Author Archives: Marco

About Marco

Marco works for ViaData as a Senior Technical Consultant. He has over 15 years of experience as a system engineer and consultant, specialized in virtualization. VMware VCP4, VCP5-DC & VCP5-DT. VMware vExpert 2013, 2014, 2015 & 2016. Microsoft MCSE & MCITP Enterprise Administrator. Veeam VMSP, VMTSP & VMCE.

Common Remote Web Workplace (RWW) Connect to a Computer Issues in SBS 2008

The Connect to a Computer feature is one of the most popular features of RWW in SBS 2008. It uses TS Gateway behind the scenes; however, when there is a misconfiguration or a problem, RWW may provide only partial information to help isolate the root issue. This post discusses most of the known issues, how to identify them, and the steps to resolve them.

What we will cover:

  1. Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
  2. VBScript Error: 50331676
  3. Connection Authorization Policies and Resource Authorization Policies.
  4. Authentication Failures
  5. Client Machine Requirements
  6. Internal DNS Considerations
  7. External DNS Considerations
  8. TS Gateway Service Known Issues

1.  Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

For certificate related errors, please review the issues discussed in this article: http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx

2.  VBScript Error: 50331676

When you try to connect to a server or machine you get the following error:

You must have a certificate installed in TS Gateway Manager. This is handled by the “Set up your Internet Address Wizard” or the “Add a Trusted Certificate Wizard” in the SBS 2008 Console. To verify you have a certificate installed for TS Gateway do the following:

  1. Open TS Gateway Manager from Administrative Tools — Terminal Services
  2. Select Properties on the Server Object, and choose the SSL Certificate tab from within properties. You should see a screen similar to the one below stating which certificate TS Gateway is using.

As stated before, you should not see this problem if you have completed the Internet Address Management Wizard. If for any reason no certificate is selected, click Browse Certificates and select the proper certificate, for example “remote.contoso.com”.

3.  Connection Authorization Policies and Resource Authorization Policies.

You must pass the connection authorization policy to make a connection, and the resource authorization policy for the machine you are trying to connect to. This error may also display the VBSCRIPT error 50331676.

We have seen a few cases where the connection authorization policy was modified manually to only allow domain computers to make connections. This means that any machine outside the domain (e.g. their home machine) would not be able to connect. This is shown below. To access this policy:

  1. Open TS Gateway Manager from Administrative Tools – Terminal Services
  2. Expand your computer object
  3. Expand Policies
  4. Select Connection Authorization Policies
  5. Right-Click on the General Connection Authorization policy on the right hand side and choose properties
  6. Make sure the Client computer group membership is blank if you want non-domain joined machines to be able to use the RWW Connect To Computer feature.

4.  Authentication Failures

You must have Windows Authentication enabled on the IIS /RPC virtual directory under the SBS Web Applications web site. If it is missing, you will see a looping prompt for authentication when you try to connect.

Because Outlook Anywhere and TS Gateway share this virtual directory, modifying the authentication settings for Outlook Anywhere in the Exchange Management Console can disable Windows Authentication. To check whether Windows Authentication is enabled, run the following command in the Exchange Management Shell (run as admin):

Get-OutlookAnywhere

(Ignore the warning)

Check the value for the IISAuthenticationMethods Parameter.

You can also check in IIS Manager under the RPC virtual directory, authentication.

Changing the authentication here may only help for a few minutes as Exchange will reset the settings again. You need to complete the proper Exchange configuration steps to resolve this.

If the output of the Exchange Management Shell shows that NTLM is missing, reset the Exchange setting for Outlook Anywhere by running the following command in the Exchange Management Shell (run as admin; ignore the warning):

Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,NTLM

After you make this change, the settings in IIS will not change immediately; it might take up to 15 minutes. You can safely make the change in IIS as well, enabling Windows Authentication and Basic Authentication under Authentication for the RPC virtual directory, and the settings should then remain as expected.

If you still cannot authenticate to the TS gateway prompt, the following resources discuss some known issues:

5.  Client Machine Requirements

The client machine you are trying to connect to must have RDP enabled and listening on the default port of 3389. You must also verify that any firewalls present on the workstation are allowing the traffic inbound on TCP/3389.  Additionally, the client machine you are making the connection from must allow the ActiveX Control to run.  The easiest way to ensure that ActiveX will be enabled is by adding your remote web workplace site to your list of trusted sites in Internet Explorer.

6.  Internal DNS Considerations

You might connect to an unexpected machine when trying to connect to the remote machine.  If this happens you should verify that the DNS records for the clients on the SBS 2008 server hosting RWW are correct.  To do this open the DNS Management console from Start, Administrative Tools, DNS.  Expand the forward lookup zones, and your local active directory zone.  Verify that the host (A) records for the clients are correct.

7.  External DNS Considerations

The hostname section of the PTR record for the remote client machine’s public IP address cannot match the NetBIOS hostname of the SBS 2008 server. If these names match the RWW will not use TS proxy and the connection will fail or connect to an unexpected target.

The only fix is to change the PTR record for the client PC’s external IP address.

Example: Suppose you are using a Windows Vista machine on the Internet. The public IP for this client is 65.53.x.x. The PTR record for this IP is server01.contoso.com. If the SBS 2008 server this machine is trying to connect to has a NetBIOS hostname of Server01, the connection will fail. Ideally your PTR record should match your MX record and your MX record should not be the NetBIOS hostname of your server.

Note: This is a very RARE issue.

8.  TS Gateway Service known issues

TS Gateway Service Not Started After Restart in IIS Manager.

This issue is discussed on this post: http://blogs.technet.com/sbs/archive/2009/04/20/ts-gateway-service-not-started-after-restart-in-iis-manager.aspx

The Terminal Services Gateway service is not running, Contact your network administrator to resolve this issue.

This error can happen due to a number of different issues other than the TS Gateway service not running or the role service not being installed.

  • If IPv6 has been improperly unbound from the network interface, you might get an error that states that the TS Gateway service is not installed. Check the following link for issues related to improperly disabling IPv6: http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx
  • If Client certificates has been set to Accept or Require under the SSL settings on the Rpc virtual directory, you will also see this error. This must be set to Ignore.
  • In general, this error will happen when we cannot properly access the /RPC virtual directory or its settings have been changed from default.

Additional RWW related links:

Source: http://blogs.technet.com/b/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-computer-issues-in-sbs-2008.aspx

Event 2436 for SharePoint Services 3 Search

You may experience a SharePoint Search issue when browsing http://companyweb on an SBS 2008 server; specifically, you see the 2436 errors below in your Application event log every several minutes.

Log Name:      Application
Source:        Windows SharePoint Services 3 Search
Date:          4/29/2009 4:20:05 PM
Event ID:      2436
Task Category: Gatherer
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      server.domain.local
Description:
The start address <sts3s://remote.Domain.com:987/contentdbid={d4078aab-ce82-4581-8d4f-973e1e6eac23}> cannot be crawled.

Context: Application ‘Search index file on the search server’, Catalog ‘Search’

Details:
Access is denied. Check that the Default Content Access Account has access to this content, or add a crawl rule to crawl this content.   (0x80041205)

Cause

You receive the above warning events because the WSS 3.0 Search service is trying to crawl the WSS content via the URL mentioned in the event (remote.domain.com). Windows Server 2008 includes a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, Kerberos authentication for the Default Content Access Account fails if this URL does not match the local computer name and is not registered in the system as an additional Service Principal Name (SPN).

Resolution

To resolve this issue, it is recommended to manually register the URL in your system, or even disable the Loopback check feature. To register this URL, use the following steps:

Note: We recommend that you use this method.

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the URL mentioned in the above warning event, and then click OK.
  7. Quit Registry Editor, and then restart the IIS service.

If you want to disable the Loopback Check feature to work around this issue, refer to Method 2 in the following KB article:

896861 You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
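
The registration steps above can also be scripted; the following PowerShell is an added example, not part of the original article. It assumes the value to register is the host name portion of the address in the event (the constructed sample remote.domain.com), and it also reports whether the DisableLoopbackCheck registry value, which turns the loopback check off for every host name, is set.

```powershell
# Added example: register one host name in BackConnectionHostNames (idempotent).
# $HostName is a constructed sample based on the event text above; replace it with your own.
$HostName  = 'remote.domain.com'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key   = Join-Path $LsaKey 'MSV1_0'
$ValueName = 'BackConnectionHostNames'

# Assumption: the value holds bare host names, so reject a scheme, port or path.
if ($HostName -notmatch '^[A-Za-z0-9]([A-Za-z0-9\.\-]*[A-Za-z0-9])?$') {
    throw "Expected a bare host name, got '$HostName'"
}

# Read the current entries, if the multi-string value already exists.
$existing = @()
$prop = Get-ItemProperty -Path $Msv1Key -Name $ValueName -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$ValueName) }

if ($existing -contains $HostName) {
    # -contains is case-insensitive, which suits host names.
    Write-Host "$HostName is already registered; nothing to change."
} elseif ($prop) {
    # Append to the existing list instead of overwriting other registered names.
    Set-ItemProperty -Path $Msv1Key -Name $ValueName -Value ([string[]]($existing + $HostName))
    Write-Host "Added $HostName to the existing $ValueName list."
} else {
    New-ItemProperty -Path $Msv1Key -Name $ValueName -PropertyType MultiString `
        -Value ([string[]]@($HostName)) | Out-Null
    Write-Host "Created $ValueName with $HostName."
}

# Report whether the loopback check has been disabled globally on this server.
$lsa = Get-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for all host names.'
} else {
    Write-Host 'Loopback check is still enabled; only the listed host names are exempt.'
}

# Step 7 of the procedure: restart IIS so the change takes effect.
iisreset
```

Run it from an elevated PowerShell prompt on the SBS 2008 server.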

More Information

The WSS 3.0 Search service crawls the WSS content through the default Alternate Access Mapping zone. Unlike a normal WSS 3.0 website, which uses http://SiteName as the default Alternate Access Mapping, an SBS 2008 server uses https://remote.domain.com:987 as the default zone. This is by design, and we do not recommend changing it to http://companyweb, as it may break the SBS specific settings.

Additionally, changing the Default Content Access Account for content crawl is NOT an officially supported method to work around this issue, as it has not been tested and can cause other potential issues.

Source : http://blogs.technet.com/b/sbs/archive/2009/05/07/event-2436-for-sharepoint-services-3-search.aspx

Sessions TechEd North America 2010

This week June 7 – 11th there is a big Technet Event in New Orleans. There are a lot of good technical Microsoft Product sessions. Here are some interesting links to a few worth watching.

For more sessions from TechEd North America see http://www.msteched.com/

Sysprep file locations and versions

Symptoms

  • When attempting to customize the deployment of a virtual machine the radio buttons are disabled (grayed out)
  • When a virtual machine is deployed from a template, the SID is always the same, despite the fact that you chose the option to generate a new SID during template deployment and guest operating system customization
  • When attempting to create a new virtual machine from a template in ESX 3.5, you receive the following error message:
Warning: Windows customization resources were not found on this server
  • You see this error in the guestcust.log file:
deploy doesn't contain known sysprep files

Purpose

This issue may occur if Microsoft’s Sysprep files are not found on the VirtualCenter host, are not the correct version, or are not in the location they are expected.

This article guides you through the process of determining the correct version of Sysprep to use and the correct locations for these files.

Resolution

Microsoft has a different version of Sysprep for each release and service pack of Windows. You must use the version of Sysprep specific to the operating system you are deploying. The differences are not immediately visible in the packaging and documentation of the service packs, so it is necessary to manually investigate.

The contents of the Sysprep deploy.cab file must be extracted to the Sysprep Directory on the VirtualCenter Server host. If the file downloaded from the Microsoft Web Site is a .cab file, the Installing the Microsoft Sysprep Tools appendix of the Basic System Administration guide details how to install the Sysprep Tools.

If the file downloaded from the Microsoft Web Site is a .exe file the following additional steps must be executed to extract the files from the .exe:

  1. Open a Windows command prompt. For more information, see Opening a command or shell prompt (1003892).
  2. Change to the directory where the .exe file is saved.
  3. Enter the name of the .exe file with the /x switch to extract the files. For example: WindowsServer2003-KB926028-v2-x86-ENU.exe /x
  4. When prompted, choose a directory for the extracted files.
  5. Browse the directory and copy the extracted files directly to the Sysprep Directory or extract the files from the deploy.cab and copy to the Sysprep Directory.

When the contents of the Sysprep deploy.cab file have been extracted to the Sysprep Directory on the VirtualCenter Server:

  1. Log in to the VirtualCenter Server as Administrator.
  2. Click Start > Programs > Accessories > Windows Explorer.
  3. Navigate to the Sysprep Directory as listed in the table below.
  4. Right-click on the sysprep.exe file and choose Properties.
  5. Click the Version tab. Record the number at the top next to File Version:.

The table below lists the Sysprep Version for the Windows Versions that are supported for Image Customization. Compare the Sysprep Version number with the Windows Version it is intended for:

| Windows Version | Sysprep Directory | Sysprep Version |
|---|---|---|
| Windows 2000 Server SP4 with Update Rollup 1. Download at http://www.microsoft.com/downloads/details.aspx?FamilyID=0c4bfb06-2824-4d2b-abc1-0e2223133afb | <directory_path>\2k | 5.0.2195.2104 |
| Windows XP Pro SP2. Download at http://www.microsoft.com/downloads/details.aspx?FamilyId=3E90DC91-AC56-4665-949B-BEDA3080E0F6 | <directory_path>\xp | 5.1.2600.2180 |
| Windows 2003 Server SP1. Download at http://www.microsoft.com/downloads/details.aspx?familyid=A34EDCF2-EBFD-4F99-BBC4-E93154C332D6 | <directory_path>\svr2003 | 5.2.3790.1830(srv03_sp1_rtm.050324-1447) |
| Windows 2003 Server SP2. Download at http://www.microsoft.com/downloads/details.aspx?FamilyID=93f20bb1-97aa-4356-8b43-9584b7e72556 | <directory_path>\svr2003 | 5.2.3790.3959(srv03_sp2_rtm.070216-1710) |
| Windows 2003 Server R2. Download at http://www.microsoft.com/downloads/details.aspx?familyid=A34EDCF2-EBFD-4F99-BBC4-E93154C332D6 | <directory_path>\svr2003 | 5.2.3790.1830(srv03_sp1_rtm.050324-1447) |
| Windows 2003 x64. Download at http://www.microsoft.com/downloads/details.aspx?familyid=C2684C95-6864-4091-BC9A-52AEC5491AF7&displaylang=en | <directory_path>\svr2003-64 | 5.2.3790.3959(srv03_sp2_rtm.070216-1710) |
| Windows XP x64. Download at http://www.microsoft.com/downloads/details.aspx?familyid=C2684C95-6864-4091-BC9A-52AEC5491AF7&displaylang=en | <directory_path>\xp-64 | 5.2.3790.3959(srv03_sp2_rtm.070216-1710) |
| Windows XP Pro SP3. Download at http://www.microsoft.com/downloads/details.aspx?familyid=673a1019-8e3e-4be0-ac31-70dd21b5afa7&displaylang=en | <directory_path>\xp | 5.1.2600.5512 |
| Windows Vista: System Preparation tools are built into the Windows Vista operating system and do not have to be downloaded. | Not Applicable | Not Applicable |
| Windows Server 2008: System Preparation tools are built into the Windows Server 2008 operating system and do not have to be downloaded. | Not Applicable | Not Applicable |
| Windows Server 2008 R2: System Preparation tools are built into the Windows Server 2008 R2 operating system and do not have to be downloaded. | Not Applicable | Not Applicable |
| Windows 7: System Preparation tools are built into the Windows 7 operating system and do not have to be downloaded. | Not Applicable | Not Applicable |

Notes:

  • If vCenter Server is installed on Windows Server 2008, <directory_path> is %ALLUSERSPROFILE%\VMware\VMware VirtualCenter\sysprep which translates to C:\ProgramData\VMware\VMware VirtualCenter\sysprep by default.
  • If vCenter Server is installed on any other Windows operating system, <directory_path> is %ALLUSERSPROFILE%\Application Data\VMware VirtualCenter\sysprep\ which translates to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\sysprep\ by default.
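
The version check described above can be run over every Sysprep directory at once; the following PowerShell is an added example, not part of the VMware article. The default for $SysprepRoot assumes vCenter Server on Windows Server 2008 (the first note above), and the expected versions are copied from the table.

```powershell
# Added example: compare each installed sysprep.exe with the versions in the table above.
# $SysprepRoot stands for <directory_path>; adjust it for other Windows versions.
$SysprepRoot = Join-Path $env:ALLUSERSPROFILE 'VMware\VMware VirtualCenter\sysprep'

# Expected file versions per subdirectory, taken from the table.
# xp holds SP2 or SP3 files; svr2003 holds SP1/R2 or SP2 files.
$Expected = @{
    '2k'         = @('5.0.2195.2104')
    'xp'         = @('5.1.2600.2180', '5.1.2600.5512')
    'svr2003'    = @('5.2.3790.1830', '5.2.3790.3959')
    'svr2003-64' = @('5.2.3790.3959')
    'xp-64'      = @('5.2.3790.3959')
}

foreach ($dir in ($Expected.Keys | Sort-Object)) {
    $exe = Join-Path (Join-Path $SysprepRoot $dir) 'sysprep.exe'

    # A missing file matches the "customization resources were not found" symptom.
    if (-not (Test-Path $exe)) {
        Write-Host ("{0,-12} sysprep.exe not found" -f $dir)
        continue
    }

    # Build the four-part version from numeric fields so that a build suffix such as
    # (srv03_sp2_rtm.070216-1710) in the FileVersion string does not affect the comparison.
    $v = (Get-Item $exe).VersionInfo
    $found = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart

    if ($Expected[$dir] -contains $found) {
        $status = 'matches the table'
    } else {
        $status = 'NOT a version listed for this directory'
    }
    Write-Host ("{0,-12} {1,-16} {2}" -f $dir, $found, $status)
}
```

A match only shows that the files belong to one of the listed releases; the service pack must still correspond to the guest operating system in the template being deployed.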

Additional Information

For additional information, see:

Source: VMware knowledge base http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005593

Keynotes Microsoft MMS 2010

These are the keynotes from the Microsoft Management Summit 2010. The annual Microsoft Management Summit (MMS) is the premier event of the year for deep technical information and training on the latest IT Management solutions from Microsoft, Partners, and Industry Experts.

MMS 2010 Day 1 Keynote – Managing Systems from the Datacenter to the Cloud

VMware VCP 410 Exam passed.

Today I passed my VMware VCP 410 exam. These are the study notes, blogs and books I used for my exam preparation.

Important documentation links.

VMware vSphere 4.0 documentation : http://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esx40_vc40.html
VMware Consolidated Backup Documentation : http://www.vmware.com/support/pubs/vcb_pubs.html
VMware vCenter Update Manager Documentation : http://www.vmware.com/support/pubs/vum_pubs.html
VMware vCenter Converter Documentation : http://www.vmware.com/support/pubs/vcc_pubs.html

Important document links.

Configuration Maximum Guide : http://www.vmware.com/pdf/vsphere4/r40/vsp_40_config_max.pdf
ESX and vCenter Server Installation Guide : http://www.vmware.com/pdf/vsphere4/r40_u1/vsp_40_u1_esx_vc_installation_guide.pdf
ESXi and vCenter Server Setup Guide : http://www.vmware.com/pdf/vsphere4/r40_u1/vsp_40_u1_esxi_i_vc_setup_guide.pdf
vSphere Upgrade Guide : http://www.vmware.com/pdf/vsphere4/r40/vsp_40_upgrade_guide.pdf
ESX Configuration Guide : http://www.vmware.com/pdf/vsphere4/r40/vsp_40_esx_server_config.pdf
Fiber Channel SAN Configuration Guide : http://www.vmware.com/pdf/vsphere4/r40/vsp_40_san_cfg.pdf
iSCSI SAN Configuration Guide : http://www.vmware.com/pdf/vsphere4/r40/vsp_40_iscsi_san_cfg.pdf
vSphere Basic System Administration : http://www.vmware.com/pdf/vsphere4/r40/vsp_40_admin_guide.pdf
vCenter Converter Administration Guide : http://www.vmware.com/pdf/vsp_vcc_41_admin_guide.pdf
Setup for Failover Clustering and Microsoft Cluster Services : http://www.vmware.com/pdf/vsphere4/r40/vsp_40_mscs.pdf
vSphere Availability Guide : http://www.vmware.com/pdf/vsphere4/r40/vsp_40_availability.pdf
VMWare Data Recovery Administrator’s Guide : http://www.vmware.com/pdf/vdr_10_admin.pdf

Books I used for preparation.

Mastering VMware vSphere 4 by Scott Lowe. Link

Links to Blogs about the VMware VCP 410 exam.

The Slog. Blog from Simon Long. Link.
Matthijs van den Berg Blog. Link.

Network Emulator Toolkit

Searching for a tool to simulate a poor network connection? Here is the solution. It’s called Network Emulator Toolkit (NEWT) and is available in a 32 Bits version and a 64 Bits version.

Download.
Network Emulator Toolkit 32-Bits.
Network Emulator Toolkit 64-Bits.

There is a new version of this tool, see the comment from Lonny Kruger. He wrote a blog about it. http://blogs.msdn.com/lkruger/archive/2009/06/08/introducing-true-network-emulation-in-visual-studio-2010.aspx

Creating Bootable Vista / Windows 7 USB Flash Drive

This will walk through the steps to create a bootable USB flash drive for the purpose of installing a Vista or Windows 7 OS.  These instructions assume that you have a computer with Windows Vista installed on it.

Required:

  • USB Flash Drive (4GB+)
  • Microsoft OS Disk (Vista / Windows 7)
  • A computer running Vista / Windows 7

Microsoft RSS Feeds for knowledge base articles.

Like most people I use RSS feeds to keep track of news and updates from various sources. But did you know you can also keep track of Microsoft’s knowledgebase articles per product using RSS feeds? I didn’t… take a look here.

Here are some RSS feeds on knowledgebase articles that might be of interest to you:

For more products check the link. http://support.microsoft.com/selectindex/?target=rss