Share via


Event ID 544 — RD Gateway Server Configuration

Applies To: Windows Server 2008 R2

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.

Event Details

Product: Windows Operating System
ID: 544
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EVENT_RAP_DELETE_FAILED
Message: The resource authorization policy (RAP) "%1" could not be deleted. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

Resolve

Ensure that the RD RAP is configured correctly

To resolve this issue, do the following:

  • Ensure that the Remote Desktop resource authorization policy (RD RAP) is configured correctly by checking the settings in the RD RAP.
  • If the problem still occurs, ensure that the required permissions are granted to rap.xml.
  • If the problem still occurs, ensure that the correct value is set and the required permissions are granted for the RAPStore registry key.

Note: In addition to meeting the requirements of the RD RAP, users on clients must have the right to log on locally to the computer to which they are trying to connect.

Important:  If users are connecting to members of an RD Session Host server farm, you must configure an RD RAP that explicitly specifies the name of the Remote Desktop Session Host (RD Session Host) server farm. If the name of the RD Session Host server farm is not explicitly specified, users will not be able to connect to members of the farm. For optimal security and ease of administration, to specify the RD Session Host servers that are members of the farm, create a second RD RAP. For more information, see "Create a new RD RAP that specifies the name of an RD Session Host server farm" later in this topic.

Check RD RAP settings on the RD Gateway server

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Note: When you associate an RD Gateway-managed computer group with an RD RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the RD Gateway-managed computer group separately. When you associate an Active Directory security group with an RD RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the RD Gateway server. If the internal network computer belongs to a different domain than the RD Gateway server, users must specify the FQDN of the internal network computer.

To check RD RAP settings on the RD Gateway server:

  1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  2. In the Remote Desktop Gateway Manager console tree, select the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.
  3. In the console tree, expand Policies, and then click Resource Authorization Policies.
  4. In the results pane, in the list of RD RAPs, right-click the RD RAP that you want to check, and then click Properties.
  5. On the User Groups tab, note the name of the user group, so that you can ensure that the specified user group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the user account for the client is a member of this group. For instructions for Active Directory security groups, see "Confirm that the Active Directory security group specified in the RD CAP exists, and check account membership for the client in this group." For instructions for local security groups, see "Confirm that the local security group specified in the RD CAP exists, and check account membership for the client in this group" later in this topic.
  6. On the Computer Group tab, if Allow users to connect to any network resource is selected, proceed to step 7. If Allow users to connect to any network resource is not selected, do one of the following:
    • If Select an existing Active Directory Domain Services network resource group is selected, note the name of the network resource group, so that you can ensure that the specified group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the computer that the client is trying to connect to is a member of this group.
    • If Select existing RD Gateway-managed computer group or create a new one is selected, ensure that the name of the RD Gateway-managed computer group is correct, and that the computers in this group exist and can be contacted on the network.
  7. Click OK to close the Properties dialog box for the RD RAP.
  8. If an incorrect network resource group is specified or if the RD Gateway-managed computer group is not correctly configured, modify the settings of the existing RD RAP or create a new RD RAP. For information about how to create an RD RAP, see "Create an RD RAP" in the RD Gateway Manager Help in the Windows Server 2008 R2 Technical Library (https://technet.microsoft.com/en-us/library/cc772397.aspx).

After you check RD RAP settings, ensure that the local or Active Directory Domain Services network resource group specified in the RD RAP exists, and that the user account for the client is a member of the appropriate security group. Also, ensure that the computer group specified in the RD RAP exists.

To perform these procedures, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.

Confirm that the Active Directory Domain Services network resource group specified in the RD RAP exists, and check account membership for the client in this group

To confirm that the Active Directory Domain Services network resource group specified in the RD RAP exists:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.
  3. Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the RD RAP, and then click Find Now.
  4. If the group exists, it will appear in the search results.
  5. Close the Find Users, Contacts, and Groups dialog box.

To check account membership for the client in this network resource group:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.
  3. In the details pane, right-click the user name, and then click Properties.
  4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD RAP, and then click OK.
  5. Expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer that the client is trying to connect to belongs.
  6. In the details pane, right-click the computer name, and then click Properties.
  7. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD RAP.

