This is the first post in a series that focuses on customizing the RD Web Access 2012 R2 interface.
This post will not focus on Branding, I will address that in later posts.
Update: It turns out the option to remove the necessity to enter the domain name only worked on domain joined machines. I’ve added an extra part there to make this work on non-domain joined machines as well. I apologize for any inconveniences this may have caused.
Update: the second post in the series is published, which focuses on customizing the first main page. Read it here.
Update: the third and final post in the series is published, which focuses on customizing the second main page. Read it here.
First up is customizing the RD Web Access login page. We’ll be editing stuff, using the Application Settings in Internet Information Services manager (IIS Manager), we’ll be hiding / un-hiding stuff. Let’s get started!
For this entire post I’ll refer to a user which I created:
The user’s NT Account is “ITW\jklaas” and it’s UPN (User Principle Name) is “jan.klaassen@it-worxx.nl”, which is also the email address for this user.
By default all the files related to the Web Access interface can be found in %windir%\web\rdweb\pages\<language-code>.
This will also be the folder where we’ll do most of the customizing that’s discussed in this post.
Before we continue, make a backup copy of this entire %windir%\web\rdweb\pages folder.
I found that editing these files was easiest using an advanced editor like Notepad++, switching it’s code language to C#, and turning off the spelling checker if it’s enabled. You can download Notepad++ for free here: http://notepad-plus-plus.org/.
The default Web Access interface login page looks like this:
As you can see, the interface by default expects the user to enter the username in the NT Account format, e.g. Domain\user name.
Removing the domain prefix requirement from the Web Access interface
UPDATE: After several updates and fixes to this method I decided to create a dedicated post for this. You can find this post here.
Forcing users to use the User Principal Name / email address for logging on
If you customized the domain name earlier in this post, restore “login.aspx” and “webscripts-domain.js” from the backup copy we made earlier.
If you publish the Web Access interface for a shared platform you can force users to use the UPN. Service Providers usually set the UPN to reflect the user’s email address.
This works by default in the Web Access interface, but the text label shows “Domain\user name” and the user is still able to use the NT Account to logon.
So we need to fix two things: the text on the label, and some code to accept only the UPN format.
Open “login.aspx” and move to line number 19:
This line holds the text for the label.
Change this line to:
Or replace “Email address:” with the custom text you prefer.
This changed the label text to ask for UPN, or email address.
Note: you need to make the same change on line 19 in “password.aspx” if you plan to allow or force users to change their password through the Web Access interface.
You might want to consider changing line 27:
You could change “The user name” into “The email address” for example.
If you plan to allow password changes through the Web Access interface, you might want to change the same text on line 29 in the “password.aspx” file.
And back to “login.aspx” on line 28:
You could change “domain name” into “email address”.
Save the file.
Open “webscripts-domain.js” and move to line number 44:
Change line 44 to a commented line:
Do this by entering “//” at the start of each line.
Next go to line 46:
Change this line into:
That’s it. Test your adjustments by reloading the page. You will only be able to login with a valid UPN now.
If you try to logon using the NT Account you’ll be presented with an error:
Allowing or forcing users to change their password
If you’ve created a new user you may consider to force the user to change his or her password upon first logon, or you might want to offer the user to change his or her password when it has expired.
On the RD Web Access server open Internet Information Services Manager (IIS Manager).
Expand the tree on the left and click Pages, then double-click Application Settings and select PasswordChangeEnabled. Notice its value is “false” by default and click Edit to change it to “true”. This change is immediate, without the need to restart IIS.
Refresh or open the Web Access page and log on with a user account that has its password expired or Change on first log on enabled:
Clicking the “here” link opens a new page:
Customizing the “Help” link
By default users are presented with a Help link in the top right corner of the user interface:
And clicking the link pops up a new window which by default shows the content from http://go.microsoft.com/fwlink/?LinkId=141038:
You can easily switch to a local file, which is located on your RD Web Access server.
On the RD Web Access server open Internet Information Services Manager (IIS Manager).
Expand the tree on the left and click Pages, then double-click Application Settings and select LocalHelp. Notice its value is “false” by default and click Edit to change it to “true”. This change is immediate so there’s no need to restart IIS.
Refresh or open the Web Access page and click the Help link:
It now shows a new window with the contents of the rap-help.htm file.
You can customize this file if you want.
