NAP+TS Gateway error

Question
PROBLEM:
-every time I try to connect to win2k8x64ts1 using RDP 6.1 through TS Gateway, it fails to connect with the error message "Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS Gateway ..."
-in TS Gateway Event Viewer-Windows Logs-Security
SubjectUserName TEST\Administrator
SubjectDomainName TEST
FullyQualifiedSubjectUserName TEST\Administrator
SubjectMachineSID S-1-5-21-210235132-1586122489-365239878-1109
SubjectMachineName vista.test.local
FullyQualifiedSubjectMachineName TEST\VISTA$
MachineInventory -
CalledStationID UserAuthType:PW
CallingStationID -
NASIPv4Address -
NASIPv6Address -
NASIdentifier -
NASPortType Virtual
NASPort -
ClientName -
ClientIPAddress -
ProxyPolicyName NAP TS Gateway
NetworkPolicyName NAP TS Gateway Non NAP-Capable
AuthenticationProvider Windows
AuthenticationServer win2k8x64tsgw.test.local
AuthenticationType Unauthenticated
So basically TS Gateway always thinks Vista SP1 is not NAP capable.
How do I fix this problem?
Thanks
===========
SERVER INFO:
1. AD+DNS+TS License+TS Session Broker
-win2008
-ip 10.0.4.92
-hostname win2k8
2. TS
-win2008
-ip 10.0.4.93
-hostname win2k8x64ts1
3. TS
-win2008
-ip 10.0.4.94
-hostname win2k8x64ts2
4. TS Gateway+NAP
-win2008
-ip 10.0.4.95
-hostname win2k8x64tsgw
CLIENT INFO:
1.
-vista ultimate sp1
-ip 10.0.4.96
-hostname vista
DOMAIN NAME: test.local
-In Network Policy and Access Server-Policies-Network Policies, I created 3 policies
1. NAP TS Gateway Compliant
Condition: Health Policy: NAP TS Gateway Compliant
Access Permission: Grant Access
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow full network access
2. NAP TS Gateway Noncompliant
Condition: Health Policy: NAP TS Gateway Noncompliant
Access Permission: Deny Access
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow limited network access
3. NAP TS Gateway Non NAP-Capable
Condition: NAP Capable: Computer is not NAP Capable
Access Permission: Deny Access
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow limited network access
-In Network Access Protection-System Health Validators
Only check "A firewall is enabled for all network connections"
-in CLIENT Vista
C:\Users\administrator>netsh nap client show config
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Disabled
Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Enabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
C:\Users\administrator>netsh nap client show group
NAP client configuration (group policy):
----------------------------------------------------
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Disabled
Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Enabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Sunday, August 31, 2008 7:19 PM
Answers
Hi,
You only appear to have one condition (the health condition) in your compliant and noncompliant network policies. I'm not terribly familiar with the TS Gateway scenario, but the step by step guide indicates that a user group condition is required. Did you follow the step by step guide at http://technet.microsoft.com/en-us/library/cc732172.aspx?
-Greg
Proposed as answer by Greg Lindsay (Microsoft employee), Friday, September 19, 2008 12:22 AM
Marked as answer by Greg Lindsay (Microsoft employee), Tuesday, September 23, 2008 7:36 AM
Wednesday, September 17, 2008 10:03 PM
All replies
Hi,
Can you please provide results of netsh nap client show state on the client?
The results of netsh nap client show group tell me that you have the correct enforcement client settings, but the show state command tells whether or not it is initialized and if NAP agent is running.
Thanks,
-Greg
Saturday, September 6, 2008 2:54 PM
Here is the result:
thanks
C:\Users\administrator>netsh nap client show state
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79618
Name = Remote Access Quarantine Enforcement Client
Description = Provides the quarantine enforcement for RAS Client
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79619
Name = IPSec Relying Party
Description = Provides IPSec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Description = Provides TS Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides EAP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating its security state.
Compliance results =
Remediation results =
Ok.
Monday, September 8, 2008 1:54 AM
Hi,
It appears that the TS Gateway enforcement client is not initialized, which can be one cause of a client appearing to be non NAP-capable. Can you please check and see if there are any errors in the event log? This is under Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational
I'll need to look into requirements for the TS Gateway enforcement client to initialize. Did you execute this command while connected? One thing you might also try is restarting the NAP agent service and see if this helps.
-Greg
Wednesday, September 10, 2008 5:04 AM
P.S. Change your noncompliant network policy and non NAP-capable policy from "Deny Access" to "Grant Access." You must grant access in order to allow limited access. Denying access will drop the connection.
Wednesday, September 10, 2008 5:08 AM
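Putting the two corrections in this thread together (the accepted answer's missing user-group condition, and the P.S. above about Grant Access on the restricted policies), this is what the three network policies from the original post would look like after the fix. This is an added example, not from the thread or from the TechNet guide; the group name "TS Gateway Users" is an assumption, and the policy and health-policy names are the poster's own.

```text
1. NAP TS Gateway Compliant
Conditions: Health Policy: NAP TS Gateway Compliant
            User Groups: TEST\TS Gateway Users      (assumed group name)
Access Permission: Grant Access
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow full network access

2. NAP TS Gateway Noncompliant
Conditions: Health Policy: NAP TS Gateway Noncompliant
            User Groups: TEST\TS Gateway Users
Access Permission: Grant Access      (was Deny Access; Deny drops the connection, so "limited access" never applies)
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow limited network access

3. NAP TS Gateway Non NAP-Capable
Conditions: NAP Capable: Computer is not NAP Capable
            User Groups: TEST\TS Gateway Users
Access Permission: Grant Access      (was Deny Access)
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow limited network access
```

One caveat for the poster's stated intent of refusing non NAP-capable machines: keeping Deny Access on policy 3 does refuse them, but it also refuses a NAP-capable client whose TS Gateway enforcement client never initialized, since NPS cannot tell the two apart. Until the client-side initialization problem in this thread is resolved, a denied connection that logs "NAP TS Gateway Non NAP-Capable" is not evidence that the policy is doing what was intended.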
-
Hi Greg
Thank you for your response.
Here is the Event Viewer result when I restart NAP service in TS Gateway.
IN CLIENT VISTA SP1 NAP EVENT VIEWER
Event ID: 39
"The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from. A network change or if GP is configured a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made"
IN TS GATEWAY NAP EVENT VIEWER
Event ID: 39
"The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from. A network change or if GP is configured a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made. Contact the HRA administrator for more information"
Event ID: 13
"The Network Access Protection Agent failed to load the peripheral component MSSHA. The error code was 2147942526. See the administrator for more information"
FYI
-client VISTASP1, TS, AD, TSGateway are in same subnet
-I open RDP in VISTA and point it to TS farm name and in Advanced-Settings-Use these TS Gateway server settings
-"Use my TS Gateway credentials for the remote computer" checked
I purposely want NON NAP CAPABLE to be denied from my network for this testing. Later I can allow them.
thanks
Friday, September 12, 2008 2:56 AM
Hi,
You can ignore error event 39 for this setup because you aren't using IPsec enforcement.
Error event 13, however, is a problem. This is what I'm sure is causing the enforcement client to not initialize and resulting in your client appearing non NAP-capable. This not an error I've ever seen before. Please try restarting NAP agent and tell me if you consistently get this error. Meanwhile, I will investigate the error code. Also, is there anything special about the Vista SP1 client, or is it just a fresh install?
Restart NAP agent on the command line from an administrator prompt with net stop napagent && net start napagent.
Thanks,
-Greg
Saturday, September 13, 2008 4:21 PM
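To check on the Vista client the things Greg asks for in his last two replies (is the NAP agent service running, did the TS Gateway enforcement client initialize, and which NAP events 9, 13, 26 and 39 the client logged), here is an added PowerShell diagnostic that does it in one pass. It is not from the thread. It assumes PowerShell 2.0 or later (for Get-WinEvent), that the NAP operational log is named 'Microsoft-Windows-NetworkAccessProtection/Operational', and that 'netsh nap client show state' prints the "Id = / Name = / Initialized =" layout shown earlier in this thread.

```powershell
# Added diagnostic for the NAP client side of this thread (not from the original post).
# Run from an elevated PowerShell prompt on the NAP client (vista.test.local in the thread).

# IDs taken from the thread's 'netsh nap client show state' output.
$TsgQecId = 79621   # TS Gateway Quarantine Enforcement Client

function Get-NapEnforcementClientState {
    # Parses 'netsh nap client show state' into objects with Id, Name and Initialized.
    # The Client state header (no "Id =" line) is skipped; the SHA section is parsed too,
    # which is harmless because callers filter by Id.
    $lines   = netsh nap client show state
    $results = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Id\s*=\s*(\d+)') {
            if ($current) { $results += $current }
            $current = New-Object PSObject -Property @{ Id = [int]$matches[1]; Name = ''; Initialized = '' }
        }
        elseif ($current -and $line -match '^\s*Name\s*=\s*(.+)$')       { $current.Name = $matches[1].Trim() }
        elseif ($current -and $line -match '^\s*Initialized\s*=\s*(\w+)') { $current.Initialized = $matches[1] }
    }
    if ($current) { $results += $current }
    return $results
}

function Test-NapAgentReady {
    # Returns $true only when the NAP agent service is running AND the TS Gateway
    # enforcement client reports Initialized = Yes. Anything else is what NPS
    # will classify as "not NAP capable", which is the symptom in this thread.
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "NAP agent (napagent) is not running. Restart it with: Restart-Service napagent"
        return $false
    }
    $tsg = Get-NapEnforcementClientState | Where-Object { $_.Id -eq $TsgQecId }
    if (-not $tsg) {
        Write-Warning "TS Gateway enforcement client ($TsgQecId) is not listed at all."
        return $false
    }
    if ($tsg.Initialized -ne 'Yes') {
        Write-Warning "TS Gateway enforcement client is enabled but NOT initialized; NPS will treat this client as non NAP-capable."
        return $false
    }
    return $true
}

function Get-NapDiagnosticEvents {
    # The events discussed in the thread:
    #   9  = enforcement client initialized        13 = failed to load a component (the real problem)
    #   26 = NAP service started                   39 = no HRA found (ignorable without IPsec enforcement)
    # Log name is an assumption; adjust if your system names it differently.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NetworkAccessProtection/Operational'
        Id      = 9, 13, 26, 39
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# Usage: first the ready check, then the recent NAP events for context.
if (Test-NapAgentReady) { "NAP agent and TS Gateway enforcement client look healthy." }
Get-NapDiagnosticEvents | Format-Table -AutoSize -Wrap
```

Run it on the client, not on the TS Gateway server: as Greg notes later in the thread, the NAP agent on the Server 2008 box is not the one that matters, and event 13 there is expected. If the script reports the enforcement client as not initialized after a Restart-Service napagent, the event list it prints is what to post back, since an event 13 on the client would point at a component-load failure rather than at the NPS policies.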
1. Please try restarting NAP agent and tell me if you consistently get this error.
I always got Event 13 every time I restart NAP agent in TS Gateway
2. anything special about the Vista SP1 client, or is it just a fresh install?
The client is Vista Ultimate that previously didn't have SP1, then I download and install SP1
thanks
Monday, September 15, 2008 2:34 AM
Hi,
Hmm, this might be a silly question, but are you running NAP agent on the TS Gateway or the Vista client, or both? You shouldn't be using NAP agent on the Server 2008 computer. That will always show the error you have above. What we need to review are errors on the Vista client.
-Greg
Monday, September 15, 2008 2:46 AM
1. but are you running NAP agent on the TS Gateway or the Vista client, or both?
Before, NAP Agent ran on both, but now I have already disabled NAP Agent on the TS Gateway.
On the TS Gateway, I think NAP agent is installed by default after installing the NAP role.
After I disabled NAP Agent on the TS Gateway, I tried to launch RDP to farm1.test.local using the TS Gateway as its gateway, but I still got this error in the TS Gateway event viewer
in TS Gateway Event Viewer-Windows Logs-Security
SubjectUserName TEST\Administrator
NetworkPolicyName NAP TS Gateway Non NAP-Capable
2. What we need to review are errors on the Vista client.
There is no Event 13 error in Vista client
thanks
Monday, September 15, 2008 3:12 AM
Hi,
We should review your NPS policies and make sure there isn't an issue here, but I still think the problem might be that the TS Gateway enforcement client has not initialized. You said there is no error 13 on the client, but what about other events? Specifically, I am wondering which of these events you see.
To review policies, please provide the output of "netsh NAP show config" on your NPS.
Thanks,
-Greg
Monday, September 15, 2008 3:20 AM
1. what about other events? Specifically, I am wondering which of these events you see
I see on Vista
EventID 9: The enforcement client 79871 successfully initialized
EventID 26: The NAP service has started.
NAP has the following information for this computer:
Computer name is vista.test.local.
2. output of "netsh NAP show config" on your NPS.
C:\Users\administrator.TEST>netsh NAP show config
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled
Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled
Name = IPSec Relying Party
ID = 79619
Admin = Disabled
Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled
Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled
Health Registration Authority (HRA) configuration:
----------------------------------------------------
The system cannot find the file specified.
Monday, September 15, 2008 3:27 AM
Oops, sorry. I meant to say "netsh NPS show config" my apologies. NAP and NPS have too many of the same letters =)
Please provide output from netsh NPS show config.
Monday, September 15, 2008 3:30 AM