Solving a strange Remote Desktop Gateway authentication problem

I recently deployed a new Remote Desktop Gateway server but when I authenticated it would tell me the logon failed even though I knew the policies were valid for the user (because I could logon from a different computer) and I knew the credential was correct.

There were no logs under TerminalServices-Gateway\Operational which meant the problem was not a policy issue as the connection was not getting this far.

To start the troubleshooting Kerberos logging was enabled on the client machine:

On connecting again I could check the System event log and examined Kerberos logs. Sure enough there were Kerberos errors. The problem seemed to be on my machine the authentication did not fallback to NTLM which it did on the machines where it worked.

The solution was to add an SPN for the public facing name which solved the problem.

Easily configure Remote Desktop Gateway firewall rules

When you install Remote Desktop Gateway which enables RDP to be encapsulated in HTTPS a number of firewall exceptions are required which are enabled automatically. This also means the RDG has a public and private IP address.

There are many other firewall exceptions that are normal for Windows functionality that by default are enabled for the Any profile which when you have a public IP address on a NIC means they are also enabled to the Internet. What you really need is for those exceptions to be bound to the domain profile, i.e. the internal NIC. This is easy to do with PowerShell. Firstly you can list all the exceptions that are enabled for Any.

This will list a lot of exceptions. Next we want to change them to a profile of Domain except for the two required for RDG, the RDG UDP and HTTPS rules. This can be done with the following:

Done!

Note, you could change the rules to be excluded for other requirements you may have for other types of server.