If you want to point the link to a totally different location you need to edit “login.aspx”.
The logic for defining the help pages starts on line 84:
Change line 87 if you want to use a different file to show your users, and change line 91 if you want to use a different external URL.
Note: these Help entries are specific to the login page. The main page has a Help link as well, but this will be addressed in the next post in this series. This means that you could specify different Help content for the login page if you wish.
Note: if you change the Help entries in the “login.aspx” file, you must make the same changes in the “password.aspx” file if you plan to allow password changes through the Web Access interface.
Hiding the “Help” link on the login page
If you want to hide the Help link on the login page you need to edit %windir%\web\rdweb\pages\site.xsl.
Go to line 152:
Change this line to look like this:
And change line 154 to look like this:
The result of these two changes should look like this:
Making these two changes turns the code to display the link into a comment and thus hidden.
Save the file.
Refresh or open the Web Access page and you’ll see the link is gone.
Note: this removes the link from the login and password pages only. After logging in you’ll see the link is still there on the main page. Removing or customizing that link will be addressed in the next post in this series.
Customizing the security setting session timeouts
By default the user is presented with a choice in security settings:
The public computer setting session timeout is 20 minutes, and the private computer setting timeout is 240 minutes. These timeout settings are configurable.
On the RD Web Access server open Internet Information Services Manager (IIS Manager).
Expand the tree on the left and click Pages, then double-click Application Settings and select PrivateModeSessionTimeoutInMinutes or PublicModeSessionTimeoutInMinutes. Click Edit to change the default value to something you prefer or something that your organization enforces.
These changes are immediate, without the need to restart IIS.
Forcing the security setting to Public
I’ve consulted for organizations that needed to force every Web Access interface (Outlook Web App, RD Web Access, etc) to the public security setting.
For RD Web Access 2012 R2 there’s no Application Setting to do that.
We need to fix two thing to be able to force users to the public setting without means to change it.
Open “login.aspx”.
Change lines 523, 532, 536, 556, 576 and 587 from
to
These changes will effectively hide the user interface for changing the security setting.
Save the file.
Open “webscripts-domain.js” and move to line number 14:
Change this line to:
This change will force the code to always configure for public mode.
Save the file.
Refresh or open the Web Access page and you’ll see the interface options for choosing a security mode is gone.
If you want to hide the grey dividers as well you’ll need to open “login.aspx” again.
Change lines 513, 516, 519, 597, 609 and 612 from
to
These changes will effectively hide grey dividers and moves the Sign in button up.
Save the file.
Refresh or open the Web Access page and you’ll see the interface is much cleaner now.
Customizing the disclaimer
The Web Access login page shows a disclaimer upon opening:
You can replace this text with a text provided by your organization’s legal department, or you can choose to clear it.
Open “login.aspx” and move to line number 41:
You can change the text to whatever you like and it will show that as a disclaimer.
For this example I changed the line to:
Save the file.
Refresh or open the Web Access page and you’ll see the “disclaimer” is now gone.
It’s not really gone of course. There’s just no text to show anymore.
And that concludes the post. Everything that’s customizable without adding new functionality or without touching “Branding” is now explained.
In the next post in the series I will focus on customizing the default page, the page that’s shown after a user logs on. In the post after that one I will focus on Branding the entire Web Access interface.
Arjan
30+ years experience in Microsoft powered environments. Enjoy automating stuff using powershell. In my free time (hah! as if there is any) I used to hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). Recently I picked up my Lego addiction again.
Arjan Mensch
msfreaks 
Reblogged this on BeameX Place – Ramblings on Microsoft Technology and commented:
Great article on customizing RD Web Access
I changed the lines you say to remove domain prefix requirement.
I’m able to log on using only the username but then no RemoteApp is working. If I log on using “domainname\username” then everything works fine. Any idea?
Hi Antonio,
I’ve been trying to reproduce your situation during the weekend, but to no revail. I have no idea why this behaves the way it does in your situation. Are you trying to implement a default domain in an existing situation, or have you installed a lab following my post?
I have exactly the same problem as “webbingaway”. I didn’t install the lab following your post. It was a 2012 environment which was upgraded to 2012 R2.
I have 2 RDSH, 1 RDCB and 1 RDGW/WA server. The RDGW/WA is on a different domain than the other ones.
