A recent installation of a second SharePoint site on Small Business Server 2008 broke the Remote Web Workplace site for access from the internet. Intranet access to the site worked fine, but access from the internet, where the http request to the site is redirected to https, had stopped working.
Opening up IIS 7 Manager and checking the bindings of the SBS Web Applications site showed that the site had two http bindings and an https binding. The https binding was for * under IP Addresses and port 443. Clicking the Edit button on this binding showed that the certificate was not correct. This was the reason the site was not working, as an https site requires a certificate.
So I selected the correct certificate and clicked OK, and got the following error:
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
The reason is that the installation of the SharePoint site, and the installation of the certificate to support that site, broke the binding for the TS Gateway role on the Windows 2008 machine. The broken binding on the SBS Web Applications site was a consequence of this broken TS Gateway configuration, so fixing the above error in IIS required fixing the TS Gateway issue. Note that at no point in the configuration of the SharePoint application was the TS Gateway role configuration changed: the installation of another certificate on the server broke the TS Gateway, which in turn broke the Remote Web Workplace SBS Web Applications site.
Opening Server Manager and navigating to the Roles/Terminal Services/TS Gateway/Servername area showed a message in the middle pane of the Server Manager saying that configuration of the TS Gateway was not complete. Clicking this link brought up the TS Gateway SSL Certificate page of the Properties dialog. Click Browse Certificates and select the correct certificate. In SBS 2008 this will be the Remote Web Workplace certificate. Click OK to close the dialog and you will now be able to check the https binding on the SBS Web Applications website. The error will now not occur, and the https binding will be bound to the correct certificate.
If you are not running SBS 2008 the above can still happen; it is just more likely to be a problem with the Default Web Site binding instead.
Additionally, I noticed after I had written the above that this error also occurs if you delete the certificate used by the TS Gateway from the IIS box. As well as breaking TS Gateway (which would be expected), it also breaks the “Add a trusted certificate” wizard in the SBS Server Console. The Add a trusted certificate wizard crashes when started, with just a failed application message and nothing in the event log. To fix this, make sure the SBS Web Application IIS site is bound to a valid digital certificate.
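A quick way to check that every SSL binding on the server still points at a usable certificate, which is the condition the fix above restores. This is an added example, not part of the original post; it assumes English-language `netsh` output and an elevated PowerShell prompt on the server.

```powershell
# Added example (not from the original post).
# Assumptions: English netsh output, elevated prompt, run on the server itself.

# Index the computer's Personal certificate store by thumbprint.
$store = @{}
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { $store[$_.Thumbprint] = $_ }

$endpoint = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        # Start of a binding record, e.g. 0.0.0.0:443
        $endpoint = $Matches[1]
    }
    elseif ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $thumb = $Matches[1].ToUpper()
        $cert  = $store[$thumb]

        if (-not $cert) {
            # The binding references a certificate that has been deleted
            # from the store, as in the deleted-certificate case above.
            $subject = '(unknown)'
            $status  = 'PROBLEM: certificate is not in LocalMachine\My'
        }
        else {
            $subject = $cert.Subject
            if (-not $cert.HasPrivateKey) {
                $status = 'PROBLEM: no private key'
            }
            elseif ($cert.NotAfter -lt (Get-Date)) {
                $status = 'PROBLEM: expired ' + $cert.NotAfter
            }
            elseif ($cert.NotBefore -gt (Get-Date)) {
                $status = 'PROBLEM: not yet valid'
            }
            else {
                $status = 'OK'
            }
        }

        # One line per binding: endpoint, thumbprint, subject, verdict.
        '{0,-20} {1}  {2}  {3}' -f $endpoint, $thumb, $subject, $status
        $endpoint = $null
    }
}
```

The thumbprint reported for the port 443 binding can then be compared with the certificate selected on the TS Gateway SSL Certificate page.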
Remote Web Workplace (RWW) is a feature of Windows Essential Business Server 2008 (WEBS) and Small Business Server 2008 (SBS). Both of these operating systems provide a web portal to view internal resources such as Outlook Web Access (OWA), SharePoint and Remote Desktop to your own PC.
I have noticed on a number of installations the following error:
There is a problem in Remote Web Workplace. A logon error occurred: There is a problem communicating with the Outlook Web Access server.
There are two reasons for this that I know about. The outcome of this for the user is a popup with the above error in it when clicking the E-Mail or SharePoint link within RWW.
The first is that if you have changed the URL of your RWW site, the Single Sign-On (SSO) functionality is configured to connect to the old URL and so fails. The second is that the external URL for RWW is not accessible internally (for example if the internal Active Directory DNS name is the same internally and externally and the internal DNS zone does not have an A record for the RWW URL).
To fix the first issue you need to make a backup of the web.config file located in “c:\program files\Windows Essential Business Server\Bin\webapp\Remote” and then edit this file (using Notepad or the like) so that the ssoApplications node reads as follows:
Where the serverName value is correct for your environment. Note also that if SharePoint is installed and the Company Web link appears on RWW, this XML node will contain some SharePoint information that will need changing too.
To fix the second issue you need to add an A record to your internal DNS that points to your RWW site, using the external IP address of this site. If your internal AD/DNS zone is the same as your external zone (i.e. fabrikam.com in the above example) then create a new A record for remote.fabrikam.com on an internal DNS server that has the external IP address of the site as its IP address. If your internal and external DNS zones are separate, ensure that the SBS server or the WEBS Messaging Server resolves the external value correctly.
If neither of these solve your problems with RWW then the place to look is the RWW debug log file. This is located in “c:\program files\Windows Essential Business Server\Logs\WebWorkplace\w3wp” and you need to read the bottom of the file to find the most recent login error (search the file from the bottom upwards for the word “error”).
The above two problems were solved based on the errors found in this debug log file.
If when you log into Remote Web Workplace on Small Business Server 2008 or Essential Business Server 2008 as a non-administrator user you get the following error messages:
Cannot connect to the Remote Web Workplace site. To continue, contact your network administrator.
Event Viewer/Application Log/ASP.NET 2 Warning: Event ID 1309
ArgumentOutOfRangeException “Index was out of range. Must be non-negative and less than the size of the collection.” Request URL: https://server:443/remote/menu.aspx
You need to do the following to fix this error. On the server you need to modify the permissions of the RWWConfig.xml file. This file is located in “C:\Program Files\Windows Small Business Server\Data” or “C:\Program Files\Windows Essential Business Server\Data” depending upon the product that you are running.
- Ensure the permissions on the above file are:
  - Authenticated Users – Read (not inherited)
  - NETWORK SERVICE – Read (not inherited)
  - SYSTEM – Full Control (inherited from parent folder)
  - Administrators – Full Control (inherited from parent folder)
- Make sure the Authenticated Users group is a member of the Pre-Windows 2000 Compatible Access group.
- Run iisreset from the command line on the server
- Attempt the login again, but first close any copy of Internet Explorer that was running (or attempting to run) RWW.
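To verify the permissions listed above without clicking through the Security tab, the following compares the file's ACL with that list and also reports any additional allow entries. This is an added example, not part of the original post; it matches accounts by their well-known SIDs so that it does not depend on the display language, and it assumes an elevated PowerShell prompt on the server.

```powershell
# Added example (not from the original post). Run elevated on the server.
$candidates = @(
    'C:\Program Files\Windows Small Business Server\Data\RWWConfig.xml',
    'C:\Program Files\Windows Essential Business Server\Data\RWWConfig.xml'
)
$path = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $path) { throw 'RWWConfig.xml not found in either product folder' }

# Well-known SID -> label, required rights, expected "inherited" flag
# (values taken from the permission list above).
$expected = @{
    'S-1-5-11'     = @('Authenticated Users', 'Read',        $false)
    'S-1-5-20'     = @('NETWORK SERVICE',     'Read',        $false)
    'S-1-5-18'     = @('SYSTEM',              'FullControl', $true)
    'S-1-5-32-544' = @('Administrators',      'FullControl', $true)
}

# Explicit and inherited ACEs, with identities returned as SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl $path).GetAccessRules($true, $true, $sidType)

foreach ($sid in $expected.Keys) {
    $label, $rightsName, $inherited = $expected[$sid]
    $want = [int][System.Security.AccessControl.FileSystemRights]$rightsName

    # An entry counts only if it is an Allow ACE for this SID, has the
    # expected inheritance flag and grants at least the required rights.
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IsInherited -eq $inherited -and
        (([int]$_.FileSystemRights -band $want) -eq $want)
    }

    if ($hit) { $status = 'OK' } else { $status = 'MISSING OR DIFFERENT' }
    '{0,-20} {1,-12} inherited={2,-6} {3}' -f $label, $rightsName, $inherited, $status
}

# Allow entries for any other account are not part of the list above.
$rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and -not $expected.ContainsKey($_.IdentityReference.Value)
} | ForEach-Object {
    'EXTRA ACE: {0} {1}' -f $_.IdentityReference.Value, $_.FileSystemRights
}
```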