RD Gateway NPS issue (error occurred: "23003")

  • Question

  • I set up an RD Gateway on both Windows Server 2016 and Windows Server 2019. That should be a straightforward process following the Microsoft docs and multiple other websites (https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure).

    When I try to connect I receive this error message in the event log (Windows -> TerminalServices-Gateway):

    The user "DOMAIN\Username", on client computer "IP", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

    I found a lot of documentation claiming that registering the NPS server (https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-register) should fix that issue, so I registered the server. Both are now in the "RAS and IAS Servers" domain security group. But we still receive the same error. Could we have broken the effect of that group in the past?

    I continued investigating and found the failure audit in the security event log:

    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
     Security ID:   NULL SID
     Account Name:   DOMAIN\Username
     Account Domain:   DOMAIN
     Fully Qualified Account Name: DOMAIN\Username
    Client Machine:
     Security ID:   NULL SID
     Account Name:   LM-G710-8.0.0
     Fully Qualified Account Name: -
     Called Station Identifier:  UserAuthType:PW
     Calling Station Identifier:  -
    NAS:
     NAS IPv4 Address:  -
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Virtual
     NAS Port:   -
    RADIUS Client:
     Client Friendly Name:  -
     Client IP Address:   -

    Authentication Details:
     Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  SERVER.FQDN.com
     Authentication Type:  Unauthenticated
     EAP Type:   -
     Account Session Identifier:  -
     Logging Results:   Accounting information was written to the local log file.
     Reason Code:   7
     Reason:    The specified domain does not exist.

    I then found this thread, which claims that I should disable NPS authentication:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/f49fe666-ac4b-4bf9-a332-928a547cff77/remote-desktop-gateway-denying-connections

    I tried it, but disabling NPS authentication leaves me with a bad impression...

    Does anyone have a clue why I cannot resolve the domain?

    For testing/debugging purposes I installed the RD Gateway on an AD member server in the main network, with no firewall other than the Windows one.

    The only thing I can suspect is that we broke the "RAS and IAS Servers" AD group in the past.


    Wednesday, February 20, 2019 12:01 AM

Answers

All replies

  • Hi,

    I want to confirm with you: have you configured a single RD Gateway for your RDS deployment, or two RD Gateways in an HA (high availability) configuration?

    If it is the latter, please check “RDS 2012 – Configuring a RD Gateway Farm” for detailed configuration steps:
    https://ryanmangansitblog.com/2013/03/31/rds-2012-configuring-a-rd-gateway-farm/comment-page-1/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Besides, if possible, please disable one of the gateways and check the connection result.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 20, 2019 6:47 AM
    Moderator
  • Hi,

    I have configured a single RD Gateway for my RDS deployment. Both gateways were not configured and up at the same time; when I tried the Server 2016, I had already decommissioned the Server 2019. I wanted to validate that the issue was not with the Windows Server 2019.

    Currently I only have the Server 2019 configured and up. And I still need to bypass NPS authentication to have the RD Gateway functional.

    Regards,

    Thursday, February 21, 2019 10:25 PM
  • Hi,

    > Reason Code: 7. Reason: The specified domain does not exist.
    We may try to narrow down the problem, starting with the communication between NPS and the DC. Please refer to the link below and check the details:
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735393(v=ws.10)

    Best Regards,
    Eve Wang

    Friday, February 22, 2019 2:19 AM
    Moderator
  • Hi,

    The log file contains data. I cross-referenced the date/time of the event log entry 2019-02-19 6:06:05 PM:

    The user "DOMAIN\Username" on client computer "IP", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

    I found two log entries at the same time:

    "RDGW01","RAS",02/19/2019,18:06:05,1,"DOMAIN\Username","DOMAIN\Username","UserAuthType:PW",,,,,,,,,,,,5,,,12,7,,0,"311 1 172.18.**.** 02/18/2019 21:02:56 6",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"TS GATEWAY AUTHORIZATION POLICY",1,,,,
    "RDGW01","RAS",02/19/2019,18:06:05,3,,"DOMAIN\Username",,,,,,,,,,,,,,,,,7,,7,"311 1 172.18.**.** 02/18/2019 21:02:56 6",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"TS GATEWAY AUTHORIZATION POLICY",1,,,,

    Based on the article, does that mean the RD Gateway/NPS server can communicate with the DC but cannot identify my user?


    Friday, February 22, 2019 1:07 PM
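As an added example (not from the thread, Microsoft, or NPS itself), a small Python parser for IAS-format NPS log rows like the two quoted above: it reads the rows by column position (assumed here from Microsoft's documented IAS log format), pairs each Access-Reject with the Access-Request logged for the same user in the same second, and decodes the reason code, which is the cross-referencing the poster did by hand. The two sample rows are constructed from the post's entries, with the masked address replaced by a documentation IP.

```python
import csv
import io

# 0-based indexes of the IAS-format columns used here (assumed from Microsoft's documented IAS log format).
COLS = {"date": 2, "time": 3, "packet_type": 4, "fqdn": 6, "auth_type": 23,
        "network_policy": 24, "reason": 25, "proxy_policy": 60, "provider": 61}
PACKET = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
# Reason codes seen in this thread: 0 = no error, 7 = "The specified domain does not exist".
REASON = {"0": "Success", "7": "The specified domain does not exist"}

# Constructed sample rows modelled on the two entries quoted in the post, with the masked
# address replaced by a documentation IP. "," * n stands for n empty columns (34 commas
# cover the empty columns 28-60 that sit before Proxy-Policy-Name, column 61).
REQUEST_ROW = ('"RDGW01","RAS",02/19/2019,18:06:05,1,"DOMAIN\\Username","DOMAIN\\Username",'
               '"UserAuthType:PW"' + "," * 12 + '5,,,12,7,,0,'
               '"311 1 192.0.2.10 02/18/2019 21:02:56 6"' + "," * 34
               + '"TS GATEWAY AUTHORIZATION POLICY",1,,,,')
REJECT_ROW = ('"RDGW01","RAS",02/19/2019,18:06:05,3,,"DOMAIN\\Username"' + "," * 17
              + '7,,7,"311 1 192.0.2.10 02/18/2019 21:02:56 6"' + "," * 34
              + '"TS GATEWAY AUTHORIZATION POLICY",1,,,,')
SAMPLE = REQUEST_ROW + "\n" + REJECT_ROW + "\n"

def parse_ias(text):
    """Return one dict per IAS-format row, keyed by the names in COLS."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) <= COLS["provider"]:
            continue  # truncated row: skip it rather than mis-index the columns
        rows.append({name: rec[idx] for name, idx in COLS.items()})
    return rows

def correlate_rejects(text):
    """Pair each Access-Reject with the Access-Request logged for the same user in the
    same second and decode its reason code (the cross-referencing the poster did by hand)."""
    rows = parse_ias(text)
    findings = []
    for r in rows:
        if PACKET.get(r["packet_type"]) != "Access-Reject":
            continue
        key = (r["date"], r["time"], r["fqdn"])
        seen = any(PACKET.get(q["packet_type"]) == "Access-Request"
                   and (q["date"], q["time"], q["fqdn"]) == key for q in rows)
        findings.append({
            "user": r["fqdn"], "request_seen": seen,
            "connection_request_policy": r["proxy_policy"],
            "network_policy": r["network_policy"] or None,  # empty: no network policy reached
            "reason_code": int(r["reason"]), "reason": REASON.get(r["reason"], "unknown"),
            "unauthenticated": r["auth_type"] == "7",  # Authentication-Type 7 = None
        })
    return findings
```

Run against a real IAS-format log, an empty `network_policy` together with reason code 7 on the reject row confirms that the request was refused by the connection request policy before any network policy or user lookup succeeded.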
  • Hi,

    Yes, as you mentioned. If domain controllers are available and NPS has received and processed connection requests, recent log file entries will appear in the file.

    Please open RD Gateway Manager – Properties – RD CAP Store; by default, it uses the local server running NPS. Please confirm this configuration.

    Then, open Network Policy Server – Policies; if possible, please disable/enable them one by one to narrow down the problem and confirm whether it is a specific policy-related problem.

    Best Regards,
    Eve Wang

    Monday, February 25, 2019 8:32 AM
    Moderator
  • Hi Eve,

    This is the default RD Gateway CAP configuration:

    If the user is a member of any of the following user groups:
    DOMAIN\Domain Users
    If the client computer is a member of any of the following computer groups:
    Not applicable (no computer group is specified)
    If the user uses the following supported Windows authentication methods:
    Password
    Allow the user to connect to this RD Gateway server and disable device redirection for the following client devices:
    Not applicable (device redirection is allowed for all client devices)
    After the idle timeout is reached:
     - Not applicable (no idle timeout)
    After the session timeout is reached:
     - Not applicable (no session timeout)

    The RD CAP Store property is set to "Local server running NPS".

    In the default configured "TS GATEWAY AUTHORIZATION POLICY" settings, I need to change Authentication from "Authenticate request on this server" to "Accept users without validating credentials" to allow access. When I choose "Authenticate request on this server", I again receive:

    The user "DOMAIN\Username", on client computer "XXX.XXX.XXX.XXX", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

    In the security audit event log I found the following 4 events:

    A logon was attempted using explicit credentials.
    Subject:
     Security ID:  SYSTEM
     Account Name:  RDGW01$
     Account Domain:  DOMAIN
     Logon ID:  0x3E7
     Logon GUID:  {00000000-0000-0000-0000-000000000000}
    Account Whose Credentials Were Used:
     Account Name:  Username
     Account Domain:  DOMAIN
     Logon GUID:  {84d60808-b433-ce9d-df52-61b3c848ac15}
    Target Server:
     Target Server Name: localhost
     Additional Information: localhost
    Process Information:
     Process ID:  0x4
     Process Name:  
    Network Information:
     Network Address: -
     Port:   -
    This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

    An account was successfully logged on.
    Subject:
     Security ID:  SYSTEM
     Account Name:  RDGW01$
     Account Domain:  DOMAIN
     Logon ID:  0x3E7
    Logon Information:
     Logon Type:  8
     Restricted Admin Mode: -
     Virtual Account:  No
     Elevated Token:  No
    Impersonation Level:  Impersonation
    New Logon:
     Security ID:  DOMAIN\Username
     Account Name:  Username
     Account Domain:  DOMAIN
     Logon ID:  0x346346F
     Linked Logon ID:  0x0
     Network Account Name: -
     Network Account Domain: -
     Logon GUID:  {84d60808-b433-ce9d-df52-61b3c848ac15}
    Process Information:
     Process ID:  0x4
     Process Name:  
    Network Information:
     Workstation Name: RDGW01
     Source Network Address: -
     Source Port:  -
    Detailed Authentication Information:
     Logon Process:  HTTP   
     Authentication Package: Kerberos
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0
    This event is generated when a logon session is created. It is generated on the computer that was accessed.
    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The impersonation level field indicates the extent to which a process in the logon session can impersonate.
    The authentication information fields provide detailed information about this specific logon request.
     - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Group membership information.

    Subject:
     Security ID:  SYSTEM
     Account Name:  RDGW01$
     Account Domain:  DOMAIN
     Logon ID:  0x3E7
    Logon Type:   8
    New Logon:
     Security ID:  DOMAIN\Username
     Account Name:  Username
     Account Domain:  DOMAIN
     Logon ID:  0x346346F
    Event in sequence:  1 of 1
    Group Membership:   
      DOMAIN\Domain Users
      Everyone
      BUILTIN\Users
      NT AUTHORITY\Authenticated Users
      NT AUTHORITY\This Organization
      etc...
    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
    This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
     Security ID:   NULL SID
     Account Name:   DOMAIN\Username
     Account Domain:   DOMAIN
     Fully Qualified Account Name: DOMAIN\Username
    Client Machine:
     Security ID:   NULL SID
     Account Name:   LM-G710-8.0.0
     Fully Qualified Account Name: -
     Called Station Identifier:  UserAuthType:PW
     Calling Station Identifier:  -
    NAS:
     NAS IPv4 Address:  -
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Virtual
     NAS Port:   -
    RADIUS Client:
     Client Friendly Name:  -
     Client IP Address:   -
    Authentication Details:
     Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  RDGW01.DOMAIN.com
     Authentication Type:  Unauthenticated
     EAP Type:   -
     Account Session Identifier:  -
     Logging Results:   Accounting information was written to the local log file.
     Reason Code:   7
     Reason:    The specified domain does not exist.

    The user gets authenticated, but for an unknown reason, the policy blocks it.

    I reviewed the default policy configuration; everything was created by Server Manager:

    Overview

    • Policy enabled
    • Type of network access server: Remote Desktop Gateway

    Conditions

    • NAS Port Type: virtual (VPN)

    Settings: Authentication

    • Authenticate request on this server

    I am a bit confused about what is going on!

    Regards,

    Jonathan

    Monday, February 25, 2019 4:31 PM
  • Hi,

    In order to narrow down the problem, detailed tracing/monitoring/log files are necessary. I am afraid that we are unable to provide more detailed log analysis on the forum.

    I would suggest you contact Microsoft Customer Support and Services, where a more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

    Global Customer Service phone numbers:
    https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

    Thank you for your understanding.

    Best Regards,
    Eve Wang

    Tuesday, February 26, 2019 8:42 AM
    Moderator
  • Thanks, will do.
    Tuesday, February 26, 2019 1:51 PM
  • Hi,

    Thank you for the update.

    Please feel free to post on the forum if there are any more questions/concerns.

    Best Regards,
    Eve Wang

    Wednesday, February 27, 2019 3:20 AM
    Moderator
  • We encountered this issue and it ended up being an error with our firewall (we use Dell SonicWall). Since we had not made any recent changes or updates, a simple reboot of the firewall and its failover device resolved the problem.
    Wednesday, August 21, 2019 1:49 PM
  • In our case the problem is that the pre-Windows 2000 name (NetBIOS) is also a possible DNS suffix, which creates an issue. Support recommended that we create a new AD and migrate the users and computers to it, which is a lot of work...
    Wednesday, August 21, 2019 8:08 PM