RDS Gateway Issues (server 2012 R2)

    Question

  • We recently deployed an RDS environment with a Gateway. The RDWeb and Gateway certificates are set up and done correctly as far as we can see. Access is only being restricted to users in our domain.

    We are seeing this generic error on Windows when trying to connect:

    Remote Desktop can't connect to the remote computer...for one of these reasons:

    1) Your user account is not authorized to access the RD Gateway

    2) Your computer is not authorized to access the RD Gateway

    3) You are using an incompatible authentication method

    On Mac and iOS clients we see an error stating the access was denied due to a Connection Access Policy (TS_CAP).


    Our only workaround (which is probably not acceptable in production) is to set the Network Policy Server Connection request policy to accept users without validating credentials (under Forwarding Connection Request).


    In Server Manager the error states:


    The user "XXX", on client computer "xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

    Anyone have any ideas? We are at a complete loss.





    • Edited by BryanCP Tuesday, January 14, 2014 1:50 PM
    Tuesday, January 14, 2014 1:40 PM

Answers

  • We have decided to not implement the Gateway at this time. The plan is to implement it later. Because of this, we removed our testing system. I do know though that while we were experiencing the issues the NPS was registered in Active Directory and was in the "RAS and IAS Servers" group. I think I stumbled upon the thread Johan referenced earlier so I had checked these things.

    I appreciate the help Jeremy/Johan—I will reference this thread in the future when we do set it up and will bump it if necessary.

    Thursday, January 23, 2014 12:30 PM

All replies

  • Hi Bryan,

    Did you edit the default policies in the Gateway Manager or add new policies? If so, can you list the changes that you made or the specifics of the policies you added?


    There's a new blog in town: http://msfreaks.wordpress.com

    Tuesday, January 14, 2014 4:23 PM
  • The policies were all standard. Any modifications to them (specifically adding which domain users had access to the collection) were done via the Server Manager front end.

    We suspect the issue might be blocked firewall ports for Kerberos between the gateway and the DCs—does that sound plausible?

    Wednesday, January 15, 2014 12:37 PM
  • Hi,

    I did some research; please check if the Log On account for the Remote Desktop Gateway Service is Network Service.


    Hope this helps.


    Jeremy Wu

    TechNet Community Support

    Saturday, January 18, 2014 5:29 PM
    Moderator
  • Hi Bryan,

    Have you tried the solution in http://blogs.technet.com/b/networking/archive/2010/01/14/remote-desktop-gateway-client-fails-authentication-with-your-user-account-is-not-authorized-to-access-the-rd-gateway.aspx?

    (The NPS is not registered in Active Directory/not in the "RAS and IAS Servers" group)

    I guess that you are not using NAP to validate your clients' health status?

    /Johan


    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net


    Saturday, January 18, 2014 8:09 PM
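To check the two things Jeremy and Johan suggest (the RD Gateway service log-on account, and whether the NPS host is registered in Active Directory via the "RAS and IAS Servers" group) and to pull the matching 23003 denials from the gateway log, here is an added PowerShell script that is not from this thread; it assumes NPS runs locally on the gateway server and that the RSAT ActiveDirectory module is installed.

```powershell
# Added diagnostic script (not from the thread). Run in an elevated PowerShell
# session on the RD Gateway server. Assumes NPS is local and RSAT AD is present.
Import-Module ActiveDirectory -ErrorAction Stop

$findings = @()

# 1. The Remote Desktop Gateway service (TSGateway) should log on as
#    NT AUTHORITY\NetworkService, as Jeremy suggests checking.
$svc = Get-CimInstance Win32_Service -Filter "Name='TSGateway'"
if (-not $svc) {
    $findings += "TSGateway service not found; is the RD Gateway role installed here?"
} elseif ($svc.StartName -notmatch 'NetworkService') {
    $findings += "TSGateway logs on as '$($svc.StartName)'; expected NT AUTHORITY\NetworkService."
}

# 2. The NPS computer must be a member of "RAS and IAS Servers" (this is what
#    "Register server in Active Directory" in the NPS console does). Without it
#    NPS cannot read users' dial-in attributes and every CAP check is denied.
$npsHost = $env:COMPUTERNAME   # assumption: NPS is local to the gateway
$members = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Recursive |
           Where-Object { $_.objectClass -eq 'computer' } |
           Select-Object -ExpandProperty Name
if ($members -notcontains $npsHost) {
    $findings += "$npsHost is not in 'RAS and IAS Servers'; register NPS in AD " +
                 "(NPS console or 'netsh nps add registeredserver'), then restart NPS and TSGateway."
}

# 3. Pull the last day's CAP denials carrying error 23003 so they can be
#    correlated with the findings above after each change.
$denials = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '23003' } |
    Select-Object -First 5 TimeCreated, Id, Message

if ($findings.Count -eq 0) { "No problems found in the checked items." } else { $findings }
$denials | Format-List
```

If NPS is on a separate server, set $npsHost to that computer's name and run the group check from there.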
  • Hi Bryan,

    How is the issue going now? Is there any update?

    Thanks.


    Jeremy Wu

    TechNet Community Support

    Thursday, January 23, 2014 9:20 AM
    Moderator