Event ID 523 — TS Gateway Server Configuration
Applies To: Windows Server 2008
For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.
Event Details
Product: Windows Operating System
ID: 523
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.0
Symbolic Name: AAG_EVENT_NAP_CREATE_FAILED
Message: The connection authorization policy "%1" could not be created. The following error occurred: "%2".
Resolve
Ensure that the TS CAP is configured correctly
To resolve this issue, ensure that the Terminal Services connection authorization policy (TS CAP) is configured correctly.
Check TS CAP settings on the TS Gateway server
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To check TS CAP settings on the TS Gateway server:
- Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
- In the TS Gateway Manager console tree, select the node that represents the local TS Gateway server, which is named for the computer on which the TS Gateway server is running.
- In the console tree, expand Policies, and then click Connection Authorization Policies.
- In the results pane, in the list of TS CAPs, right-click the TS CAP that you want to check, and then click Properties.
- On the General tab, check the policy name. The name that you specify for the TS CAP must be unique for TS Gateway and for Network Policy Server (NPS). TS Gateway stores TS CAPs through the Network Policy Server service, so a name that is already used by an NPS policy prevents the TS CAP from being created, which is the condition that this event reports (the policy name appears as "%1" and the error as "%2" in the event message). If you are unsure whether the TS CAP name is already used in an NPS server policy, open the Network Policy Server Management snap-in console to verify whether the TS CAP name that you want to use for TS Gateway matches any NPS server policy names. For more information, see "Ensure that the name for the TS CAP is unique for TS Gateway" later in this topic.
- On the Requirements tab, do the following:
- Under Supported Windows authentication methods, check whether the specified methods are compatible with the authentication method used by the client. If the authentication method that is required by the TS Gateway server is not compatible with the authentication method that is used by the client, change the method required by the TS Gateway server, or change the method that is used by the client. To change the authentication method required by the TS Gateway server, select either the Smart card check box or the Password check box, or both. If both check boxes are selected, the client can use either method to connect to the TS Gateway server. Alternatively, you can use Group Policy to change the authentication method that is used by the client. For more information, see "Change the authentication method used by the client to connect to the TS Gateway server by using Group Policy" later in this topic.
- In User group membership (required), note the name of the user group so that you can ensure that the specified user group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the user account for the client is a member of this group. For instructions for Active Directory security groups, see "Confirm that the Active Directory security group specified in the TS CAP exists, and check account membership for the client in this group." For instructions for local security groups, see "Confirm that the local security group specified in the TS CAP exists, and check account membership for the client in this group" later in this topic.
- Under Client computer group membership (optional), check whether a client computer group is specified. If so, note the name of the client computer group, so that you can ensure that the specified client computer group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the client is a member of this group.
- Click OK.
- If the TS CAP settings are not configured correctly, modify the settings of the existing TS CAP as needed or create a new TS CAP. For information about how to create a TS CAP, see "Create a TS CAP" in the TS Gateway Manager Help in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=102171).
Ensure that the name for the TS CAP is unique for TS Gateway
If you have configured local TS CAPs, perform the following procedure on the TS Gateway server. If you have configured central TS CAPs (TS CAPs that are stored on another computer running the Network Policy Server service), perform the following procedure on the NPS server where the central TS CAPs are stored.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To ensure that the name for the TS CAP is unique for TS Gateway:
- Open Network Policy Server. To open Network Policy Server, click Start, click Administrative Tools, and then click Network Policy Server.
- In the Network Policy Server console tree, select the node that represents the NPS server with the policies that you want to check.
- In the console tree, expand Policies, and then click Connection Request Policies.
- In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of TS CAPs configured on the TS Gateway server.
- In the console tree, click Network Policies.
- In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of TS CAPs configured on the TS Gateway server.
- In the console tree, click Health Policies.
- In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of TS CAPs configured on the TS Gateway server.
- If any of the policy names in the NPS server match the names of TS CAPs configured on the TS Gateway server, either change the policy name on the NPS server, or change the policy name on the TS Gateway server.
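The two procedures above (checking the TS CAP settings, and confirming that the TS CAP name is not already used by an NPS policy) can be scripted. The following PowerShell is an added example and is not part of the original article or of the TS Gateway product. It checks a proposed TS CAP name against the TS CAPs that already exist on the gateway and against every NPS policy name on the server before you try to create the policy. Two assumptions are made that the article does not state: that the TS Gateway WMI provider exposes Win32_TSGatewayConnectionAuthorizationPolicy in root\CIMV2\TerminalServices with a string Name property, and that "netsh nps show config" prints each connection request, network, and health policy on a line of the form "Name = <policy name>" (the output is localized, so adjust the pattern on non-English systems). The core comparison takes plain string arrays, so it can be exercised with the constructed sample names shown at the end without a gateway.

```powershell
# Added example (not from the original article). Event 523 means a TS CAP could
# not be created; this script checks whether a proposed TS CAP name is free
# before you click Create. Requires PowerShell 2.0 and an elevated prompt on the
# TS Gateway server (local TS CAPs) or on the NPS server that holds central
# TS CAPs. Assumptions: see the comments on the two collector functions.

function Get-TSCapNames {
    # Names of the TS CAPs already present on this gateway.
    # Assumption: class and namespace of the TS Gateway WMI provider.
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                  -Class Win32_TSGatewayConnectionAuthorizationPolicy |
        ForEach-Object { $_.Name }
}

function Get-NpsPolicyNames {
    # Names of every NPS policy (connection request, network, health) on this
    # server. Assumption: netsh prints one "Name = <value>" line per policy.
    netsh nps show config | ForEach-Object {
        if ($_ -match '^\s*Name\s*=\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Test-TSCapNameAvailable {
    # Pure check: reports whether $ProposedName is unused and, if not, which
    # existing names it collides with. The comparison is case-insensitive,
    # which is how NPS matches policy names.
    param(
        [Parameter(Mandatory=$true)][string]$ProposedName,
        [string[]]$ExistingCapNames = @(),
        [string[]]$NpsPolicyNames   = @()
    )
    $name      = $ProposedName.Trim()
    $conflicts = @()
    foreach ($n in $ExistingCapNames) {
        if ($n -and ($n.Trim() -ieq $name)) { $conflicts += "TS CAP '$n'" }
    }
    foreach ($n in $NpsPolicyNames) {
        if ($n -and ($n.Trim() -ieq $name)) { $conflicts += "NPS policy '$n'" }
    }
    New-Object PSObject -Property @{
        ProposedName = $name
        Available    = ($conflicts.Count -eq 0)
        Conflicts    = $conflicts
    }
}

# Constructed sample input (illustrative names, not from the article), so the
# check can be run anywhere. 'Contractors CAP' collides on both lists.
$sampleCaps = @('TS_CAP_01', 'Contractors CAP')
$sampleNps  = @('Use Windows authentication for all users',
                'Contractors CAP',
                'NAP DHCP Compliant')

Test-TSCapNameAvailable -ProposedName 'Contractors CAP' `
    -ExistingCapNames $sampleCaps -NpsPolicyNames $sampleNps | Format-List

# Live run on the gateway (uncomment):
# Test-TSCapNameAvailable -ProposedName 'New CAP' `
#     -ExistingCapNames (Get-TSCapNames) -NpsPolicyNames (Get-NpsPolicyNames) |
#     Format-List
```

Because TS CAPs themselves are stored through NPS, an existing TS CAP can legitimately show up in both lists; the check is therefore meaningful only for a name you have not yet created, which is exactly the situation that produces Event ID 523.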
Change the authentication method used by the client to connect to the TS Gateway server by using Group Policy
Note: To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.
For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help (https://go.microsoft.com/fwlink/?LinkId=101633) or the GPMC Help (https://go.microsoft.com/fwlink/?LinkId=101634) in the Windows Server 2008 Technical Library.
To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.
To change the authentication method used by the client to connect to the TS Gateway server by using Group Policy:
- Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
- In the left pane, locate the OU that you want to edit.
- To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
- In the right pane, click the Settings tab.
- In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway.
- In the right pane, in the settings list, right-click Set TS Gateway server authentication method, and then click Properties.
- On the Settings tab, confirm that Enabled is selected, and then select the authentication method that you want the client to use. Ensure that the method that you select is allowed by the TS CAP on the TS Gateway server (on the Requirements tab of the TS CAP, the Password check box, the Smart card check box, or both must match what the client will send). For information about each of the authentication methods available in this Group Policy setting, see "Understanding Requirements for Connecting to a TS Gateway Server" in the TS Gateway Manager Help in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=102172). The following choices are available:
- Ask for credentials, use NTLM protocol
- Ask for credentials, use Basic protocol
- Use locally logged-on credentials
- Use smart card
- Click OK.
Confirm that the Active Directory security group specified in the TS CAP exists, and check account membership for the client in this group
Performing this procedure does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To confirm that the Active Directory security group specified in the TS CAP exists:
- On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
- In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.
- Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the TS CAP, and then click Find Now.
- If the group exists, it will appear in the search results.
- Close the Find Users, Contacts, and Groups dialog box.
To check account membership for the client in this security group:
- On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
- In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.
- In the details pane, right-click the user name, and then click Properties.
- On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS CAP, and then click OK.
- If client computer group membership has also been specified as a requirement in the TS CAP, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer belongs.
- In the details pane, right-click the computer name, and then click Properties.
- On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS CAP, and then click OK.
Confirm that the local security group specified in the TS CAP exists, and check account membership for the client in this group
Performing this procedure does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To confirm that the local security group specified in the TS CAP exists, and to check account membership for the client in this group:
- On the TS Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
- In the console tree, expand Local Users and Groups, and then click Groups.
- In the results pane, locate the local security group that has been created to grant members access to the TS Gateway server (the group name or description should indicate whether the group has been created for this purpose).
- Right-click the group name, and then click Properties.
- On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the TS CAP.
- If client computer group membership has also been specified as a requirement in the TS CAP, on the General tab, confirm that the client computer account is also a member of this group, and then click OK.
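The two membership procedures above (Active Directory groups and local groups) can be combined in one script. The following PowerShell is an added example and is not part of the original article. For each group named in a TS CAP it confirms that the group exists and that the user account, or the client computer account for a client computer group, is a member. Active Directory membership is evaluated through nested groups, because the gateway checks the account's group token rather than only direct membership. Assumptions that the article does not state: group names are written as "DOMAIN\Group"; a prefix equal to this computer's name or BUILTIN denotes a local group; the domain controller supports the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which Windows Server 2008 domain controllers do. The user, computer, and group names in the sample run are constructed for illustration.

```powershell
# Added example (not from the original article). Checks the group requirements
# of a TS CAP: does each named group exist, and is the account a member?
# PowerShell 2.0; runs as an ordinary domain user on the TS Gateway server.

function ConvertTo-LdapLiteral {
    # Escapes the characters that are special in an LDAP search filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-AdObjectDN {
    # Resolves a user, computer or group by sAMAccountName to its DN, or $null.
    param([string]$Domain, [string]$SamAccountName, [string]$Category)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$Domain"
    $s.Filter = "(&(objectCategory=$Category)(sAMAccountName=$(ConvertTo-LdapLiteral $SamAccountName)))"
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $r = $s.FindOne()
    if ($r) { [string]$r.Properties['distinguishedname'][0] } else { $null }
}

function Test-AdNestedMember {
    # True if the object at $ObjectDN is a direct or transitive member of $GroupDN.
    # Assumption: the DC supports LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
    param([string]$ObjectDN, [string]$GroupDN)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$ObjectDN"
    $s.SearchScope = 'Base'
    $s.Filter = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapLiteral $GroupDN))"
    ($s.FindOne() -ne $null)
}

function Test-LocalGroupMember {
    # True if DOMAIN\account is listed directly in the local group. A domain
    # group nested inside the local group is listed as a member but not expanded.
    param([string]$GroupName, [string]$AccountDomain, [string]$AccountName)
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    })
    $wanted = "WinNT://$AccountDomain/$AccountName"
    @($members | Where-Object { $_ -ieq $wanted }).Count -gt 0
}

function Split-GroupSpec {
    # "CONTOSO\TS Users" -> Scope AD; "<this computer>\Group" or "BUILTIN\..." -> Scope Local.
    # Assumption: this is how the TS CAP names its groups.
    param([string]$Spec)
    $parts = $Spec -split '\\', 2
    if ($parts.Count -ne 2) { throw "Group must be written as DOMAIN\Group: '$Spec'" }
    $scope = 'AD'
    if ($parts[0] -ieq $env:COMPUTERNAME -or $parts[0] -ieq 'BUILTIN') { $scope = 'Local' }
    New-Object PSObject -Property @{ Scope = $scope; Domain = $parts[0]; Name = $parts[1] }
}

function Test-GroupRequirement {
    # Does the group in $Spec exist, and is $Domain\$Account a member of it?
    # $Category is 'user' or 'computer' (computer sAMAccountNames end in '$').
    param([string]$Spec, [string]$Domain, [string]$Account, [string]$Category)
    $g = Split-GroupSpec $Spec
    $exists = $false; $member = $false
    if ($g.Scope -eq 'Local') {
        $wql    = "LocalAccount=True AND Name='$($g.Name -replace "'", "\'")'"
        $exists = (Get-WmiObject Win32_Group -Filter $wql) -ne $null
        if ($exists) { $member = Test-LocalGroupMember $g.Name $Domain $Account }
    } else {
        $groupDN = Get-AdObjectDN $g.Domain $g.Name 'group'
        $exists  = ($groupDN -ne $null)
        if ($exists) {
            $objDN = Get-AdObjectDN $Domain $Account $Category
            if ($objDN) { $member = Test-AdNestedMember $objDN $groupDN }
        }
    }
    New-Object PSObject -Property @{ Group = $Spec; Exists = $exists; IsMember = $member }
}

# Constructed run: a TS CAP that requires CONTOSO\TS Gateway Users for the user
# and CONTOSO\Managed Workstations for the client computer, checked for user
# alice and computer WS01. All names are illustrative, not from the article.
$checks = @(
    (Test-GroupRequirement 'CONTOSO\TS Gateway Users'     'CONTOSO' 'alice' 'user'),
    (Test-GroupRequirement 'CONTOSO\Managed Workstations' 'CONTOSO' 'WS01$' 'computer')
)
$checks | Format-Table Group, Exists, IsMember -AutoSize
```

A row with Exists False means the group named in the TS CAP does not exist and the policy can never match; Exists True with IsMember False means the account must be added (or is in a group the local-group check cannot expand, in which case confirm the nesting in Active Directory).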
Verify
To verify that the TS Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.
To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To verify that the TS Gateway server is configured correctly:
- On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
- In the Event Viewer console tree, navigate to Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway\Operational, and then search for the following events:
- Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
- Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
- Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.
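The same verification can be done from a PowerShell prompt, which is convenient when you want to check a gateway repeatedly or pull the policy name and error text out of a 523 event. The following script is an added example and is not part of the original article. It assumes that the Event Viewer folder above corresponds to the channel named Microsoft-Windows-TerminalServices-Gateway/Operational, and that the 523 message parameters "%1" and "%2" are the first two EventData elements of the event. Reading the log requires membership in Event Log Readers or administrator rights; PowerShell 2.0 is required for Get-WinEvent.

```powershell
# Added example (not from the original article). Summarises the TS Gateway
# operational log: the three healthy events named in the Verify section
# (101, 200, 302) plus any 523 failures with their policy name and error.
# Assumption: channel name below matches the Event Viewer folder
# Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway\Operational.

$TsgLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

function Get-TSGatewayEvents {
    # Most recent $Max events with the given IDs; empty if the log is absent.
    param([int[]]$Ids = @(101, 200, 302, 523), [int]$Max = 200)
    Get-WinEvent -FilterHashtable @{ LogName = $TsgLog; Id = $Ids } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue
}

function ConvertTo-EventSummary {
    # Pulls the positional parameters out of the event XML so the 523 detail
    # (policy name, error) is available as fields rather than inside the message.
    param([Parameter(ValueFromPipeline=$true)]$Event)
    process {
        $xml    = [xml]$Event.ToXml()
        $params = @($xml.Event.EventData.Data | ForEach-Object {
            if ($_ -is [string]) { $_ } else { [string]$_.'#text' }
        })
        $meaning = switch ($Event.Id) {
            101     { 'gateway service running' }
            200     { 'client connected to gateway' }
            302     { 'client reached internal resource' }
            523     { "TS CAP '$($params[0])' could not be created: $($params[1])" }
            default { $Event.Message }
        }
        New-Object PSObject -Property @{
            Time    = $Event.TimeCreated
            Id      = $Event.Id
            Meaning = $meaning
        }
    }
}

function Test-TSGatewayHealth {
    # One object answering the Verify section's questions for the sampled window.
    param($Summaries = @(Get-TSGatewayEvents | ConvertTo-EventSummary))
    $ids = @($Summaries | ForEach-Object { $_.Id })
    New-Object PSObject -Property @{
        ServiceRunning  = ($ids -contains 101)
        ClientConnected = ($ids -contains 200)
        ResourceReached = ($ids -contains 302)
        CapCreateFailed = ($ids -contains 523)
    }
}

$summaries = @(Get-TSGatewayEvents | ConvertTo-EventSummary)
$summaries | Sort-Object Time | Format-Table Time, Id, Meaning -AutoSize
Test-TSGatewayHealth -Summaries $summaries | Format-List

# Equivalent one-liner for the 523 events only, without PowerShell:
#   wevtutil qe Microsoft-Windows-TerminalServices-Gateway/Operational /q:"*[System[(EventID=523)]]" /f:text /c:5
```

A result of ServiceRunning True but ResourceReached False with no 200 events usually means clients are not reaching the gateway at all (certificate or network), whereas 200 without 302 points at the TS CAP or TS RAP denying the connection; CapCreateFailed True is this event and should be resolved with the name-uniqueness check above.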