TS Gateway and RADIUS problem
-
Friday, April 03, 2009 11:56 PM
I’ve got a Terminal Server Gateway and I’m trying to do RADIUS authentication. When I try to make a Remote Desktop connection, on the client I get
Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS Gateway, possibly due to one of the following reasons:
· You do not have permission to connection the TS Gateway server.
· You used password authentication but the TS Gateway server is expecting smart card authentication (or vice versa).
Contact your administrator for further assistance.
I don’t see anything in the CAP that would be an issue. My recollection is that I had no problem connecting with this account before I tried to implement RADIUS. It’s been a while since I worked on this so my recollection could be wrong. Anyway, I don’t think the first suggestion is correct. My CAP is set to use password authentication and I’m using a password to log on so, I don’t think the second suggestion is correct either.
On the radius server, in the security event log I get
-
EventData
SubjectUserSid
S-1-5-21-1863327766-1082353637-1606240830-500
SubjectUserName
ANSCI\Meyer
SubjectDomainName
ANSCI
FullyQualifiedSubjectUserName
ansci.ucdavis.edu/ANSCI Users/Meyer
SubjectMachineSID
S-1-5-21-1863327766-1082353637-1606240830-3495
SubjectMachineName
Curt-E4300.ansci.ucdavis.edu
FullyQualifiedSubjectMachineName
ANSCI\CURT-E4300$
MachineInventory
6.0.6001 1.0 x86 Domain Controller
CalledStationID
UserAuthType:PW
CallingStationID
-
NASIPv4Address
-
NASIPv6Address
-
NASIdentifier
-
NASPortType
Virtual
NASPort
-
ClientName
GW2
ClientIPAddress
169.237.28.2
ProxyPolicyName
Use Windows authentication for all users
NetworkPolicyName
Connections to other access servers
AuthenticationProvider
Windows
AuthenticationServer
Radius.ansci.ucdavis.edu
AuthenticationType
Unauthenticated
EAPType
-
AccountSessionIdentifier
-
ReasonCode
65
Reason
The connection attempt failed because network access permission for the user account was denied. To allow network access, enable network access permission for the user account, or, if the user account specifies that access is controlled through the matching network policy, enable network access permission for that network policy.
The above seems to indicate I need to enable network access permission to the user account. Where do I do that? Is that part of NPS? Is it in ADU&C?
Thanks for your help.
Curt
All Replies
-
Friday, April 10, 2009 5:30 AMDo you mean you are using Radius Authentication for authentication on TS Gateway? If yes, let me tell you that you can't do Radius Authentication for TS Gateway. TS Gateway supports only smartcard and password based authentication. If you need two factor authentication, you can use OTP in conjunction with ISA in front of TS Gateway. All these information can be found in the TS Gateway step by step guide at http://technet.microsoft.com/en-us/library/cc771530.aspx
Please post the question on Terminal services forum, in case what i understood above is incorrect. Please get back with proper configuration details as to where are you using Radius Authentication.
Thanks
Vikash -
Friday, April 10, 2009 6:33 PM
I thought what I could do was set up a TS Gateway and a RADIUS/NPS server and have the TS Gateway pass the credentials (username/password) to the RADIUS server for authentication. The idea was to put the RADIUS server in my private network and have the TS Gateway in the perimeter network. The thought was that this configuration is more secure. Is this not possible? Is it not more secure?
I've been able to get TS Gateway with NAP working without RADIUS but not with authentication as described above through a RADIUS server. On the TS Gateway, I have configured which server is my RADIUS server. On the RADIUS server I have configured the TS Gateway as a RADIUS client. Both are using the same shared secret. In the TS Gateway Connection Request Policy, I have it set to forward requests to my RADIUS server group. The TS Gateway was working before I tried to implement RADIUS. Do I need to recreate my Connection Request Policies, Network Policies, Health Policies and System Health Validators on the RADIUS server? I thought my RADIUS server was only doing authentication but now I'm beginning to question that. Is there a good/simple document that describes how to set this up?
My RADIUS and TS Gateways are running Server 2008. My Domain Controllers/Active Directory are Server 2003.
Thanks for your help.
Curt -
Tuesday, April 14, 2009 9:55 PMOwner Hi Curt,
The TS Gateway NAP step by step guide is here: http://technet.microsoft.com/en-us/library/cc771530.aspx
What the event is saying is that you have set the access permission on the network policy to Deny Access. Review events in event viewer under Custom Views\Server Roles\Network Policy and Access Services. You should see NPS event ID 6273: The Network Policy Server denied access to a user. This event will tell you what network policy was matched. Review this policy and you may find that it is set to "Deny Access" rather than "Grant Access." See http://technet.microsoft.com/en-us/library/dd348487.aspx for more information.
Another reason for denying access is if the client access request doesn't match any policy. If this is the case, you'll need to troubleshoot why no policy was matched. It may also be matching the *wrong* policy, such as a non-NAP-capable policy. This can happen in a TS Gateway scenario because of a certificate problem. See http://technet.microsoft.com/en-us/library/dd348494.aspx#napclientcomputersareevaluatedasnonnapcapable for more information about this.
I hope this helps,
-Greg- Proposed As Answer by Greg LindsayMicrosoft Employee, Owner Saturday, April 18, 2009 4:45 AM
- Marked As Answer by Greg LindsayMicrosoft Employee, Owner Sunday, April 19, 2009 12:56 PM
.png)
