Domain Admins cannot use RDS, but Domain Users can

  • Question

  • We have a WS2016 running RDS.

    Everyone that has access can open the web page and sign in through the https://...../RDWeb site.

    Once in, ALL USERS not in an AD administrative group can then click on an icon, sign in to the second prompt and use the apps.

    If I, or any admin, try to click on an icon on the webpage, it prompts us to sign in, then it gives us an error with the three reasons you need to check for.

    All admins can RDP into the same server running RDS, but none of us can go through the web page to do it.

    I found something online saying to change the local GP, which we did, but that didn't work either (and yes, I forced the GP to update on the server).

    Any thoughts would be helpful.

    Thanks beforehand, because this is a tad annoying that no one in IT can use the services, but all regular users can.



    Saturday, October 12, 2019 9:47 AM

All replies

  • Hi,
    1. When this problem first happened, had any IT admin changed the web settings or the domain policy recently?
    2. "If I, or any admin, tries to click on an icon on the webpage, it prompts us to sign in, then it gives us an error with the three reasons you need to check for."
       What are the reasons shown when the problem happens? Can you share them here?
    3. Does your problematic web server only serve RDWeb, or is it also used for other websites?
    4. When the problem happens, can you find more event log entries about this issue on the other RDS-related servers (RDCB, RDWeb, RD Gateway, RDSH)?
    Event Viewer – Windows Logs – Application
    Event Viewer – Windows Logs – Security
    Event Viewer – Windows Logs – System
    Event Viewer – Applications and Services Logs – Microsoft – Windows – Remote Desktop Management Service
    Event Viewer – Applications and Services Logs – Microsoft – Windows – RemoteDesktopServices-****
    Event Viewer – Applications and Services Logs – Microsoft – Windows – RemoteApp and Desktop Connections
    Event Viewer – Applications and Services Logs – Microsoft – Windows – RemoteApp and Desktop Connection Management
    Microsoft-Windows-TerminalServices-Gateway/Operational
    Event Viewer – Applications and Services Logs – Microsoft – Windows – TerminalServices-****

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Monday, October 14, 2019 2:55 AM
    Moderator
  • Hi,
    Is there any progress on your question?

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 16, 2019 9:52 AM
    Moderator
  • Hi,
    Is there anything else we can help you with?

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, October 20, 2019 10:10 PM
    Moderator
  • My apologies for not getting back in a more timely manner.

    The only logs we can find to the issue are in the Security logs, which state that

    Event ID 6273

    Network Policy Server denied access to a user.

    Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY

    Reason Code:   65
     Reason:    The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

    I've gone into the Network Policy Server console > NPS (Local) > Policies > Network Policies > RDG_CAP_AllUsers

    and made sure that the correct groups were in the list, but it doesn't work.

    I also went into certain users' AD accounts > Dial-in tab > and made sure their NPS settings were set to Allow access, but that doesn't work either.

    Any help is appreciated.  Hopefully I'm looking in the wrong place to change the policy.



    Thursday, November 21, 2019 9:05 PM
  • To make it worse, when we added a group (not removed any) to the NPS policy to allow access, no one could get access after that.  People who were already on were cut off.

    We now get the error message in the TerminalServices-Gateway logs:

    The user "DOMAIN\Username", on client computer "IP", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".



    Thursday, November 21, 2019 9:41 PM
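The two symptoms in this thread (NPS event 6273 with reason code 65, and the RD Gateway 23003 "did not meet connection authorization policy" error) can be triaged from one place. The script below is an added example, not code from the thread or from Microsoft: it reads each account's Dial-in setting (the msNPAllowDialin attribute behind reason code 65), then pulls the recent 6273 denials and the gateway CAP failures. The CAP name RDG_CAP_AllUsers comes from the thread; the gateway host name and the user list are placeholders you replace.

```powershell
# Added example: audit why accounts are denied at the RD Gateway.
# Run from a machine with the ActiveDirectory module (RSAT) and rights to read
# the gateway's event logs. Host name and user list below are placeholders.
Import-Module ActiveDirectory

$CapName       = 'RDG_CAP_AllUsers'      # CAP name mentioned in the thread
$GatewayServer = 'RDGW01'                # placeholder: your RD Gateway / NPS host
$Users         = @('jdoe', 'it.admin')   # constructed sample accounts to check

# 1. Dial-in setting per account. msNPAllowDialin: $true = Allow access,
#    $false = Deny access (produces NPS reason code 65), unset = Control access
#    through NPS Network Policy (the value the CAP expects).
$dialIn = foreach ($u in $Users) {
    $acct = Get-ADUser -Identity $u -Properties msNPAllowDialin, MemberOf
    if ($acct.msNPAllowDialin -eq $true)      { $state = 'Allow access' }
    elseif ($acct.msNPAllowDialin -eq $false) { $state = 'Deny access (reason 65)' }
    else                                      { $state = 'Control access through NPS policy' }
    [pscustomobject]@{
        User   = $u
        DialIn = $state
        # first RDN of each group DN, so membership can be compared with the CAP's groups
        Groups = ($acct.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
    }
}
$dialIn | Format-Table -AutoSize

# 2. Recent NPS denials (Security event 6273) with the policy and reason code.
#    Field names are those in the event's EventData section.
Get-WinEvent -ComputerName $GatewayServer -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 50 |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data['SubjectUserName']
            CRPolicy   = $data['ProxyPolicyName']     # "TS GATEWAY AUTHORIZATION POLICY" in the thread
            NetPolicy  = $data['NetworkPolicyName']   # should be $CapName for a CAP decision
            ReasonCode = $data['ReasonCode']          # 65 = Dial-in set to Deny
        }
    } | Format-Table -AutoSize

# 3. CAP failures in the gateway's own log (the 23003 text quoted in the thread).
Get-WinEvent -ComputerName $GatewayServer -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 200 |
    Where-Object { $_.Message -match 'did not meet connection authorization policy' } |
    Select-Object TimeCreated, Id, Message
```

Accounts whose DialIn column reads "Deny access" will keep failing with reason 65 regardless of the CAP's group list, and an admin account that is missing from every group named in RDG_CAP_AllUsers will surface as a 23003 entry in the third query.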