Make sure the domain name is all upper case. I had similar issue and now it’s fixed. Thank you!
i Too have this problem. I can login without domain name (only username), but when i launch an application, it gives me an error that my credentials are not working. The given username is without the domain, so if i click on “change user” and modify this to domainname\username, then my remote app launches
Hey Klaus.
Can you try the connection again from a machine that has never connected to the web interface, or delete all cookies. I think this may have to do with cookies being created.
I tested this post on a new lab setup and it works without extra settings or modifications.
When you connect to the web interface which is unmodified, and then log in, a cookie is created, and maybe this cookie is reused when you log in after you have done the modifications? I can’t confirm this yet, so please try to connect using a cookieless machine first.
Thank you for this article. The next step would be to secure RD Web Access.
Cyberarms offers a security agent for RDweb, which avoids brute force or dictionary attacks, and password guessing. This might be worth a look. There’s also a free download on the website http://cyberarms.net which is sufficient for small installations or unknown urls.
See how to configure the RDWeb Security Agent here: http://cyberarms.net/security-insights/security-lab/rdweb-security.aspx
best regards
Max
Excellent. Exactly what I needed.
[…] might find these articles interesting if you want to brand & customise the RDWeb experience. Step by Step Customizing RD Web Access 2012 R2 – Part 1 | msfreaks Fix my IT system: Customise RDS Web access login […]
Hi!
Excellent article.
However, changing the login.aspx, password.aspx files does not seem to affect anything – when I open the browser it all looks in its “default” form. What am I doing wrong?
It looks like you’re not editing the right files. Make sure you edit the files in c:\windows\web\rdweb\pages\en-us and not the files in your backup copy?
You were right. I’ve made an unlikely beginners mistake..
I’ve edited the domain name away as you’ve suggested, including adding my domain into the .js file. I can now login to the RDWeb interface just using my username, with no problem.
However, when trying to launch any published app, the remote app fails, saying: “Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance”.
If I sign-out and the sign-in – but with a full DOMAIN\USERNAME – it works.
Any thoughts?
Hello webbingaway,
Interesting, since you’re not the first person to mention this. In earlier tests to resolve this issue I thought it was a cookie-related problem.
Can you please try again, but this time use in-private browsing or delete all cookies first, or use a different browser / machine?
The code leads me to believe that the actual starting of apps happens based on a cookie that is assigned on the logon.aspx page. This cookie contains the username which, if you logged on using “domain\username” in the first place, is based on “domain\username”, which will result in “domain\domain\username” since you hardcoded the default domain using the methods in this post.
I’ve tried both InPrivate browsing and deleting all cookies – no change in behavior. This reproduces on a different computer. Using browsers other than IE works – FF and Chrome just download an RDP file that launches MSTSC, then you enter your login details and it works, the same way as it had always.
An interesting observation when using IE:
Whenever I click on a published app icon, first I get a warning window that alrets me the publisher is unknown (the program could harm your computer etc..) and allows me to click “Connect” to continue. On this same window, I can choose which local resources I want to allow remote access to (clipboard, drives, printers etc) – on the very bottom of this window (titled “RemoteApp”) the system indicates how it is going to try to login:
“Use the following credentials to connect:”
When I’m entering the domain name, it shows there DOMAIN\USER and it works fine. When I’m only entering the username, it shows there only the username. Therefore, it seems that the domain name is in fact not transferred at all to the RemoteApp connection (so the case seems not to be DOMAIN\DOMAIN\username )
Hi webbingaway,
When this was first mentioned I had to rebuild my lab in a hurry to test this, and I think I have tested it from a domain member. That would explain the differences in behaviour. I’ll rebuild the lab soon, and figure this out from a non-domain member. More news, and probably a solution, soon.
This is exactly what we needed and I am looking forward to the next article on branding. Thank you.
Hi, i used this to remove the Domain\Username requirement so users only have to enter their username to make things simple. This works well internally, however when a remote user on the internet connects to the WA\GW (both roles on same server) they can login fine with just Username however apps fail to load; ive found when telling users to enter DOMAIN\Username apps load fine. Any ideas what i have to do to make login not need domain for internet users?
