Windows server 2016 datacenter vpn installation fails - remote-access

I have a VPS with Windows Server 2016 Datacenter, which I access through Remote Desktop. I would like to access it through VPN, so I tried to repeat the working configuration I have in another VPS with Windows Server 2008 Standard.
Both servers have a single Network Interface with a public address and a second internal address (10.1.0.1/255.255.255.248). As I said, VPN works perfectly on 2008.
The procedure I followed is described perfectly with screenshots in an article by Thomas Mauer
http://www.thomasmaurer.ch/2016/10/how-to-install-vpn-on-windows-server-2016/
So, briefly, I added the Remote Access role with the Remote Access and Routing features. The role and features get installed without any problem and then I am directed to a wizard, though which I try to initialize the VPN-only feature with a custom configuration. When I finally get into the "old" Routing and Remote Access Management console and try to right-click on the server node to "Configure and Enable Routing and Remote Access" this procedure never ends. A rotating clock icon stays there forever, so I have to kill the management console from the task manager.
When I reopen the management console, either with or without restarting the server, the server looks like running. Then I right-click on the server and select "Properties" in order to define the tunneling protocol for VPN as well as the internal address range that will be provided to the connected clients. The problem here is that this properties popup never gets saved. The "Apply" button does nothing, the "OK" button does not close the form and only the "Cancel" button closes the form without changing anything.
Has anybody seen this behaviour? Am I missing something?
Best regards,
Alex

I don't know why, but for this service to work the user "Network Service" needs to have "Logon as Service" permission, other services do not seam to require that...
You can grant this permission either by using secpol.msc or by just switching the service to run as e. g. "Local System" and back to "Network Service" (empty password fields).

To answer my question, it turned out that, for reasons I don't know, when the routing and remote access was being installed, the "Remote Access Management Service" was not starting. And after the server's restart it was always at "Starting" status.
This service is installed to run under the "Network Service" credentials with an Automatic (Delayed start) start type. When I changed to "Local Service" and manual, I was able to install the Role and initialize it without any problem. And then when I went back to Network Service and Automatic it runs without any more problems.
Strange ...
Alex

Related

HTTP error 503. service unavailable when trying to run local host

HTTP error 503. service unavailable when trying to run local host.
Default application pool is getting stopped everytime when trying to run local host.
IIS-->Application pools-->Default application pool-->advancedsettings-->Generate process model log entry-->identity has been set propwerly to corect credentials.
Also tried restarting the IIS.
Tried all solutions suggested in below link.
https://windowsreport.com/http-error-503-service-unavailable/#:~:text=If%20HTTP%20error%20503%20the,it%20would%20resolve%20the%20issue.&text=Right%2Dclick%20on%20DefaultAppPool%20to,service%20is%20unavailable%20is%20gone.
can anyone help me on this?
There are many reasons for this error, you can try the following solutions:
Click on application pools under the tree with your machine name, on the right side, click on advanced settings, in Process Model change the "Load User Profile" to false, Start your apllication and restart your IIS.
In IIS go to the Application Pools under the Server, then find the correct application pool for your web site, and click on it. On the advanced settings menu to the right, select Identity and change it and enter new user and password. Click on your application pool again, and select recycle to restart it.

Serve static files from network share as gmsa

I am trying to serve static files from a file server running Windows Server 2016. I would like to use a group managed service account for the connection.
I have attempted configuring IIS on Windows Server 2012 to use the gmsa. The Test-ADServiceAccount cmdlet returns True for the gmsa I am attempting to use on the IIS host. I have gone under the basic settings option of the IIS site configuration and used the "connect as" button and set it to the gmsa account with no password. The prompt then says "Connect as 'gmsa-foo$'". However, when I attempt to press "ok", I get an error that the specified password is invalid.
Can I use a gmsa to allow access to the remotely hosted static files that I want to serve? Do I need to use a particular version of Windows Server to do so?
Make sure you added the gMSA account in the application pool identity.
It should be noted that this account may show unexpected behavior in IIS manager. For example, if you click on “Basic Settings” for an application that uses this account for its application pool, “Test Settings” may give you an error indicating “the user name or password is incorrect”. Usually, this can be ignored. Browsing any page in the application would be a better test – as long as you don’t receive a 503 response, the application pool username/password is fine.
You could get more information from the below document:
Windows Server 2012: Group Managed Service Accounts

Remote Desktop Services error on WS 2012

I have Remote Desktop Services running on Windows Server 2012 R2. This feature is still working just fine. I can log into the RD Web page, and access all of my remote applications that I have published.
However, I can no longer manage the deployment. When I launch server manager, and navigate to Remote Desktop Services, I see a message "A Remote Desktop Services deployment does not exist in the server pool. To create a deployment, run the Add Roles and Features Wizard and select the Remote Desktop Services installation option."
When I click manage > Add Roles and Features. The RD Web components are showing as installed. This just started happening recently. Does anyone know why?
I fixed it! I'm not sure why this fixed it, but disabling the options for IPv6 worked. Basically, go into your NIC adapter properties, and uncheck the box next to IPv6.

