I am trialling Parallels RAS at the moment, but have hit a bit of a roadblock within our environment and have been beating my head against a brick wall trying to solve it, so I'm wondering if someone could give some help or advice.
The problem is very similar to this old thread that I found whilst googling: https://forum.parallels.com/threads/www.packageslab.com/jazz-sms-packages
Basically - I have a number of legacy on premise apps as well as Microsoft Office (we are a Microsoft 365 site, with AD synced between our on prem AD and Microsoft; our mail is hosted off-premise) published for users. I've also published a standard desktop. Users can login to the client using their localdomain user name and password with no issues.
Once logged into the client, those legacy apps use the users Windows login to authenticate the user. This all works fine and users can run the apps without any problems. The problem is with Outlook - when users first run Outlook as a published app, their user profile will not configure automatically so they can't use email (autoconfigure / DNS is all working correctly, I've tested that using testexchangeconnectivity.com and I have no problems autoconfiguring on staff desktops).
If users login to the full desktop I've published, Outlook configures a profile no problem. Great, I thought, I will just have to get them to do that once and then they can use Outlook as a published app - but no. If the user logs off the full desktop and tries to run Outlook as a published app, it doesn't connect to the Microsoft 365 servers and the connectivity indicator in the bottom right of Outlook just says 'need password'.
I theorise that the problem is related to the credentials that the Parallels gateway is passing to the RD session host. Because the credentials required for Microsoft 365 are slightly different (username@ourfqdn vs username@localdomain) authentication is failing and communications are failing.
I don't seem to have this issue if users connect to the RD Host using direct mode, but I would much rather tunnel the connection over port 443 using Gateway SSL mode for security reasons, I'd much prefer not to open up port 3389 to the outside world.
For reference, I've tried connecting to the RAS server in a bunch of different ways - if I use anything other than our localdomain, I can connect to the server but can't run apps (the client complains that the username and password is incorrect).
Click to expand...