This has worked well as a workaround changing webscripts-domain.js as mentioned in another forum:
In this instance the domain is called CHARLYMONKEY.
if ( objForm != null )
{
strDomainUserName = objForm.elements(“DomainUserName”).value;
// add default domain…
if ( strDomainUserName.indexOf(“\\”) == -1 )
{
strDomainUserName = “CHARLYMONKEY\\” + strDomainUserName;
objForm.elements(“DomainUserName”).value = strDomainUserName;
}
strPassword = objForm.elements(“UserPass”).value;
strWorkspaceId = objForm.elements(“WorkSpaceID”).value;
Hi Joe,
The issue with my solution is that it indeed only seems to work from machines that are in the same domain as the RD Web Access server.
The workaround you mention works, I found it as well, but it changes the text field in which you enter your username to reflect DOMAIN\USERNAME, so in this case, if your username is jklaas, and you would enter a wrong password, the text field for username would be filled with “CHARLYMONKEY\jklaas”.
Even though this works, it’s by no means a clean solution. I’m still waiting to find some time to do a rewrite of that part. As soon as I find some I will create a clean solution for this problem.
Thank you for your contribution!
To all who had problems with this article when removing the requirement to enter a domain name.
It turns out that in 2012R2 the authentication functions are now no longer in a single file, but in 2 files. Only editing the first file works for domain joined machines only.
If you look at the article again you can see I’ve added more code in the first file, and modified the second file to be able to remove the requirement to enter a domain name for non domain joined machines as well.
The workaround Joe posted here works as well, but I think it’s a nasty fix for reasons I mentioned in my reply to his comment.
I apologize for any inconvenience this incomplete customization may have caused.
Arjan, thank a lot for your effort. Very kind of you, but no apolgies needed :)
I’ve implemented your suggested solution and it works great!
Thanks Arjan! Have updated our system with this and works really well, will also save all the user confusion when they type a wrong password and wonder what the heck the domain part is on their username :)
Thank you for your articles heir. I will post my experience.
Changes made exactly as described in the files login.aspx, webscripts-domain.js and renderscripts.js. Both computers non-domain joined and login without domain name. Browsers is IE 11.
Windows 7 says when I launch a Remote App: “Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance”.
Windows 8.1 works perfectly when I launch a Remote App.
So it works on Windows 8.1 and not on Windows 7.
Hi! I must admit my lab only has Windows 8 and 8.1 machines. Can you confirm the Windows 7 machines has all the RDP patches installed?
The version of the RDP client on the Windows 7 machines is 6.1.7601
I’m using RDP Client version 6.3.9600 on Windows 7 and having no problems.
There you have it Lars, try patching the RDP client on your Windows 7 machine and let us know how it goes.
Make sure you’re running SP1 already.
Then install this hotfix: http://support.microsoft.com/kb/2574819/en-us
Then install the RDP patch: http://support.microsoft.com/kb/2592687/en-us
I believe that would give you the correct version.
Arjan,
We have been updating our Windows 7 clients to 6.3.9600 in accordance with a useful matrix of the various RDP versions from http://camie.dyndns.org/technical/mstsc-versions/
Stage 1 – KB2574819 v2 x64
Stage 2 – 2KB2857650 x64
Stage 3 – KB2830477 x64
Stage 4 – KB2923545 x64
So could we skip stages 2 to 4 and use KB2592687 instead ?
No Chris, I would stick to the path you describe. Which seems more complete, and my path would probably not bring you to the same version. I used the two patches I mentioned not so long a go for a customer who was using Windows 7 clients to access remote apps from a 2012 farm, and those two patches did the trick there.
@Lars, probably best to follow the path Chris describes here.
Thank you all. Now I have updated my Windows 7 test-PC with the updates and in this order:
1. 2592687
2. 2574819
3. 2857650
4. 2830477
5. 2913751 (only if SmartCard is used)
6. 2923545
The RDP now says version 6.3.9600
When I login without domain and only with a username it shows my Remote Apps. When I click on a Remote App I get a Windows Security box asking for my credentials and it only accepts my password if I use “domain\username”-format.
So I am back to scratch.
I followed the changes you outlined on Win Server 2012 R2 and it works perfectly for login.aspx, but the password change does not work. For the life of me I can’t find the difference. Do you have any suggestions for modifying password.aspx to make it not need the domain name?
Hi Erich.
It seems the password page needs an extension to the code on login.aspx. When I finally find some time to work on this blog again, I’ll dig in to hit.