How do I connect Release Management 2013 client on a non-domain Windows 10 box?

I've got 2 machines:
A corporate desktop machine which is running Windows 7 SP1 which resides on the corporate domain and which I log into using a corporate domain account.
A personal laptop that I use when working from home via the Cisco VPN client but presently sits on my desk connected to the corporate WiFi (though I had it connected to the wire and on the same subnet as my desktop machine today also). This machine is not on the corporate domain; I log into this machine with a Microsoft Account.
I need to run Visual Studio 2013 Release Management Client from both machines. The machine on my desktop works fine when entering either the IP address or the URL into the Release Management Server URL entry field and everything hooks up and all is glorious.
On my Windows 10 laptop however, it's a different story. Every attempt to connect is met with the error:
The server specified could not be reached. Please ensure the
information that is entered is valid (please contact your Release
Management administrator for assistance). <-- I'm the admin
I can ping the machine both with IP address and with hostname, ruling out DNS issues. Both client machines are on the same subnet. Both machines are using the same outbound port.
Checking the event log I see a bunch of Message: The remote server returned an error: (401) Unauthorized.
Checking with Fiddler, on my desktop machine, I can walk through the handshake of each of the stages of startup and all is good. But in Fiddler on my laptop I see 3 401 Unauthorized errors before Release Management Client bombs and returns the rather uninformative message I posted above.
I've attempted to create a shadow account on my laptop and do the Shift-Right Click-Run As Different User dance, but I must be missing something because I can't get this to run.
I've talked to the network administrator who suggests that I should be able to access all of the same resources from both machines and that it must be a Release Management issue.
Is this an incompatibility between VS2013 Release Management & Windows 10 or something else? Has anyone else had this issue and overcome it? I have access to be able to administer the Release Management environment if there's changes that need to be made there and I'm a local administrator on both machines. I'm not however a domain administrator if changes need to be made there.
I would bet you simply have a security issue as the workstation is not domain-joined and the WPF client is using Integrated Authentication.
Often creating a local "shadow" user with same username and password, and running the client app under that account (run as) works.
Another option is to join the workstation to the domain or use a domain-joined VM.
After fully investigating the situation, it appears to have been a combination of factors. I am posting a response because this appears to be a relatively common problem:
The workstation was sending an unexpected credential to the server. To get around this, you have to configure the user account on the server without a domain in the username and create a shadow account on your local machine. When running the client application, you must either log into this shadow account on the local machine or you must SHIFT+RIGHT CLICK and choose "Run as" entering your local shadow credentials. This will then pass the shadow account to the server which will now authenticate without referencing the domain. OR
Create a user account on the server that matches the credentials on your local machine including MACHINENAME\LocalUsername
There appeared to be a network issue when attempting to connect to the Release Management Server from the non-domain machine when connected inside the network. When connecting via the VPN from home, this situation was resolved, but only after we'd ensured the account and local machine accounts were correctly configured. The domain connected machine always connected properly.

Windows Azure RDP / FTP

Using the new interface for Windows Azure, how do I enable RDP? I am using a cloud service and my site is mysite.cloudapp.net. In my publish settings, I enabled RDP. Where do I find my RDP credentials? How do I enable FTP, if possible? Here are the instructions that I followed:
https://www.windowsazure.com/en-us/develop/net/common-tasks/remote-desktop/
I see no hosted services tab in the new layout.
When I try to RDP, I receive an instant failure message that I cannot connect. I am using Windows 8 and I tried Windows 7.
For RDP, assuming you've followed all the steps and the configuration is right, you need to use the management portal, click on cloud services on the left and select the service whose instance you want to RDP into, select instances in the menu at the top and then pick the instance you want to RDP into.
The bottom toolbar should include a connect option, clicking on it should download an RDP file you can open to RDP into the machine, this will prompt you for the credentials you need to provide (as provided in your project configuration).
You can actually save this RDP file and re-use it for the deployment, but it may become invalid if you re-deploy as port numbers change.
As for FTP, much has been written about it, for example this, but you really need to consider the note in this article, for example - files you upload to the role instance will disappear if the role needs to be recycled for whatever reason.

Resources