TS Gateway and RADIUS problem

    Question

  • I’ve got a Terminal Server Gateway and I’m trying to do RADIUS authentication.  When I try to make a Remote Desktop connection, on the client I get

    Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS Gateway, possibly due to one of the following reasons:

    · You do not have permission to connection the TS Gateway server.
    · You used password authentication but the TS Gateway server is expecting smart card authentication (or vice versa).

    Contact your administrator for further assistance.

    I don’t see anything in the CAP that would be an issue.  My recollection is that I had no problem connecting with this account before I tried to implement RADIUS.  It’s been a while since I worked on this so my recollection could be wrong.  Anyway, I don’t think the first suggestion is correct.  My CAP is set to use password authentication and I’m using a password to log on so, I don’t think the second suggestion is correct either.

    On the RADIUS server, in the security event log I get

    EventData
    SubjectUserSid: S-1-5-21-1863327766-1082353637-1606240830-500
    SubjectUserName: ANSCI\Meyer
    SubjectDomainName: ANSCI
    FullyQualifiedSubjectUserName: ansci.ucdavis.edu/ANSCI Users/Meyer
    SubjectMachineSID: S-1-5-21-1863327766-1082353637-1606240830-3495
    SubjectMachineName: Curt-E4300.ansci.ucdavis.edu
    FullyQualifiedSubjectMachineName: ANSCI\CURT-E4300$
    MachineInventory: 6.0.6001 1.0 x86 Domain Controller
    CalledStationID: UserAuthType:PW
    CallingStationID: -
    NASIPv4Address: -
    NASIPv6Address: -
    NASIdentifier: -
    NASPortType: Virtual
    NASPort: -
    ClientName: GW2
    ClientIPAddress: 169.237.28.2
    ProxyPolicyName: Use Windows authentication for all users
    NetworkPolicyName: Connections to other access servers
    AuthenticationProvider: Windows
    AuthenticationServer: Radius.ansci.ucdavis.edu
    AuthenticationType: Unauthenticated
    EAPType: -
    AccountSessionIdentifier: -
    ReasonCode: 65
    Reason: The connection attempt failed because network access permission for the user account was denied. To allow network access, enable network access permission for the user account, or, if the user account specifies that access is controlled through the matching network policy, enable network access permission for that network policy.

    The above seems to indicate I need to enable network access permission to the user account.  Where do I do that?  Is that part of NPS?  Is it in ADU&C?

    Thanks for your help.

    Curt

    Friday, April 03, 2009 11:56 PM


All replies

  • Do you mean you are using Radius Authentication for authentication on TS Gateway? If yes, let me tell you that you can't do Radius Authentication for TS Gateway. TS Gateway supports only smartcard and password based authentication. If you need two factor authentication, you can use OTP in conjunction with ISA in front of TS Gateway. All this information can be found in the TS Gateway step by step guide at http://technet.microsoft.com/en-us/library/cc771530.aspx

    Please post the question on the Terminal Services forum, in case what I understood above is incorrect. Please get back with proper configuration details as to where you are using Radius Authentication.

    Thanks
    Vikash
    Friday, April 10, 2009 5:30 AM
  • I thought what I could do was set up a TS Gateway and a RADIUS/NPS server and have the TS Gateway pass the credentials (username/password) to the RADIUS server for authentication.  The idea was to put the RADIUS server in my private network and have the TS Gateway in the perimeter network.  The thought was that this configuration is more secure.  Is this not possible?  Is it not more secure?

    I've been able to get TS Gateway with NAP working without RADIUS but not with authentication as described above through a RADIUS server.  On the TS Gateway, I have configured which server is my RADIUS server.  On the RADIUS server I have configured the TS Gateway as a RADIUS client.  Both are using the same shared secret.  In the TS Gateway Connection Request Policy, I have it set to forward requests to my RADIUS server group.  The TS Gateway was working before I tried to implement RADIUS.  Do I need to recreate my Connection Request Policies, Network Policies, Health Policies and System Health Validators on the RADIUS server?  I thought my RADIUS server was only doing authentication but now I'm beginning to question that.  Is there a good/simple document that describes how to set this up?

    My RADIUS and TS Gateways are running Server 2008.  My Domain Controllers/Active Directory are Server 2003.

    Thanks for your help.

    Curt

    Friday, April 10, 2009 6:33 PM
  • Hi Curt,

    The TS Gateway NAP step by step guide is here: http://technet.microsoft.com/en-us/library/cc771530.aspx

    What the event is saying is that you have set the access permission on the network policy to Deny Access. Review events in event viewer under Custom Views\Server Roles\Network Policy and Access Services. You should see NPS event ID 6273: The Network Policy Server denied access to a user. This event will tell you what network policy was matched. Review this policy and you may find that it is set to "Deny Access" rather than "Grant Access." See http://technet.microsoft.com/en-us/library/dd348487.aspx for more information.

    Another reason for denying access is if the client access request doesn't match any policy. If this is the case, you'll need to troubleshoot why no policy was matched. It may also be matching the *wrong* policy, such as a non-NAP-capable policy. This can happen in a TS Gateway scenario because of a certificate problem. See http://technet.microsoft.com/en-us/library/dd348494.aspx#napclientcomputersareevaluatedasnonnapcapable for more information about this.

    I hope this helps,
    -Greg
    Tuesday, April 14, 2009 9:55 PM
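A way to run the check Greg describes from PowerShell on the NPS server, added here as an example and not code posted in the thread: it pulls NPS event 6273 from the Security log and lists the fields that appear in Curt's event (matched network policy, authentication type, reason code 65), then optionally shows what the account's Dial-in tab stores. It assumes Windows Server with NPS and Get-WinEvent available; the ActiveDirectory module and the account name in the last step are assumptions and placeholders.

```powershell
# Added example (not from the thread). Run elevated on the NPS/RADIUS server.
# Lists the most recent NPS "denied access" audits (event ID 6273, Security log)
# and pulls out the EventData fields Greg asks you to look at.
param([int]$Last = 20)

function Get-NpsDenial {
    param([int]$Count = 20)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
                           -MaxEvents $Count -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # EventData is a list of <Data Name="...">value</Data> elements
        $xml = [xml]$ev.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time          = $ev.TimeCreated
            User          = $d['SubjectUserName']
            RadiusClient  = $d['ClientName']          # e.g. the TS Gateway (GW2 in the thread)
            ProxyPolicy   = $d['ProxyPolicyName']     # connection request policy that matched
            NetworkPolicy = $d['NetworkPolicyName']   # network policy that matched: check its Access Permission
            AuthType      = $d['AuthenticationType']
            ReasonCode    = [int]$d['ReasonCode']
            Reason        = $d['Reason']
        }
    }
}

$denials = Get-NpsDenial -Count $Last
$denials | Format-Table Time, User, RadiusClient, NetworkPolicy, AuthType, ReasonCode -AutoSize

# Reason code 65 (as in Curt's event) means the network access permission was denied, either
# by the matched network policy's "Deny access" setting or by the account's Dial-in tab.
$denials | Where-Object { $_.ReasonCode -eq 65 } |
    ForEach-Object { "Policy '$($_.NetworkPolicy)' denied $($_.User): review its Access Permission in NPS." }

# Optional: what the Dial-in tab in ADUC ("Network Access Permission") stores on the account.
# Assumes the ActiveDirectory module (RSAT); 'USERNAME' is a placeholder.
# $null  = Control access through NPS Network Policy
# $false = Deny access, $true = Allow access
# Get-ADUser -Identity 'USERNAME' -Properties msNPAllowDialin |
#     Select-Object SamAccountName, msNPAllowDialin
```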