I am in the same boat. Worked great on login but on password reset it still requires domain name or it doesn’t work. I looked everywhere and can’t seem to find it.
Yes, it’s the same here. Password change uses code from the tsportalweb dll I think. I’ll look into it when I finally find some time for content on this blog.
Excellent post. You have no idea how many calls to the helpdesk you saved us simply by removing the need to type in the domain. People are definitely going to get used to it though. I look forward to an update on how to do the same to the Password Change page.
Any update with the password change, would perfect my web access page :)
Hi Joe,
I know I promised that, and that it’s a while ago as well.
So here you go: https://msfreaks.wordpress.com/2014/07/22/properly-removing-the-domain-prefix-requirement-from-rd-web-access-2012-r2/
I followed your directions and I almost have everything the way I want. I had a question about SSO. Can you use Windows 7 RDP with Server 2012 R2 SSO? If so how do you configure it?
Hi Roberto,
Yes, SSO will work from Windows 7 machines. If you have the correct RDP version installed.
For information on which version you can go to, and which patches you need to get there: http://www.c-amie.co.uk/technical/mstsc-versions/
Cheers
Hello Arjan,
I share the sentiments of many others here- thanks so much for your work on removing the domain name requirement from the web pages. It makes things so much easier! Makes you wonder why they don’t have an easy way to do this built into Server Mgr.
So one issue we do have is remote users with older OS’s like XP. When the RDP client opens, it asks them to log in and requires the domain to be filled in. Do you know of any way to eliminate the domain requirement when logging in with older RDP clients?
Hi Mike,
I’m sorry, I do not. As far as I know it’s not possible..
Hi!,
Thank you for the post!.
Is there a way to change “Work Resources” text?. I tried to change the text in line 14 under string L_CompanyName_Text = “custom text” but the change is not reflected.
Thanks!
Cheers,
Bruno.
Hi Bruno.
Sure. Check the Set-RDWorkspace command. (http://technet.microsoft.com/en-us/library/jj215501.aspx)
Newbe here, Can this also be used with 2008r2? I just started and happened to run across this posting.
Thanks
Hi Gary,
Short answer is no.
Long answer: yes, it is possible to do the same on 2008r2, just not with the code or edits I show here. It won’t even work on 2012. It’s for 2012R2 only.
Hi Arjun
I am totally new to server RDWeb, i want to connect to RDWeb page linked from my website. only authorized user can come to this link so there is no security issue to come on RDWeb page. Only the problem is:
I don’t want this link to open directly but through my link page. Suppose on my website i have http://www.mydomain.com/userpage and there is a link to my RDWeb page http://www.mydomain.com/RDWeb I don’t want this link open directly from internet.
Very similar as we use sessions in PHP to connect the page through previous page so that user cannot open that page directly.
I just put any type of synchronization that can avoid direct opening of http://www.mydomain.com/RDWeb. any solutions?
Thanks.
Khan Sharjeel Hayat
Hi Khun,
I think the only way you can accomplish this is to add code to default.aspx in the RDweb structure, which detects which URL the user comes from and then redirects the user to some other page if he did not come from your portal website.
Hello Arjan,
Thanks for telling i tried to put in login.aspx but it gave error as i just know about PHP sessions. If you can help me in writing a piece of code for this solution, it will be a great highness of you.
Thank you very much.
Hi Khan,
Google and Bing need to help you out here, I have no time in my schedule to code someone else’s projects, sorry.
Hello – We are a small school. I have the kids and staff accessing their files remotely via windows 2012 R2. When they access their files from the folder share, it come up in as Metro as default. I want the folders and files to appear in list/details as it’s WAYYY quicker. Any thoughts on how to make this change permanent? It’s hard to tell non-tech staff to click the button (that’s not labeled) in the upper right corner. Thanks Andy
Hi Andy,
Even though it’s out of scope, you can change view settings, or prevent thumbnails from being generated, using Group Policy. I think it’s the setting “Classic Shell” but not sure. Bing would be your friend here.
Hi Arjan – To be more clear, they are accessing their files from home when they are not at school via connect.socratesacademy.us. Once they login to the server 2012 R2 “Cloud” they then get the default metro look. I wouldn’t think that Group Policy has anything to do with this, but if you can reconfirm your previous statement, that would be great. I have been Binging for months and this blog is all I have found that’s close.
