403 - Forbidden: Access is denied. on Anywhere Access

Hello,

I set up Anywhere Access via Windows Server Essentials Dashboard on Windows Server 2016 Standard with a Let’s Encrypt SSL Certificate using the Certify SSL/TLS Certificate Management (CertifyTheWeb) following Mariette Knap’s tutorial “Get a free Let’s Encrypt SSL certificate for Access Anywhere and automatically renew it,” which is absolutely outstanding by the way. Every step was successful, no errors, no problems, just great!

However, after no indication of any problem during setup, I can’t access my “Anywhere Access” site (remote.mydomain.com). I get the webpage “Server Error, 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.”

Can anybody help me with a clue as to what might be wrong?
Thanks!
James

I also just noticed that I have two errors/events on my server for Remote Desktop Services:

ID: 400, Severity: Warning, Source: Microsoft-Windows-TerminalServices-Gateway, Log: Microsoft-Windows-TerminalServices-Gateway/Operational, Details: The RD Gateway service is shutting down. This maybe voluntary administrator restart or a configuration driven restart due to RDG server certificate change. If the RD Gateway shutdown was not expected, kindly verify whether the following services are started: (1) Network Policy Server; (2) Remote Procedure Call (RPC); (3) RPC/HTTP Load Balancing Service; and (4) World Wide Web Publishing Service. Also, check Event Viewer for Network Policy Server (NPS) and IIS events that might indicate problems with NPS or IIS.

ID: 103, Severity: Critical, Source: Microsoft-Windows-TerminalServices-Gateway, Log: Microsoft-Windows-TerminalServices-Gateway/Operational, Details: The Remote Desktop Gateway service does not have sufficient permissions to access the Secure Sockets Layer (SSL) certificate that is required to accept connections. To resolve this issue, bind (map) a valid SSL certificate by using RD Gateway Manager. For more information, see “Obtain a certificate for the RD Gateway server” in the RD Gateway Help. The following error occurred: “2148073494”.

Can anybody help please?

Thanks,
James

Hi James, I’m not familiar with the Access Anywhere parts or the tutorial content, but the real issue is probably the “Remote Desktop Gateway service does not have sufficient permissions to access the Secure Sockets Layer (SSL) certificate”. I’m guessing the “RD Gateway service is shutting down” message is just because the script you run is restarting it after updating the certificate.

I don’t know what steps you are being asked to follow, but when you work with certificates on Windows you need to make sure the certificate is imported into the “Local Machine” store rather than the user-specific store (both are called My/Personal, but one is user specific and the other is machine specific). You also need to make sure the Private Key is set to be Exportable. If you do this with a script in Certify using the already imported certificate that the app creates, then that normally works OK because you are working under the Local System user, but you have to be careful if any part of the script you are using re-imports the certificate. You also need to be careful if you are working with scripts as a different user (especially if the user is not an administrator). If your service is running under a specific user, that user needs to be able to access the private key for the certificate, which is not always simple (see http://paulstovell.com/blog/x509certificate2).

I think I’d need a bit more info on the exact process you are following.

Hi webprofusion! Thanks for the reply!!

My health report was full of errors this morning, but I think they all have to do with this one problem. Here’s some of the details of the report (hopefully helpful) …

ActiveDirectory_DomainService
Event ID: 1220
LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
Error value:
8009030e No credentials are available in the security package

DFSR
Event ID: 6016
The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
Object Category: msDFSR-LocalSettings
Object DN: CN=DFSR-LocalSettings,CN=,OU=Domain Controllers,DC=,DC=local
Error: 1355 (The specified domain either does not exist or could not be contacted.)

DNS-Server-Service
Event ID: 4013
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

ActiveDirectory_DomainService
Event ID: 2886
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

DNS-Server-Service
Event ID: 414
The DNS server computer currently does not have a DNS domain name. Its DNS name is a single-label host name with no domain (for example: “host” rather than “host.microsoft.com”).
You might have forgotten to configure a primary DNS domain for the server computer.
Because the DNS server has only a single-label name, all zones created will have default records (SOA and NS) created using only this single-label name for the server’s host name. This can lead to incorrect and failed referrals when clients and other DNS servers use these records to locate this server by name.
To correct this problem:

  1. Click Start, and then click Control Panel.
  2. Open System and Maintenance, and then open System.
  3. Click Change Settings, and then click Change.
  4. Click either Domain or Workgroup, and then type the name of the domain or workgroup you want the computer to join; the domain or workgroup name will be used as your DNS domain name.
  5. When prompted, restart the computer.

After the computer restarts, the DNS server will attempt to fix up default records, substituting the new DNS name of this server for the old single-label name. However, you should review the zone’s SOA and NS records to ensure that they now use the correct domain name of this server.

DFSR
Event ID: 1202
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 1355 (The specified domain either does not exist or could not be contacted.)

I’m using the Essentials Dashboard role installed on Windows Server 2016 Standard and there are two users, the default Administrator and a “network administrator” that the Essentials setup has you set up during the process of setting up the server, but both are full administrators on the system. Maybe I need to be logged in as the network administrator instead of the default administrator when I run the Certify SSL/TLS Certificate Management app to create the SSL Certificate.

I’m new at this so any insight you can provide would be wonderful!

Thanks,
James

Hi James, sorry it’s not very helpful but a 403 error means access denied, whereas a problem with your SSL certificate would result in either a browser error (not secure etc) or an error 500 (problems using the certificate etc).

Can you try accessing your system over http instead of https? That would rule out the certificate as a problem.

If you use RD Gateway Manager, can you manually choose the certificate and if so does it work? If not can you try manually re-importing the certificate: from Certify open your managed certificate details, and look under Advanced for the path to the PFX file, that will lead you to the certificate file which you can manually import (to local machine, allow private key to be exportable).

Well, it turns out that I was trying to go to http://remote.mydomain.com instead of https://remote.mydomain.com. It works! I feel so stupid, but thankful it was that easy. Thank you for following up with me and helping me figure this out!!!


Hello, I am the author of the above-mentioned tutorial. Larson is correct that the URL to reach Access Anywhere on a Windows Server 2016 Essentials should be https://remote.domain.com/remote. Anything else does not work.
It is interesting to see on this board that there is a discussion going on for refreshing the certificate on RDS and restarting the service, see Post-renewal script for binding new certificate to Remote Desktop Gateway. This is definitely needed on a Windows Server 2016 Essentials, but hopefully v4 will be released with this included, if I understand it correctly.

Hi Mariette,

I’m currently running v.3.0.11. Does that mean I could install v.4.0.4 over the top (update) and this would be taken care of?

Thanks,
James

Generally with scripting you need to adapt it to your own requirements; however, v4 enables various new deployment workflows and no longer has a direct dependency on IIS websites for domain validation. We do bundle an RDP Gateway script, but it doesn’t restart the server (on purpose); you can copy the script and uncomment that line if you like. Alternatively you may prefer to periodically restart the RDP Gateway service as a scheduled task within a standard maintenance window (to pick up the refreshed certificate when it renews).

If you upgrade to v4 (you need to uninstall v3 first) your settings will be upgraded and any existing certificates you have would be renewed as normal.
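To tie together the advice in this thread (import into the Local Machine store with an exportable key, bind the certificate to RD Gateway the way RD Gateway Manager does, and restart the service only deliberately), here is an added PowerShell example. It is not the tutorial’s script and not the script bundled with Certify; the PFX path, password handling, the `Win32_TSGatewayServerSettings.SetCertificate` WMI call and the `TSGateway` service name are assumptions of this example, so check them against your own system.

```powershell
# Added example (not Certify's or the tutorial's own script): import a renewed PFX into
# LocalMachine\My with an exportable key, bind it to RD Gateway, verify, and optionally
# restart the gateway service. Assumed: PFX path/password supplied by the caller, the
# Win32_TSGatewayServerSettings WMI class and the TSGateway service name.
param(
    [Parameter(Mandatory)][string]$PfxPath,   # path shown under Advanced in Certify
    [string]$PfxPassword = '',                # leave empty if the PFX has no password
    [switch]$RestartGateway                   # off by default, like the bundled script
)

$ErrorActionPreference = 'Stop'

# 1. Import into the machine store (Cert:\LocalMachine\My), NOT the user store
#    (Cert:\CurrentUser\My), and mark the private key exportable.
$importArgs = @{
    FilePath          = $PfxPath
    CertStoreLocation = 'Cert:\LocalMachine\My'
    Exportable        = $true
}
if ($PfxPassword) {
    $importArgs.Password = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
}
$cert = Import-PfxCertificate @importArgs

# Event ID 103 with error 2148073494 (0x80090016, NTE_BAD_KEYSET) is what RD Gateway
# logs when the private key is missing or unreadable, so check it before binding.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; RD Gateway cannot use it."
}

# 2. Bind by thumbprint (the same operation RD Gateway Manager performs in the UI).
#    A WMI ReturnValue of 0 means success.
$gw = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                    -Class 'Win32_TSGatewayServerSettings'
$result = $gw.SetCertificate($cert.Thumbprint)
if ($result.ReturnValue -ne 0) {
    throw "SetCertificate failed with code $($result.ReturnValue)"
}

# 3. Confirm the bound certificate is present in the machine store and not yet expired.
$bound = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $bound -or $bound.NotAfter -lt (Get-Date)) { throw 'Bound certificate is missing or expired.' }
Write-Host "Bound $($bound.Subject) ($($bound.Thumbprint)), valid until $($bound.NotAfter)"

# 4. The gateway only picks up the new certificate on restart (Event ID 400 in the
#    Gateway/Operational log). Do this in a maintenance window unless asked to.
if ($RestartGateway) {
    Restart-Service -Name 'TSGateway'
}
```

Run it from an elevated PowerShell session as an administrator, or from a Certify post-renewal task running as Local System, so the import lands in the machine store rather than a user profile.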

Thanks webprofusion! James, let me do some testing with v4 and restarting that service within the script. That seems to me the appropriate way of doing things. I will update the guide on my site after testing. Big thanks to Certify the Web and Team for making this tool available!


Great! Thank you Mariette!! And yes, thanks again to the Certify The Web Team!!!
