4

I would like to have a Remote Desktop farm's RemoteApps silently added to the RemoteApp and Desktop Connections control panel of Windows 7 machines.

The general procedure of subscribing to an RSS feed served by the RD Web Access server via rundll32 tsworkspace seems to be the way to go, but the clients in question are in a separate, non-trusting domain from the RD farm. And the https://rdbroker/RDWeb/FeedLogin/WebFeedlogin.aspx URI requires authentication, so it simply does not work.

I have tried enabling Anonymous Authentication (using IUSR, Application pool identity or even a privileged domain user as the identity) for the RDWeb/FeedLogin folder in IIS' site tree, but an attempt to retrieve the feed returns "Server Error in '/RDWeb/FeedLogin' Application". IIS logs an unhandled NullReference exception:

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 26.05.2014 14:50:08 
Event time (UTC): 26.05.2014 12:50:08 
Event ID: 66cc347cf8884a4fa0567b5e7c378d61 
Event sequence: 4 
Event occurrence: 1 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/1/ROOT/RDWeb/FeedLogin-6-130455822088289842 
    Trust level: Full 
    Application Virtual Path: /RDWeb/FeedLogin 
    Application Path: C:\Windows\Web\RDWeb\FeedLogin\ 
    Machine name: rdbroker 

Process information: 
    Process ID: 1016 
    Process name: w3wp.exe 
    Account name: IIS APPPOOL\RDWebAccess 

Exception information: 
    Exception type: NullReferenceException 
    Exception message: Object reference not set to an instance of an object. 

Request information: 
    Request URL: https://rdbroker:443/RDWeb/FeedLogin/WebFeedlogin.aspx?ReturnUrl=An unhandled exception has occurred.fRDWebAn unhandled exception has occurred.fFeedAn unhandled exception has occurred.fwebfeed.aspx 
    Request path: /RDWeb/FeedLogin/WebFeedlogin.aspx 
    User host address: 192.168.8.70 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: IIS APPPOOL\RDWebAccess 

Thread information: 
    Thread ID: 6 
    Thread account name: IIS APPPOOL\RDWebAccess 
    Is impersonating: False 
    Stack trace:    at ASP.webfeedlogin_aspx.Page_Load(Object sender, EventArgs e)
   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)


Custom event details: 

Ideas?

the-wabbit
  • 40,319
  • 13
  • 105
  • 169
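
An added example, not part of the original post: a PowerShell check, run elevated on the RD Web Access server, that reports the IIS authentication state of the feed paths and flags RDWeb/FeedLogin if the Anonymous Authentication experiment described above was left enabled. The site name `Default Web Site`, the function name `Get-RDWebAuthState` and the `$Revert` switch are assumptions for illustration.

```powershell
# Added example: audit IIS authentication on the RD Web Access feed paths.
# Assumptions: elevated session on the RD Web Access server; the site name
# below is a guess and must be changed to match the installation.
Import-Module WebAdministration

$Site   = 'Default Web Site'             # assumption, not from the post
$Paths  = 'RDWeb/FeedLogin', 'RDWeb/Feed'
$Revert = $false                         # set to $true to disable anonymous access again

function Get-RDWebAuthState {
    param([string]$Site, [string[]]$Paths)
    $schemes = 'anonymousAuthentication', 'windowsAuthentication'
    foreach ($p in $Paths) {
        $row = [ordered]@{ Location = "$Site/$p" }
        foreach ($s in $schemes) {
            # Read the effective 'enabled' flag for this location
            $row[$s] = (Get-WebConfigurationProperty -PSPath 'IIS:\' `
                -Location "$Site/$p" `
                -Filter "system.webServer/security/authentication/$s" `
                -Name enabled).Value
        }
        [pscustomobject]$row
    }
}

$state = Get-RDWebAuthState -Site $Site -Paths $Paths
$state | Format-Table -AutoSize

# FeedLogin is the endpoint the post says requires authentication, so an
# enabled anonymous scheme there is a leftover from troubleshooting.
$feedLogin = $state | Where-Object { $_.Location -like '*/FeedLogin' }
if ($feedLogin.anonymousAuthentication) {
    Write-Warning "Anonymous authentication is enabled on $($feedLogin.Location)"
    if ($Revert) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' `
            -Location $feedLogin.Location `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name enabled -Value $false
        Write-Output "Anonymous authentication disabled on $($feedLogin.Location)"
    }
} else {
    Write-Output "Anonymous authentication is not enabled on $($feedLogin.Location)"
}
```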

1 Answer

3

I have finally "solved" this by automating the tsworkspace dialogs using an AutoITv3 script. I have populated the employeeID attributes with the users' RemoteApp usernames and made the script query this attribute, using it to pre-fill the security dialog for the RemoteApp web feed as well as the UsernameHint registry values for the RD client itself. So in the best case the user would just need to run the executable and enter her password into an authentication dialog pre-filled with her user name.

The script is below. Please note that the WinWait calls are waiting for windows with specific titles or message texts to appear; you will want to change this according to your clients' localization and Windows version.

#include <AD.au3>

Dim $WCXPath = "\\fserver2\RemoteAppFeed$\rdcb.wcx"
Dim $FeedAddress = "rdcb.ad.contoso.com"
Dim $WizardWinHandle
Dim $SecurityWinHandle
Dim $CallResult
Dim $aProperties[1][2]
Dim $UserName

$UserName="AD\<YourADLogin>"

; Open Connection to the Active Directory
_AD_Open()

; Write UsernameHint values with the user's RD server authentication name
$aProperties = _AD_GetObjectProperties(@UserName, "employeeID")
;_ArrayDisplay($aProperties, "Active Directory Functions - Example 2 - Properties for user '" & @UserName & "'")
If IsArray($aProperties) Then
   If UBound($aProperties,2)=2 and UBound($aProperties,1)=2 Then
      If $aProperties[1][0]="employeeID" and StringLen($aProperties[1][1])>1 Then
         $UserName = "CIT-AD\" & $aProperties[1][1]
         RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\rdfarm.ad.contoso.com", "UsernameHint", "REG_SZ", $UserName)
         RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\ts13.ad.contoso.com", "UsernameHint", "REG_SZ", $UserName)
      EndIf
   EndIf
EndIf

Run ("C:\Windows\System32\xwizard.exe RunWizard /u {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z" & $WCXPath)
$WizardWinHandle = WinWait("Neue Verbindung mit RemoteApp", $FeedAddress)
;MsgBox(0, "Debug", "RemoteApp Window appeared with handle " & $WizardWinHandle)
WinActivate($WizardWinHandle)
$CallResult = ControlClick($WizardWinHandle, "", "Button1")
;MsgBox(0, "Debug", "Clicked ""Next"" with result" & $CallResult)
$SecurityWinHandle = WinWait("Windows-Sicherheit")
;MsgBox(0, "Debug", "Windows Security Window appeared with handle " & $SecurityWinHandle)
WinActivate($SecurityWinHandle)
$CallResult = ControlSend($SecurityWinHandle, "", "Edit1", $UserName)
;MsgBox(0, "Debug", "Sent username data with result" & $CallResult)
$CallResult = ControlClick($SecurityWinHandle, "", "Button1")
;MsgBox(0, "Debug", "Clicked to remember credentials with result" & $CallResult)
$CallResult = ControlFocus($SecurityWinHandle, "", "Edit2")
;MsgBox(0, "Debug", "Focused password field with result" & $CallResult)
the-wabbit
  • 40,319
  • 13
  • 105
  • 169