TS Gateway authentication fails, but only from external sources


  • I have managed to make some progress on my TS gateway implementation but am still not yet at the point where I can use it externally. I have published it through ISA server (managed to get it going on a single IP that also runs OWA, which a lot of sites told me couldn't be done, so I'm quite pleased there) but now can't log on when I try from outside the network.

    On a machine that is on the network on which the TS gateway resides, I can use the gateway (even if I uncheck 'bypass TS gateway for local addresses') so I know the config is working. When I try to access it remotely, I now get no certificate errors, but when I type in a correct domain\username or even machinename\username and password, the authentication box just comes straight back. If I examine the security event log on the TS gateway, for each failed logon attempt I see the following entry in there twice:

    An account failed to log on.

        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        administrator
        Account Domain:        domain.local

    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006d
        Sub Status:        0xc000006a

    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:    WS0001
        Source Network Address:
        Source Port:        63707

    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    The password I typed was correct, and as I say, if I use the same credentials internally it works fine, albeit rather pointlessly apart from for the purpose of troubleshooting.

    Any advice is welcomed

    Thursday, December 24, 2009 2:11 AM


All replies

  • Please answer the below questions:

    1. Do you have any authentication set-up on the ISA server or are you using "No Authentication" on the ISA web listener?
    2. How are you trying to connect from the external machines? Using the RDC client directly or by using web access?
    3. Did you check logging on the ISA if it indicates any issue?
    4. Please use the script at for ISA configuration and use it to validate your current web publishing rule and web listner on the ISA and see if it flags any obvious issue.

    Thanks, Vikash
    Thursday, December 24, 2009 4:37 AM
  • Hi Vikash

    1. Yes, I do have authentication set up for the particular web listener (as the same listener is being used for OWA). The rule for TS Gateway is set for All Users, but just in case, I did a test with the auth set to 'No Authentication' and got the same result.
    2. I am using the RDC client. to connect externally.
    3. I did after you asked. The rule is definitely succeeding, however, once it has succeeded I see another line in the log from my external IP initiating a connection to the Internet interface on the ISA server, but nothing afterwards. I checked to see what happens when you connect through OWA and while it does the same thing, it is also follwed by a 'closed connection' line. THe main thing is, there is no failing.
    4. I tried the script and it did warn me about my authentication conflict (using HTML Form authentication along with allowing All Users, but as I mentioned in the earlier response, i did try bypassing authentication and still got the same result. I am running ISA 2006 SP1 and have use the 'validate rule' feature also to confirm that the rule works fine.

    Thursday, December 24, 2009 7:41 AM
  • 1. What authentication are you using on the ISA? It is OTP?
    2. From your client machine, can you check if you can launch http://<TSGatewayWebSiteName>/rpc ? It should prompt you for credentials and then after authentication lead you to a blank page.
    3. There are troubleshooting tips for issues similar to what you have reported on the TS Gateway step by step guide at Please see if it helps.

    Thanks, Vikash
    Thursday, December 24, 2009 8:42 AM
  • Hi Richard,
    Some more follow up questions -
    a) On the gateway machine do you have any other role installed. say, may be OWA?
    b) Can you please try the vanilla scenario and tell us if it succeeds before throwing OWA in the mix.


    Thursday, December 24, 2009 2:06 PM
  • I'm using AD authentication, not OTP.
    If I connect to http://<tsgatewaywebsitename>/rpc I receive nothing, but if I try https://<tsgatewaywebsitename>/rpc I do get prompted for a username/password but anything I enter will fail. However, if I press cancel I then receive another dialog which obviously originates from the TS gateway, and I am able to authenticate successfully. I think this shows where the problem lies. I'm assuming the first dialog comes from ISA and the second from the TS gateway.

    I have read the guide you mentioned a number of times, but perhaps need to re-read the troubleshooting section again in case there is something I have missed.


    I just tried connecting to the same site using a Windows 7 machine and it works absolutely fine. Previously, I had been using Windows XP SP3 on the client with MSTSC ver 6.0.6000.18000  I can't figure out why this would fail for XP and not for Win7.''

    Any ideas?


    Wednesday, January 06, 2010 10:10 PM
  • I just tried connecting to the same site using a Windows 7 machine and it works absolutely fine. Previously, I had been using Windows XP SP3 on the client with MSTSC ver 6.0.6000.18000  I can't figure out why this would fail for XP and not for Win7.''
    I have the same issue. Works from win7, fails from xp (auth prompt three times, then account lockout). Any ideas?
    Sunday, February 28, 2010 4:57 PM