Properly Removing the domain prefix requirement from RD Web Access 2012 R2


In the first post in the Customizing the RD Web Access 2012 R2 interface series I added a section that describes how to remove the Domain prefix in the login.aspx page.

Initially my customization only functioned for Domain joined machines, so the post required an update.
The updated customization fixed the initial problem: non-domain-joined machines accessing the RD Web Access pages can now successfully log on using their username only, without prefixing it with the Domain NetBIOS name.
Until someone tested the Expired Password or Change Password functionality…
It turns out that this page uses different code to change the password, and this code requires a Domain prefix, or UPN.

I decided not to post another update, but instead dedicate a full post to this issue, and the solution to it.
If you now look at the original post you’ll see that I refer to this post when this customization is discussed.

So here goes, a full solution to properly remove the Domain Prefix requirement from the RD Web Access pages.

As always, back up the files in %windir%\Web\RDWeb\Pages, just in case.
I’m using the same environment I used in the original post, so for more info on that read that post.

The default Web Access interface login page looks like this:
[Image: RDS Customize Web Access - login page 02]
As you can see, the interface by default expects the user to enter the username in the NT Account format, e.g. Domain\user name.

Removing the domain prefix requirement from the login page
If you publish the Web Access interface for a single domain infrastructure or if you want to define a default domain to log on to, you might want to let the user enter just the username instead of the NT Account.
By default the Web Access application won’t let you do this:
[Image: RDS Customize Web Access - login page 04]
Besides, even if it did, it would still show “Domain\user name:” on the label.
So we need to fix two things: the text on the label, and some code to accept just the username.

Open “login.aspx” and move to line number 19:
[Image: RDS Customize Web Access - login page 05]
This line holds the text for the label.
Change this line to:

    const string L_DomainUserNameLabel_Text = "User name:";

Or replace “User name:” with a custom text you prefer.

Save the file.
This changed the label text to just ask for a username, and not to enter a domain prefix.

Open “webscripts-domain.js” and move to line number 7:
[Image: RDS Customize Web Access - login page 07]
This line tells the rest of the code that by default there’s no domain available and it needs to be extracted from whatever the user entered in the fields in the login page.
Change this line to:

    var strDomainName = "ITW";

And of course replace “ITW” in this example with your own NETBIOS name for the domain.

Now move to line number 75 and insert the following code just before line 75:

    // No "\" (NT Account) and no "@" (UPN) entered: prefix the default domain.
    if ( -1 == strDomainUserName.indexOf("\\") )
    {
        if ( -1 == strDomainUserName.indexOf("@") )
        {
            strDomainUserName = strDomainName+"\\"+strDomainUserName;
        }
    }

The result must look like this:
[Image: RDS Customize Web Access - login page 41]
Now save the file.

Open “renderscripts.js”.
As the very first line, insert the following code:

    var strDomainName = "ITW";

Replace “ITW” with your own NETBIOS domain name.

The result of adding this line must look like this:
[Image: RDS Customize Web Access - login page 42]
Now move to line 334 and insert the following code there:

    // No "\" (NT Account) and no "@" (UPN) entered: prefix the default domain.
    if ( ( -1 == strDomainUserName.indexOf("\\") ) && ( -1 == strDomainUserName.indexOf("@") ) )
    {
        strDomainUserName = strDomainName+"\\"+strDomainUserName;
    }

The result must look like this:
[Image: RDS Customize Web Access - login page 43]

Now save this file as well.

Removing the domain prefix requirement from the password page
If you decided to allow users to change their password, the user can click a link to open the password.aspx page when they log on, or when the pages detect the password has expired.
If you want to remove the Domain Prefix from the RD Web Access interface, you need to do some more editing.
Open “password.aspx” and move to line number 19:
[Image: RDS Customize Web Access - login page 05]
This line, again, holds the text for the label.
Change this line to:

    const string L_DomainUserNameLabel_Text = "User name:";

Or replace “User name:” with a custom text you prefer.

On line 36 add a new constant:

    const string L_DefaultDomain = "ITW";

Again, replace “ITW” with your own NETBIOS domain name.

Go to line 112:
[Image: RDS Customize Web Access - login page 45]
Add the following code after this line:

    // Keep the name as typed for display, then prefix the default domain
    // unless the user entered DOMAIN\user or a UPN.
    ShortUserName.Value = DomainUserName.Value;
    if ( !(DomainUserName.Value.Contains("\\")) && !(DomainUserName.Value.Contains("@")) )
    {
        DomainUserName.Value = L_DefaultDomain+"\\"+DomainUserName.Value;
    }

The result must look like this:
[Image: RDS Customize Web Access - login page 46]

To prevent the UserName box from becoming empty if the user fails to enter correct values, this next piece is kind of nasty, but necessary ;)
Find line 174:
[Image: RDS Customize Web Access - login page 50]
And change that line into the following. The user name is URL-encoded here because it is user-supplied text that gets written straight into the form's action attribute:

    <form id="FrmLogin" name="FrmLogin" action="password.aspx?UserName=<%=Server.UrlEncode(ShortUserName.Value)%>" method="post">

The result of that must look like this:
[Image: RDS Customize Web Access - login page 49]
Really really dirty, but gets the job done.

Next, find line 189:
[Image: RDS Customize Web Access - login page 47]
Delete this line, and replace it with the following code:

    <input id="ShortUserName" name="ShortUserName" type="text" class="textInputField" runat="server" size="25" autocomplete="off" disabled /> <input id="DomainUserName" name="DomainUserName" type="hidden" runat="server" />

The result must look like this:
[Image: RDS Customize Web Access - login page 48]
Save the file.

The password.aspx file is only meant to be accessed by a user who is already authenticated. It is not meant to let users change their password without being authenticated first. Examples of such unintended use include adding a link on the login.aspx page to password.aspx, or using the aspx files just to let domain users change their password without using RD Web Access at all.
If you do want to add a link to password.aspx to allow password change, I suggest you add a link on the toolbar. I describe how to do that in the Customization series.

To conclude:
This added “ITW” as the default authentication domain in both the login page and the password change page. Nothing changed in the rest of the code, so if your Web Access is intended for multiple domains, the user can still enter “CHILDDOMAIN\user name” or “TRUSTEDDOMAIN\user name” or even “ITW\user name” if the user wanted to do that.
We’ve also not destroyed the possibility to logon using UPN instead of NT Account logon.
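
The rule that the edits to webscripts-domain.js, renderscripts.js and password.aspx all apply, written as one function that can be tested outside the page. This is an added example, not code from the original post or from RD Web Access. The function names, the sample inputs and the extra checks (trimming, rejecting `.\user`, rejecting characters Active Directory does not allow in a sAMAccountName) are assumptions of this example and go beyond the three edits above.

```javascript
// Added example, not part of the original post or of RD Web Access.
// DEFAULT_DOMAIN mirrors the post's "ITW"; every function name is hypothetical.
const DEFAULT_DOMAIN = "ITW";

// Characters Active Directory does not allow in a sAMAccountName.
const INVALID_SAM_CHARS = /["\/\\\[\]:;|=,+*?<>]/;

// Split what the user typed into its parts without changing it.
function classifyLogonName(raw) {
  const name = String(raw == null ? "" : raw).trim();
  if (name === "") return { format: "empty" };
  const slash = name.indexOf("\\");
  if (slash !== -1) {
    // NT Account format: DOMAIN\user
    return { format: "nt", domain: name.slice(0, slash), user: name.slice(slash + 1) };
  }
  const at = name.lastIndexOf("@");
  if (at !== -1) {
    // UPN format: user@domain.suffix
    return { format: "upn", user: name.slice(0, at), domain: name.slice(at + 1) };
  }
  return { format: "bare", user: name };
}

function reject(reason) {
  return { ok: false, reason: reason };
}

// Apply the post's rule: only a bare user name gets the default domain.
// DOMAIN\user and UPN input pass through, so child and trusted domains still work.
function normalizeLogonName(raw, defaultDomain = DEFAULT_DOMAIN) {
  const p = classifyLogonName(raw);
  if (p.format === "empty") return reject("empty user name");
  if (p.format === "upn") {
    if (p.user === "" || p.domain === "") return reject("malformed UPN");
    return { ok: true, format: "upn", value: p.user + "@" + p.domain };
  }
  if (p.user === "" || INVALID_SAM_CHARS.test(p.user)) {
    return reject("empty or invalid user name");
  }
  if (p.format === "nt") {
    // Choice of this example: ".\user" or "\user" asks for a local account,
    // which a domain-only portal has no reason to accept.
    if (p.domain === "" || p.domain === ".") return reject("local or missing domain");
    return { ok: true, format: "nt", value: p.domain + "\\" + p.user };
  }
  return { ok: true, format: "nt", value: defaultDomain + "\\" + p.user };
}

// Constructed sample inputs (not taken from any real environment).
const SAMPLES = [
  "jdoe",
  "  jdoe ",
  "CHILDDOMAIN\\jdoe",
  "jdoe@itw.example",
  ".\\Administrator",
  "jdoe<script>",
  "user@",
  ""
];

function runSamples() {
  return SAMPLES.map(function (input) {
    return { input: input, result: normalizeLogonName(input) };
  });
}

for (const row of runSamples()) {
  const r = row.result;
  console.log(JSON.stringify(row.input), "->", r.ok ? r.value : "rejected: " + r.reason);
}
```

The same function can be called from each script, so the default domain and the acceptance rules live in one place instead of three.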

These changes are instant, there’s no need to restart IIS. Just (re)load the Web Access page and test the changes.

Unfortunately, with this customization you need to hardcode the NETBIOS name in three different files. In a future post, which will cover a full customization package with application settings in IIS, I will show how to eliminate this and make the Domain NETBIOS name an application setting that works across the complete RD Web Access interface.
Until next time,

Arjan

20+ years experience in Microsoft powered environments. Enjoy automating stuff using scripts, powershell, and even batch files. In my free time (hah! as if there is any) I hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). When I'm not doing that I enjoy traveling or riding my Yamaha R1 on the edge ;)

Posted in Customize, Remote Desktop, Step-by-Step guide
120 comments on “Properly Removing the domain prefix requirement from RD Web Access 2012 R2”
  1. Erich Roneree says:

    I’m in the middle of testing now Arjan, but I see you included the “disabled” flag in the code beginning with <input id="shortUserName"…

    That disabled should not be there, correct? When I include it, the text box does not allow any text to be added.

    Thanks for working on this!

    • Arjan Mensch says:

      It’s supposed to be there, so that you cannot change the username. Setting it to “disabled” will just grey it out. It’s a new inputbox that’s not in the original code, and I use the code behind to fill it with the currently logged on user’s username.

      • Erich Roneree says:

        Ah, thanks for the clarification. I use the password change page only, so my users never actually log in to the site. The auto fill of the username won’t work for me. I will use your changes as a starting point to make a page that allows the users to enter their own passwords. Thanks.

      • Arjan Mensch says:

        Hi Erich,
        Can you check if the update to the post (the line 174 edit nasty bit) is a solution to your problem as well?

    • zelig says:

      Thanks for the help. I have 2 questions.
      1. Is there a way to enter only in private mode? (I read your former post about public login and tried to reverse it but it didn't work :( )
      2. I try to enter with Chrome but it enters in public only. Can I fix it?

      • Arjan Mensch says:

        Hi Zelig,
        1. should work the other way around, make sure you edit everything correctly.
        2. my focus is not on Chrome, sorry. If there are settings in chrome that influence javascript, try fiddling with those. The public/private settings bits are javascript based.

    • Sam says:

      Hi Arjan,
      I have implemented this solution, Properly Removing the domain prefix requirement from RD Web Access 2012 R2, and it's working like a charm.

      I would also implement a possibility of changing password from previous blog, but after I click on the link change password I am getting this error:

      Compilation Error
      Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

      Compiler Error Message: CS0103: The name ‘L_DefaultDomain’ does not exist in the current context

      Source Error:

      Line 114: if ( !(DomainUserName.Value.Contains(“\\”)) )
      Line 115: {
      Line 116: DomainUserName.Value = L_DefaultDomain+”\\”+DomainUserName.Value;
      Line 117: }
      Line 118: }

      Source File: c:\Windows\Web\RDWeb\Pages\en-US\password.aspx Line: 116

      Could you help me with this?

      Thanks

      • Arjan Mensch says:

        Hi Sam,

        Looks like you forgot to add a piece of code on line 36 I think:

        const string L_DefaultDomain = "ITW";

        (replace ITW here with your NetBIOS domain name)

      • Sam says:

        Thanks a lot Arjan,
        I've made a mistake in that line (defult instead of default); due to that it wasn't working.

  2. Terry says:

    I’ve followed the guide here correctly as far as I can tell and I’ve reviewed my changes line by line but I still get asked for a domain name. I restarted the page in IIS just to be safe even though I shouldn’t have to. I have gone over and over my changes to make sure they are exactly what you have shown here but no joy. I skipped the password part as that’s not an issue in my environment. Any advice or a link to another guide to remove the domain requirement? Can’t figure out what I’m missing.

    • Arjan Mensch says:

      Hi Terry,
      If you zip and mail your modified files I could have a look?

      • Marcos says:

        Arjan, can you provide an email address so I can send you my files as well? I am having the same problem.

      • Arjan Mensch says:

        Hi Marcos. Terry had the problem that the Windows 2012R2 servers he had to work with were in-place upgraded from Windows 2012.
        For RDWeb this seems to prevent some of the customizations I mention in this blog.
        If you still want to send me the files, hover over my picture and go into my profile. Contact info is there.

      • Philipp says:

        Hello,

        Same problem on Server 2012R2. Did all the changes but without DomainName I can't log in. Can you post what the problem is? Thank you

  3. Curt says:

    Great post. Have most of it done but for some reason, I can’t find the webscripts-domain.js file in any of the %windir%\windows\web\rdweb\pages folders. Am I missing something?

    • Arjan Mensch says:

      Hi Curt,

      It’s %windir%\web\rdweb\pages, which translates to C:\Windows\web\rdweb\pages on most servers. You have an extra “windows” in your path as you put it in your comment.

      • Curt says:

        Right, sorry about that. The path you’ve specified is where I meant. The file’s not in there. Is it hidden or something?

      • Arjan Mensch says:

        No it’s not hidden as far as I can tell. What files do you see?
        The files that should be there:

        Default.aspx
        Default.aspx.cs
        RenderFail.css
        renderscripts.js
        Site.xsl
        tswf.xsd
        Web.config
        WebFeed.aspx
        WebFeed.aspx.cs
        webscripts-domain.js

        Just in case, turn on hidden files in File Explorer?

      • Curt says:

        Yup, all those are there, just missing the webscripts file. The RDG works but not the way I would like it to as outlined in this post. I was not the original tech who installed this, I just inherited it. Can the file be downloaded from the media disk, or does it get created during the installation? Thanks for your replies.

      • Curt says:

        Thank you for sending me the file. I have it in place and it seems to be working well except if I just use the username and password, it doesn’t pass the credentials to the session host serving up the remote applications. I have to use the domain\username after selecting a remote app to complete the connection. Probably for another post eh?

        thanks again.

      • Arjan Mensch says:

        Hi Curt,
        I think that is related to your environment as well. Definitely consider re-deploying. Missing files is a hint that something’s amiss in your environment..

  4. joe says:

    I'm in a similar situation to Erich Roneree; I need the username field editable so have removed the disabled flag (otherwise if it fails for complexity reasons users will not be able to enter their username; also some users don't want to wait for an expired password prompt so I have added a shortcut to the passwords hyperlink from the login page).

    What I have found is that if prompted that the password must be changed, and it auto-populates the username field and a password that's entered meets the complexity, the password changes OK. However, if I use the shortcut to the password page, or if it fails on complexity and the username needs to be re-entered, it will not allow the password to be reset and prompts:

    “The user name or password that you entered is not valid. Try typing it again. “

    • Arjan Mensch says:

      Hi Joe,
      I updated the post after reading your comment.
      The fix for your problem is in the password.aspx editing part of this post, concerning the edit on line 174 in that file.

  5. Xa says:

    I added a custom tab inside the portal for users to change their password. I was wondering how do I go about passing the logged in user’s username to the password page when I click on the Change password page?

    • Arjan Mensch says:

      Hi Xa,
      Have you tried with the modifications to the password page as I described? Or did you create your own password page and used that as a custom page?

      • Xa says:

        I modified the password page as you described above. The custom tab have a link href=”password.aspx”. If I was to create a new user and tell it to change password for the first time, it will tell the user to click here to change password and the username would show up in the username field and is disabled for modification.

        By the way, the machine I am using to access the portal do not join to the domain.

  6. thedvsgneeus says:

    Arjan, I tried using the above and it didn't seem to work, not sure if I missed a step but I did it three times. I then added this line and it worked great..

    to be:

    of course replace ? with ”

    thanks for your help tho.. great find.

  7. Eric says:

    No domain name to “Connect to a remote PC” with no inputting domain name in login page.

  8. Arjan,
    Great posts on the 2012 RD Web interface. I have a vexing issue I thought you may be able to assist with related to RD Web Access branding. The default for the page is Work Resources. In 2008 R2 this was configurable within the web.config file. However, in a pure 2012 environment, this value has been moved to a WMI value. Within the web.config file under the RDWeb folder in IIS is the following statement:

    “the settings are configured by updating the singleton instance of the Win32_Workspace WMI class on the RD Connection Broker server”

    While I can query this value using any manner of WMI tools, for the life of me I cannot update the value. I have spent hours trying to find the proper syntax to do this. Why Microsoft would move this to a WMI value and make it so difficult to change is beyond my ability to comprehend.

    Would you know how to update this value so I can brand my RD Web Access Page as desired?

  9. webbingaway says:

    Hi Arjan,
    Thanks for all the info.
    A non-passwordChange-related question, maybe you would have an insight, being an expert to the matter:
    * Taking into account that it is possible to publish applications that enable the user to share his drives, printers, clipboard etc.
    * However, having pressed a button of such a published app in the RDWeb screen doesn’t necessarily bring up a remote-desktop window that has all the supported resources checked (i.e. the user needs to check the “drivers” and/or “printer” etc., manually).
    The question – do you know of any way to customize the automatically-generated rdp file (that is being generated when pressing the app icon on the RDWeb window) to control which checkboxes of the shared local resources are checked?

    webbingAway

    • Arjan Mensch says:

      Hi WebbingAway,

      Untested, but check the site.xsl file. The RDP file is launched on line 694 and onward. You would copy lines 680-690 and insert them right before 694. That block of code is for modifying the connection type based on the experience checkbox, but you could copy and modify it to alter properties of the RDP file..
      In theory :)

  10. driftar says:

    Hi Arjan

    Great posts here about customizing the RDS 2012 websites. I’ve got just one issue with the steps in this post above. I’ve edited all the files needed. The login works great without giving the NT login, so just username and password is required.

    This works for all users, except the administrator. The administrator can log in, but unfortunately, he can’t see the RDS farm icon.

    Every other user can login and sees the RDS farm icon, can click on it and connect via RDP. The admin can’t see this icon.

    Can you test / confirm this behavior? I think its a bug, or some more configuration in the code needed.

    Best regards from Switzerland!
    driftar

    • Arjan Mensch says:

      Hi driftar,

      It looks like the servers think you’re logging on using the local administrator account. The easiest, and besides that also best-practice, fix for this is to rename your domain admin account :)
      I’m curious, since I don’t see this behavior in any of my environments: can you describe which roles you have combined and if any of your servers with RDP roles is also a domain controller?

      • kerobra says:

        I can confirm this thought of yours. If you log in as “NETBIOSDOMAIN\Administrator” he can see the remote-apps published in the RD-Config. If you log in just as “Administrator” the page is blank.

  11. Percy K says:

    Hi Arjan,

    I’m having similar issues with missing files. I’ve removed the RDS Web role and added it back but it did not install the missing webscripts-domain.js , RenderFail.css, or Site.xsl files. This is a server 2008 r2 virtual server deployed from a template (our standard means of deploying servers) and has been joined to a single domain.

    • Arjan Mensch says:

      Hi Percy,
      I’ve seen this several times now with upgraded Windows 2012 or Windows 2008R2 machines. Try deploying a native 2012R2 machine and copying the complete RDWeb folder, or reinstall your servers from scratch..

  12. Chris says:

    Hopefully the author is still watching this. I completed the guide, and it works great on the splash page, but when I click the RDP icon to go into one of our terminal servers after I login, it brings up a windows credential prompt, and I have to enter the credentials again.

    Any idea?

  13. Ryan says:

    I followed the instructions in the first series for using an email address as I want users to login with their UPN suffix. This does not seem to be working though, authentication always fails, and I have configured DNS such that the rdweb server can reach a DC. I don’t see specific mention of using email addresses on this followup piece, should it work the way it is from the first piece or do I need to make the netbios changes mentioned in this piece?

    • Ryan says:

      Nevermind, I didn’t realize I needed to change the users default logon name suffix in AD. Luckily ADModify.net makes this a snap for even hundreds of users! Everything is working great with just the original series instructions. Thanks!

  14. Pavel says:

    Hi man. I have a few articles about customization of RDWeb, for example: how to publish a configuration file for RemoteApp (wcx) for easy configuration of RemoteApp for users. Reply to my email, and I’ll send them to you. Nice blog!

  15. Daniel Bartholomaeus says:

    This is a wonderful article but I have a couple of problems. I think I have carefully followed the instructions but still the password reset page does not autopopulate the username field AND, once the username field is enabled, the user needs to enter their UPN or Domain\Username to successfully change the password. The static domain setting is not being picked up. Can I send you my files for further analysis thanks Arjan?

  16. Swads says:

    This guide worked great for me. Only issue was that after I implemented the change my WebSSO stopped working for external non domain joined clients. I knew this was an issue if you changed to Windows Authentication for pass through to Web Access but it appears to also be an issue in this instance as well.

    • moonshdw8 says:

      I have the exact same issue as Swads. Great tutorial, by the way. For users outside the network who try and open RDP sessions, they get prompted to enter their credentials again. The login pop-up has the local server name showing as the server name rather than the public FQDN if that narrows anything down.

  17. Yasser says:

    Very good post, I tried it and it works. I figured out one issue: if I want to create Access remote app and Desktop connection from Control Panel “Control Panel\All Control Panel Items\RemoteApp and Desktop Connections”, when I reach the screen to set the user credentials it does not accept them even if I enter the domain name! Did you face such a problem?

    Also all users can access the RD webpage without setting the domain name except the administrator account, which needs the domain name! Any comments on this?

    • Arjan Mensch says:

      Hi Yasser,
      Removing the domain prefix from Web Access does not remove it from the feed. The feed should still work using the NTUserName though (domain\username) or even using the UPN.
      The Administrator is a special account. It works for me in my lab, but that’s because the local admin has the same password as the domain admin.
      Were your RemoteApps via Control Panel working before you edited the Web Access files?

      • Yasser says:

        Hi Arjan,

        Thank you for your quick reply. Actually everything was working fine before I did the changes! I can easily create the remote app and desktop connection through Control Panel.

        Also after removing the domain name I faced other issues, which I will not list now until I make sure they appeared after I made the changes.

        Did you check whether it works if you access the RDWA and log in from the internet (through RDGW), after doing the changes?

      • Arjan Mensch says:

        Hi Yasser,
        At the time everything worked. Might be that some Windows Update borked things.. When I find the time I will recreate this lab and see what happens.

      • Yasser says:

        Hi Arjan,

        For the time being I will revert the changes and check whether everything works well again.

  18. Amir says:

    or you could simply go to IIS > Default Website > RDWeb > Click on “Application Settings” > and set the “WorkspaceName” to your domain NetBIOS name.

    hope this helps.

  19. Brent says:

    Hello,
    Not sure what I did wrong after I made the changes. I can log in with just the user name and it logs me in. But I have nothing under Current folder:/. However I can log in with the domain and username together like before and everything I have published shows up. What did I do wrong? Thanks for any help anyone can provide.

    • Arjan Mensch says:

      Hi Brent,
      Not sure what’s happening there. Check if changing CAP/RAP policies has any effect?

      • Brent says:

        Hi Arjan,

        Thanks for pointing me in the right direction. That was part of the problem. The main problem was the AD account I was using: back before I placed the server on the domain I created a local account with this same username on this server. So every time I would log in with just the user name, it was using the local account. This account did not have access to the RD Web so I gave it access by placing it in the correct groups and now it works. I appreciate your help.

  20. Michael See says:

    I have added the code to allow me to not have to put the domain name but I get prompted that I have to enter a valid domain name still. I am using 2012R2 and have set up a certificate as well as I am using the Remote Desktop Gateway with autologon setup.

    • Same problem here. Anyone managed to modify the webfeeds to stop asking for the Domain?

    • Nick says:

      Not sure if this is the 100% correct method but here’s how I overcame this issue on 2012R2.

      Edit webscripts-domain.js near or about line 59 is the if statement causing the “valid domain name” error.

      I edited it to this, basically comment out the showElement and bStopSubmission lines and add your own, change ITW to your own domain obviously.

      else if ( strDomainName == null || strDomainName == "" || strDomainName == "." )
      {
          //showElement(document.getElementById("trErrorDomainNameMissing"));
          //bStopSubmission = true;
          strDomainName = "ITW";
      }

      • Arjan Mensch says:

        Hi Nick,
        Quick and dirty, but if it works for you, there’s no harm here.
        Have you tried this in combination with the password change page / option?

  21. When I use the link to “Connect to a remote PC” it passes my username but not the domain so I have to click the button to connect as a different user and use domain\user in order for the remote connection to work.

    Is there a way to pass the domain to this link as well?

    Thanks!!

    • Arjan Mensch says:

      Hi again Darhl,
      In theory the Desktops.aspx file should then require the same sort of adjustments as the Default.aspx file, but I have never tested that.. The way the RDP file is generated and used in the Desktops.aspx file is slightly different.
      Non-tested fix for you:
      On line 130 in Default.aspx:
      strDomainUserName = objTSFormAuthTicketInfo.DomainUserName;

      Replace this with

      strDomainUserName = "NETBIOSDOMAINNAME\\" + objTSFormAuthTicketInfo.DomainUserName;

      Of course replace NETBIOSDOMAINNAME with your domainname.

      Again, untested, but looking at the file this should work in theory.

      • Hi Arjan,

        Just got time to look at this and when I change:
        strDomainUserName = objTSFormAuthTicketInfo.DomainUserName;
        to:
        strDomainUserName = "MYDOMAIN\\" + objTSFormAuthTicketInfo.DomainUserName;

        then I sign in to my RDS web page. When I click the “Connect to a remote PC” link it flashes the desktop.aspx page then takes me back to the RDS login page. The error says:
        “Another user of your computer is currently using this connection. This user must disconnect before you can log on.”

        When I change it back to:
        strDomainUserName = objTSFormAuthTicketInfo.DomainUserName;
        it works fine (except I have to hit change user and put in the domain).

        Thanks again for your great work!!!

        Darhl

      • Arjan Mensch says:

        Hi Darhl,
        That probably means the authinfo is not in the state we’d expect.
        You’d need to check the contents of objTSFormAuthTicketInfo.DomainUserName to see if the domain name is already in there.
        I usually check this by creating a textbox and setting its contents to objTSFormAuthTicketInfo.DomainUserName in this case.
        Work from there would be my advice.

  22. Seb says:

    Hi there, great post. The first part (removing the domain\ field) works great for domain-joined machines but not for workgroup machines, which should still connect with the domain\ field.
    Any fix for that? Thanks a lot!

  23. Brian D says:

    Hi, I had successfully followed the procedure and it does work. But after logging out and then trying to log back in it sends me the following message: “Another user of your computer is currently using this connection. This user must disconnect before you can log on.”

    If I try to log in adding the domain name it logs in with no difficulties. Did I miss something?

    Thank you

    • Brian D says:

      I want to add that the issue only happens on IE; I tested Chrome and it works fine. Currently I have IE 8; I will update and see if the issue still happens.

      Thank you

      • Louis C says:

        I’m also experiencing the same problem. My RDWeb server is running Server 2012. Any idea as to what is causing this?

        Many thanks

      • Arjan Mensch says:

        Hi Louis and Brian.
        Does this happen as well if you close all internet explorer sessions before you try again? Looks like a cookie is malformed.

      • Greg says:

        Hi,

        I also receive this exact error message with IE 11 (my RDS Farm is on Server 2012 R2). Anyone know why Chrome works but IE doesn't?

  24. Chris says:

    Hi,

    A great post! Thank you.

    I think I followed your instructions properly, and I can login to the main RDWeb page successfully and see the published apps. However when I click on one of them, it asks me to login again (after asking which resources I want to allow, etc)… the credentials page that it pops up contains the user but not the domain… so fails to login.

    I’m on Windows 7, IE 11

    Is this something you have come across before?

    Cheers,

    Chris

    • Arjan Mensch says:

      Hi Chris,
      Not sure if you fixed this already. I cannot reproduce this behavior, and my guess is it might have to do with some Windows Update, since when I published this article there were hardly any problems reported, but now more and more people are having problems with this modification.
      When I find some time I will rebuild my lab for this and try it in a clean fully updated environment.

  25. Vicky Martin says:

    I am confused.

    I am deploying Server 2012 RDS. I have set up to use web access, works fine. It uses a connection broker and 2 RDCB Servers. There are currently 3 RDSH servers to connect to. I have set it up to not require the domain name when logging into the web console by changing C:\Windows\Web\RDWeb\Pages\webscripts-domain and adding the domain name into line 7 on both CB servers. Works like a charm.

    When opening “desktop” or an app it then requires authentication to log onto the server but passes through the username without the domain, so login fails. I have tried numerous things but cannot work out how either to pass through the domain name too or to add the domain name into the second login box.

    I have tried changing it via GP by enabling RD Gateway authentication method to locally logged on credentials, I’m sure this is for when logging on from a machine on the domain so wouldn’t work.
    I have tried setting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultdomainName in the registry.
    I have tried Assign a default domain for logon via GP.

    Still no luck. It tries to connect with the domain being the name of the server farm, or no domain at all depending which settings I have changed at the time.
    Has anyone got this working?

    Can anyone help?
    Thank you so much for reading about my issues.

  26. Anders Munksgaard says:

    Hi Arjan.

    It seems like it is working for me on the login Page, but cannot get it to work on the password change page. I need to put in the domain to get it to work.
    I have made the changes 5 times and with the same error.

    Can you help me?

    • Arjan Mensch says:

      Hi Anders,
      I have rebuilt my lab and tested this as it is intended: when I log on with a user who is forced to change his password (expired or set to change on next logon), I get presented with a link on the logon page which brings me to the password change, where I can successfully change my password.
      The changes described in this post are still valid after all.

  27. Antonio says:

    Thank you for this guide!

    In regards to the password page, why even leave the user name box there?
    I believe this may confuse users. There is a blank user name input field which would suggest to the user they are meant to type in their user name, but the field is disabled.

  28. JohnA says:

    Thanks for all the information on customizing RDWeb. However, I really JUST need the password change site. The majority of access will be from machines either standalone or joined to different, untrusted forests. I still have a few environments using the ancient Microsoft iisadmpwd code referenced in KB331834. I’m not sure where to start to extract the RDWeb password piece – I’m a complete .NET newbie.

    Hoping you can help.

    • JohnA says:

      … and it needs to support users with expired password (if that matters). I have separate scripts to notify users that their password and/or account is expiring, but we all know how well users follow directions.

  29. Harri says:

    Hi Arjan,
    I am having difficulties getting the password change without domain to work correctly. The problem is that there is no user name filled in, nor can I add one. I tried to make the “user name” field editable but it just won’t work without the domain name.

    After several tries I tried to make the changes step by step, saving after change and then testing. After adding:
    ShortUserName.Value = DomainUserName.Value;
    if ( !(DomainUserName.Value.Contains("\\")) )
    {
        DomainUserName.Value = L_DefaultDomain+"\\"+DomainUserName.Value;
    }

    I will get “Runtime Error”.

    Should the line 112 change work without the rest (nasty part + rest)? If I add the rest it won’t work.

    What am I missing or doing wrong?

    • Harri says:

      Just if there is any help:
      After all the change I reloaded the page and viewed Source Code via browser:

       

      DOMAIN\user name:

      Any help?

      • Harri says:

        the missing html code from last post:

        {form id="FrmLogin" name="FrmLogin" action="password.aspx?UserName=" method="post"}
        {table width="350" border="0" align="center" cellpadding="0" cellspacing="0"}
        {tr}
        {td height="20"} {/td}
        {/tr}
        {tr}
        {td}
        {table width="350" border="0" cellpadding="0" cellspacing="0"}
        {tr}
        {td width="180" align="right"}DOMAIN\user name:{/td}
        {td width="7"}{/td}
        {td align="right"}
        {input name="ShortUserName" type="text" id="ShortUserName" class="textInputField" size="25" autocomplete="off" disabled="disabled" /}
        {input name="DomainUserName" type="hidden" id="DomainUserName" /}
        {/td}
        {/tr}
        {/table}

        The line “input name….” ends with “disabled” in password.aspx, not “disabled=”disabled” as it shows on Source Code via browser.

        Any help?

      • Arjan Mensch says:

        Hi Harri,
        Are you testing this with a logged in user, or are you opening the password page without logging in?
        The page should work, but only for users that are logged in already.

        If so, try changing the line 112 code to this:

        ShortUserName.Value = DomainUserName.Value;
        DomainUserName.Value = L_DefaultDomain+"\\"+DomainUserName.Value;

        And see what that does for you?

  30. Harri says:

    I am testing with a logged in user. The username field is blank and it is not-editable.

    I have copied some of the pages / files from older version of IIS because that was the fastest and easiest way to keep the appearance / layout as it has been earlier.

    I am pretty sure I have tried to restore all the RDweb-pages / files but the result was the same. I have tested quite a lot of different kind of solutions.

    So Line 112 from:
    DomainUserName.Value = SecurityElement.Escape(objQueryString["UserName"]);

    to:
    ShortUserName.Value = DomainUserName.Value;
    DomainUserName.Value = L_DefaultDomain+"\\"+DomainUserName.Value;

    instead of:
    ShortUserName.Value = DomainUserName.Value;
    if ( !(DomainUserName.Value.Contains("\\")) )
    {
        DomainUserName.Value = L_DefaultDomain+"\\"+DomainUserName.Value;
    }

    Am I right?

    “Runtime error” so something is missing.

    • Arjan Mensch says:

      Hi Harri,
      This has been mentioned several times now. My guess is some Windows Update broke this modification, but I would have to rebuild my lab to test it.
      Don’t hold your breath though, focusing on Windows 2016 at the moment..

      • Arjan Mensch says:

        Hi again Harri,
        I have rebuilt my lab and tested this as it is intended: when I log on with a user who is forced to change his password (expired or set to change on next logon), I get presented with a link on the logon page which brings me to the password change, where I can successfully change my password.
        The changes described in this post are still valid after all.

  31. Moses says:

    Hi,
    I followed this guide step by step and it doesn’t work for me.

    When I try to change the password WITHOUT the domain suffix I get the error:
    “The user name or password that you entered is not valid. Try typing it again.”

    When I try to change the password WITH the domain suffix (domain\username) I get the error:
    “Your password cannot be changed. Please contact your administrator for assistance”

    With no particular order these are the files I modified:
    Pages/renderscripts.js
    Pages/webscripts-domain.js
    Pages/en-US/login.aspx
    Pages/en-US/password.aspx

    I made all the changes you wrote in this guide, and verified it for the 3rd time.

    Thanks a lot!

    • Arjan Mensch says:

      Hi Moses,
      It’s said in the comments a few times now. I think somewhere in the past year a Windows Update or something broke this procedure. When I find some time I’ll dive into it again.

      • Arjan Mensch says:

        Hi Moses,
        I just rebuilt the lab and tested this setup and it works as intended:
        If I log on with a user that needs to change his password (expired or set to change), I can click the password change link from the login page, and I can change the password on the password change page.
        How are you accessing the password.aspx page? A link after the user is logged on, or like I describe, after trying to log on and clicking the link that is presented?

  32. Mark Jesiel says:

    I’ve just gone through your guide twice with the same results. When I try to log on without using the domain name it appears to log on but I do not see any of the Published applications, if I logon with the domain name it logs me in and I see the Published Apps. What am I missing here?

  33. ECornwell says:

    Hello,

    First, thanks for the great article! Second, at the bottom of the post you mention a way to make the NetBios name an application setting. I didn’t see another post with that information. One of the 3 files was pretty straightforward; can you give some hints on how to cover it in the .js files?

    Thank you!

    • Arjan Mensch says:

      Hi ECornwell,
      I haven’t really looked into it yet, but I would start by investigating if it is possible to use a global javascript variable for this and declare that in the .aspx pages. Any other solution would be a nasty solution I think :)

  34. Peo says:

    Great post, thanks!

    I think that line 112 of password.aspx file should be modified like this:

    ShortUserName.Value = DomainUserName.Value;
    if (!DomainUserName.Value.Contains("\\") && !DomainUserName.Value.Contains("@"))
    {
        DomainUserName.Value = L_DefaultDomain + "\\" + DomainUserName.Value;
    }
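
The check Peo proposes above (prefix the default domain only when the name is neither DOMAIN\user nor a UPN), written out as a stand-alone C# helper. This is an added example, not code from the post or from RD Web Access: `AccountName`, `Qualify` and the `CONTOSO` domain are hypothetical, `defaultDomain` stands in for `L_DefaultDomain`, and rejecting malformed names is an assumption added here.

```csharp
using System;

// Hypothetical helper (not part of RD Web Access): turns whatever the user
// typed into a name the password-change code can accept.
public static class AccountName
{
    // Returns DOMAIN\user or user@domain unchanged, prefixes a bare user
    // name with defaultDomain, and throws on input that is none of these.
    public static string Qualify(string input, string defaultDomain)
    {
        if (string.IsNullOrWhiteSpace(input))
            throw new ArgumentException("User name is empty.");
        string name = input.Trim();

        int slash = name.IndexOf('\\');
        int at = name.IndexOf('@');

        if (slash >= 0)
        {
            // NT account format: exactly one backslash, text on both sides.
            if (slash == 0 || slash == name.Length - 1 || name.IndexOf('\\', slash + 1) >= 0)
                throw new ArgumentException("Malformed DOMAIN\\user name.");
            return name;
        }
        if (at >= 0)
        {
            // UPN format: text before the first @ and after the last character check.
            if (at == 0 || name.EndsWith("@"))
                throw new ArgumentException("Malformed UPN.");
            return name;
        }
        // Bare user name: apply the default NetBIOS domain.
        return defaultDomain + "\\" + name;
    }

    public static void Main()
    {
        const string domain = "CONTOSO";  // constructed sample value
        // Constructed sample inputs covering each accepted and rejected form.
        string[] samples = { "jdoe", " jdoe ", "FABRIKAM\\jdoe", "jdoe@contoso.com", "\\jdoe", "jdoe@", "" };
        foreach (string s in samples)
        {
            try { Console.WriteLine("'{0}' -> {1}", s, Qualify(s, domain)); }
            catch (ArgumentException e) { Console.WriteLine("'{0}' rejected: {1}", s, e.Message); }
        }
    }
}
```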

  35. Alex Martin says:

    I added a custom tab and pointed it to the password page but I am not able to change the password. Does the user’s password need to be expired for it to work? Is there a way around this? Also, it appears that I can’t change my password if I use the upn instead of just the UPN. Did I miss something? Is there a way to display the number of days before the password expires once a user logs into the portal?

    • Arjan Mensch says:

      Hi Alex,
      If you made no other modifications to the pages, this should work, whether you logged on using NTUsername or UPN. I know the password page is a bit tricky if you have removed for example the need for entering the domain name.
      There is a way to display the number of days before a password expires, but you need to make this yourself.
      The posts about hiding a tab for groups of users can help with that. It shows how to query active directory and respond to the results. That’s the way to go if you want to find out how long a password is still valid.

  36. Jeff King says:

    Arjan,

    I have followed this article and made the changes you suggested. I log in without a domain and I get to the RDWEB page but none of my published apps show. If I do use the domain, then the published apps show as expected. I have tried re-publishing an app but that does not help. Any other things you can suggest I try?

    Thanks,

    Jeff King

  37. Brian Blasko says:

    I just fixed an issue related to this and wanted to leave a comment for anyone who is having the same issue. In fact, some of the above comments look similar to my issue, so they might even be in the same boat.

    I originally had an internal domain name of domainA.contoso.com. I made all the changes as described by Arjan and everything was working great! Then, I had to change my internal domain name, so I rebuilt the entire configuration from the ground up, but used domainB.contoso.com. After making Arjan’s changes, users were once again able to log into RDWeb without issue. However, once they clicked on any one of the published apps, they were presented with a new “Windows Security” window, prompting them to “Enter Credentials”. The username was pre-populated with the user’s correct name, but the user was unable to authenticate after entering the password. BUT…if the user clicked “Use another account”, and changed the username to domainB\username, they could authenticate.

    This silly prompt kept pre-populating the form with the old domainA\username!

    After hours of searching the Internet and the registry, I finally discovered the fix. On the user’s PC, you have to Reset Internet Explorer [Tools–>Internet Options–>Advanced–>Reset…–>Ensure “Delete personal settings” is ticked]

    I’m not positive, but remember that little ActiveX control that you install the first time you go to RDWeb? It’s the Microsoft Remote Desktop Services Web Access Control ActiveX Add-In. I think it might be somehow responsible for remembering previous credentials. Resetting IE also resets that ActiveX control’s settings as well.

  38. Bruce Heard says:

    Do you have the same instructions for a 2008 R2 deployment? We had all of this working and then realized our app was suffering performance on 2012.

  39. CT says:

    Thank you for this blog! Great amount of detailed info that is very helpful. Although, once I made changes to add my Domain and hide the text so users don’t have to enter it, it seems I am now being prompted to auth twice to open a RemoteApp (Remote Desktop) when before I was only being prompted once at the main login page. No other changes were made to the Collection or IIS and all Certs are valid and show ok. Or I made an inadvertent change somewhere that I need to fix. Any help is appreciated!

    • Arjan Mensch says:

      Hi CT,
      I have noticed that WordPress changed some things in the way code is displayed in a post.
      Please check the code modification screenshots to see if all modifications were done correctly.
      Also make sure your clients use the most recent RDP version to connect. Older versions are prone to generate more authentication popups.

  40. CT says:

    I verified the code and all looks correct. Thanks again for your post.
    Still getting prompted to auth twice. Added url to Trusted Sites.
    Windows Auth is enabled on RDWeb. Using latest version of RDC on Win10.
    Out of ideas…

  41. CT says:

    Still having issues. Now, when any user logs in, they are immediately logged back off and sent back to the main login page. You briefly see the Remote Desktop icon for about a second before being logged off. I didn’t make any other changes, I just reviewed your code to see if it matched mine.

    All I really wanted to do was to change the Workspace Name and eliminate need for using a Domain prefix.

  42. Jag says:

    Hello Arjan,

    Great Post. Everything works great except the user is prompted to enter the credentials again. I have gone through all the posts above but nobody seems to have posted any fix. Did you ever find a fix for the 2nd prompt after customizing the page?
    Thanks
    Jag

  43. Hi,

    thank you very much for the great article. I made these changes, and it works for every situation except Internet Explorer on a machine which is joined to another domain (Chrome works fine also on a machine joined to another domain). Do you think that it is possible to “fix” it? I am getting the message “You must enter a valid domain name.”

    Anyway – it’s not so important, maybe you can just make a short note in your article that this specific situation requires a workaround of specifying the domain.

    Have a nice day!
