Remote Desktop Gateway Service
- Hi,
I'm having some trouble with Remote Desktop Gateway services in Windows 2008 R2 RTM Standard. TS Gateway worked perfectly in Win 2008 but it is not working in R2. I have the following logged. It seems like the Network Policy Server cannot find the domain controllers. We are running Windows 2003 AD and there are no connectivity issues. As I said, Windows 2008 TS Gateway worked perfectly. Any help is appreciated!
Log Name: System
Source: NPS
Date: 18/08/2009 15:18:33
Event ID: 4402
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computer.mydomain.internal
Description:
There is no domain controller available for domain mydomain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NPS" />
<EventID Qualifiers="49152">4402</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-18T14:18:33.000000000Z" />
<EventRecordID>936</EventRecordID>
<Channel>System</Channel>
<Computer>computer.mydomain.internal</Computer>
<Security />
</System>
<EventData>
<Data>mydomain</Data>
</EventData>
</Event>
Answers
- Hi,
Well it works now!
I added the RDS server to the RAS and IAS Servers group. It is now able to successfully connect and authenticate. The TechNet articles on Remote Desktop Gateway services deployment did not mention anything about adding the RDS server to this group.
The weird thing is that I have been able to successfully deploy a Windows 2008 Terminal Services Gateway server and connect through it without any issues. It did not need itself to be added to the RAS and IAS Servers group either. Do you know what has changed in R2?
Thanks for your help.
- Marked As Answer by Paulm187 Wednesday, August 19, 2009 4:21 PM
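The fix Paul describes, turned into a check an administrator can run, as an added example that is not part of the original thread or of any Microsoft documentation. It assumes the ActiveDirectory RSAT module is installed on the box and that the caller has rights to read (and, with -Fix, change) the group; $GatewayHost is a placeholder for the RD Gateway / NPS server name. It verifies that the server's computer account is in the RAS and IAS Servers group (the membership NPS needs to read account remote-access attributes from AD), adds it on request, and pulls the same two events the thread shows: NPS 4402 in the System log and Security 6274 with Reason Code 5.

```powershell
# Added example, not from the thread. Checks (and optionally repairs) the RAS and IAS
# Servers membership of an RD Gateway / NPS server, then lists the matching evidence.
# Assumes the ActiveDirectory module (RSAT) is available; $GatewayHost is a placeholder.
param(
    [string]$GatewayHost = $env:COMPUTERNAME,   # RD Gateway / NPS server to check
    [switch]$Fix                                # add the computer account if missing
)

Import-Module ActiveDirectory -ErrorAction Stop

$groupName = 'RAS and IAS Servers'
$computer  = Get-ADComputer -Identity $GatewayHost -ErrorAction Stop

# Compare SID strings rather than objects so nested membership is handled uniformly.
$memberSids = Get-ADGroupMember -Identity $groupName -Recursive |
              ForEach-Object { $_.SID.Value }

if ($memberSids -contains $computer.SID.Value) {
    Write-Host "$GatewayHost is already a member of '$groupName'."
} elseif ($Fix) {
    Add-ADGroupMember -Identity $groupName -Members $computer
    Write-Host "Added $GatewayHost to '$groupName'."
    # The machine account's Kerberos ticket does not carry the new group SID until it is
    # renewed; a restart of the server is the sure way to pick it up before retesting.
    Write-Host 'Restart the gateway server (or renew its machine Kerberos tickets) before retesting.'
} else {
    Write-Warning "$GatewayHost is NOT a member of '$groupName'. Re-run with -Fix to add it."
}

# Evidence from the last day, matching the events posted in this thread.
$since = (Get-Date).AddDays(-1)

# System log: NPS 4402 "There is no domain controller available for domain ...".
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 4402; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Security log: 6274 "Network Policy Server discarded the request" with Reason Code 5.
# Properties[1] is SubjectUserName, as in the event XML shown in the thread.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6274; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Reason Code:\s+5\b' } |
    Select-Object TimeCreated, @{ n = 'User'; e = { $_.Properties[1].Value } }
```

Run it without -Fix first to confirm the missing membership is really the cause (the 6274 events with Reason Code 5 are the tell), then with -Fix from an account that can modify the group. The NPS console's "Register server in Active Directory" action, or `netsh nps add registeredserver`, performs the same group addition, which is why a gateway that was registered that way (or that runs on a domain controller) never shows this symptom.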
All Replies
- Hi,
Can you please provide more information by answering the following questions:
1. Are the RD Gateway server and the NPS server the same? Or does the RD Gateway server point to a central NPS server?
2. What is the AD DS model used in the DMZ network deployment? Is it a one-way trust model between the DMZ AD DS and the internal network AD DS?
Regards,
Rajesh.
- Do you have a cross-forest scenario involved? If yes, then the following can be the issue:
This issue occurs if you as the RD Gateway administrator have added a cross-forest user or cross-forest user group to a domain local user group which is authorized through the RD Gateway Connection Authorization Policy (RD CAP). For example, suppose you have two mutually trusted domains Dom1 and Dom2. Further, Dom1 has a domain local user group named Dom1LclGrp. Dom2 has a domain universal group named Dom2UnvGrp and a domain user named Dom2User. This issue will occur in either of the following two cases:
1. You have included Dom1\Dom1LclGrp as the authorized user group in the RD Gateway CAP Policy and added Dom2\Dom2UnvGrp as a member of Dom1\Dom1LclGrp. All the users included in Dom2\Dom2UnvGrp will receive the CAP error.
2. You have included Dom1\Dom1LclGrp as the authorized user group in the RD Gateway CAP Policy and added Dom2\Dom2User as a member of Dom1\Dom1LclGrp. The User Dom2\Dom2User will receive a CAP error in this case.
Please let me know if this is the case for you.
Thanks
Vikash
- Hi All,
Thanks for taking the time to answer my question.
We have one AD 2003 domain on a single site. We have two Windows 2003 Standard servers as DCs and there are no cross forests or domain trusts.
The RD Gateway server and the NPS server is the same Windows 2008 Standard R2 (RTM) server. All Remote Desktop Services roles (Connection Manager, Gateway, Web, Broker, Session Host, RemoteApp) installed on one box.
I followed the instructions on http://technet.microsoft.com/en-us/library/dd983941(WS.10).aspx to install the Gateway services.
I have a public trusted Certificate from Thawte which is installed on the RDS server and selected as the SSL cert for the gateway service.
I created the RD_CAP policy to allow a Domain Group RDS Clients access to the Gateway and the RD_RAP policy to allow users to connect to any network source. I added myself to the RDS Clients global group for testing.
I have a published a rule on our ISA Server 2006 firewall to allow HTTPS requests to the public name of the gateway server to be sent to the RDS server. The rule tests & works correctly.
The client is a Windows XP Pro SP3 workstation which is not in the domain.
Whenever I try to RDP to one of our servers using the gateway (inside or outside the corporate lan), I get the following error:
"The Terminal Services authorization policy (TS_CAP) is preventing connection to the remote computer through TS Gateway, possible due to one of the following reasons. You do not have permission to connect to the TS Gateway server. You used password authentication but the TS Gateway server is expecting smart card authentication (or vice versa)."
The following errors are also logged.
Security Logs
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 19/08/2009 12:39:56
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: RDSGBLND01.mydomain.internal
Description:
Network Policy Server discarded the request for a user.Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: MYDOMAIN\USER
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\USER
Client Machine:
Security ID: NULL SID
Account Name: WSDGBLND035.mydomain.internal
Fully Qualified Account Name: MYDOMAIN\WSDGBLND035$
OS-Version: -
Called Station Identifier: UserAuthType:PW
Calling Station Identifier: -
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -
RADIUS Client:
Client Friendly Name: -
Client IP Address: -
Authentication Details:
Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: RDSGBLND01.mydomain.internal
Authentication Type: Unauthenticated
EAP Type: -
Account Session Identifier: -
Reason Code: 5
Reason: The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6274</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2009-08-19T11:39:56.739609200Z" />
<EventRecordID>1463</EventRecordID>
<Correlation />
<Execution ProcessID="528" ThreadID="5748" />
<Channel>Security</Channel>
<Computer>RDSGBLND01.mydomain.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">MYDOMAIN\USER</Data>
<Data Name="SubjectDomainName">MYDOMAIN</Data>
<Data Name="FullyQualifiedSubjectUserName">MYDOMAIN\USER</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">WSDGBLND035.mydomain.internal</Data>
<Data Name="FullyQualifiedSubjectMachineName">MYDOMAIN\WSDGBLND035$</Data>
<Data Name="MachineInventory">-</Data>
<Data Name="CalledStationID">UserAuthType:PW</Data>
<Data Name="CallingStationID">-</Data>
<Data Name="NASIPv4Address">-</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">-</Data>
<Data Name="NASPortType">Virtual</Data>
<Data Name="NASPort">-</Data>
<Data Name="ClientName">-</Data>
<Data Name="ClientIPAddress">-</Data>
<Data Name="ProxyPolicyName">TS GATEWAY AUTHORIZATION POLICY</Data>
<Data Name="NetworkPolicyName">-</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">RDSGBLND01.mydomain.internal</Data>
<Data Name="AuthenticationType">Unauthenticated</Data>
<Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="ReasonCode">5</Data>
<Data Name="Reason">The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.</Data>
</EventData>
</Event>
System Log
Log Name: System
Source: NPS
Date: 19/08/2009 12:39:56
Event ID: 4402
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: RDSGBLND01.mydomain.internal
Description:
There is no domain controller available for domain MYDOMAIN.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NPS" />
<EventID Qualifiers="49152">4402</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-19T11:39:56.000000000Z" />
<EventRecordID>1518</EventRecordID>
<Channel>System</Channel>
<Computer>RDSGBLND01.mydomain.internal</Computer>
<Security />
</System>
<EventData>
<Data>MYDOMAIN</Data>
</EventData>
</Event>
Terminal Services Gateway Logs
Log Name: Microsoft-Windows-TerminalServices-Gateway/Operational
Source: Microsoft-Windows-TerminalServices-Gateway
Date: 19/08/2009 12:39:56
Event ID: 201
Task Category: (2)
Level: Error
Keywords: Audit Failure,(16777216)
User: NETWORK SERVICE
Computer: RDSGBLND01.MYDOMAIN.internal
Description:
The user "MYDOMAIN\USER", on client computer "192.168.0.189", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The following authentication method was attempted: "NTLM". The following error occurred: "23003".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" />
<EventID>201</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>2</Task>
<Opcode>30</Opcode>
<Keywords>0x4010000001000000</Keywords>
<TimeCreated SystemTime="2009-08-19T11:39:56.739609200Z" />
<EventRecordID>19</EventRecordID>
<Correlation />
<Execution ProcessID="4612" ThreadID="5296" />
<Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
<Computer>RDSGBLND01.MYDOMAIN.internal</Computer>
<Security UserID="S-1-5-20" />
</System>
<UserData>
<EventInfo xmlns="aag">
<Username>MYDOMAIN\USER</Username>
<IpAddress>192.168.0.189</IpAddress>
<AuthType>NTLM</AuthType>
<Resource>
</Resource>
<ErrorCode>23003</ErrorCode>
</EventInfo>
</UserData>
</Event>
Thanks for your help.
- Can you please provide the NPS logs? Here are instructions on how to take them:
1. On a command prompt, execute the command "netsh ras set tracing * enable"
2. Repro the issue from the client so that the client sees the CAP error.
3. Send us all the log files in the %windir%\tracing directory. Also please send us all the event logs generated this time again with these traces.
Thanks
Vikash
- Just to be doubly sure, have you specified any group in the "Client Computer group" in the CAP Policy on RD Gateway?
Thanks
Vikash
- No, there are no groups specified on the "Client Computer Group" in the CAP policy. On another note, our network GPO policy for domain controllers is
Network security: LAN Manager authentication level Send NTLMv2 response only\refuse LM
Could this be a problem?
Where do I send the log files? Do I post them here?
Thanks
- Hi,
Here are the RAS logs. I have changed the names of domains etc and only provided logs for which there was an entry.
IASHLPR
[2352] 08-19 13:44:25:352: Response=5, Reason code=5
[2352] 08-19 13:44:25:352: Number of attributes = 0
IASHLPR_AUX
[1480] 08-19 13:44:25:055: Sending DoRequestAsync
IASNAP
[2352] 08-19 13:44:25:352: Response type is 5, so disable Quarantine State
[2352] 08-19 13:44:25:352: WARNING: No SHV Session Handle
[2352] 08-19 13:44:25:352: The request is given quarantine state 3
IASSAM
[2352] 08-19 13:44:25:055: Opening LDAP connection to dc1.mydomain.internal.
[2352] 08-19 13:44:25:055: The registry value DisableLdapEncryption does not exist. Using default 0
[2352] 08-19 13:44:25:055: Trying to set LDAP encryption = 1
[2352] 08-19 13:44:25:055: Setting localServerName.User to RDSGBLND01$
[2352] 08-19 13:44:25:102: Access denied -- purging Kerberos ticket cache.
[2352] 08-19 13:44:25:118: Retrying LDAP connection to dc1.mydomain.internal.
[2352] 08-19 13:44:25:118: The registry value DisableLdapEncryption does not exist. Using default 0
[2352] 08-19 13:44:25:118: Trying to set LDAP encryption = 1
[2352] 08-19 13:44:25:118: Setting localServerName.User to RDSGBLND01$
[2352] 08-19 13:44:25:165: LDAP connect failed: Access is denied.
[2352] 08-19 13:44:25:165: Failed to connect to the cached DC, try DC locator ...
[2352] 08-19 13:44:25:274: DC dc1.mydomain.internal is in the avoidance table.
[2352] 08-19 13:44:25:274: Failed to connect to the DC discovered by DC locator, try DC enumerator ...
[2352] 08-19 13:44:25:274: DC dc1.mydomain.internal is in the avoidance table.
[2352] 08-19 13:44:25:274: Opening LDAP connection to dc2.mydomain.internal.
[2352] 08-19 13:44:25:274: The registry value DisableLdapEncryption does not exist. Using default 0
[2352] 08-19 13:44:25:274: Trying to set LDAP encryption = 1
[2352] 08-19 13:44:25:274: Setting localServerName.User to RDSGBLND01$
[2352] 08-19 13:44:25:305: Access denied -- purging Kerberos ticket cache.
[2352] 08-19 13:44:25:305: Retrying LDAP connection to dc2.mydomain.internal.
[2352] 08-19 13:44:25:305: The registry value DisableLdapEncryption does not exist. Using default 0
[2352] 08-19 13:44:25:305: Trying to set LDAP encryption = 1
[2352] 08-19 13:44:25:305: Setting localServerName.User to RDSGBLND01$
[2352] 08-19 13:44:25:352: LDAP connect failed: Access is denied.
[2352] 08-19 13:44:25:352: Could not open an LDAP connection to domain MYDOMAIN.
[2352] 08-19 13:44:25:352: NTDomain::getConnection failed: No more data is available.
[2352] 08-19 13:44:25:352: Retrying LDAP search.
[2352] 08-19 13:44:25:352: Could not open an LDAP connection to domain MYDOMAIN.
[2352] 08-19 13:44:25:352: NTDomain::getConnection failed: No more data is available.
[2352] 08-19 13:44:25:352: No AUTHORIZATION extensions, continuing
- Great that the issue is resolved now.
Did you mean adding RDS server or the RD Gateway server to be added to the RAS and IAS server group?
Thanks
Vikash
- Hi
Well, all Remote Desktop Services are running on one box in my environment. I guess it would have to be the server running the RD Gateway Service that should be added to this group.
- After spending hours on this with no resolution I finally just happened along this post. Everything is working fine now, thanks Paul.
Shame on Microsoft for putting 0 references to needing the server to be in the RAS/IAS servers group. All you have to do is say "If your RD Gateway is not running on a domain controller and not using a central store, then you need to add it to the RAS and IAS server group"
I can't believe the lack of documentation there is out there for TS/RDS in 2008/2008 R2. I have had an easier time setting up App-V in my environment than I have implementing RD Web Access using an RD Gateway.
- I have a Gateway server set up and it is working fine without being added to the RAS/IAS server group. So, in order to reach the crux of the problem, can you please answer the below questions for me?
1. Can you please tell me the exact CAP policy that you have? You can get me the CAP summary from the RD Gateway Manager.
2. Did you do any changes to the CAP policy on the NPS Snapin (Network policies under it)?
3. What other roles/features do you have running on the same server?
Thanks, Vikash
- 1.
If the user is a member of any of the following user groups: CHRONICNET\Domain Users, CHRONICXCHG\test
If the client computer is a member of any of the following computer groups: Not applicable (no computer group is specified)
If the user uses the following supported Windows authentication methods: Password
Allow the user to connect to this RD Gateway server and disable device redirection for the following client devices: Not applicable (device redirection is allowed for all client devices)
After the idle timeout is reached: - Not applicable (no idle timeout)
After the session timeout is reached: - Not applicable (no session timeout)
2. No, I just created the policy in RDS GW Manager.
3. Exchange 2010 - CAS, MBX, Hub, Web / RD Web Access are the only other things / and of course the RSAT AD snap-ins since Exchange requires them (I know it doesn't, but it makes life easier when deploying Exchange to have them on the server). Though I did have this role originally installed on just my Terminal Services server which has all the RDS roles, minus GW now because the GW role is over on the Exchange server since that way I can run OWA and RDWeb on the same outside IP.
I have the same results no matter where the GW server is, if it is on the RDS box I get the same error, if it is on the Exchange box I get the same error, when I add the server to the RAS/IAS group it works fine.
FL: 2008 R2
DL: 2008 R2
- Thank you very much. This solved my issue!
I feel this should have been mentioned in the deployment guide I downloaded from Microsoft.
/Michael