Event ID 511 — TS Gateway Server Configuration
Applies To: Windows Server 2008
For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.
Event Details
Product: | Windows Operating System |
ID: | 511 |
Source: | Microsoft-Windows-TerminalServices-Gateway |
Version: | 6.0 |
Symbolic Name: | AAG_EVENT_CENTRAL_NAP_ENABLE_FAILED |
Message: | The central connection authorization policy store could not be enabled. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and resolve any network connectivity issues. |
Resolve
Ensure that the correct central NPS server is specified
To resolve this issue, ensure that the correct central Network Policy Server (NPS) is specified in TS Gateway Manager. If necessary, identify and fix network connectivity issues between the TS Gateway server and the NPS server.
Ensure that the correct central NPS server is specified
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To ensure that the correct central NPS server is specified:
- Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
- In the console tree, click to select the node that represents the local TS Gateway server, which is named for the computer on which the TS Gateway server is running.
- In the console tree, expand Policies, and then click Central Network Policy Servers.
- On the Action menu, click Configure Central TS CAP.
- On the TS CAP Store tab, under Central NPS server, check whether the correct NPS server is listed. If the correct NPS server is listed, proceed to the "Fix network connectivity issues" section later in this topic. If the correct NPS server is not listed, click the name of the NPS server, and then click Remove NPS Server.
- Type the name or IP address of the correct central NPS server, and then click Add.
- In the Shared Secret dialog box, in the Enter a new shared secret box, type the shared secret.
- Click OK to close the Shared Secret dialog box, and then click OK to close the TS Gateway server Properties dialog box.
- The new central TS CAP store (central NPS server) that you specified appears in the TS Gateway Manager results pane.
Fix network connectivity issues
Network connectivity issues might prevent the TS Gateway server from communicating with a central Network Policy Server.
Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before performing these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command. If ICMP traffic is not allowed in your environment and you cannot make a temporary exception for this traffic for troubleshooting purposes, skip the steps that involve using ping.
By using ping to perform basic troubleshooting, you can determine whether there is a network connectivity, firewall configuration, or DNS host name resolution issue.
If you can ping the NPS server by IP address but not by fully qualified domain name (FQDN), this indicates an issue with DNS host name resolution. For DNS troubleshooting steps, see "Determine whether DNS servers are accessible" later in this topic.
If you cannot ping the NPS server by IP address, this indicates a network connectivity issue or firewall configuration issue. To identify and resolve the issue, perform the following additional troubleshooting steps:
- On the TS Gateway server, ping other computers in the network to help isolate the network connectivity issue.
- If you can ping other servers but not the NPS server, try to ping the NPS server from another computer. If you cannot ping the NPS server from any computer, check the network settings on the NPS server.
- Check the TCP/IP settings on the local computer:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type ipconfig /all, and then press ENTER.
- Make sure that the information listed is correct.
- Check whether you can ping the local IP address, the default gateway, and the DNS servers.
- Ping the loopback address of localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
- If pinging the loopback address works, but you cannot ping the local IP address, there may be an issue with the routing table or with the network adapter driver.
- If the NPS server is in a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this indicates a potential problem with the network adapter, the router or gateway device, cabling, or other connectivity hardware.
- Check the Event Viewer for any error messages.
- In Device Manager, check the status of the network adapter.
- Check network connectivity indicator lights at the server and at the hub or router.
- Check network cabling.
Determine whether DNS servers are accessible
To determine whether DNS servers are configured and accessible:
- On the TS Gateway server, click Start, click Run, type cmd , and then click OK.
- At a command prompt, type ipconfig /all, and then press ENTER.
- In the results, make sure that DNS servers are listed, and that the IP addresses of the DNS servers are correct.
- Ping the listed DNS servers to determine whether they are accessible.
- If you cannot ping the DNS server, make sure that the DNS server is running. You can also test connectivity from other hosts in your network to help isolate the issue. If the DNS server responds to IP address ping requests but does not resolve host names, make sure that the DNS Server service is running on the DNS server.
Verify
To verify that the TS Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.
To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To verify that the TS Gateway server is configured correctly:
- On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
- In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
- Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
- Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
- Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.