Hi Andy,
I was under the impression they are presented with the RDS Web Access page, in which applications are presented, and they click the File Explorer icon, which in turn opens a folder which was “slower”.
I now understand they log in, click Remote Desktop or something like that and are presented with the new start menu full of tiles?
That startmenu can not be turned off. You can however, make it so the user don’t start in the startmenu, but on the desktop. This is indeed a policy setting. As soon as the user presses the windows key or click the windows logo, they are again presented with the new startmenu (tiles layout). You can also (policy again) redirect your users to the “all apps” section of the modern startmenu, if that is more convenient.
This is the view I want my users to see.
They are currently seeing a “Metro” view, which I don’t know how to change from.
Hi Andy,
That is the Windows Server Essentials web interface. Can’t help you with that.
Hey everyone, quick question. I’ve opened the login.aspx file in notepad to get rid of those grey lines but I’ve noticed that my file only contains 585 lines of text.
Would this indicate my install of IIS or the RDS was not clean?
I’m working in Server 2012 if that adds any insight to why the file may contain less lines.
Thanks much!
Hi Alex,
The 2012 files are indeed different from the 2012r2 files.
These guides are for 2012r2.
Hi, We are running Server 2012 R2. Users log in to RDWeb, and once authenticated are presented with a Remote Desktop icon, which they launch to RDP to the RD session hosts. I followed this guide and it did successfully remove the domain prefix for RDWeb. I was able to log in to RDWeb with just my username and now domain prefix.
However, this broke SSO. So, I can log in to RDWeb with no domain, but when I click the RDP icon in RDWeb to launch RDP session, I now get prompted for credentials, and have to enter domain\username.
Is there a way to have the domain passed through so SSO still works? When I revert back to backup files of login.aspx, renderscripts.js, and webscripts-domain.js SSO works again. Thank you.
Hi Ross,
As I’m getting more and more questions about this, I suspect that maybe some Windows Update broke this.
At the time of writing these scenarios have been tested thoroughly and were working.
When I find some time I will rebuild this lab and see what is broken and how to fix it.
Hi All, Was anyone able to figure out how to get it to work without breaking SSO yet?
hi Arjan,
your article is fantastic. I have got one Question, is it possible to advise the Webinterface to insert the “gatewayusagemethod:i:1” in the RDP File with is transfered an exceuted on the Client ? Bakcground is, that the Web Interface of Gateway should insert Gatewayusagemethod:i:2 -> allway´s use Gateway. an the “internal” Web Interfaces should build RDP files with contain gatewayusagemethod:i:0 -> with means don´s use a Gateway. So internal users will not use a Gateway, bur external will ! Thank you !
Hi Reiner,
Just to make sure
You want it to use “gatewayusagemethod:i:1” instead of the other two options you mention? Your question is a bit confusing.
Hello Arjan!
Could you tell me what I should change to set up “Private” mode as default, not public?
Thank you very much for your posts!
Hi Share,
Follow the guide above until you get to the part that says
Open “webscripts-domain.js” and move to line number 14:
Change that line to
var bPrivateMode = true;
Untested, but that should do the trick for you.
Hi Arjan,
Yes, it works! Thank you.
Could you tell me will you publish customization like change design default logon page?
I want to add copmany logo or somethinh else.
Thanks.
Hi Share
If it’s just logos and colors you want to change, that’s actually pretty easy. Check out https://webaccess.it-worxx.nl. That’s my live webaccess, not my labs.
For a guide to get you started have a look here: http://fixmyitsystem.com/2010/12/customise-rds-web-access-login-pages.html
WOW!
Grate disign :)
Arjan, sorry, I made mistake. I tryed to test on the another PC – privat mode doesn’t work. I don’t hided secirity block and I can see which mode is selected
webscripts-domain.js
…
var strPassword = “”;
var strWorkspaceId = “”;
var strWorkspaceFriendlyName = “”;
var strRedirectorName = “”;
var strRDPCertificates = “”;
var bPrivateMode = true;
var strTimeout = “0”;
…
Maybe I should change code in the another line on in logon.aspx?
PS many thanks for your quickly answers!
Hi Share.
Unfortunately, I don’t know why that won’t work for you. It’s the only place you can for that variable to be true.
