The other day, I posted here with some tips and a really basic overview of setting up an RDS gateway and session host. While this worked for the first site, I ran into some trouble when trying to make it work in my own office. As I was troubleshooting, our sales guy called and said that his Outlook Anywhere wasn’t working. Related? Hmm…

Went into the IIS console on the RDS Gateway/Exchange server. The Rpc folder was set to allow Basic authentication but not Windows authentication. Enabled Windows authentication, ran IISRESET, problem solved… for now.

So the bug? Here goes.

Create two users: give one permission to use the RDS gateway but don’t give them permission to log in to the RDS Session Host. Give the other permission only to log in to the Session Host, but not to use the gateway. The first user is misconfigured, but this is a common mistake that is very easy to make by failing to put your user in the right group. On the session host, add a link to an app, any app. I used WordPad for my test. Now, from an external system, log in to your RDS Web Access page as the first user and follow the RDP link on the page to try launching that RemoteApp. What happens? You click the Options button and see an error that the user doesn’t have permission to log in to the server, as if they were RDP’ing directly into the server. Click OK, click Switch User, and log in as your user who is not allowed to access from the outside. You just broke in.

In the real world, this requires two things to be exploited: your first user is misconfigured and your second user knows their password. This isn’t that impossible, though; after all, I found this in the first place because I misconfigured a test user — it’s easy to put someone in the wrong group, not test, and give them their login info. If the two users are friendly, it’s totally reasonable to think that one might mention it to the other. There should be an option on the session host to immediately terminate sessions for users who cannot log in when using a web app. The error message should be shown to the user on their own desktop, not on the server’s login screen!
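Since the whole problem starts with a user landing in the wrong group, the cheapest defence is to audit the two group memberships against each other before anyone notices the gap. The script below is an added example, not part of the original post, and it assumes (as placeholders) that gateway access is granted through an AD group called RDS-Gateway-Users and session host logon through an AD group called RDS-SessionHost-Users that is nested into the host’s local Remote Desktop Users group; it also assumes the ActiveDirectory PowerShell module is installed. It lists users who can reach the gateway but cannot log on to the host (the misconfigured first user from the test above) and, in the other direction, users who can log on to the host but were never meant to come in from outside (the second user).

```powershell
# Added example, not from the original post: audit RDS gateway vs. session host group membership.
# Assumed placeholder group names; replace with the groups used in your RD Gateway CAP/RAP and
# in the session host's Remote Desktop Users group. Requires the ActiveDirectory module (RSAT).
param(
    [string]$GatewayGroup     = 'RDS-Gateway-Users',
    [string]$SessionHostGroup = 'RDS-SessionHost-Users'
)

Import-Module ActiveDirectory

function Get-GroupUserNames {
    param([string]$Group)
    # -Recursive expands nested groups, so users granted access indirectly are included too
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object -Unique
}

$gw = @(Get-GroupUserNames -Group $GatewayGroup)
$sh = @(Get-GroupUserNames -Group $SessionHostGroup)

$findings = @()

# Allowed through the gateway but not onto the host: the "first user" in the post.
# These accounts get as far as the host's logon screen and should be fixed or removed first.
foreach ($u in ($gw | Where-Object { $sh -notcontains $_ })) {
    $findings += [pscustomobject]@{ User = $u; Issue = 'GatewayAccessWithoutSessionHostLogon' }
}

# Allowed on the host but not through the gateway: the "second user", whose password would
# still be accepted at the host's logon screen if someone reaches it from outside.
foreach ($u in ($sh | Where-Object { $gw -notcontains $_ })) {
    $findings += [pscustomobject]@{ User = $u; Issue = 'SessionHostLogonWithoutGatewayAccess' }
}

if ($findings.Count -eq 0) {
    Write-Output "Gateway and session host group membership are consistent."
} else {
    $findings | Sort-Object Issue, User | Format-Table -AutoSize
}
```

Run it from a domain-joined admin workstation and pipe `$findings` to Export-Csv if you want a record per audit. The first category is the one to clear immediately, since those are the accounts that can reach the host logon screen without being entitled to log on; the second category is informational, but it tells you exactly whose credentials would be accepted there.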