There is a published problem with EBS 2008 where Outlook prompts for a password all the time when connected over HTTP/RPC (Outlook Anywhere) – see the Microsoft EBS Team Blog. We have found that the same problem is also exposed in the Remote Web Workplace when trying to connect over Remote Desktop to your PC or to the servers.
The problem is that the authentication for the Remote Desktop is broken because Outlook has failed to connect based on the published issue mentioned above. The failure of Outlooks authentication breaks the DefaultAppPool is IIS. Recycling the application pool fixes the issue – but only for a short while. It breaks again at the next failed Outlook login. And because the breaks in authentication are due to Outlook it is difficult to see why Remote Desktop ceases to operate.
But apply the same fixes from the above blog and Remote Desktop begins to work and stays working.
To fix, run the following four commands from an elevated command prompt on the messaging server:
- %windir%\System32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/authentication/windowsAuthentication
- %windir%\System32\inetsrv\appcmd.exe set config “Default Web Site/ews” -section:windowsAuthentication -useKernelMode:False /commit:apphost
- %windir%\System32\inetsrv\appcmd.exe set config “Default Web Site/AutoDiscover” -section:windowsAuthentication -useKernelMode:False /commit:apphost
- %windir%\System32\inetsrv\appcmd.exe set config “Default Web Site/OAB” -section:windowsAuthentication -useKernelMode:False /commit:apphost
The above commands are probably wrapped for reading on your screen – each bullet point is a single command to be entered as one line. Instructions for making changes via the GUI can be seen on the above blog post.
A recent installation of a second SharePoint site on Small Business Server 2008 broke the Remote Web Workplace site for access from the internet. Intranet access to the site worked fine, but from the internet where the http request to the site is redirected to https had stopped working.
Opening up IIS 7 Manager and checking the bindings of the SBS Web Applications site showed that the site had two http bindings and a https binding. The https binding was for * under IP Addresses and port 443. Clicking the Edit button on this binding showed that the certificate was not correct. This was the reason the site was not working, as a https site requires a certificate.
So I selected the correct certificate and clicked OK. And got the following error:
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
The reason is that the installation of the SharePoint site, and the installation of the certificate to support that site broke the binding for the TS Gateway role on the Windows 2008 machine. The broken binding on the SBS Web Applications site was because of this broken TS Gateway configuration and to fix the above error in IIS required fixing the TS Gateway issue. Note that at no point in the configuration of the SharePoint application was the TS Gatway role configuration changed – the installation of another certificate on the server broke the TS Gatway which broke the Remote Web Workplace SBS Web Applications site.
Opening Server Manager and navigating to the Roles/Terminal Services/TS Gateway/Servername area showed a message in the middle pane of the Server Manager saying that configuration of the TS Gateway was not complete. Clicking this link brought up the TS Gateway SSL Certificate page of the Properties dialog. Click Browse Certificates and select the correct certificate. In SBS 2008 this will be the Remote Web Workplace certificate. Click OK to close the dialog and you will now be able to check the https binding on the SBS Web Applications website. The error will now not occur, and the https binding will be bound to the correct certificate.
If you are not running SBS 2008 then the above is possible, just it is more likely to be a problem with the Default Web Site bindinging instead.
Additionally, I noticed after I had written the above that this error also occurs if you delete the certificate used by the TS Gateway from the IIS box and as well as breaking TS Gateway (which would be expected) it also breaks the “Add a trusted certificate” wizard in the SBS Server Console. The Add a trusted certificate wizard crashes when started with just a failed application message and nothing in the event log. To fix make sure the SBS Web Application IIS site is bound to a valid digital certificate.