Hello,
I set up Anywhere Access via the Windows Server Essentials Dashboard on Windows Server 2016 Standard with a Let's Encrypt SSL certificate using the Certify SSL/TLS Certificate Management app (CertifyTheWeb), following Mariette Knap's tutorial "Get a free Let’s Encrypt SSL certificate for Access Anywhere and automatically renew it," which is absolutely outstanding by the way. Every step was successful, no errors, no problems, just great!
However, after no indication of any problem during setup, I can't access my "Anywhere Access" site (remote.mydomain.com). I get the webpage "Server Error, 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."
Can anybody help me with a clue as to what might be wrong?
Thanks! James
My health report was full of errors this morning, but I think they all have to do with this one problem. Here are some of the details of the report (hopefully helpful) …
ActiveDirectory_DomainService Event ID: 1220 LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate. Error value: 8009030e No credentials are available in the security package
DFSR Event ID: 6016 The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically. Object Category: msDFSR-LocalSettings Object DN: CN=DFSR-LocalSettings,CN=,OU=Domain Controllers,DC=,DC=local Error: 1355 (The specified domain either does not exist or could not be contacted.)
DNS-Server-Service Event ID: 4013 The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
ActiveDirectory_DomainService Event ID: 2886 The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
DNS-Server-Service Event ID: 414 The DNS server computer currently does not have a DNS domain name. Its DNS name is a single-label host name with no domain (for example: “host” rather than “host.microsoft.com”). You might have forgotten to configure a primary DNS domain for the server computer. Because the DNS server has only a single-label name, all zones created will have default records (SOA and NS) created using only this single-label name for the server’s host name. This can lead to incorrect and failed referrals when clients and other DNS servers use these records to locate this server by name. To correct this problem:
DFSR Event ID: 1202 The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues. Additional Information: Error: 1355 (The specified domain either does not exist or could not be contacted.)
I’m using the Essentials Dashboard role installed on Windows Server 2016 Standard, and there are two users, the default Administrator and a “network administrator” that the Essentials setup has you set up during the process of setting up the server, but both are full administrators on the system. Maybe I need to be logged in as the network administrator instead of the default Administrator when I run the Certify SSL/TLS Certificate Management app to create the SSL certificate.
I’m new at this so any insight you can provide would be wonderful!
Thanks, James
Hello James,
The messages you see are probably all timing issues and can be ignored. Can you access https://remote.domain.com/remote? Please also review this guide, "There is an error in your remote desktop services settings", when you run the Repair Access wizard, and rerun the Access Anywhere wizard.
Hi,
No, that's the problem. If I go to remote.mydomain.com/remote, I get the "Server Error, 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied." message.
Looks like something in IIS has been changed. Can you rerun the Access Anywhere wizard, disable VPN and RDP and after that enable those again?
Hi Mariette,
Thanks again for your reply, and thank you for the suggestion, but it didn't work. However, I realized that I could get to Microsoft's IIS splash page by going to remote.mydomain.com (w/o /remote on the end), so something must be working. Then I realized I was going to http://remote.mydomain.com/remote instead of https://remote.mydomain.com/remote, which would explain the "403 - Forbidden: Access is denied." error, wouldn't it? If I go to https instead of http, it works! I thought by going to http, it would automatically kick me over to https instead. Does that make sense?
Also, I think you might have been right about all the alerts I was receiving being timing issues; at least most of them didn't show up again in the day-two health report. I'm not sure, but I'm guessing that if an error persists, the health report will reflect that day after day. Maybe the errors only showed up in the first health report after I restarted the server. I could be wrong; maybe the error is only reported once, even though it is still there. Do you know by chance?
Thanks for responding/helping here! I really appreciate it!!
James
Yes, without SSL it should throw a 403 forbidden message. So, always use 'https' and you should be fine. Like I said, those errors only occur when the server is rebooted. No worries :)
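As an added check (not part of the thread, and not Mariette's or Microsoft's code), this Windows PowerShell 5.1 script reproduces what James observed, probing the /remote URL over plain HTTP and HTTPS without following redirects, and then listing the HTTPS bindings and their certificates in IIS. The host name is a placeholder taken from the thread; replace it with your own, and run the IIS part on the server itself.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1 (what Server 2016 ships).
$hostName = 'remote.mydomain.com'   # placeholder from the thread; use your own host name

function Test-RemoteUrl {
    param([Parameter(Mandatory)][string]$Url)
    try {
        # -MaximumRedirection 0: report the redirect itself instead of silently following it
        $r = Invoke-WebRequest -Uri $Url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        $status   = [int]$r.StatusCode
        $location = $r.Headers['Location']
    } catch {
        # 403/3xx responses surface as a WebException whose Response carries the status
        $resp = $_.Exception.Response
        if ($resp) { $status = [int]$resp.StatusCode; $location = $resp.Headers['Location'] }
        else       { $status = -1; $location = $_.Exception.Message }   # DNS or TLS failure
    }
    [pscustomobject]@{ Url = $Url; Status = $status; Location = $location }
}

$results = @(
    Test-RemoteUrl "http://$hostName/remote"
    Test-RemoteUrl "https://$hostName/remote"
)
$results | Format-Table -AutoSize

# How to read it, matching the thread:
#   http  -> 403       plain HTTP is refused by IIS for /remote (expected; nothing is broken)
#   https -> 200/302   the site works; a 302 to the logon page is normal
#   https -> -1        the TLS handshake or name lookup failed: check binding/certificate below

# On the server: which sites have an HTTPS binding, and which certificate each one uses.
Import-Module WebAdministration
Get-WebBinding -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash, certificateStoreName |
    Format-Table -AutoSize
```

Compare the certificateHash shown with the thumbprint of the Let's Encrypt certificate that Certify issued; a stale hash after a renewal is the usual reason the HTTPS side stops working later.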
Thanks again, Mariette. I still have one other, unrelated problem with my server backup. In my health report it says:
A scheduled backup did not finish successfully Alert details: The scheduled backup did not finish successfully and returned the following error code: 2155348020. Windows Backup failed to create the shadow copy on the storage location. Detailed error: The shadow copy provider had an error. Check the System and Application event logs for more information.
In the system event logs, I did find:
Source: Volsnap Event ID: 5 Level: Error Date and Time: The time of the server backup. Description: The shadow copy of volume \\?\Volume{e1364de5-be89-4c6e-a69c-2df67a265b04} could not be created due to insufficient non-paged memory pool for a bitmap structure.
In the application event logs, I found:
Source: VSS Date: The time of the server backup Event ID: 12289 Level: Error Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{e1364de5-be89-4c6e-a69c-2df67a265b04} - 0000000000000234,0x0053c008,000001CDC33F0110,0,000001CDC33F1120,4096,[0]). hr = 0x8007001f, A device attached to the system is not functioning.
Source: Microsoft-Windows-Backup Date: The time of the server backup Event ID: 517 Level: Error Description: The backup operation that started at '2018-07-08T05:00:26.178163000Z' has failed with following error code '0x80780034' (Windows Backup failed to create the shadow copy on the storage location.). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.
I did try manually starting the Volume Shadow Copy service and re-running the backup, but that didn't help, so I don't think that's the issue. I'm guessing it has to do with the Volsnap error about not being able to create a shadow copy due to insufficient non-paged memory pool for a bitmap structure, but I'm not sure what that means.
Again, any insight on this would be greatly appreciated. Thanks again!!! James
In case anybody else reads this far and it is helpful, it turns out that the backup failure (see errors above) was due to the formatting of my Drobo drive. I didn't realize that Drobo has a set apart feature for backup space, as opposed to NTFS storage space. Once I enabled that and created a volume specific for Windows backup, the backup succeeded. :)
Thanks for letting us know James!
One more question that seems to pertain to this: After all was said and done, I have an alert in the Server Manager:
Post-deployment Configuration failed: Configuration required for DirectAccess and VPN (RAS) at <server-name>.
I clicked on "Open the Getting Started Wizard" and get the message:
"File C:\Windows\system32\RAMgmt.UI.exe is not available because the required management tools are not installed. Use the Add Roles and Features Wizard to install the Remote Server Administration Tools."
I went to the Add Roles and Features Wizard, but cannot find Remote Server Administration Tools to install.
I think I found where I could download Remote Server Administration Tools, but trying to run the installer results in a message that says "Windows Update Standalone Installer: The update is not applicable to your computer."
I also just noticed that I have two errors/events on my server for Remote Desktop Services:
ID: 400, Severity: Warning, Source: Microsoft-Windows-TerminalServices-Gateway, Log: Microsoft-Windows-TerminalServices-Gateway/Operational, Details: The RD Gateway service is shutting down. This maybe voluntary administrator restart or a configuration driven restart due to RDG server certificate change. If the RD Gateway shutdown was not expected, kindly verify whether the following services are started: (1) Network Policy Server; (2) Remote Procedure Call (RPC); (3) RPC/HTTP Load Balancing Service; and (4) World Wide Web Publishing Service. Also, check Event Viewer for Network Policy Server (NPS) and IIS events that might indicate problems with NPS or IIS.
ID: 103, Severity: Critical, Source: Microsoft-Windows-TerminalServices-Gateway, Log: Microsoft-Windows-TerminalServices-Gateway/Operational, Details: The Remote Desktop Gateway service does not have sufficient permissions to access the Secure Sockets Layer (SSL) certificate that is required to accept connections. To resolve this issue, bind (map) a valid SSL certificate by using RD Gateway Manager. For more information, see "Obtain a certificate for the RD Gateway server" in the RD Gateway Help. The following error occurred: "2148073494".
Can anybody help please?
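The RD Gateway event 103 quoted above says the service cannot access the SSL certificate; the thing to check is whether the account the RD Gateway service runs as (NETWORK SERVICE) can read the certificate's private key. This added diagnostic (not from the thread, and not the product's own tooling) finds the Anywhere Access certificate by host name, pulls the recent gateway events, and prints the ACL on the private key file; it assumes Windows PowerShell 5.1 run as administrator on the server, an RSA key held by the Microsoft software CSP/KSP, and the placeholder host name from the thread.

```powershell
# Added diagnostic, not from the thread. Run elevated on the Essentials server.
$hostName = 'remote.mydomain.com'   # placeholder from the thread; use your own host name

# 1. The RD Gateway events quoted in the post (IDs 103 and 400), most recent first
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    Id      = 103, 400
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName | Format-Table -AutoSize

# 2. The newest certificate for the host name in the machine store
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$hostName*" -or $_.DnsNameList.Unicode -contains $hostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in LocalMachine\My" }
$cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey | Format-List

# 3. Locate the private key file for either key storage flavour and show who can read it.
#    NETWORK SERVICE (the RD Gateway service account) needs Read; event 103 is the
#    symptom when it does not have it.
function Get-PrivateKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { throw 'Certificate has no accessible RSA private key (or it is not RSA)' }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG (Key Storage Provider): key file is named after the key's UniqueName
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    # Legacy CryptoAPI (CSP) key container
    return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                     $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

$keyPath = Get-PrivateKeyPath -Cert $cert
"Private key file: $keyPath"
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

If NETWORK SERVICE is missing from the ACL, granting it Read on the key (Manage Private Keys in the Certificates MMC) and restarting the Remote Desktop Gateway service clears event 103; a certificate renewed by Certify gets a fresh key file, so the check is worth repeating after each renewal.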