Android MS RDP - RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).

    Question

  • I love iTap Mobile.  Paid for the app.  Sorry to see them discontinue it, but now I know why.  Microsoft bought them out!  But even though free, I am getting an error: RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).  I worked with iTap to fix this so I guess they sold Microsoft their older buggy code...  Microsoft, please fix!

    PS: This is the Android version.  Mac and iOS are both okay.


    • Edited by Guy Techie Thursday, November 07, 2013 10:14 PM
    Thursday, October 17, 2013 9:34 PM

All replies

  • I am getting this on the Mac OS X version.

    I have it running on OS X Maverick but it does not work and I get the above error on OS X Mountain Lion 10.8.4.

    Sunday, October 20, 2013 7:44 AM
  • Try to use an IP address to connect, not a hostname.

    Yesterday I got this error, and I just tried using an IP address to connect to the machine; this works for me.

    Sunday, October 20, 2013 8:52 AM
  • Tried IP address and no luck.  I still get the same error.  Why is it working on Maverick but not ML??
    Sunday, October 20, 2013 10:59 PM
  • After stepping back from this I realised the problem, it was ME!

    I was putting in the external network address in the server details!  Once I realised that it is working fine for me.

    Sunday, October 20, 2013 11:05 PM
  • Hi,

    Based on my research, this error may occur if a Resource Authorization Policy on the Gateway server prevents your username from connecting to the remote PC. This could be the case:

    • You have provided the same name for the remote PC as for the gateway.
    • You are then trying to connect to the RD Gateway server itself which is probably not allowed for your username.
    • Your Windows user account is not a member of the user groups for remote access on the Remote Desktop server.

    If you indeed want to connect to the gateway server itself via the gateway, do not use the external gateway name as PC name, use “localhost” or “127.0.0.1” or the internal server name for the remote desktop.  If the entries are correct, ask your system administrator to view the event log on the Terminal server and to check if your user account is a member of the required user groups.

    Hope this helps.



    Tuesday, October 22, 2013 8:21 AM
  • This does not explain why it works for iTap on android but not MSRDP on Android.

    Also works on both iTap and MSRDP on iOS and Mac OS X just fine.

    And our RDG host name is the same as the RDWeb portal.  And we cannot use the IP address because that is not on the certificate.

    And this is not to connect to a single remote PC.  We have a RDG and RDWeb role server accessible externally.  We also have a RDCB server that load balance to 3 host session servers.

    All users are having the problem with just the android MSRDP app.  All domain users are in the correct group and have permissions to the resources.  If they didn't, they wouldn't be able to get in at all, which is not the case.

    This is only a problem with the MSRDP app for Android.

    • Edited by Guy Techie Monday, October 28, 2013 5:41 AM
    Monday, October 28, 2013 5:29 AM
  • And while I have your ATTN, please add back iTap Mobile's pinch to zoom in/out feature.  It makes using it on a phone more difficult without it.  To activate the zoom is not intuitive in its current implementation.  Also does not let you set your zoom (one zoom level does not fit all).
    Monday, October 28, 2013 5:43 AM
  • Any updates to this?
    Wednesday, November 06, 2013 10:20 PM
  • Jermey, is this a lost cause?  If so, are there any instructions for my users to obtain the older working iTap Mobile?
    • Edited by Guy Techie Thursday, November 07, 2013 10:13 PM
    Thursday, November 07, 2013 10:11 PM
  • I agree with Guy, a helpful answer would be welcome. Especially because it works perfect on the Itap version I have installed on my android tablet.  
    Friday, November 08, 2013 7:03 AM
  • Hi,

    I tried it on my Windows 2008R2 environment with an Android Nexus 7 and it works.

    So please tell us more about your environment. Which server version are you using? Can you share a screenshot of your RD Gateway settings? The policy from the "Resource Authorization Policies".

    What is in the log from Remote Desktop for Android? Please share it too.

    cheers Stephan

    Monday, November 11, 2013 3:31 PM
  • I have 3 RAP.  Which one are you looking for in particular?

    Two of them say Windows group (policy location), and one says local.

    Again, I don't believe it's the RAP because this was an issue with ITAP previously.  They fixed the issue on their end.

    Again, no other problems with other clients (iOS MSRDP or Mac MSRDP, or even Windows' built-in RDP).

    It's only the Android MSRDP (and ITAP for all platform works fine - including Android).

    • Edited by Guy Techie Monday, November 11, 2013 7:13 PM
    Monday, November 11, 2013 7:11 PM
  • Hi Guy Techie,

    Please share your event log from your RD Gateway. There you can find why no connection is possible.

    cheers Stephan

    Tuesday, November 12, 2013 3:24 PM
  • The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".

    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource "localhost". The following error occurred: "23002".

    Names and IPs changed to protect the innocent. :)

    I think the MS RDP client is providing the incorrect resource.  It shouldn't be "localhost".  It should be the RD Connection Broker's hostname, I believe.

    EDIT: Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):

    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".

    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "hostname.domain.com".

    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "hostname.domain.com".


    • Edited by Guy Techie Tuesday, November 12, 2013 9:45 PM
    Tuesday, November 12, 2013 9:25 PM
  • Stephan,

    Do any of the Event Logs help you?

    It certainly looks like a problem with the Android MSRDP app, no?  

    Monday, November 18, 2013 3:17 PM
  • Hi Guy Techie,

    Sorry for the delay. Please tell me which Windows Server you are using.

    cheers Stephan

    Monday, November 18, 2013 3:35 PM
  • Hi, 

    we got it to work by changing the Allowed Resources for our user group to "Access allowed to all network resources" in the RD Gateway Manager. Nevertheless with Itap it worked without changing this setting.


    • Edited by pproost Tuesday, November 19, 2013 9:21 AM
    Tuesday, November 19, 2013 9:19 AM
  • @Stephan - Windows Server 2008 R2 SP1

    @pproost - That would allow all users to access resources, wouldn't it?  We are restricting it to a group of users.

    And yes, those users who are getting the error on Android are in the security group.

    Wednesday, November 20, 2013 10:08 PM
  • Hi Guy Techie,

    Today a new update of our Remote Desktop Client is available. Please install it and test it again.

    You can check the TS_RAP Policy under Network resources.


    cheers Stephan

    Thursday, November 21, 2013 10:29 AM
  • @Stephan, sorry for the delay.  I just returned from vacation.

    As for the new version, are you referring to the one dated Nov 20, 2013 version 8.0.2?  That is the version I have and I am still getting the same error.  (About says 8.0.2.24261)

    I did not change the setting to "Allow users to connect to any network resource (computer)" for security reasons.  This is a live production environment.

    It's currently set to "Select an existing RD Gateway-managed group or create a new one" and we're using a RDG-managed group that lists our RDS host servers and farm name - both netbios names and FQDN.

    EX: RDG-managed group name - RDS Farm

    RDG-managed group members:

    connectionbroker

    connectionbroker.domain.com

    sessionhost1

    sessionhost1.domain.com

    sessionhost2

    sessionhost2.domain.com

    sessionhost3

    sessionhost3.domain.com

    rdsfarm

    rdsfarm.domain.com

    As pproost stated, ITap never needed us to change the setting.  And the "fix" shouldn't require us to either, as all other RDP clients that work with RDG are logging in fine.  This includes other mobile platforms using the official Microsoft RDP app (formerly iTap), including the now defunct Android iTap app.



    • Edited by Guy Techie Monday, December 02, 2013 4:01 PM
    Monday, December 02, 2013 3:51 PM
  • Hi Guy Techie,

    welcome back, hope your vacation was soothing.

    The current version for Android is 8.0.0.24101; I assume that you have used this. So that I can help you, I need a couple of pieces of information. So far I can only guess where the problem might be.


    cheers Stephan

    Monday, December 02, 2013 4:03 PM
  • Hi Stephan,

    Vacation was much needed, thanks.

    The version on Google Play Store says 8.0.2.24261 (Nov 20, 2013).  That's the version I have.  The one you listed as "current" looks to be older (8.0.0.24101)?  Am I mistaken?

    Looking at the Event Log, it seems clear the Android client is trying to connect to "localhost" and not "rdsfarm.domain.com" like Windows RDP client.  From the public network, this domain should resolve to the RDG server.  We run the RDWeb service on the same server (we only wanted a single server exposed to the public), but in this context I believe the Android client should be connecting to the RDG server (not RDWeb or "localhost").

    Thanks for looking into this.  Please let me know if you need any further info from me.



    • Edited by Guy Techie Monday, December 02, 2013 6:03 PM
    Monday, December 02, 2013 6:01 PM
  • Hi Guy Techie,

    What do you mean by connect to localhost?

    I'll share a picture of how it works for me.

    But the best way is to use the Remote Resources, like here.


    cheers Stephan


    Tuesday, December 03, 2013 12:52 PM
  • Yes, I get to see the icons, but when you click on anything, that's when you get the error.

    What do I mean by "localhost"?  Please see this previous post when you asked for my Event Log for Remote Gateway:

    Log when using Android client:

    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).

    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource "localhost". The following error occurred: "23002".  (This is after clicking on any of the icons).

    I think the Android MS RDP client is providing the incorrect resource.  It shouldn't be "localhost".  It should be the RD Connection Broker's hostname, I believe.

    EDIT: Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):

    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".

    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".

    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".






    • Edited by Guy Techie Tuesday, December 03, 2013 9:48 PM
    Tuesday, December 03, 2013 9:22 PM
  • I know tis the season, but any updates?
    Monday, December 23, 2013 5:15 PM
  • Happy New Year!  Have you had a chance to read my previous posts?
    Thursday, January 02, 2014 7:29 PM
  • Stephan? Please respond. This is still an issue. Thanks.
    Monday, January 13, 2014 6:38 PM
  • Bump.
    Thursday, January 23, 2014 6:53 PM
  • I'm not sure why the silence in the matter. In either case, we took it upon ourselves to do more investigating.

    We still do not want to set our RD Gateway to "Allow users to connect to any network resource (computer)" for security reasons.  Instead, we added "localhost" as one of the hostnames.  This is because the Android MSRDP app is trying to connect to "localhost" rather than to our rdsfarm dns name.  We determined this by looking at our RD Gateway server's Event Viewer (please read my previous posts to see the event viewer log).

    After adding "localhost" as one of the "Allowed network resource", we were able to connect to a desktop using the Android MSRDP app.  However, we celebrated too early... we found out we connected to the desktop of our RD Gateway, and not to the Session Host server!!!  Not good.

    @pproost - when you said you were able to connect when you set your RD Gateway to "Access allowed to all network resources", did you connect to the session host server or to the RD Gateway server?

    I verified this with a colleague of mine.  We both agree that the Android MSRDP app is flawed.  We're betting there's a variable there that's hardcoded to "localhost" instead of using the server name inputted by the user.

    Between then and now, other RDP apps now support connections through RD Gateway with varying success.  After several trials, we found that Remote Desktop Client by Xtralogic, Inc. works flawlessly.  Several of our users paid for iTap Mobile (which Microsoft bought out and iTap has now discontinued), and now I have to tell them to shell out more money for another app (Remote Desktop Client by Xtralogic, Inc.).

    iTap Mobile responds quickly to their users.  I was afraid tech support and customer service would be gone once Microsoft took their product over, and my fears were proven correct.

    For now, we will recommend the new app to users on Android until Microsoft cleans up their act.



    • Edited by Guy Techie Wednesday, January 29, 2014 2:34 PM
    Tuesday, January 28, 2014 8:55 PM
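
Added example, not part of any post in this thread: a Python sketch that parses RD Gateway event messages in the format quoted above and flags loopback resource names, covering both the "23002" denial and the case where adding "localhost" to the allowed resources lets the session land on the gateway itself. The verdict labels, function names and sample lines are constructed for illustration.

```python
import re

# Names that point back at the RD Gateway itself when the gateway resolves them.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WHO = r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)", '

# Message shapes taken from the RD Gateway event text quoted in this thread.
PATTERNS = [
    ("rap_denied", re.compile(
        WHO + r'did not meet resource authorization policy requirements and was '
        r'therefore not authorized to resource\s*"(?P<resource>[^"]+)"\. '
        r'The following error occurred: "(?P<error>\d+)"')),
    ("rap_allowed", re.compile(
        WHO + r'met resource authorization policy requirements and was therefore '
        r'authorized to connect to resource "(?P<resource>[^"]+)"')),
    ("connected", re.compile(WHO + r'connected to resource "(?P<resource>[^"]+)"')),
]

def parse(line):
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return dict(m.groupdict(), kind=kind)
    return None

def triage(lines):
    """Flag events whose requested resource is a loopback name."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["resource"].lower() not in LOOPBACK:
            continue
        # Denied = wrong target requested; allowed/connected = session lands on the gateway.
        verdict = ("client-sent-loopback-target" if ev["kind"] == "rap_denied"
                   else "session-terminates-on-gateway")
        findings.append((verdict, ev["kind"], ev["user"], ev["resource"]))
    return findings

U = 'The user "DOMAIN\\testuser", on client computer "10.x.x.x", '
# Constructed sample modelled on the log text quoted in the thread.
SAMPLE = [
    U + 'met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".',
    U + 'did not meet resource authorization policy requirements and was therefore not authorized to resource "localhost". The following error occurred: "23002".',
    U + 'met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".',
    U + 'met resource authorization policy requirements and was therefore authorized to connect to resource "localhost".',
    U + 'connected to resource "localhost".',
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Any "session-terminates-on-gateway" finding means the resource authorization policy currently permits a desktop session on the gateway server, which is the outcome the post above describes after "localhost" was added to the managed group.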
  • Hi Guy,

    I found this thread after posting here:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/bba293ab-cb41-4497-b33b-9145a4d31c17/new-microsoft-rd-client-for-android-and-apple?forum=winRDc&prof=required

    I also ended up adding "localhost" to my RD Gateway local managed group in order to get the Android client to connect.  This works fine for me as the server is the Gateway/RDWeb/Session Host, but I agree, it's a bug.  I have also disabled HTTP Redirect on the Default Website in my efforts to get Android/iOS/Mac/WinXP clients to work (Win7 always worked), but I'm not sure yet if both of those changes are necessary for each of those clients to work.

    I presume you haven't heard anything else on this?  Not all of our deployments will be single-server so it would be good to get ahead of this one before we really need it to work.

    Monday, March 31, 2014 3:42 AM
  • Hi Guy,

    I found this thread after posting here:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/bba293ab-cb41-4497-b33b-9145a4d31c17/new-microsoft-rd-client-for-android-and-apple?forum=winRDc&prof=required

    I also ended up adding "localhost" to my RD Gateway local managed group in order to get the Android client to connect.  This works fine for me as the server is the Gateway/RDWeb/Session Host, but I agree, it's a bug.  I have also disabled HTTP Redirect on the Default Website in my efforts to get Android/iOS/Mac/WinXP clients to work (Win7 always worked), but I'm not sure yet if both of those changes are necessary for each of those clients to work.

    I presume you haven't heard anything else on this?  Not all of our deployments will be single-server so it would be good to get ahead of this one before we really need it to work.

    You are the only post after mine.  Nothing but crickets.  Even after a couple of app updates, they did not fix the problem.  Our Android users either have to shell out more money for another app or find another way to log in on the road.

    Give the paid users the old iTap Mobile app!!!

    Friday, May 16, 2014 5:23 AM