I think I found the solution –
renderscript.js
line number 178 –
i’m testing next changes
from:
var bPrivateMode = document.getElementById(“rdoPrvt”).checked;
to:
var bPrivateMode = document.getElementById(“rdoPrvt”).checked=true;
Hi Arjan,
I have a full cloud environment in production, and I have used many of your posts so it has been VERY helpful to say the least.
Recently I came across an issue which sounds strange, and I am looking for a possible explanation.
A user tries to login to the cloud, and gets a message that the user or password is invalid. The user is 100% sure that the password is correct, and even though they try it many times the account doesn’t get blocked.
The surprising solution is here – if the user chooses to change the password (using the password that is allegedly invalid as the original) the user is allowed to change the password and then able to login with the new password.
This happens few times to different users a month since this cloud went live.
Any idea how I can troubleshoot such an issue and get some kind of possible reasoning ?
Thanks,
Shimon.
Hi Shimon,
Several routes come to mind.
Log on to your webacces with an account that works using Firefox or Chrome.
If you click an app or published desktop that browser will download the RDP file instead of launching it. Give this RDP file to the user with the problem when it happens again, and see if he / she can connect using the RDP file when he / she can’t login to the webaccess.
Ask the user to clear any cookies or even reset the browser settings to defaults. Might be he / she has changed settings in cookies or advanced settins or whatever.
Ask the user if he / she can try from a different machine using the same credentials.
Ask the user if he / she can try using UPN or domain\username to log on (let him / her use every option you allow through webaccess).
Check the IIS logs for the username and see what IIS thinks of the whole thing.
These routes should all exclude one or another possibility.
Let me know if you manage to find a solution.
Hi Arjan,
It takes time until I get such an issue and try to deal with it…
First – I can’t use the RDP for sure as it’s less secure, so RD WEB Access is the only route allowed.
Second – Trying to login from a different machine gave the same result. Also resetting IE to default doesn’t make any difference.
I’m lucky to only get very few of these each month. When I reset their password again and force them to change it, they are able to change it successfully.
Could be a user error, but I don’t believe this is the case.
But here’s another strange issue: Recently I started to get calls from users who received password expiration notice, and when they tried to change it – they get “Invalid user name or password” even though the credentials they used were working fine before.
Any known issue here ?
Hi Shimon,
The RDP file which you download using the method I describe is the same as when you use webaccess. It still utilizes the Gateway, and it still requests the user’s credentials when you start the RDP. It is just as safe as logging into webaccess and starting the RDP.
Other than that, this is not a known issue and it has not happened to me before.
Do the IIS logs mention anything? Or the eventlogs on the WebAccess / Gateway server? Perhaps even the Security logs on the domain controllers.
I’m trying to edit the login.aspx file and it won’t save? it asks me to check if the file is open in another program.
Hi cyclingfan,
Since it’s a file in your windows folder structure you need to run the program that you use to edit the files (probably Notepad or Notepad++) as an administrator, then open the file you want to edit, then edit it, then save it.
Hi,
Is there a way to customize Windows Server Essentials’ Remote Web Access (RWA) to allow logon using the User Principal Name (UPN) aka email address format?
Thanks.
Ben.
Hi Ben,
I’m sure there is, but Essentials doesn’t have my focus.
Hi, Arjan.
I’d greatly appreciate any help you can offer.
I’m updating my progress on http://serverfault.com/questions/695287/remote-web-access-upn-logon-format
Thanks.
Ben.
Firstly great guide it’s helped me a lot.
I know this is a bit old now and you may not see it but i cant for the life of me figure out how to hide the RDWorkspace name text “Work Resources”. I know i can change it but i want to just hide it. I’ve googled around loads and everyone just says how to change it. I notice in your live example it’s gone. Could you enlighten me please?
Thanks
Hi David,
If you just want to hide that text you need to remove lines 124-126 in the site.xsl . If you want to hide the whole header including the computer icon, and the text “RemoteApp and Desktop Connection” you need to remove lines 109-138.
Absolutely perfect
Thanks again
Have you had any success embedding the xsl into the separate aspx files rather than having them reference it? We’re deploying this as part of our SSL VPN web portal (yes I know about the rd gateway) and it’s having a fit about cross domain scripting because of the ssl vpn proxy. I wanted to try embedding the xsl within the pages, but am getting stuck….
Hi Chris,
I have never had to do that. I don’t think it can be done. It would make things static if you could. Every setting that changes or new published apps would force you to recreate stuff I think.
