Properly Removing the domain prefix requirement from RD Web Access 2012 R2


In the first post in the Customizing the RD Web Access 2012 R2 interface series I added a section that describes how to remove the Domain prefix in the login.aspx page.

Initially my customization only functioned for Domain joined machines, so the post required an update.
The updated customization fixed the initial problem: non Domain joined machines accessing the RD Web Access pages can now successfully log on using their username only, without prefixing it with the Domain Netbios name.
Until someone tested the Expired Password or Change Password functionality…
It turns out that this page uses different code to change the password, and this code requires a Domain prefix, or UPN.

I decided not to post another update, but instead dedicate a full post to this issue, and the solution to it.
If you now look at the original post you’ll see that I refer to this post when this customization is discussed.

So here goes, a full solution to properly remove the Domain Prefix requirement from the RD Web Access pages.

As always, back up the files in %windir%\Web\RDWeb\Pages, just in case.
I’m using the same environment I used in the original post, so for more info on that read that post.

The default Web Access interface login page looks like this:
RDS Customize Web Access - login page 02
As you can see, the interface by default expects the user to enter the username in the NT Account format, e.g. Domain\user name.

Removing the domain prefix requirement from the login page
If you publish the Web Access interface for a single domain infrastructure, or if you want to define a default domain to log on to, you might want to let the user enter just the username instead of the NT Account.
By default the Web Access application won’t let you do this:
RDS Customize Web Access - login page 04
Besides, even if it did, it would still show “Domain\user name:” on the label.
So we need to fix two things: the text on the label, and some code to accept just the username.

Open “login.aspx” and move to line number 19:
RDS Customize Web Access - login page 05
This line holds the text for the label.
Change this line to:

    const string L_DomainUserNameLabel_Text = "User name:";

Or replace “User name:” with a custom text you prefer.

Save the file.
This changed the label text to just ask for a username, and not to enter a domain prefix.

Open “webscripts-domain.js” and move to line number 7:
RDS Customize Web Access - login page 07
This line tells the rest of the code that by default there’s no domain available and it needs to be extracted from whatever the user entered in the fields in the login page.
Change this line to:

    var strDomainName = "ITW";

And of course replace “ITW” in this example with your own NETBIOS name for the domain.

Now move to line number 75 and insert the following code just before line 75:

    // Prefix the default domain only when neither "\" nor "@" was entered
    if ( -1 == strDomainUserName.indexOf("\\") )
    {
        if ( -1 == strDomainUserName.indexOf("@") )
        {
            strDomainUserName = strDomainName+"\\"+strDomainUserName;
        }
    }

The result must look like this:
RDS Customize Web Access - login page 41
Now save the file.

Open “renderscripts.js”.
As the very first line, insert the following code:

    var strDomainName = "ITW";

Replace “ITW” with your own NETBIOS domain name.

The result of adding this line must look like this:
RDS Customize Web Access - login page 42
Now move to line 334 and insert the following code there:

    // Prefix the default domain only when neither "\" nor "@" was entered
    if ( ( -1 == strDomainUserName.indexOf("\\") ) && ( -1 == strDomainUserName.indexOf("@") ) )
    {
        strDomainUserName = strDomainName+"\\"+strDomainUserName;
    }

The result must look like this:
RDS Customize Web Access - login page 43

Now save this file as well.
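
The rule the two inserted checks apply, written out as an added example (not code from the RD Web Access scripts). It goes one step further than the snippets above by also flagging values that pass the check but are still malformed; `DEFAULT_DOMAIN` and all function names are assumptions for illustration.

```javascript
// Added example: not part of the RD Web Access scripts. DEFAULT_DOMAIN and
// all function names are assumptions made for this illustration.
const DEFAULT_DOMAIN = "ITW"; // NETBIOS name used in the article

// Classify the typed value with the same two markers the inserted check uses:
// a backslash means NT Account format, an at sign means UPN.
function classifyLogonName(input) {
  const name = String(input).trim();
  if (name === "") return "empty";
  if (name.includes("\\")) return "nt-account";
  if (name.includes("@")) return "upn";
  return "bare";
}

// Value that is submitted once the customization is in place. Only a bare
// name is changed. Trimming and leaving an empty field empty are additions
// of this example; the article's snippet does neither.
function applyDefaultDomain(input, defaultDomain = DEFAULT_DOMAIN) {
  const name = String(input).trim();
  return classifyLogonName(name) === "bare" ? defaultDomain + "\\" + name : name;
}

// Split the submitted value into domain and user, and flag values that slip
// past the "\" / "@" check but cannot be a usable logon name.
function resolveLogon(input, defaultDomain = DEFAULT_DOMAIN) {
  const submitted = applyDefaultDomain(input, defaultDomain);
  const kind = classifyLogonName(submitted);
  if (kind === "empty") return { submitted, kind, valid: false };
  if (kind === "upn") {
    const at = submitted.lastIndexOf("@");
    const user = submitted.slice(0, at);
    const domain = submitted.slice(at + 1);
    return { submitted, kind, user, domain, valid: user !== "" && domain !== "" };
  }
  // NT Account: everything before the first backslash is the domain
  const slash = submitted.indexOf("\\");
  const domain = submitted.slice(0, slash);
  const user = submitted.slice(slash + 1);
  const valid = domain !== "" && user !== "" && !user.includes("\\");
  return { submitted, kind, user, domain, valid };
}

// Constructed sample inputs covering each branch
const samples = [
  "arjan", "ITW\\arjan", "CHILDDOMAIN\\arjan", "arjan@itw.test",
  "\\arjan", "ITW\\", "  arjan  ", "",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(resolveLogon(s)));
}
```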

Removing the domain prefix requirement from the password page
If you decided to allow users to change their password, the user can click a link to open the password.aspx page when they log on, or when the pages detect the password has expired.
If you want to remove the Domain Prefix from the RD Web Access interface, you need to do some more editing.
Open “password.aspx” and move to line number 19:
RDS Customize Web Access - login page 05
This line, again, holds the text for the label.
Change this line to:

    const string L_DomainUserNameLabel_Text = "User name:";

Or replace “User name:” with a custom text you prefer.

On line 36 add a new constant:

    const string L_DefaultDomain = "ITW";

Again, replace “ITW” with your own NETBIOS domain name.

Go to line 112:
RDS Customize Web Access - login page 45
Add the following code after this line:

    // Keep what the user typed for display, then qualify it with the default domain
    ShortUserName.Value = DomainUserName.Value;
    if ( !(DomainUserName.Value.Contains("\\")) && !(DomainUserName.Value.Contains("@")) )
    {
        DomainUserName.Value = L_DefaultDomain+"\\"+DomainUserName.Value;
    }

The result must look like this:
RDS Customize Web Access - login page 46

To prevent the UserName box from becoming empty if the user fails to enter correct values, this next piece is kind of nasty, but necessary ;)
Find line 174:
RDS Customize Web Access - login page 50
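And change that line into the following. ShortUserName holds whatever the user typed, so it is URL-encoded before being written into the action attribute:

    <form id="FrmLogin" name="FrmLogin" action="password.aspx?UserName=<%=Server.UrlEncode(ShortUserName.Value)%>" method="post">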

The result of that must look like this:
RDS Customize Web Access - login page 49
Really really dirty, but gets the job done.

Next, find line 189:
RDS Customize Web Access - login page 47
Delete this line, and replace it with the following code:

    <input id="ShortUserName" name="ShortUserName" type="text" class="textInputField" runat="server" size="25" autocomplete="off" disabled />
    <input id="DomainUserName" name="DomainUserName" type="hidden" runat="server" />

The result must look like this:
RDS Customize Web Access - login page 48
Save the file.

The password.aspx page is only meant to be reached by a user who is already authenticated. It is not meant to let users change their password without authenticating first. Examples of such unsupported use include adding a link from the login.aspx page to password.aspx, or using the aspx files solely to let domain users change their password without using RD Web Access at all.
If you do want to add a link to password.aspx to allow password change, I suggest you add a link on the toolbar. I describe how to do that in the Customization series.

To conclude:
This added “ITW” as the default authentication domain in both the login page and the password change page. Nothing changed in the rest of the code, so if your Web Access is intended for multiple domains, the user can still enter “CHILDDOMAIN\user name” or “TRUSTEDDOMAIN\user name” or even “ITW\user name” if the user wanted to do that.
We’ve also kept the ability to log on using a UPN instead of an NT Account.

These changes are instant; there’s no need to restart IIS. Just (re)load the Web Access page and test the changes.

Unfortunately, with this customization you need to enter the NETBIOS name hardcoded in three different files. In a future post, which will cover a full customization package with application settings in IIS, I will show how to eliminate this and make the Domain NETBIOS name an application setting which works across the complete RD Web Access interface.
Until next time,

Arjan

30+ years experience in Microsoft powered environments. Enjoy automating stuff using powershell. In my free time (hah! as if there is any) I used to hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). Recently I picked up my Lego addiction again.

Posted in Customize, Remote Desktop, Step-by-Step guide
188 comments on “Properly Removing the domain prefix requirement from RD Web Access 2012 R2”
  1. Mustapha says:

    I put in the code below in RDS 2016 webscripts file

    if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
    {
        objForm.elements["DomainUserName"].value = strDomainName +"\\" + objForm.elements["DomainUserName"].value;
        strDomainUserName = objForm.elements["DomainUserName"].value;
    }

    But I get “You must enter a valid domain name”

  2. Mustapha says:

    Hi Chris, it works thank you sooo much, all i had to do was change the quotes;
    The boxes didn’t load up because of the quotes

    if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
    {
        objForm.elements["DomainUserName"].value = "EMAS\\" + objForm.elements["DomainUserName"].value;
        strDomainUserName = objForm.elements["DomainUserName"].value;
    }

  3. Sombreto says:

    Hi Chris, it works thank you sooo much, all i had to do was change the quotes;
    The boxes didn’t load up because of the quotes

    if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
    {
        objForm.elements["DomainUserName"].value = "EMAS\\" + objForm.elements["DomainUserName"].value;
        strDomainUserName = objForm.elements["DomainUserName"].value;
    }

  4. Michael says:

    Hello guys,
    i have a question. I set up a 2012R2 RD Farm and now i will customize the WebAccess.

    All Servers are inside our domain, also the RD Gateway. Everything works well inside the company network, also Single-Sign-On. From the outside starting applications is fine, too.

    The problem is, if I use the “connect to a remote computer” from outside the network (from a non-domain client) I get an authentication dialogue:

    Is it possible to remove the whole dialog? Or at least specify the default domain name?

    I’ve found a posting on the net to modify the BtnConnect () in Desktops.aspx, but it doesn’t work.
    http://developers-club.com/posts/194122/

    I think it’s totally crap to remove the domain name from the whole WebAccess – but at this point the user has to know and type the domain name!

    Sorry for the bad language :)

    • Simon Jackson says:

      If the ‘external’ computer is a member of the domain – AND you are using a PKI infrastructure. Then the PC you are creating an RDP session to (using: connect to remote pc), will need a PKI assigned RDS certificate.

      In addition to that, you will need to approve the thumbprint of the RD Service on both the gateway and the redirected desktop as trusted for single-sign on.

      Hope that is enough to guide you in the right direction.

  5. David Kemp says:

    Hi, does anyone have full instructions for 2016 RDS. I tried the text above but didn’t work

    • Chris says:

      Hi David,

      It’s quite simple. In the %windir%\Web\RDWeb\Pages\ directory, update webscripts-domain.js ONLY:

      Just before Line 42, add the below code, replacing DOMAIN with your default domain name:

      if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
      {
          objForm.elements["DomainUserName"].value = "DOMAIN\\" + objForm.elements["DomainUserName"].value;
          strDomainUserName = objForm.elements["DomainUserName"].value;
      }

      NOTE: If you copy and paste this, make sure the double quotes come across OK and aren’t invalid smart quotes.

      Chris

      • David Kemp says:

        Hi Chris

        Thanks for this! It was the quotes that didn’t paste correctly.. works perfectly after amending them :)

        David
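
Several commenters traced a failing edit to typographic quotes picked up when copying the snippet. The following added example (not part of the comments or of RD Web Access) scans a pasted snippet for such characters, reports where they are, and confirms the corrected text parses; the function names and the sample snippet are constructed for illustration.

```javascript
// Added example: not part of the comments above. Function names are
// assumptions; the sample snippet at the bottom is constructed.
const TYPOGRAPHIC_QUOTES = {
  "\u201C": '"', "\u201D": '"', "\u201E": '"', "\u2033": '"',
  "\u2018": "'", "\u2019": "'", "\u2032": "'",
};
const QUOTE_RE = /[\u201C\u201D\u201E\u2033\u2018\u2019\u2032]/g;

// Report every typographic quote with its 1-based line and column.
function findTypographicQuotes(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(QUOTE_RE)) {
      hits.push({
        line: i + 1,
        column: m.index + 1,
        char: m[0],
        replacement: TYPOGRAPHIC_QUOTES[m[0]],
      });
    }
  });
  return hits;
}

// Replace typographic quotes with the ASCII quotes JavaScript expects.
function toAsciiQuotes(source) {
  return source.replace(QUOTE_RE, (c) => TYPOGRAPHIC_QUOTES[c]);
}

// Syntax check only: the Function constructor compiles the text without
// running it, so undefined names such as objForm do not matter here.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample: the snippet as it looks after a copy from a web page.
const pasted = String.raw`if ( -1 == strDomainUserName.indexOf(“\\”) && -1 == strDomainUserName.indexOf(“@”))
{
  objForm.elements[“DomainUserName”].value = “DOMAIN\\” + objForm.elements[“DomainUserName”].value;
}`;

for (const h of findTypographicQuotes(pasted)) {
  console.log(`line ${h.line}, column ${h.column}: replace ${h.char} with ${h.replacement}`);
}
console.log("parses before fix:", parses(pasted));
console.log("parses after fix:", parses(toAsciiQuotes(pasted)));
```

Run it against the text you are about to paste before saving webscripts-domain.js; a script file that fails to parse does not run at all, which matches the symptoms reported above.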

  6. Marco says:

    Hello Chris,
    That fix :

    if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
    {
    objForm.elements["DomainUserName"].value = "MYDOMAIN"\\" +
    objForm.elements["DomainUserName"].value;
    strDomainUserName = objForm.elements["DomainUserName"].value;
    }

    Doesn’t really seem to work for me..
    Can i skip everything in this article and ONLY do this little thing ?

    Cause i’ve tried everything now it feels like.

    it still says “You must enter a valid domain name”

    There is a line at 42 like this :
    if ( -1 != strDomainUserName.indexOf("\\") )
    {
        strDomainName = strDomainUserName.substring( 0, strDomainUserName.indexOf("\\") );
    }

    Should this line be replaced with the line you wrote ? or how do i get this to work.. i really can’t get this to work it seems.. :(
    or should i just paste it underneath this line ?

    And the “Renderscripts.js” doesn’t need any of the configurations that is mentioned in this article or ??

    Cause it sounds like the only thing i have to do is.. just add this line at line 41 in Webscripts-domain.js :

    if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
    {
    objForm.elements["DomainUserName"].value = "MYDOMAIN"\\" +
    objForm.elements["DomainUserName"].value;
    strDomainUserName = objForm.elements["DomainUserName"].value;
    }

    and it works.. but doesn’t seem to work for me – and yes i did fix the “double quotes” :)

    Hope to hear from you soon :)

    Marco

    • Chris says:

      Hi Marco,

      Don’t replace any lines, just add it before Line 42 like I mentioned. And yes, this is all you need to do.

      It looks like your problem is an extra double quote after MYDOMAIN (between MYDOMAIN and \\), it should be:

      if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
      {
          objForm.elements["DomainUserName"].value = "MYDOMAIN\\" +
              objForm.elements["DomainUserName"].value;
          strDomainUserName = objForm.elements["DomainUserName"].value;
      }

      Chris

      • Marco says:

        Hello Chris,

        Thank you for a fast reply! really appreciate it :)

        I actually have no idea how that “extra” double quote went in between there.. but in my original webscripts-domain.js there was no double quote at that position :)
        But thank you for pointing that out tho.

        I tried again to add these couple of lines before line 42, and it kept saying “You must enter a valid domain name.”

        So i tried a couple of things.. “MYDOMAIN” has to be the NETBIos name (like mentioned in this article) but i tried with NETBIOSNAME.com, netbiosname and NETBIOSNAME but neither of them worked..

        So this time.. i was happy that i had a complete backup of this folder, cause i’ve done some changes here and there while following the guide in this article – so i replaced EVERYTHING with the backup and then tried to copy the lines you mention

        if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
        {
            objForm.elements["DomainUserName"].value = "NETBiosName\\" +
                objForm.elements["DomainUserName"].value;
            strDomainUserName = objForm.elements["DomainUserName"].value;
        }

        but i had to write the NetBiosName with BIG letters, or else it won’t work… :)

        So it actually works now.. and thank you so much Chris! :)
        Works like a charm now!! :)

        Thank and have a nice day,

        – Marco

  7. Scott says:

    Thank you for this! what a fantastic article. This worked perfectly.. for a few hours last night

    This morning however the behaviour I’m seeing is that I can log into the RDweb page successfully however when I click on the Remote Desktop session collection I get an Authentication box pre-populated with the username and prompting me for password. I was able to replicate this behaviour with several different user accounts. I needed to click “More Choices” then “Use a Different Account” and manually specify DOMAIN\Username and it logged me in successfully.

    Then I signed out and closed Internet Explorer and tried again but this time after clicking the Remote Desktop session collection it took me straight through to the desktop, I was then able to replicate with different users and they all worked.

    Any idea what may be happening?

    Cheers!

  8. Cliff says:

    I’m doing this on Server 2016 and I’m only adding the content below to my web scripts file and it’s not working. Can someone please review and let me know what I’m doing wrong please? I would greatly appreciate it.

    if ( -1 == strDomainUserName.indexOf("\\") && -1 == strDomainUserName.indexOf("@"))
    {
        objForm.elements["DomainUserName"].value = "paranet\\" + objForm.elements["DomainUserName"].value;
        strDomainUserName = objForm.elements["DomainUserName"].value;
    }

    • Cliff says:

      Let me clarify too…I made sure to change out the quote marks and my domain name is in all caps so it reads “PARANET\\”. Still no joy so was hoping someone would review text above and let me know what I missed. Thanks

      • Tato says:

        Yeah, it doesn’t work on w2016 for me either :( Tells me “The user name or password that you entered is not valid. Try typing it again.”

  9. John says:

    This works great! BUT now all my published applications are giving a double authentication in order to launch.

    How do I fix this?

    When I revert to the original files, this does not happen.

  10. Aaron says:

    I also was hit with the “Another user of your computer is currently using this connection. This user must disconnect before you can log on.” and this caused various issues depending on if the user was on Chrome or IE11.
    I found that it was easier to configure SSO for internal users and just have external users utilize their email address to access. Easy training, no errors.
    Would be nice if MS would do the backend work and make this a feature that they support (like Citrix does)

  11. Rob says:

    Doesn’t seem to work on 2012 R2 RDS anymore – it lets me login but unfortunately none of the apps are displayed. However, if I login using the domain\username format, the apps show up.

    • Rob says:

      Turns out this is working. I was hitting a unique scenario where my RDS server had a LOCAL user account that was identical (username & password) to the domain account I was trying to login as. The login was working and taking me to the apps the LOCAL user account had access to, which was none. adding the domain\username was logging in as the DOMAIN user account and was showing me the apps. Therefore, this fix is working as expected on RDS 2012 R2 and my specific scenario was unique and causing the correct but unexpected behavior. Side note: the LOCAL user was to be purged and was from the original install of Windows OS prior to joining to the domain.

  12. James O'Brien says:

    On the password change page, it will not let the user input an email. All we want is the password portion so we don’t want the user to log in. Is there a way to make that happen?

  13. Dan says:

    Hello,

    Does anyone have a solution for the double password prompt on Server 2016? My users are able to log in fine with just the username, however they get prompted for a password again when clicking on a published app. If the user logs in with their UPN, everything works fine as it seems to carry the domain name across for the app.

    Does anyone know how to fix this so that users can log in with their username only without having to use the full UPN?

  14. Jeff Gover says:

    By now MS Windows should have this implemented contextless and not require the Domain prefix at all. It works sometimes.
    Thanks
    Jeff

  15. Stefan says:

    Hello,

    I am happy with this article.
    But I have one issue.
    In the article you stated: “To prevent the UserName box to become empty if the user fails to enter correct values, this next piece is kind of nasty, but necessary ;)”

    If I go to the new link for the password change the field for user name is already empty and not editable, it’s blank and I can’t put the cursor in it.

    Please help anybody.

  16. Okan Korsal says:

    Everything went fine except when I edit the password.aspx file. I cannot enter my user name as the textbox doesn’t seem to be active (it was before).

    I’m also assuming you forgot to enter the code for Line 112: “The result must look like this:”

    && !(DomainUserName.Value.Contains("@")) )

    My site: https://remote.cou.ca/RDWeb/Pages/en-US/password.aspx

  17. Caspan says:

    It seems that now on my password change page the user name field is disabled and I cannot type into it. Is there a reason we disable the ShortUserName field and not leave it enabled so someone can type in the name of their user? Also, if the user has to be authenticated already, can you not just pre-populate this field with the authenticated user name?

    • Simon Jackson says:

      Yes, you can ‘direct’ people with “&username=John.smith” added to the URL. Meaning we can invite staff to reset their password over emails/SMS messages or other mechanism. I’ve used this in the past.

      • Caspan says:

        I just figured out why this box is blank. We don’t authenticate to get to this page. The page is locked down to our internal IP addresses so the user has never logged in, therefore the box does not have the user’s name in it. So I just need to enable the box.

    • Kevin says:

      Hi Caspan,

      May I ask how you can reopen the authenticate box? I still encountered the problem that user name field is disabled.

      • Caspan says:

        Just remove the “disabled” HTML from the input field. Disabled means you can’t type in it.

  18. I had SSO working. When I did this configuration I was presented with a second sign on. This is fine for the RDWeb screen but if you have SSO setup it will ask you to log in twice if you use this configuration. Anyone know how to do this and still keep the single sign on?

  19. Sebastian says:

    Hey Arjan,

    can you make this Tutorial for Server 2016/2019? If I use this how-to, it doesn’t work with password.aspx

  20. Bill Deuterman says:

    Great Post! I followed your directions exactly and it worked like a charm. Thanks for the great write up.

  21. Drew says:

    Some people are heroes and others are legends… You sir are both!
    Great write-up and very easy to implement.

  22. Kim says:

    Five years later and we STILL have to change or remove the domain prefix this way? Wow… just wow.

  23. Steffen says:

    great Post! Thank you so much.
    if you simply need the password.aspx to work (without login to login.aspx first), just add the following:
    line174 (after ):

    function addDefaultDomain() {

        if ( -1 == document.getElementById('ShortUserName').value.indexOf('\\'))
        {
            if ( -1 == document.getElementById('ShortUserName').value.indexOf('@') )
            {
                document.getElementById('DomainUserName').value = '\\' + document.getElementById('ShortUserName').value;
            }
            else
            {
                document.getElementById('DomainUserName').value = document.getElementById('ShortUserName').value;
            }
        }
        else
        {
            document.getElementById('DomainUserName').value = document.getElementById('ShortUserName').value;
        }
        document.getElementById('FrmLogin').action = document.getElementById('FrmLogin').action + '?UserName=' + document.getElementById('ShortUserName').value;
    }

    and remove the original tag.

  24. Markus says:

    Sorry my comment refers to the Post from Steffen.

  27. Adzyboy H says:

    This is so very nearly there!! BUT YOU NEED TO EDIT AND STATE THAT THIS BREAKS GATEWAY SSO… if you implement you will get a second login prompt for gateway access…

    • Oskar Berggren says:

      Can you please elaborate on that? Do you know why it breaks or what could be done to unbreak it? I’m very interested.

  28. Erich Breuninger says:

    After spending hours trying to get it to work on Server 2016, I failed: BUT:
    I found a workaround for me. I simply edit the (default) URL:
    https://password.company.de/RDWeb/Pages/de-DE/password.aspx?UserName=DOMAIN

    This pre-fills the domain and the employee just has to enter their username.

    Background: We have 80% employees who are not fit on the PC.
    And most of them don’t know the difference between / and \.
    In addition, on the German keyboard \ is written awkwardly via ALT GR + ß. None of them would ever find it.

    Translated with http://www.DeepL.com/Translator (free version)

  29. survietamine says:

    Hello, I’ve tried to use RDweb to allow our users to change their passwords but on our Windows 2019 with no AD domain, it always fails with this message « your password cannot be changed. please contact your administrator for assistance ». So, is it still possible with Windows 2019 and no AD domain?

  30. Qaiser says:

    Is there workaround for WIndows Server 2019? This method isn’t working on Server 2019.

  31. Jan says:

    Hi, we want to use RD website only for user password change. Users will change it themselves. Please, how to edit password.aspx so that the domain does not have to be entered. according to this instruction, the field will remain gray. Thank you

  32. Brendan says:

    Not working in Windows Server 2019 but one workaround you can do is pre populate the Domain details in the Domain\Username field so the user only has to enter their username.

    In password.aspx line 184 add in the following –

    value="MYDOMAIN\"

    So the line looks like this.

    Not the same solution but it’s a workaround.

    • Brendan says:

      input id="DomainUserName" name="DomainUserName" type="text" class="textInputField" runat="server" size="25" autocomplete="off" value="MYDOMAIN\"

    • Brendan says:

      Won’t let me add the full line in here for some reason. Add the value to the end of the autocomplete details so it looks like below –

      autocomplete="off" value="MYDOMAIN\"
