Event ID 523 — RD Gateway Server Configuration

Applies To: Windows Server 2008 R2

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.

Event Details

Product: Windows Operating System
ID: 523
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EVENT_NAP_CREATE_FAILED
Message: The connection authorization policy "%1" could not be created. The following error occurred: "%2".

Resolve

Ensure that the RD CAP is configured correctly

To resolve this issue, ensure that the Remote Desktop connection authorization policy (RD CAP) is configured correctly.

Check RD CAP settings on the RD Gateway server

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To check RD CAP settings on the RD Gateway server:

  1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  2. In the Remote Desktop Gateway Manager console tree, select the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.
  3. In the console tree, expand Policies, and then click Connection Authorization Policies.
  4. In the results pane, in the list of RD CAPs, right-click the RD CAP that you want to check, and then click Properties.
  5. On the General tab, check the policy name. The name that you specify for the RD CAP must be unique for RD Gateway and for Network Policy Server (NPS). If you are unsure whether the RD CAP name is already used in an NPS server policy, open the Network Policy Server Management snap-in console to verify whether the RD CAP name that you want to use for RD Gateway matches any NPS server policy names. For more information, see "Ensure that the name for the RD CAP is unique for RD Gateway" later in this topic.
  6. On the Requirements tab, do the following:
    • Under Supported Windows authentication methods, check whether the specified method or methods are compatible with the authentication method used by the client. If the authentication method that is required by the RD Gateway server is not compatible with the authentication method that is used by the client, change the method required by the RD Gateway server, or change the method that is used by the client. To change the authentication method required by the RD Gateway server, select either the Smart card check box or the Password check box, or both. If both check boxes are selected, the client can use either method to connect to the RD Gateway server. Alternatively, you can use Group Policy to change the authentication method that is used by the client. For more information, see "Change the authentication method used by the client to connect to the RD Gateway server by using Group Policy" later in this topic.
    • In User group membership (required), note the name of the user group so that you can ensure that the specified user group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the user account for the client is a member of this group. For instructions for Active Directory security groups, see "Confirm that the Active Directory security group specified in the RD CAP exists, and check account membership for the client in this group." For instructions for local security groups, see "Confirm that the local security group specified in the RD CAP exists, and check account membership for the client in this group" later in this topic.
    • Under Client computer group membership (optional), check whether a client computer group is specified. If so, note the name of the client computer group, so that you can ensure that the specified client computer group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the client is a member of this group.
  7. Click OK.
  8. If the RD CAP settings are not configured correctly, modify the settings of the existing RD CAP as needed or create a new RD CAP. For information about how to create an RD CAP, see "Create an RD CAP" in the RD Gateway Manager Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=178452).
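The following PowerShell script is an added example and is not part of this topic; it reads the same RD CAP settings that steps 5 and 6 above check in RD Gateway Manager, using the WMI provider in the root\CIMV2\TerminalServices namespace, so the review can be repeated across several gateways. It assumes an elevated session on (or with remote WMI access to) the RD Gateway server. The property names come from the Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayServerSettings class references; the decoding of AuthMethod (1 = password, 2 = smart card, 3 = either) is an assumption taken from that reference and should be confirmed against the Requirements tab if a reported value looks wrong.

```powershell
# Added example, not part of the original topic. Inventory the RD CAPs on an
# RD Gateway server through WMI (root\CIMV2\TerminalServices) and flag settings
# that commonly cause connection or policy-creation failures.
# Assumption: AuthMethod 1 = password, 2 = smart card, 3 = either (class reference).

$TsGatewayNamespace = 'root\CIMV2\TerminalServices'

function Get-RDGatewayCap {
    param(
        [string]$ComputerName = '.'   # default: the local RD Gateway server
    )

    # Server-wide setting: are RD CAPs stored locally or on a central NPS server?
    # This decides where the name-uniqueness check later in this topic has to run.
    $server = Get-WmiObject -Namespace $TsGatewayNamespace `
        -Class Win32_TSGatewayServerSettings -ComputerName $ComputerName `
        -Authentication PacketPrivacy
    Write-Host ("Central RD CAPs stored on NPS: {0}" -f $server.CentralCAPEnabled)

    $caps = Get-WmiObject -Namespace $TsGatewayNamespace `
        -Class Win32_TSGatewayConnectionAuthorizationPolicy `
        -ComputerName $ComputerName -Authentication PacketPrivacy

    foreach ($cap in $caps) {
        $method = switch ([int]$cap.AuthMethod) {
            1       { 'Password' }
            2       { 'Smart card' }
            3       { 'Password or smart card' }
            default { "Unknown value $($cap.AuthMethod)" }
        }
        # UserGroupNames and ComputerGroupNames are semicolon-separated strings.
        New-Object PSObject -Property @{
            Name           = $cap.Name
            Enabled        = [bool]$cap.Enabled
            AuthMethod     = $method
            UserGroups     = @($cap.UserGroupNames -split ';' | Where-Object { $_ })
            ComputerGroups = @($cap.ComputerGroupNames -split ';' | Where-Object { $_ })
        }
    }
}

# Usage: flag RD CAPs that are disabled, name no user group, or accept smart
# cards only (a password-only client cannot satisfy such a policy).
Get-RDGatewayCap | ForEach-Object {
    $flags = @()
    if (-not $_.Enabled)                { $flags += 'DISABLED' }
    if ($_.UserGroups.Count -eq 0)      { $flags += 'NO USER GROUP' }
    if ($_.AuthMethod -eq 'Smart card') { $flags += 'SMART CARD ONLY' }
    '{0,-30} {1,-24} {2}' -f $_.Name, $_.AuthMethod, ($flags -join ', ')
    '   user groups:     ' + ($_.UserGroups -join ', ')
    '   computer groups: ' + ($_.ComputerGroups -join ', ')
}
```

The group names printed here are the ones to carry into the membership checks later in this topic; the PacketPrivacy authentication level is required for remote access to this namespace and is harmless locally.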

Ensure that the name for the RD CAP is unique for RD Gateway

If you have configured local RD CAPs, perform the following procedure on the RD Gateway server. If you have configured central RD CAPs (RD CAPs that are stored on another computer running the Network Policy Server service), perform the following procedure on the NPS server where the central RD CAPs are stored.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To ensure that the name for the RD CAP is unique for RD Gateway:

  1. Open Network Policy Server. To open Network Policy Server, click Start, click Administrative Tools, and then click Network Policy Server.
  2. In the Network Policy Server console tree, select the node that represents the NPS server with the policies that you want to check.
  3. In the console tree, expand Policies, and then click Connection Request Policies.
  4. In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of RD CAPs configured on the RD Gateway server.
  5. In the console tree, click Network Policies.
  6. In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of RD CAPs configured on the RD Gateway server.
  7. In the console tree, click Health Policies.
  8. In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of RD CAPs configured on the RD Gateway server.
  9. If any of the policy names in the NPS server match the names of RD CAPs configured on the RD Gateway server, either change the policy name on the NPS server, or change the policy name on the RD Gateway server.
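The following PowerShell script is an added example, not part of this topic, that performs the comparison in steps 3 through 9 above without reading policy lists by eye. It assumes that the "netsh nps show np", "netsh nps show crp" and "netsh nps show hp" commands print one "Name = ..." line per network, connection request and health policy respectively (adjust the regular expression if the output format on your build differs), and that a local RD CAP is itself stored as exactly one NPS network policy of the same name on the RD Gateway server, so one network-policy match is expected for each local RD CAP and anything beyond that is a collision. Run it on the RD Gateway server for local RD CAPs, or on the central NPS server with -CapName set to the name you intend to create.

```powershell
# Added example, not part of the original topic. Compare RD CAP names with the
# policy names NPS already holds (network, connection request, health policies).
# Assumptions: netsh nps output contains "Name = <policy name>" lines; a local
# RD CAP is backed by one NPS network policy of the same name.

function Get-NpsPolicyName {
    # Returns one object per NPS policy: Kind (np, crp, hp) and Name.
    param([string[]]$Kinds = @('np', 'crp', 'hp'))
    foreach ($kind in $Kinds) {
        $lines = & netsh nps show $kind 2>$null
        foreach ($line in @($lines)) {
            if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
                New-Object PSObject -Property @{ Kind = $kind; Name = $Matches[1] }
            }
        }
    }
}

function Get-RDCapName {
    param([string]$ComputerName = '.')
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
        -Class Win32_TSGatewayConnectionAuthorizationPolicy `
        -ComputerName $ComputerName -Authentication PacketPrivacy |
        ForEach-Object { $_.Name }
}

function Test-RDCapNameUnique {
    param(
        [string[]]$CapName,                   # names to check; default: the gateway's RD CAPs
        [string]$GatewayComputerName = '.',
        [switch]$LocalCaps                    # set when the RD CAPs are local to this server's NPS
    )
    $nps = @(Get-NpsPolicyName)
    if (-not $CapName) { $CapName = @(Get-RDCapName -ComputerName $GatewayComputerName) }

    # A local RD CAP has one backing network policy with its own name; a name that
    # is about to be created on a central NPS server must not match anything.
    $allowedNp = if ($LocalCaps) { 1 } else { 0 }

    foreach ($name in $CapName) {
        # NPS policy names are compared case-insensitively.
        $same = @($nps | Where-Object { $_.Name -ieq $name })
        $np   = @($same | Where-Object { $_.Kind -eq 'np'  }).Count
        $crp  = @($same | Where-Object { $_.Kind -eq 'crp' }).Count
        $hp   = @($same | Where-Object { $_.Kind -eq 'hp'  }).Count
        New-Object PSObject -Property @{
            RdCap                     = $name
            NetworkPolicies           = $np
            ConnectionRequestPolicies = $crp
            HealthPolicies            = $hp
            Conflict                  = ($np -gt $allowedNp) -or ($crp -gt 0) -or ($hp -gt 0)
        }
    }
}

# Usage on the RD Gateway server (local RD CAPs):
Test-RDCapNameUnique -LocalCaps |
    Format-Table RdCap, NetworkPolicies, ConnectionRequestPolicies, HealthPolicies, Conflict -AutoSize

# Usage on a central NPS server before creating an RD CAP; the name is constructed:
Test-RDCapNameUnique -CapName 'RDG_CAP_Contractors'
```

A row with Conflict set to True names the policy to rename on either side before the RD CAP is created again; the error text in event 523's second insertion string should stop appearing once no NPS policy shares the name.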

Change the authentication method used by the client to connect to the RD Gateway server by using Group Policy

Note:  To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To configure the Group Policy setting in Active Directory Domain Services (AD DS), use the Group Policy Management Console (GPMC). To configure the setting locally on a client computer, use the Local Group Policy Editor; this is a User Configuration setting that applies to the Remote Desktop Connection client, not to the RD Gateway server. For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help (https://go.microsoft.com/fwlink/?LinkId=143317) or the GPMC Help (https://go.microsoft.com/fwlink/?LinkId=143867) in the Windows Server 2008 R2 Technical Library.

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.

To change the authentication method used by the client to connect to the RD Gateway server by using Group Policy:

  1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the OU that you want to edit.
  3. To modify an existing Group Policy object (GPO) that is linked to the OU, expand the OU, right-click the GPO, and then click Edit. The Group Policy Management Editor opens.
  4. In the console tree of the Group Policy Management Editor, under User Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, and then click RD Gateway.
  5. In the details pane, double-click Set RD Gateway authentication method.
  6. In the policy setting dialog box, click Enabled, and then select the authentication method that you want the client to use. The method that you select must be one that the RD CAP on the RD Gateway server accepts (Password, Smart card, or both, as configured on the Requirements tab of the RD CAP); otherwise the client is refused even though its account is authorized. For information about each of the authentication methods available in this Group Policy setting, see "Understanding Requirements for Connecting to a Remote Desktop Gateway Server" in the Remote Desktop Gateway Manager Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=178453). The following choices are available:
    • Ask for credentials, use NTLM protocol
    • Ask for credentials, use Basic protocol
    • Use locally logged-on credentials
    • Use smart card
  7. Click OK.

Confirm that the Active Directory security group specified in the RD CAP exists, and check account membership for the client in this group

Performing this procedure does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To confirm that the Active Directory security group specified in the RD CAP exists:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.
  3. Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the RD CAP, and then click Find Now.
  4. If the group exists, it will appear in the search results.
  5. Close the Find Users, Contacts, and Groups dialog box.

To check account membership for the client in this security group:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.
  3. In the details pane, right-click the user name, and then click Properties.
  4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD CAP, and then click OK.
  5. If client computer group membership has also been specified as a requirement in the RD CAP, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer belongs.
  6. In the details pane, right-click the computer name, and then click Properties.
  7. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD CAP, and then click OK.

Confirm that the local security group specified in the RD CAP exists, and check account membership for the client in this group

Performing this procedure does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To confirm that the local security group specified in the RD CAP exists, and to check account membership for the client in this group:

  1. On the RD Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
  2. In the console tree, expand Local Users and Groups, and then click Groups.
  3. In the results pane, locate the local security group that has been created to grant members access to the RD Gateway server (the group name or description should indicate whether the group has been created for this purpose).
  4. Right-click the group name, and then click Properties.
  5. On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the RD CAP.
  6. If client computer group membership has also been specified as a requirement in the RD CAP, on the General tab, confirm that the client computer account is also a member of this group, and then click OK.
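The following PowerShell script is an added example, not part of this topic, that scripts the two checks described above for both local and Active Directory groups: whether the group named in the RD CAP exists, and whether the user or client computer account is a member of it. Group names are given as the RD CAP shows them (DOMAIN\Group or GATEWAYNAME\Group) and accounts as sAMAccountNames, so a computer account ends in "$". It assumes that domain groups live in the domain the RD Gateway server is joined to (the search is rooted at that domain), and it resolves nested domain group membership through the LDAP_MATCHING_RULE_IN_CHAIN matching rule, whereas the local-group check lists direct members only. The account and group names in the usage lines are constructed.

```powershell
# Added example, not part of the original topic. Check that the group named in
# an RD CAP exists and that a user or computer account is a member of it.
# Assumption: domain groups are in the server's own domain (default search root).

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP search filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-RDCapGroup {
    param(
        [Parameter(Mandatory=$true)][string]$GroupName,    # as shown in the RD CAP, e.g. 'CONTOSO\RDG Users'
        [Parameter(Mandatory=$true)][string]$AccountName   # sAMAccountName; computers end in '$', e.g. 'WS07$'
    )
    $parts = $GroupName -split '\\', 2
    if ($parts.Count -eq 2) { $scope = $parts[0]; $group = $parts[1] }
    else                    { $scope = $env:COMPUTERNAME; $group = $parts[0] }

    $result = New-Object PSObject -Property @{
        Group = $GroupName; Account = $AccountName; Scope = ''; Exists = $false; Member = $false
    }

    if ($scope -ieq $env:COMPUTERNAME -or $scope -eq '.' -or $scope -ieq 'BUILTIN') {
        # Local group on the RD Gateway server (Local Users and Groups), via the WinNT provider.
        $result.Scope = 'Local'
        $path = "WinNT://$env:COMPUTERNAME/$group,group"
        if (-not [ADSI]::Exists($path)) { return $result }
        $result.Exists = $true
        # Direct members only; a domain group nested inside the local group is not expanded.
        $members = ([ADSI]$path).psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)   # e.g. WinNT://CONTOSO/alice
        }
        $result.Member = (@($members | Where-Object { ($_ -split '/')[-1] -ieq $AccountName }).Count -gt 0)
        return $result
    }

    # Active Directory group: DirectorySearcher with no SearchRoot searches the current domain.
    $result.Scope = 'Domain'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $group)))"
    $hit = $searcher.FindOne()
    if (-not $hit) { return $result }
    $result.Exists = $true
    $groupDn = [string]$hit.Properties['distinguishedname'][0]
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk nested
    # membership, so an account in a group that is itself in the RD CAP group counts.
    $searcher.Filter = "(&(sAMAccountName=$(ConvertTo-LdapFilterValue $AccountName))" +
                       "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn)))"
    $result.Member = ($searcher.FindOne() -ne $null)
    return $result
}

# Usage (constructed names): the user group and, if the RD CAP requires one,
# the client computer group, for the user and the computer that cannot connect.
Test-RDCapGroup -GroupName 'CONTOSO\RDG Users'                  -AccountName 'alice'
Test-RDCapGroup -GroupName "$env:COMPUTERNAME\RD Gateway Users" -AccountName 'alice'
Test-RDCapGroup -GroupName 'CONTOSO\RDG Computers'              -AccountName 'WS07$'
```

Exists set to False means the RD CAP references a group that has been deleted or renamed; Exists True with Member False means the account simply has to be added, or the nested group it belongs to has to be added to the local group, because the local check does not expand nested membership.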

Verify

To verify that the RD Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the RD Gateway server is configured correctly:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, expand Applications and Services Logs, expand Microsoft, expand Windows, expand TerminalServices-Gateway, and then search the Admin and Operational logs for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.
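The following PowerShell script is an added example, not part of this topic, that pulls the three events listed above, together with the 523 event this topic covers, from the RD Gateway logs in a single query instead of scrolling through Event Viewer. It assumes the channels are the Admin and Operational logs under Microsoft-Windows-TerminalServices-Gateway (the wildcard in LogName covers both) and that it runs on the RD Gateway server or with -ComputerName pointed at it.

```powershell
# Added example, not part of the original topic. Summarize RD Gateway health
# from the event log: 101 (service running), 200 (client connected to the
# gateway), 302 (client connected to an internal resource) and 523 (RD CAP
# creation failed). Assumption: both channels sit under the log name below.

$RDGatewayLogs = 'Microsoft-Windows-TerminalServices-Gateway/*'   # Admin and Operational

function Get-RDGatewayHealth {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = $RDGatewayLogs
        StartTime = (Get-Date).AddHours(-$Hours)
        Id        = 101, 200, 302, 523
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $meaning = @{
        101 = 'Remote Desktop Gateway service is running'
        200 = 'Client connected to the RD Gateway server'
        302 = 'Client connected to an internal network resource'
        523 = 'RD CAP could not be created (this topic)'
    }
    foreach ($id in 101, 200, 302, 523) {
        $hits   = @($events | Where-Object { $_.Id -eq $id })
        $latest = $hits | Sort-Object TimeCreated -Descending | Select-Object -First 1
        $when   = $null
        $text   = ''
        if ($latest) {
            $when = $latest.TimeCreated
            $text = ($latest.Message -split "`r?`n")[0]   # first line: for 523, the policy name and error
        }
        New-Object PSObject -Property @{
            Id = $id; Count = $hits.Count; Latest = $when; Meaning = $meaning[$id]; Message = $text
        }
    }
}

# Usage: a healthy gateway shows 101 since the last service start and recent
# 200 and 302 events; any 523 identifies the RD CAP and the error to resolve.
Get-RDGatewayHealth | Sort-Object Id | Format-Table Id, Count, Latest, Meaning, Message -AutoSize
```

Run it once before and once after changing the RD CAP; the 523 count should stop growing and 200 followed by 302 should appear for the test client.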