Hi Arjan
First, thanks for your awesome guide.
There is a way to have a “user account locked” warning on the Web Access Portal page? The “password expired” warning works great but in some cases the user is not able to login and will be useful for them and helpdesk to know from the Web Access page that is because the account is locked.
Hi Camilo,
That’s not possible. If the login fails, for whatever reason (account locked, account does not exist, wrong password, etc) it just reports back that authentication failed. And this results in the default error message “Username or Password not valid”. There’s no way to differentiate on the actual reason for failing. The ExpiredPassword is an exception to this rule and is handled in a different way..
Is there anyway to display on the page some sort of warning that will tell users number of days (14 for example) before their password will expire?
Default Domain Policy setting for that – Computer Configuration \ Windows Settings\Security Settings\Local Policies\Security Options\ Interactive Logon: Prompt user to change password…..
This setting will prompt user when user logs in to the domain from computer. RDWeb does not display warning that password will expire in X days. Does anybody know if it is possible to display this warning on the login page after user logs in into RDWeb App portal?
Hi Sharapov,
It is possible, but you will need to make the modifications yourself.
In the same way I build the “Display Name” modification, you could retrieve the remaining days for your password from Active Directory.
Hello Arjan,
Thank you for the tip. I tried to change your function that you wrote for your “Display Name” modification. I changed the following 2 lines:
ds.PropertiesToLoad.Add(“msDS-UserPasswordExpiryTimeComputed”);
….
return (results != null && results.Count > 0) ? Uri.EscapeDataString(results[0].Properties[“msDS-UserPasswordExpiryTimeComputed”][0].ToString()) : string.Empty;
However, instead of 2 digit number of days left before password expiration I get 18 digits number. I know that those numbers represent milliseconds. I searched Internet high and low but couldn’t figure out how to convert it to 2 digits. Can you help?
If you could write another article describing how to add expiration password warning to RDWeb page, I’m sure a lot of Internet users will be very thankful to you.
Thank you
Sharapov
Hi Sharapov,
I’m not great at those functions either, but an easy way would be to divide the number that is returned from AD by 864000000000.
I constantly get this message. I have not used a past 6 passwords when trying to change. Server is getting my domain policies just fine. Not using complexity, Length is 6 chars
Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password.
Hi Jeremy,
Other than advising you to check all code modifications, I cannot help you with that error.
For your audit question:
It is within the user’s context itself, just like normal NTUSER credential password changes.
Also, when a successful password is reset, for auditing perspective what account is being used to do the actual reset of the users password? I have not delegated any accounts to grant the ability for this server or services to do that task in my AD. Is there a log?
Amazing article, thank you. Following your guide, I was able to customize my Windows Server 2016 RD Web Access. I needed to force the security setting to Private mode and was able to achieve this with your guide.
Is it possible to have a tree view on the rd web page instead of the icons?
I am having an issue hiding the grey dividers in 2016
Arjan,
Thanks for all the help thus far. I am not sure if you still watch this post, but I have a question about the password reset piece. Is there a way to reset the password without knowing the current password. I am trying to limit the calls to support for unknown password resets. We can do it in AD, but would be great if the user could do it themselves!
Allowing or forcing users to change their password: Is it possbile if my RD Gateway is in workgroup? That is I need this provision to change the local account password created on the RD Gateway server itself. (Not RDSH)
Hi taro, no that is not possible as far as I know because the local security database is not exposed.
Do you know how well this translates from Server 2012 to Server 2016? I’m attempting to replicate the process on a Server 2016 platform & the RD Web portal is still wanting to prefix with the domain
Hello, I want to add captcha verification to the login screen. Is this possible?
Black Friday is a widespread colloquial term for the day after Thanksgiving Day in the United States, considered as one of the biggest shopping days of the year. A lot of retailers open their doors wide and offer very publicized gross sales on Black Friday. In fact, many people agree with Black Friday to be the most important day of the year with regards to shopping. On this day, people can go to their favorite store or shop with the hope of finding the best sale or the best deal of the year. A lot of money is often made in these earnings and most people enjoy going to these places. This article will talk about the day of the week, Black Friday in detail and give some informal on how to maximize gross sales for the duration of this time period.
I want to blacklist one password using RDweb?
Is there any method to do the same? Please help.