NAP+TS Gateway error

  • Question

  • PROBLEM:
    -every time I try to connect to win2k8x64ts1 using RDP 6.1 through TS Gateway, it fails to connect with the error message "Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS Gateway ..."
    -in the TS Gateway Event Viewer (Windows Logs / Security):
      SubjectUserName TEST\Administrator
      SubjectDomainName TEST
      FullyQualifiedSubjectUserName TEST\Administrator
      SubjectMachineSID S-1-5-21-210235132-1586122489-365239878-1109
      SubjectMachineName vista.test.local
      FullyQualifiedSubjectMachineName TEST\VISTA$
      MachineInventory -
      CalledStationID UserAuthType:PW
      CallingStationID -
      NASIPv4Address -
      NASIPv6Address -
      NASIdentifier -
      NASPortType Virtual  
      NASPort -
      ClientName -
      ClientIPAddress -
      ProxyPolicyName NAP TS Gateway
      NetworkPolicyName NAP TS Gateway Non NAP-Capable
      AuthenticationProvider Windows  
      AuthenticationServer win2k8x64tsgw.test.local
      AuthenticationType Unauthenticated

    So basically TS Gateway always thinks Vista SP1 is not NAP capable.
    How do I fix the problem?

    Thanks
    ===========
    SERVER INFO:
    1. AD+DNS+TS License+TS Session Broker
    -win2008
    -ip 10.0.4.92
    -hostname win2k8
    2. TS
    -win2008
    -ip 10.0.4.93
    -hostname win2k8x64ts1
    3. TS
    -win2008
    -ip 10.0.4.94
    -hostname win2k8x64ts2
    4. TS Gateway+NAP
    -win2008
    -ip 10.0.4.95
    -hostname win2k8x64tsgw

    CLIENT INFO:
    1.
    -vista ultimate sp1
    -ip 10.0.4.96
    -hostname vista

    DOMAIN NAME: test.local

    -In Network Policy and Access Server / Policies / Network Policies, I created 3 policies:
    1. NAP TS Gateway Compliant
    Condition: Health Policy: NAP TS Gateway Compliant
    Access Permission: Grant Access
    Authentication Method: Perform Machine Health Check Only
    NAP Enforcement: Allow full network access

    2. NAP TS Gateway Noncompliant
    Condition: Health Policy: NAP TS Gateway Noncompliant
    Access Permission: Deny Access
    Authentication Method: Perform Machine Health Check Only
    NAP Enforcement: Allow limited network access

    3. NAP TS Gateway Non NAP-Capable
    Condition: NAP Capable: Computer is not NAP Capable
    Access Permission: Deny Access
    Authentication Method: Perform Machine Health Check Only
    NAP Enforcement: Allow limited network access

    -In Network Access Protection / System Health Validators
    Only check "A firewall is enabled for all network connections"

    -on the CLIENT (Vista)
    C:\Users\administrator>netsh nap client show config
    NAP client configuration:
    ----------------------------------------------------
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
    Hash algorithm = sha1RSA (1.3.14.3.2.29)
    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled
    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled
    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Disabled
    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Enabled
    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled
    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    C:\Users\administrator>netsh nap client show group
    NAP client configuration (group policy):
    ----------------------------------------------------
    NAP client configuration:
    ----------------------------------------------------
    Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
    Hash algorithm = sha1RSA (1.3.14.3.2.29)
    Enforcement clients:
    ----------------------------------------------------
    Name            = DHCP Quarantine Enforcement Client
    ID              = 79617
    Admin           = Disabled
    Name            = Remote Access Quarantine Enforcement Client
    ID              = 79618
    Admin           = Disabled
    Name            = IPSec Relying Party
    ID              = 79619
    Admin           = Disabled
    Name            = TS Gateway Quarantine Enforcement Client
    ID              = 79621
    Admin           = Enabled
    Name            = EAP Quarantine Enforcement Client
    ID              = 79623
    Admin           = Disabled
    Client tracing:
    ----------------------------------------------------
    State = Disabled
    Level = Disabled

    Sunday, August 31, 2008 7:19 PM
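An added triage helper (not from the poster or from Microsoft) that parses the two artefacts quoted in the post, the NPS Security-event fields and the `netsh nap client show config` listing, and cross-checks them: NPS matched the "Non NAP-Capable" deny policy while the client reports the TS Gateway enforcement client as Enabled. The excerpts below are constructed from the post; the "NAP Agent service" hint is general NAP knowledge, not something the post states.

```python
# Constructed excerpt of the NPS Security-log event fields quoted in the post.
NPS_EVENT = """\
SubjectMachineName vista.test.local
CallingStationID -
ProxyPolicyName NAP TS Gateway
NetworkPolicyName NAP TS Gateway Non NAP-Capable
AuthenticationType Unauthenticated
"""

# Constructed excerpt of the client's `netsh nap client show config` output.
NETSH_CONFIG = """\
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled
Name            = TS Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Enabled
"""

def parse_nps_event(text):
    """Map 'Key value' lines to a dict; NPS writes '-' for an empty field."""
    fields = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            fields[parts[0]] = None if parts[1] == "-" else parts[1]
    return fields

def parse_enforcement_clients(text):
    """Return {enforcement client name: Admin state} from the netsh listing."""
    clients, current = {}, None
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "Name":
            current = value
        elif key == "Admin" and current:
            clients[current] = value
    return clients

def triage(event, clients):
    findings = []
    if "Non NAP-Capable" in (event.get("NetworkPolicyName") or ""):
        findings.append("NPS matched the deny policy for non-NAP-capable clients")
    tsg = clients.get("TS Gateway Quarantine Enforcement Client")
    if tsg != "Enabled":
        findings.append("TS Gateway QEC is %s on the client" % tsg)
    elif findings:
        # QEC is on, yet NPS saw no statement of health (SoH); the client's NAP Agent service must run to send one.
        findings.append("client QEC enabled but no SoH reached NPS; check NAP Agent service")
    return findings
```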
