Showing posts with label Windows. Show all posts

Friday, October 5, 2018

Failed to connect RDP “Your computer can’t connect to the Remote Desktop Gateway server”

Error: “Your computer can’t connect to the Remote Desktop Gateway server”


Solution: 

  • Open the Registry Editor using the regedit command
  • Go to HKCU\Software\Microsoft\Terminal Server Client\
  • Create a new DWORD (32-bit) value called: RDGClientTransport
  • Give it a value of: 1
  • After updating the registry, restart the server

Monday, June 25, 2018

Windows 10 RDP CredSSP Encryption Oracle Remediation Error

Description:
You may have noticed that after installing recent security updates on Windows 10, users face an error during remote desktop connection.

Procedure:
Just a couple of days ago, the cumulative updates listed below were released for Windows 10, Server 2016, etc. These cumulative updates include the fix for the CredSSP encryption vulnerability.

May 8, 2018 – KB4103721 (OS Build 1803)
May 8, 2018 – KB4103727 (OS Build 1709)
May 8, 2018 – KB4103731 (OS Build 1703)
May 8, 2018 – KB4103723 (OS Build 1609 & Server 2016)

Once you have installed the patch on a “vulnerable” workstation and attempt to connect to an unpatched server, you will see the following error message that happens after you type in your password to authenticate to the RDP session.













  • To resolve this issue, you need to configure the Encryption Oracle Remediation setting in Group Policy on the local system.
  • You can find this at Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> Encryption Oracle Remediation. By default, this is set to Not Configured.
  • To fix the issue as a workaround, set the policy to Enabled and set the Protection Level to Vulnerable. This is not recommended by Microsoft, as making sure both the client and server are patched is best practice. However, setting the policy to Vulnerable allows your workstation to connect to the remote desktop session that was previously blocked by the mitigation.
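
The policy above is stored as the AllowEncryptionOracle registry value (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable). The following PowerShell is an added example, not part of the original post, that reports the current level and removes the Vulnerable workaround once the server has been patched; the function names are illustrative.

```powershell
# Added example (not from the original post). Registry location of the
# Encryption Oracle Remediation policy described above.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$LevelNames = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-OracleRemediationLevel {
    # Returns the configured protection level. When the value is absent the
    # policy is "Not configured" and the patched client uses its default.
    $prop = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Value = $null
            Level = 'Not configured'; WorkaroundActive = $false
        }
    }
    $value = [int]$prop.AllowEncryptionOracle
    $name  = $LevelNames[$value]
    if (-not $name) { $name = "Unknown ($value)" }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Value = $value
        Level = $name; WorkaroundActive = ($value -eq 2)
    }
}

function Remove-OracleRemediationWorkaround {
    # Removes a locally set "Vulnerable" level. Run elevated, and only after
    # the RDP server has received the CredSSP update.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-OracleRemediationLevel
    if (-not $state.WorkaroundActive) { return $state }
    if ($PSCmdlet.ShouldProcess($CredSspKey, 'Remove AllowEncryptionOracle = 2')) {
        Remove-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle
    }
    Get-OracleRemediationLevel
}

Get-OracleRemediationLevel | Format-List
Remove-OracleRemediationWorkaround -WhatIf   # drop -WhatIf to apply
```

If the value was set through Group Policy, set the policy back to Not Configured as well, otherwise the next policy refresh writes the value again.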






Thursday, February 15, 2018

SSL Certificate Installation - Tomcat Server

Procedure:


Create a New Keystore:

  • You will be using the keytool command to create and manage your new keystore file. You may need to add the Java /bin/ directory to your PATH before the keytool command is recognized. When you are ready to create your keystore, go to the directory where you plan to manage your keystore and certificates. Enter the following command in the command prompt:


           keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_site_name.jks

  • You will be prompted to choose a password for your keystore. You will then be prompted to enter your organization information.
  • When it asks for first and last name, this is NOT your first and last name, but rather the Fully Qualified Domain Name of the site you are securing (example: www.yourdomain.com). If you are ordering a Wildcard Certificate, this must begin with the * character (example: *.yourdomain.com).
  • After you have completed the required information, confirm that the information is correct by entering 'y' or 'yes' when prompted. Next, you will be asked for your password to confirm. Make sure to remember the password you choose. Your keystore file named your_site_name.jks is now created in your current working directory.

Generate a CSR from Your New Keystore:

  • Next, you will use keytool to create the Certificate Signing Request (CSR) from your Keystore. Enter the following command:
         keytool -certreq -alias server -file csr.txt -keystore your_site_name.jks


  • Type the keystore password that you chose earlier and hit Enter.
  • Once the CSR is generated, upload it to the Certificate Authority to have the SSL certificate issued.

Install Certificate on Tomcat Server:

  • Depending on the certificate format in which you received the certificate from the Certificate Authority, there are different ways of importing the files into the keystore.

PKCS#7:
  • If the certificate you received is in PKCS#7 format (the extension of the certificate file will be .p7b or .cer), it already includes the necessary intermediate and root certificates. Additionally, a certificate with the .p7b extension can be downloaded in the user account. Run the following command to import it into the keystore:
         keytool -import -trustcacerts -alias server -keystore example.jks -file example.p7b
  • If the certificate was imported successfully, you will see the message 'Certificate reply was installed in keystore'. You can check the details of the certificate that was imported to the keystore with the command:
         keytool -list -keystore example.jks 

PEM: 
  • If you received the certificate in the PEM format (the files will have the .crt extension), you will need to import the root certificate, the intermediate certificates and the certificate issued for your domain name into the keystore separately, starting with the root certificate and ending with the certificate for your domain name. To import a root certificate, run the following command:
        keytool -import -alias root -keystore example.jks -trustcacerts -file root.crt
  • To import an intermediate certificate:
        keytool -import -alias intermediate -keystore example.jks -trustcacerts -file intermediate.crt
  • After the successful import, you need to edit the Tomcat configuration file. As a rule, it is called server.xml and can usually be found in the Home_Directory/conf folder. Change the configuration file as follows:

        <Connector port="443" protocol="HTTP/1.1"
          SSLEnabled="true"
          scheme="https" secure="true" clientAuth="false"
          sslProtocol="TLS" keystoreFile="/your_path/yourkeystore.jks"
          keystorePass="password_for_your_key_store" />

  • Save the changes and restart Tomcat web service.
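
The PEM steps above end with the certificate issued for the domain name, for which no command is shown. The following PowerShell is an added example, not part of the original post, that runs the whole import sequence and then checks that alias server holds the private key with a complete chain; example.crt and the KS_PASS environment variable are assumed names.

```powershell
# Added example: PEM import order from the steps above, then a chain check.
# Assumed names: example.crt (issued certificate) and KS_PASS (env variable).
$keystore = 'example.jks'
$secure   = Read-Host -Prompt 'Keystore password' -AsSecureString
$env:KS_PASS = [System.Net.NetworkCredential]::new('', $secure).Password

try {
    # Root first, then intermediate, then the certificate for the domain.
    # The last import must reuse the alias of the key pair ("server") so
    # keytool installs it as the certificate reply for that private key.
    $imports = @(
        @{ Alias = 'root';         File = 'root.crt' },
        @{ Alias = 'intermediate'; File = 'intermediate.crt' },
        @{ Alias = 'server';       File = 'example.crt' }
    )
    foreach ($i in $imports) {
        # keytool may ask for confirmation before trusting a CA certificate;
        # compare the fingerprint it prints with the one the CA publishes.
        & keytool -import -trustcacerts -alias $i.Alias -file $i.File `
            -keystore $keystore '-storepass:env' KS_PASS
        if ($LASTEXITCODE -ne 0) { throw "Import failed for alias '$($i.Alias)'" }
    }

    # Verify the result (string matches assume keytool's English output).
    $listing = (& keytool -list -v -alias server -keystore $keystore `
            '-storepass:env' KS_PASS) -join "`n"
    $isKeyEntry  = $listing -match 'Entry type: PrivateKeyEntry'
    $chainLength = 0
    if ($listing -match 'Certificate chain length: (\d+)') { $chainLength = [int]$Matches[1] }

    if (-not $isKeyEntry) { throw 'Alias "server" is not a private key entry.' }
    if ($chainLength -lt 2) { throw "Chain length is $chainLength; the intermediate is missing." }
    "OK: alias 'server' has a private key and a chain of $chainLength certificates."
}
finally {
    # Do not leave the keystore password in the session environment.
    Remove-Item Env:\KS_PASS -ErrorAction SilentlyContinue
}
```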

Wednesday, January 18, 2017

IIS Common Issues and solutions



Below are some common IIS issues and their solutions.


  1. "User is not recognized using Windows Authentication"
  • Open Internet Information Service Manager
  • Find the application pool for Pronestor (pronestor)
  • Right click and choose advanced settings
  • Ensure that "Identity" is set to Network Services
  • Recycle application pool

  2. "HTTP 502 - Bad gateway"

  • Open Internet Information Service Manager
  • Find the application pool for Pronestor (pronestor)
  • Right click and choose advanced settings
  • Ensure that "Identity" is set to Network Services
  • Recycle application pool

  3. "HTTP 500 internal server error" / "HTTP 500.19 internal server error" / "HTTP 500.21"

  • Open a command prompt
  • Go to the folder for the .NET Framework (C:\Windows\Microsoft.NET\Framework64\v4.0.30319)
  • Run aspnet_regiis.exe -i


And


  • Make sure .NET is enabled as a feature ("add/remove Programs" -> "Turn Windows features on or off")


And


  • Make sure ASP.NET is enabled as a role ("add/remove Programs" -> "Turn Windows features on or off")


And


  • Ensure that "IIS_IUSRS" has full permissions on the PRONESTORDISPLAY folder


And (if "Handler" is showing MVCScriptMap64)
  • Ensure the handler mapping for MvcScriptMap64 is set to use .NET 4.0 framework
  • "PageHandlerFactory-Integrated" bad module "ManagedPipelineHandler in IIS7..."
  • Open a command prompt
  • Go to the folder for the .NET Framework (C:\Windows\Microsoft.NET\Framework64\v4.0.30319)
  • Run aspnet_regiis.exe -i

  4. "Absolute physical path "C:\inetpub\custerr" is not allowed in...."

  • Please open the Event Viewer and look for Warnings/Errors in the "Application" log.
  • Choose a Warning/Error and look for the stack trace in the "General" tab

  5. "HTTP 404 when call http://localhost/pronestor"



IIS 7/7.5 (Windows 2008 Server)

  • Open Internet Information Service Manager
  • Find the application pool (pronestor)
  • Right click and choose advanced settings
  • Ensure that "Load user profile" is set to "true"


IIS 6 (Windows 2003 Server)



  • Open Internet Information Service Manager
  • Make sure ASP.NET 4.0 is allowed as a Web Service Extension

  6. "HTTP 404 when calling http://localhost/pronestor/Booking.NET/Home.mvc"

IIS 7/7.5 (Windows 2008 Server)

  • Ensure that the Role "HTTP Redirection" is enabled
     


  7. "Can't install Pronestor Display due to missing ASP.NET Role"

  • IIS 6 - the role is installed but the Pronestor Display installer still complains that ASP.NET isn't
  • Check that the ASP.NET role is enabled (see article here from Microsoft)
  • Run the installation from a command prompt using:
  • "msiexec /i proNestor.Display.Setup.msi /l*v logfile.txt BYPASS_PREREQUISITES=1"
     


  8. "PronestorWebAdmin.Models.PnbDataContext...ctor()"

  • With Notepad, open the connectionstrings.config file located in the Configuration folder
  • Ensure that the name of the connection string is equal to:
  • <add name="dbConnectionString" connectionString="......
     


  9. "Unable to generate a temporary class (Result=1)"

  • It is due to a lack of permissions on the temporary folder which is used by IIS.
    The easiest way to fix it is as follows:
  • Right click the folder c:\windows\temp
  • Choose permission
  • Ensure that "NT AUTHORITY\NETWORK SERVICE" has the following minimum permissions on the folder - ("List folder"/"Read Data"/"Write"/"Delete")
  • Open the IIS
  • Locate the Pronestor application pool and recycle the application pool
     


  10. "HTTP Error 400. The size of the request headers is too long"

  • When a user is a member of a large number of Active Directory groups, the Kerberos authentication token for the user increases in size. If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.
  • There are two ways to solve this issue:
  • Decrease the number of Active Directory groups that the user is a member of.
  • Try increasing the MaxRequestBytes and MaxFieldLength values as per note (you will need to restart the HTTP service, or reboot the machine, for it to take effect).
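
The following PowerShell is an added example, not part of the original post, that reads the two HTTP.sys limits and estimates whether a Negotiate header carrying a Kerberos token of a given size fits within them. It assumes the documented HTTP.sys default of 16384 bytes for both values when they are unset; the function names and the 1024-byte allowance for other headers are illustrative.

```powershell
# Added example: compare HTTP.sys header limits with an estimated
# "Authorization: Negotiate" header for a Kerberos token of a given size.
$HttpParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$DefaultLimit = 16384   # assumed default for both values when not set

function Get-HttpSysHeaderLimits {
    $p = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    $limits = [ordered]@{}
    foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
        if ($p -and $null -ne $p.$name) { $limits[$name] = [int]$p.$name }
        else                            { $limits[$name] = $DefaultLimit }
    }
    [pscustomobject]$limits
}

function Test-NegotiateHeaderFits {
    param(
        [Parameter(Mandatory)][int]$TokenBytes,   # size of the Kerberos token
        [int]$OtherHeaderBytes = 1024             # request line + other headers (estimate)
    )
    $limits = Get-HttpSysHeaderLimits
    # The token travels base64-encoded: every 3 bytes become 4 characters.
    $encoded     = [int]([math]::Ceiling($TokenBytes / 3) * 4)
    $headerValue = 'Negotiate '.Length + $encoded
    [pscustomobject]@{
        TokenBytes      = $TokenBytes
        HeaderBytes     = $headerValue
        MaxFieldLength  = $limits.MaxFieldLength    # limit for a single header
        MaxRequestBytes = $limits.MaxRequestBytes   # limit for request line + all headers
        FitsField       = ($headerValue -le $limits.MaxFieldLength)
        FitsRequest     = (($headerValue + $OtherHeaderBytes) -le $limits.MaxRequestBytes)
    }
}

# Constructed sample sizes: a small token and two large ones.
8000, 12000, 48000 | ForEach-Object { Test-NegotiateHeaderFits -TokenBytes $_ } | Format-Table
```

Raise the limits only as far as the largest expected token requires, since every request to the server is then allowed headers of that size.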