see the interface is much cleaner now.
RDS Customize Web Access - login page 36

Customizing the disclaimer
The Web Access login page shows a disclaimer upon opening:
RDS Customize Web Access - login page 37
You can replace this text with a text provided by your organization’s legal department, or you can choose to clear it.

Open “login.aspx” and move to line number 41:
RDS Customize Web Access - login page 38
You can change the text to whatever you like and it will show that as a disclaimer.
For this example I changed the line to:
RDS Customize Web Access - login page 39
Save the file.

Refresh or open the Web Access page and you’ll see the “disclaimer” is now gone.
RDS Customize Web Access - login page 40
It’s not really gone of course. There’s just no text to show anymore.

And that concludes the post. Everything that’s customizable without adding new functionality or without touching “Branding” is now explained.

In the next post in the series I will focus on customizing the default page, the page that’s shown after a user logs on. In the post after that one I will focus on Branding the entire Web Access interface.


25+ years experience in Microsoft powered environments. Enjoy automating stuff using powershell. In my free time (hah! as if there is any) I used to hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). Recently I picked up my Lego addiction again.

103 comments on “Step by Step Customizing RD Web Access 2012 R2 – Part 1”
  1. beamex says:

    Reblogged this on BeameX Place – Ramblings on Microsoft Technology and commented:
    Great article on customizing RD Web Access

  2. I changed the lines you say to remove domain prefix requirement.

    I’m able to log on using only the username but then no RemoteApp is working. If I log on using “domainname\username” then everything works fine. Any idea?

    • Arjan Mensch says:

      Hi Antonio,
      I’ve been trying to reproduce your situation during the weekend, but to no avail. I have no idea why this behaves the way it does in your situation. Are you trying to implement a default domain in an existing situation, or have you installed a lab following my post?

      • I have exactly the same problem as “webbingaway”. I didn’t install the lab following your post. It was a 2012 environment which was upgraded to 2012 R2.

        I have 2 RDSH, 1 RDCB and 1 RDGW/WA server. The RDGW/WA is on a different domain than the other ones.

    • X2Dojo says:

      Make sure the domain name is all upper case. I had similar issue and now it’s fixed. Thank you!

  3. Klaus Carette says:

    I too have this problem. I can login without domain name (only username), but when I launch an application, it gives me an error that my credentials are not working. The given username is without the domain, so if I click on “change user” and modify this to domainname\username, then my remote app launches

    • Arjan Mensch says:

      Hey Klaus.

      Can you try the connection again from a machine that has never connected to the web interface, or delete all cookies. I think this may have to do with cookies being created.
      I tested this post on a new lab setup and it works without extra settings or modifications.
      When you connect to the web interface which is unmodified, and then log in, a cookie is created, and maybe this cookie is reused when you log in after you have done the modifications? I can’t confirm this yet, so please try to connect using a cookieless machine first.

  4. maxemilianhilbrand2013 says:

    Thank you for this article. The next step would be to secure RD Web Access.

    Cyberarms offers a security agent for RDweb, which avoids brute force or dictionary attacks, and password guessing. This might be worth a look. There’s also a free download on the website which is sufficient for small installations or unknown urls.

    See how to configure the RDWeb Security Agent here:

    best regards


  5. fiza says:

    Excellent. Exactly what I needed.

  6. […] might find these articles interesting if you want to brand & customise the RDWeb experience. Step by Step Customizing RD Web Access 2012 R2 – Part 1 | msfreaks Fix my IT system: Customise RDS Web access login […]

  7. webbingaway says:

    Excellent article.

    However, changing the login.aspx, password.aspx files does not seem to affect anything – when I open the browser it all looks in its “default” form. What am I doing wrong?

  8. webbingaway says:

    I’ve edited the domain name away as you’ve suggested, including adding my domain into the .js file. I can now login to the RDWeb interface just using my username, with no problem.

    However, when trying to launch any published app, the remote app fails, saying: “Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance”.

    If I sign out and then sign in – but with a full DOMAIN\USERNAME – it works.

    Any thoughts?

    • Arjan Mensch says:

      Hello webbingaway,

      Interesting, since you’re not the first person to mention this. In earlier tests to resolve this issue I thought it was a cookie-related problem.
      Can you please try again, but this time use in-private browsing or delete all cookies first, or use a different browser / machine?
      The code leads me to believe that the actual starting of apps happens based on a cookie that is assigned on the logon.aspx page. This cookie contains the username which, if you logged on using “domain\username” in the first place, is based on “domain\username”, which will result in “domain\domain\username” since you hardcoded the default domain using the methods in this post.

      • webbingaway says:

        I’ve tried both InPrivate browsing and deleting all cookies – no change in behavior. This reproduces on a different computer. Using browsers other than IE works – FF and Chrome just download an RDP file that launches MSTSC, then you enter your login details and it works, the same way as it had always.

        An interesting observation when using IE:
        Whenever I click on a published app icon, first I get a warning window that alerts me the publisher is unknown (the program could harm your computer etc..) and allows me to click “Connect” to continue. On this same window, I can choose which local resources I want to allow remote access to (clipboard, drives, printers etc) – on the very bottom of this window (titled “RemoteApp”) the system indicates how it is going to try to login:
        “Use the following credentials to connect:”

        When I’m entering the domain name, it shows there DOMAIN\USER and it works fine. When I’m only entering the username, it shows there only the username. Therefore, it seems that the domain name is in fact not transferred at all to the RemoteApp connection (so the case seems not to be DOMAIN\DOMAIN\username )

      • Arjan Mensch says:

        Hi webbingaway,
        When this was first mentioned I had to rebuild my lab in a hurry to test this, and I think I have tested it from a domain member. That would explain the differences in behaviour. I’ll rebuild the lab soon, and figure this out from a non-domain member. More news, and probably a solution, soon.

  9. Chris Edge says:

    This is exactly what we needed and I am looking forward to the next article on branding. Thank you.

  10. Joe says:

    Hi, I used this to remove the Domain\Username requirement so users only have to enter their username to make things simple. This works well internally, however when a remote user on the internet connects to the WA\GW (both roles on same server) they can login fine with just Username however apps fail to load; I’ve found when telling users to enter DOMAIN\Username apps load fine. Any ideas what I have to do to make login not need domain for internet users?

  11. Joe says:

    This has worked well as a workaround changing webscripts-domain.js as mentioned in another forum:

    In this instance the domain is called CHARLYMONKEY.

    if ( objForm != null )
    strDomainUserName = objForm.elements("DomainUserName").value;

    // add default domain…
    if ( strDomainUserName.indexOf("\\") == -1 )
    strDomainUserName = "CHARLYMONKEY\\" + strDomainUserName;
    objForm.elements("DomainUserName").value = strDomainUserName;

    strPassword = objForm.elements("UserPass").value;
    strWorkspaceId = objForm.elements("WorkSpaceID").value;

    • Arjan Mensch says:

      Hi Joe,
      The issue with my solution is that it indeed only seems to work from machines that are in the same domain as the RD Web Access server.
      The workaround you mention works, I found it as well, but it changes the text field in which you enter your username to reflect DOMAIN\USERNAME, so in this case, if your username is jklaas, and you would enter a wrong password, the text field for username would be filled with “CHARLYMONKEY\jklaas”.
      Even though this works, it’s by no means a clean solution. I’m still waiting to find some time to do a rewrite of that part. As soon as I find some I will create a clean solution for this problem.
      Thank you for your contribution!

  12. Arjan Mensch says:

    To all who had problems with this article when removing the requirement to enter a domain name.
    It turns out that in 2012R2 the authentication functions are now no longer in a single file, but in 2 files. Only editing the first file works for domain joined machines only.
    If you look at the article again you can see I’ve added more code in the first file, and modified the second file to be able to remove the requirement to enter a domain name for non domain joined machines as well.
    The workaround Joe posted here works as well, but I think it’s a nasty fix for reasons I mentioned in my reply to his comment.
    I apologize for any inconvenience this incomplete customization may have caused.

  13. webbingaway says:

    Arjan, thanks a lot for your effort. Very kind of you, but no apologies needed :)
    I’ve implemented your suggested solution and it works great!

  14. joe says:

    Thanks Arjan! Have updated our system with this and works really well, will also save all the user confusion when they type a wrong password and wonder what the heck the domain part is on their username :)

  15. Lars Kvorning says:

    Thank you for your articles here. I will post my experience.
    Changes made exactly as described in the files login.aspx, webscripts-domain.js and renderscripts.js. Both computers non-domain joined and login without domain name. Browser is IE 11.
    Windows 7 says when I launch a Remote App: “Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance”.
    Windows 8.1 works perfectly when I launch a Remote App.
    So it works on Windows 8.1 and not on Windows 7.

  16. Lars Kvorning says:

    Thank you all. Now I have updated my Windows 7 test-PC with the updates and in this order:
    1. 2592687
    2. 2574819
    3. 2857650
    4. 2830477
    5. 2913751 (only if SmartCard is used)
    6. 2923545

    The RDP now says version 6.3.9600

    When I login without domain and only with a username it shows my Remote Apps. When I click on a Remote App I get a Windows Security box asking for my credentials and it only accepts my password if I use “domain\username”-format.
    So I am back to scratch.

  17. Erich Roneree says:

    I followed the changes you outlined on Win Server 2012 R2 and it works perfectly for login.aspx, but the password change does not work. For the life of me I can’t find the difference. Do you have any suggestions for modifying password.aspx to make it not need the domain name?

    • Arjan Mensch says:

      Hi Erich.
      It seems the password page needs an extension to the code on login.aspx. When I finally find some time to work on this blog again, I’ll dig into it.

  18. Jamie says:

    I am in the same boat. Worked great on login but on password reset it still requires domain name or it doesn’t work. I looked everywhere and can’t seem to find it.

    • Arjan Mensch says:

      Yes, it’s the same here. Password change uses code from the tsportalweb dll I think. I’ll look into it when I finally find some time for content on this blog.

  19. Nick says:

    Excellent post. You have no idea how many calls to the helpdesk you saved us simply by removing the need to type in the domain. People are definitely going to get used to it though. I look forward to an update on how to do the same to the Password Change page.

  20. joe says:

    Any update with the password change, would perfect my web access page :)

  21. Roberto Del Vecchio says:

    I followed your directions and I almost have everything the way I want. I had a question about SSO. Can you use Windows 7 RDP with Server 2012 R2 SSO? If so how do you configure it?

  22. Mike says:

    Hello Arjan,
    I share the sentiments of many others here- thanks so much for your work on removing the domain name requirement from the web pages. It makes things so much easier! Makes you wonder why they don’t have an easy way to do this built into Server Mgr.

    So one issue we do have is remote users with older OS’s like XP. When the RDP client opens, it asks them to log in and requires the domain to be filled in. Do you know of any way to eliminate the domain requirement when logging in with older RDP clients?

  23. Bruno says:


    Thank you for the post!

    Is there a way to change “Work Resources” text? I tried to change the text in line 14 under string L_CompanyName_Text = “custom text” but the change is not reflected.



  24. Gary says:

    Newbie here. Can this also be used with 2008r2? I just started and happened to run across this posting.


    • Arjan Mensch says:

      Hi Gary,
      Short answer is no.
      Long answer: yes, it is possible to do the same on 2008r2, just not with the code or edits I show here. It won’t even work on 2012. It’s for 2012R2 only.

  25. Sharjeel Khan says:

    Hi Arjun

    I am totally new to server RDWeb. I want to connect to RDWeb page linked from my website. Only authorized user can come to this link so there is no security issue to come on RDWeb page. Only the problem is:
    I don’t want this link to open directly but through my link page. Suppose on my website i have and there is a link to my RDWeb page I don’t want this link open directly from internet.
    Very similar as we use sessions in PHP to connect the page through previous page so that user cannot open that page directly.

    I just put any type of synchronization that can avoid direct opening of any solutions?


    Khan Sharjeel Hayat

    • Arjan Mensch says:

      Hi Khun,
      I think the only way you can accomplish this is to add code to default.aspx in the RDweb structure, which detects which URL the user comes from and then redirects the user to some other page if he did not come from your portal website.

      • Khan Sharjeel says:

        Hello Arjan,

        Thanks for telling. I tried to put in login.aspx but it gave error as I just know about PHP sessions. If you can help me in writing a piece of code for this solution, it will be a great highness of you.

        Thank you very much.

      • Arjan Mensch says:

        Hi Khan,
        Google and Bing need to help you out here, I have no time in my schedule to code someone else’s projects, sorry.

  26. Andy says:

    Hello – We are a small school. I have the kids and staff accessing their files remotely via windows 2012 R2. When they access their files from the folder share, it come up in as Metro as default. I want the folders and files to appear in list/details as it’s WAYYY quicker. Any thoughts on how to make this change permanent? It’s hard to tell non-tech staff to click the button (that’s not labeled) in the upper right corner. Thanks Andy

    • Arjan Mensch says:

      Hi Andy,
      Even though it’s out of scope, you can change view settings, or prevent thumbnails from being generated, using Group Policy. I think it’s the setting “Classic Shell” but not sure. Bing would be your friend here.

      • Andy says:

        Hi Arjan – To be more clear, they are accessing their files from home when they are not at school via Once they login to the server 2012 R2 “Cloud” they then get the default metro look. I wouldn’t think that Group Policy has anything to do with this, but if you can reconfirm your previous statement, that would be great. I have been Binging for months and this blog is all I have found that’s close.

      • Arjan Mensch says:

        Hi Andy,
        I was under the impression they are presented with the RDS Web Access page, in which applications are presented, and they click the File Explorer icon, which in turn opens a folder which was “slower”.
        I now understand they log in, click Remote Desktop or something like that and are presented with the new start menu full of tiles?
        That startmenu can not be turned off. You can however, make it so the users don’t start in the startmenu, but on the desktop. This is indeed a policy setting. As soon as the user presses the windows key or clicks the windows logo, they are again presented with the new startmenu (tiles layout). You can also (policy again) redirect your users to the “all apps” section of the modern startmenu, if that is more convenient.

      • Andy says:

        This is the view I want my users to see.

        They are currently seeing a “Metro” view, which I don’t know how to change from.

      • Arjan Mensch says:

        Hi Andy,
        That is the Windows Server Essentials web interface. Can’t help you with that.

  27. Alex says:

    Hey everyone, quick question. I’ve opened the login.aspx file in notepad to get rid of those grey lines but I’ve noticed that my file only contains 585 lines of text.

    Would this indicate my install of IIS or the RDS was not clean?

    I’m working in Server 2012 if that adds any insight to why the file may contain less lines.

    Thanks much!

  28. Ross says:

    Hi, we are running Server 2012 R2. Users log in to RDWeb, and once authenticated are presented with a Remote Desktop icon, which they launch to RDP to the RD session hosts. I followed this guide and it did successfully remove the domain prefix for RDWeb. I was able to log in to RDWeb with just my username and no domain prefix.

    However, this broke SSO. So, I can log in to RDWeb with no domain, but when I click the RDP icon in RDWeb to launch RDP session, I now get prompted for credentials, and have to enter domain\username.

    Is there a way to have the domain passed through so SSO still works? When I revert back to backup files of login.aspx, renderscripts.js, and webscripts-domain.js SSO works again. Thank you.

    • Arjan Mensch says:

      Hi Ross,
      As I’m getting more and more questions about this, I suspect that maybe some Windows Update broke this.
      At the time of writing these scenarios have been tested thoroughly and were working.
      When I find some time I will rebuild this lab and see what is broken and how to fix it.

  29. Reiner Vossmann says:

    hi Arjan,
    your article is fantastic. I have got one question: is it possible to advise the Web Interface to insert the “gatewayusagemethod:i:1” in the RDP file which is transferred and executed on the client? Background is that the Web Interface of the Gateway should insert gatewayusagemethod:i:2 -> always use Gateway, and the “internal” Web Interfaces should build RDP files which contain gatewayusagemethod:i:0 -> which means don’t use a Gateway. So internal users will not use a Gateway, but external will! Thank you!

  30. Share says:

    Hello Arjan!
    Could you tell me what I should change to set up “Private” mode as default, not public?
    Thank you very much for your posts!

    • Arjan Mensch says:

      Hi Share,
      Follow the guide above until you get to the part that says
      Open “webscripts-domain.js” and move to line number 14:

      Change that line to

      var bPrivateMode = true;

      Untested, but that should do the trick for you.

      • Share says:

        Hi Arjan,
        Yes, it works! Thank you.

        Could you tell me, will you publish customization like changing the design of the default logon page?
        I want to add a company logo or something else.

      • Arjan Mensch says:

        Hi Share
        If it’s just logos and colors you want to change, that’s actually pretty easy. Check out That’s my live webaccess, not my labs.
        For a guide to get you started have a look here:

      • Share says:

        Great design :)

        Arjan, sorry, I made a mistake. I tried to test on another PC – private mode doesn’t work. I didn’t hide the security block and I can see which mode is selected


        var strPassword = "";
        var strWorkspaceId = "";
        var strWorkspaceFriendlyName = "";
        var strRedirectorName = "";
        var strRDPCertificates = "";
        var bPrivateMode = true;
        var strTimeout = "0";

        Maybe I should change code in another line or in logon.aspx?

        PS many thanks for your quick answers!

      • Arjan Mensch says:

        Hi Share.
        Unfortunately, I don’t know why that won’t work for you. It’s the only place you can force that variable to be true.

      • Share says:

        I think I found the solution –

        line number 178 –
        I’m testing next changes
        var bPrivateMode = document.getElementById("rdoPrvt").checked;

        var bPrivateMode = document.getElementById("rdoPrvt").checked=true;

  31. Shimon Adimor says:

    Hi Arjan,
    I have a full cloud environment in production, and I have used many of your posts so it has been VERY helpful to say the least.
    Recently I came across an issue which sounds strange, and I am looking for a possible explanation.
    A user tries to login to the cloud, and gets a message that the user or password is invalid. The user is 100% sure that the password is correct, and even though they try it many times the account doesn’t get blocked.
    The surprising solution is here – if the user chooses to change the password (using the password that is allegedly invalid as the original) the user is allowed to change the password and then able to login with the new password.
    This happens a few times a month to different users since this cloud went live.
    Any idea how I can troubleshoot such an issue and get some kind of possible reasoning?

    • Arjan Mensch says:

      Hi Shimon,
      Several routes come to mind.
      Log on to your webaccess with an account that works using Firefox or Chrome.
      If you click an app or published desktop that browser will download the RDP file instead of launching it. Give this RDP file to the user with the problem when it happens again, and see if he / she can connect using the RDP file when he / she can’t login to the webaccess.
      Ask the user to clear any cookies or even reset the browser settings to defaults. Might be he / she has changed settings in cookies or advanced settings or whatever.
      Ask the user if he / she can try from a different machine using the same credentials.
      Ask the user if he / she can try using UPN or domain\username to log on (let him / her use every option you allow through webaccess).
      Check the IIS logs for the username and see what IIS thinks of the whole thing.

      These routes should all exclude one or another possibility.

      Let me know if you manage to find a solution.

      • Shimon says:

        Hi Arjan,
        It takes time until I get such an issue and try to deal with it…
        First – I can’t use the RDP for sure as it’s less secure, so RD WEB Access is the only route allowed.
        Second – Trying to login from a different machine gave the same result. Also resetting IE to default doesn’t make any difference.

        I’m lucky to only get very few of these each month. When I reset their password again and force them to change it, they are able to change it successfully.
        Could be a user error, but I don’t believe this is the case.

        But here’s another strange issue: Recently I started to get calls from users who received password expiration notice, and when they tried to change it – they get “Invalid user name or password” even though the credentials they used were working fine before.
        Any known issue here?

      • Arjan Mensch says:

        Hi Shimon,
        The RDP file which you download using the method I describe is the same as when you use webaccess. It still utilizes the Gateway, and it still requests the user’s credentials when you start the RDP. It is just as safe as logging into webaccess and starting the RDP.
        Other than that, this is not a known issue and it has not happened to me before.
        Do the IIS logs mention anything? Or the eventlogs on the WebAccess / Gateway server? Perhaps even the Security logs on the domain controllers.

  32. cyclingfan says:

    I’m trying to edit the login.aspx file and it won’t save. It asks me to check if the file is open in another program.

    • Arjan Mensch says:

      Hi cyclingfan,
      Since it’s a file in your windows folder structure you need to run the program that you use to edit the files (probably Notepad or Notepad++) as an administrator, then open the file you want to edit, then edit it, then save it.

  33. Ben Hooper says:


    Is there a way to customize Windows Server Essentials’ Remote Web Access (RWA) to allow logon using the User Principal Name (UPN) aka email address format?



  34. David says:

    Firstly great guide it’s helped me a lot.
    I know this is a bit old now and you may not see it but I can’t for the life of me figure out how to hide the RDWorkspace name text “Work Resources”. I know I can change it but I want to just hide it. I’ve googled around loads and everyone just says how to change it. I notice in your live example it’s gone. Could you enlighten me please?


    • Arjan Mensch says:

      Hi David,
      If you just want to hide that text you need to remove lines 124-126 in the site.xsl. If you want to hide the whole header including the computer icon, and the text “RemoteApp and Desktop Connection” you need to remove lines 109-138.

  35. Chris says:

    Have you had any success embedding the xsl into the separate aspx files rather than having them reference it? We’re deploying this as part of our SSL VPN web portal (yes I know about the rd gateway) and it’s having a fit about cross domain scripting because of the ssl vpn proxy. I wanted to try embedding the xsl within the pages, but am getting stuck….

    • Arjan Mensch says:

      Hi Chris,
      I have never had to do that. I don’t think it can be done. It would make things static if you could. Every setting that changes or new published apps would force you to recreate stuff I think.

  36. Hi Arjan

    First, thanks for your awesome guide.
    Is there a way to have a “user account locked” warning on the Web Access Portal page? The “password expired” warning works great but in some cases the user is not able to login and it would be useful for them and the helpdesk to know from the Web Access page that this is because the account is locked.

    • Arjan Mensch says:

      Hi Camilo,
      That’s not possible. If the login fails, for whatever reason (account locked, account does not exist, wrong password, etc) it just reports back that authentication failed. And this results in the default error message “Username or Password not valid”. There’s no way to differentiate on the actual reason for failing. The ExpiredPassword is an exception to this rule and is handled in a different way.

  37. Sharapov says:

    Is there any way to display on the page some sort of warning that will tell users the number of days (14 for example) before their password will expire?

    • Jeremy says:

      Default Domain Policy setting for that – Computer Configuration \ Windows Settings\Security Settings\Local Policies\Security Options\ Interactive Logon: Prompt user to change password…..

      • Sharapov says:

        This setting will prompt user when user logs in to the domain from computer. RDWeb does not display warning that password will expire in X days. Does anybody know if it is possible to display this warning on the login page after user logs in into RDWeb App portal?

      • Arjan Mensch says:

        Hi Sharapov,
        It is possible, but you will need to make the modifications yourself.
        In the same way I build the “Display Name” modification, you could retrieve the remaining days for your password from Active Directory.

      • Sharapov says:

        Hello Arjan,

        Thank you for the tip. I tried to change your function that you wrote for your “Display Name” modification. I changed the following 2 lines:



        return (results != null && results.Count > 0) ? Uri.EscapeDataString(results[0].Properties["msDS-UserPasswordExpiryTimeComputed"][0].ToString()) : string.Empty;

        However, instead of 2 digit number of days left before password expiration I get 18 digits number. I know that those numbers represent milliseconds. I searched Internet high and low but couldn’t figure out how to convert it to 2 digits. Can you help?

        If you could write another article describing how to add expiration password warning to RDWeb page, I’m sure a lot of Internet users will be very thankful to you.

        Thank you

      • Arjan Mensch says:

        Hi Sharapov,
        I’m not great at those functions either, but an easy way would be to divide the number that is returned from AD by 864000000000.
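
Added example, not part of the original post or comments: msDS-UserPasswordExpiryTimeComputed holds the expiry moment as a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), so the days remaining come from subtracting the current time from it. The class and method names are hypothetical, and it assumes the raw value has been read from the search result as a 64-bit integer, for example with Convert.ToInt64 on the property value used in the line quoted above.

```csharp
using System;

// Added example; not code from the original post or its comments.
public static class PasswordExpiry
{
    // rawFileTime is the msDS-UserPasswordExpiryTimeComputed value: a Windows
    // FILETIME giving the moment at which the password expires.
    // Returns null when the password never expires, 0 when it has already
    // expired or must be changed at next logon, otherwise whole days remaining.
    public static int? DaysUntilExpiry(long rawFileTime, DateTime utcNow)
    {
        // 0x7FFFFFFFFFFFFFFF: password never expires (account flag or no maximum age).
        if (rawFileTime == long.MaxValue) return null;

        // 0: pwdLastSet is 0, so the user must change the password at next logon.
        if (rawFileTime <= 0) return 0;

        DateTime expiresUtc;
        try
        {
            expiresUtc = DateTime.FromFileTimeUtc(rawFileTime);
        }
        catch (ArgumentOutOfRangeException)
        {
            // Value beyond DateTime.MaxValue: treat as non-expiring instead of failing the page.
            return null;
        }

        double days = (expiresUtc - utcNow).TotalDays;
        return days <= 0 ? 0 : (int)Math.Floor(days);
    }

    public static void Main()
    {
        // Constructed sample values, not real directory data.
        DateTime now = new DateTime(2020, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        long expiresInThirteenAndAHalfDays = now.AddDays(13.5).ToFileTimeUtc();

        Console.WriteLine("expiring soon: {0}", DaysUntilExpiry(expiresInThirteenAndAHalfDays, now));
        Console.WriteLine("never expires: {0}", DaysUntilExpiry(long.MaxValue, now).HasValue);
        Console.WriteLine("must change:   {0}", DaysUntilExpiry(0, now));
    }
}
```

The never-expires check matters on this page in particular: passing that value straight to DateTime.FromFileTimeUtc throws, which would break the page for service or kiosk accounts.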

  38. Jeremy says:

    I constantly get this message. I have not used a past 6 passwords when trying to change. Server is getting my domain policies just fine. Not using complexity, Length is 6 chars

    Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password.

    • Arjan Mensch says:

      Hi Jeremy,
      Other than advising you to check all code modifications, I cannot help you with that error.
      For your audit question:
      It is within the user’s context itself, just like normal NTUSER credential password changes.

  39. Jeremy says:

    Also, when a password is successfully reset, from an auditing perspective what account is being used to do the actual reset of the user’s password? I have not delegated any accounts to grant the ability for this server or services to do that task in my AD. Is there a log?

  40. Martin Boudreau says:

    Amazing article, thank you. Following your guide, I was able to customize my Windows Server 2016 RD Web Access. I needed to force the security setting to Private mode and was able to achieve this with your guide.

  41. darwinbrewer says:

    Is it possible to have a tree view on the rd web page instead of the icons?

  42. Frank Curatolo says:

    I am having an issue hiding the grey dividers in 2016

  43. John Carver says:


    Thanks for all the help thus far. I am not sure if you still watch this post, but I have a question about the password reset piece. Is there a way to reset the password without knowing the current password? I am trying to limit the calls to support for unknown password resets. We can do it in AD, but it would be great if the user could do it themselves!

  44. taro says:

    Allowing or forcing users to change their password: Is it possible if my RD Gateway is in a workgroup? That is, I need this provision to change the local account password created on the RD Gateway server itself. (Not RDSH)

  45. Allan Lace says:

    Do you know how well this translates from Server 2012 to Server 2016? I’m attempting to replicate the process on a Server 2016 platform & the RD Web portal is still wanting to prefix with the domain
