Understanding Requirements for Connecting to a TS Gateway Server
Applies To: Windows Server 2008
Users on Terminal Services clients must meet specific requirements before they can connect to TS Gateway. These requirements include the following:
- Supported Windows authentication method (required). You can configure the authentication methods that the TS Gateway server will allow by using TS Gateway Manager. On clients, you can configure the authentication method to be used to connect to the TS Gateway server by using Group Policy.
Important
A client and the TS Gateway server to which the client connects must have at least one common authentication method, or the client connection attempt to the TS Gateway server will fail.
Note
If you configure the authentication method on the client by using Group Policy, keep in mind that Group Policy settings for Terminal Services client connections can be applied in one of two ways. These policy settings can either be suggested (that is, they can be enabled, but not enforced) or they can be enabled and enforced. For more information, see Using Group Policy to Manage Client Connections Through TS Gateway.
User group membership (required). You configure the user group membership requirement by using TS Gateway Manager.
Client computer group membership (optional). You configure the client computer group membership requirement by using TS Gateway Manager.
In TS Gateway Manager, you configure these requirements on the Requirements tab of a Terminal Services connection authorization policy (TS CAP). For more information, see Create a TS CAP.
Supported Windows authentication methods
If you configure the supported Windows authentication method by using TS Gateway Manager, you can specify that a user must use either a password or a smart card, or both. If you select both methods, either can be used to connect.
If you configure the supported Windows authentication method by using Group Policy, the following options are available:
Ask for credentials, use NTLM protocol (a Windows NT challenge/response protocol). For information about the NTLM protocol, see Logon and Authentication Technologies (https://go.microsoft.com/fwlink/?LinkId=94215) and Microsoft NTLM (https://go.microsoft.com/fwlink/?LinkId=94216).
Ask for credentials, use Basic protocol. The Basic authentication method is a widely used industry-standard method for collecting user name and password information. It is less secure, however, because the passwords are transmitted in Base64-encoded form, not encrypted. For more information, see Basic Authentication (https://go.microsoft.com/fwlink/?LinkId=94217).
Use locally logged-on credentials. In this case, the same credentials that users provide to log on to their local computer will be used to connect to the TS Gateway server. Note that if you select this option but users have previously connected to the same TS Gateway server and they have selected the Remember my credentials check box in the TS Gateway Server Settings dialog box on their client computer, their saved credentials will be used to connect to the TS Gateway server.
Use smart card. Smart cards contain a microcomputer and a small amount of memory, and they provide secure, tamper-proof storage for private keys and X.509 security certificates. A smart card is a form of two-factor authentication that requires the user to have a smart card and know the PIN to gain access to network resources. For more information, see The Secure Access Using Smart Cards Planning Guide (https://go.microsoft.com/fwlink/?LinkId=94218).
If all of these credentials are available to users, and if users have already specified to save their credentials when connecting to the TS Gateway server, their credentials will be used in the following order:
Saved credentials
Locally logged-on credentials
Other password or smart card credentials supplied by the user
Additional references
For information about how to configure supported Windows authentication methods for TS Gateway by using Group Policy, see Set the TS Gateway Server Authentication Method.
For information about how to configure supported Windows authentication methods by using TS Gateway Manager, see Create a TS CAP.
For information about how to configure user group and client computer group membership requirements by using TS Gateway Manager, see Create a TS CAP.