# RemoteApp giving 'access is denied'



## ufodisko (Apr 29, 2013)

I've setup a RemoteApp (calculator) for testing purposes and when I try to access it through the browser I get 'Access is Denied'.

I'm on a domain controller with an administrator privileges. I added my username to the Remote Desktop Users group and TS Web Access group and a bunch of other groups too.

I also disabled the 'allow single logon to terminal' in the policy settings but still I'm getting access is denied.

I'm on a windows server 2008 r2
What must I do to get this working?


----------



## Tomshawk (Jan 23, 2013)

These should get you going

Remote Desktop Web Access (RD Web Access)

Mainly

Checklist: Make RemoteApp Programs Available Through Remote Desktop Web Access

I'm not positive but I think you should not diable "allow single logon to terminal" but enable it


----------



## ufodisko (Apr 29, 2013)

I have done that already and the apps are appearing in RD Web Access. It's when I try to open the app that I get 'access is denied'.

I'm also getting a certificate error in IE whenever I launch RD Web Access. Could that be the problem?


----------



## Tomshawk (Jan 23, 2013)

The Certificate error should not be a problem

check out this tutorial
Configuring Windows Server 2008 RD Web Access - Techotopia

If that does not work, try this

Start the WmiMgmt.msc MMC snap-in.  2. Right-click the *WMI Control* node, and then click *Properties*. 
3. Click the *Security* tab, click *Root*, click *CIMV2* , and then click *TerminalService*. 

4. Select the *TerminalServices* node, and click Security. 
5. Click *Add*, type inside the object name for the "TS Web Access Computers" local security group, and then click *OK*: 
<server machine name> \ *TS Web Access Computers* 
6. In the list of the *Permission* check boxes, click to select the *Execute Methods*, *Enable Account*, and *Remote Enable* check boxes. 
7. Click *OK*, and then close the *Properties* dialog box for TerminalServices. 

If the WMI permissions are added properly and the issue is not resolved, please confirm if the Distributed COM is enabled:

1. Enable DCOM on the RD Session Host:

a. Run Dcomcnfg.exe

b. Expand Component Services.

c. Expand the Computers folder, right-click the computer for which you want to enable DCOM, and then click Properties.

d. Click the Default Properties tab.

e. Select the Enable Distributed COM on this computer check box. 

f. Click OK.
2. Reboot the RD Session Host computer.


----------



## Tomshawk (Jan 23, 2013)

BTW

Have you added IUSR with Read and Execute privilege on the application folder?


----------



## ufodisko (Apr 29, 2013)

> 5. Click Add, type inside the object name for the "TS Web Access Computers" local security group, and then click OK:


It was already added.



> e. Select the Enable Distributed COM on this computer check box.


It was already checked.

I checked the tutorial, I've seen it before and followed it to the letter. Still getting 'Access is denied'.


----------



## ufodisko (Apr 29, 2013)

Tomshawk said:


> BTW
> 
> Have you added IUSR with Read and Execute privilege on the application folder?


That I have not done, I don't think so.

Where can I do that from?


----------



## Tomshawk (Jan 23, 2013)

https://support.gearhost.com/KB/a443/how-to-give-write-access-to-files-for-iusr.aspx


----------



## ufodisko (Apr 29, 2013)

> 1. Right click on the *directory* that you which to apply anonymous access to or write access and select properties.


I don't understand, what directory? It's an application, calculator.


----------



## Tomshawk (Jan 23, 2013)

Sorry, you meant the built in calculator.

I was thinking a custom apps

I assume you did but, have you done this?



 Log on to the desired server with local administrator privileges.
 Click Start, and then click Run.
 In the Run dialog box, type in ServerManager.msc and click OK.
 After the Server Manager console is displayed, select the Configure Remote Desktop task.
 In the Systems Properties dialog box, on the Remote tab, and in the Remote Desktop section, click the Select Users button.
 Next, click the Add button, and in the Select Users or Groups dialog box, choose to find the users or groups you want to grant access to, and click OK.
 Click OK, and in the System Properties dialog box, click OK.


----------



## ufodisko (Apr 29, 2013)

Tomshawk said:


> Sorry, you meant the built in calculator.
> 
> I was thinking a custom apps
> 
> ...


Yes, I have done that too


----------



## Tomshawk (Jan 23, 2013)

OK, When the certificate comes up, I assume you agree to it and install it?


----------



## ufodisko (Apr 29, 2013)

Nothing is coming up, when I launch the browser it says that the security certificate presented by this website was issued for a different website's address.

I simply click on 'continue to this website'


----------



## Tomshawk (Jan 23, 2013)

different website?

I'm 99% sure that is the problem and doesn't make sense.

How are you browsing to the Server?

Servername from inside your network? http://servername
or an outside name like http://www.websitename.com


----------



## ufodisko (Apr 29, 2013)

I'm browsing it using https://localhost/RDWeb/


----------



## Tomshawk (Jan 23, 2013)

When you get the certificate, what does it say the servername is supposed to be?
does it match the above?


----------



## ufodisko (Apr 29, 2013)

In the browser I have a certificate error at the top, when I click on it and goto view certificates, I can see the server name: ALFA.PRIXIMPORT.LOCAL

That's the actual server name and it is part of a domain.

Also, could the problem be a permission issue from IIS?


----------



## Tomshawk (Jan 23, 2013)

ufodisko said:


> In the browser I have a certificate error at the top, when I click on it and goto view certificates, I can see the server name: ALFA.PRIXIMPORT.LOCAL
> 
> That's the actual server name and it is part of a domain.
> 
> Also, could the problem be a permission issue from IIS?


If it was an IIS permission issue the links and instructions above should fix it

Do you get a cert issue if you just browse to https://ALFA or https://localhost ?

what happens when you try http://ALFA or http://localhost ?


----------



## ufodisko (Apr 29, 2013)

> Do you get a cert issue if you just browse to https://ALFA or https://localhost ?


Yes



> what happens when you try http://ALFA or http://localhost ?


No, I just get the .NET blue error page "server error in application 'default website'"


----------



## Tomshawk (Jan 23, 2013)

And if you type the entire servername in the address bar does the cert error go away

https://ALFA.PRIXIMPORT.LOCAL

edit: You should get the cert message and when you click continue it should go away


----------



## Tomshawk (Jan 23, 2013)

Check out this link

SSL Certificate Name Mismatch Error


----------



## ufodisko (Apr 29, 2013)

> And if you type the entire servername in the address bar does the cert error go away
> 
> https://ALFA.PRIXIMPORT.LOCAL


Yes, the error went away when I accessed the full server name but I have a new error now.

*ActiveX Control not enabled.*

Even though I went to internet options and made sure that activex is enabled.


----------



## Tomshawk (Jan 23, 2013)

Now add /RDWeb to the end, does it work?

How To Enable ActiveX Controls on Windows Server 2008 - The Agileer - Site Home - MSDN Blogs


----------



## ufodisko (Apr 29, 2013)

Yes, it still gets in if I add /rdweb but I'm still getting the ActiveX Control error even after going to *Configure IE ESC*


----------



## ufodisko (Apr 29, 2013)

Ok, I got in now without the certificate error and I fixed the ActiveX Control error too.

Tried to open the calculator and boom *'access is denied'*


----------



## Tomshawk (Jan 23, 2013)

Are there any errors in the event log of the server or workstation that you are trying to open this app from?


----------



## ufodisko (Apr 29, 2013)

I was working on a coworker's workstation, the problem was at his desk.

So I used VMWare, installed Windows Server 2008, Installed DNS & Active Directory, Install RD License Manager, RD Host Session Manager, RemoteApp Manager.

Did the right configuration and it worked without any problems.

My guess is that my coworker did something to mess up his settings. But it all worked like a charm on a fresh installation.

Thank you *Tomshawk*, you're awesome.


----------



## Tomshawk (Jan 23, 2013)

Excellent, Glad you got it working though sorry you had to rebuild to get it working

Well done


----------