Confirm that the local security group specified in the RD RAP exists, and check account membership for the client and the target computer in this group

To confirm that the local security group specified in the RD RAP exists, and to check account membership for the client and the target computer in this group:

  1. On the RD Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
  2. In the console tree, expand Local Users and Groups, and then click Groups.
  3. In the results pane, locate the local security group that has been created to grant members access to internal network resources (computers) through the RD Gateway server. The group name or description should indicate whether the group has been created for this purpose.
  4. Right-click the group name, and then click Properties.
  5. On the General tab, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the RD RAP.
  6. Click OK to close the Properties dialog box for this group.
  7. In the results pane, locate the local security group that contains the computers that clients can access through the RD Gateway server.
  8. Right-click the group name, and then click Properties.
  9. On the General tab, confirm that the computer account of the target computer (the computer that the client is trying to connect to) is a member of this group.

Create a new RD RAP that specifies the name of an RD Session Host server farm

Complete the steps in the following procedure if this error occurs when clients are connecting to members of an RD Session Host server farm.

Important:  If users are connecting to members of an RD Session Host server farm, you must configure an RD RAP that explicitly specifies the name of the RD Session Host server farm. If the name of the RD Session Host server farm is not explicitly specified, users will not be able to connect to members of the farm. For optimal security and ease of administration, to specify the RD Session Host servers that are members of the farm, create a second RD RAP.

When you create a second RD RAP to specify the RD Session Host servers that are members of the farm, complete the steps in the following procedure, but for step 9, do the following instead: On the Computer Group tab, select the Select an Active Directory Domain Services network resource group option, and then specify the group that contains the RD Session Host servers in the farm. Doing this optimizes security by ensuring that the members of the farm are trusted members of an Active Directory Domain Services group.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To create a new RD RAP that specifies the name of an RD Session Host server farm:

  1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  2. In the console tree, click to select the node that represents your RD Gateway server, which is named for the computer on which the RD Gateway server is running.
  3. In the console tree, expand Policies, and then click Resource Authorization Policies.
  4. In the console tree, right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.
  5. On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.
  6. In the Description box, enter a description for the new RD RAP.
  7. On the User Groups tab, click Add to select the user groups to which you want this RD RAP to apply.
  8. In the **Network Resource **dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:
    • Type the name of each user group, separating the name of each group with a semi-colon.
    • Add additional groups from different domains by repeating step 7 for each group.
  9. On the **Network Resource **tab, do the following:
    1. Click Select an existing RD Gateway-managed computer group or create a new one, and then click Browse.
    2. In the Select an RD Gateway-managed computer group dialog box, click Create New Group.
    3. On the General tab, type a name and description for the new group.
    4. On the Network Resources tab, type the name of the RD Session Host server farm that you want to add, click Add, and then click OK to close the New RD Gateway-Managed Computer Group dialog box.
    5. In the Select an RD Gateway-managed computer group dialog box, click the name of the new computer group, and then click OK to close the dialog box.
    6. On the Allowed Ports tab, do one of the following to specify the port that Remote Desktop Services clients can use when connecting to computers through RD Gateway:
      • To specify different ports through which clients can connect, click Allow connections through these ports and then type the port number. If you are specifying more than one port, type the number for each port separated by a semi-colon.
      • To allow clients to connect through any port, click Allow connections through any port.
    7. Click OK to close the Properties dialog box for the RD RAP.
    8. The new RD RAP that you created appears in the Remote Desktop Gateway Manager results pane. When you click the name of the RD RAP, the policy details appear in the lower pane.

If this does not resolve the issue, ensure that the correct permissions are granted to the rap.xml file.

Ensure that the required permissions are granted to rap.xml

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To ensure that the required permissions are granted to rap.xml:

  1. On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the folder in which Windows is installed.
  2. Right-click rap.xml.
  3. In the rap.xml Properties dialog box, click the Security tab.
  4. Click Edit, and then do the following:
    1. In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
    2. Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.
    3. Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.
    4. Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read, and then click OK.

Rename rap.xml and start Remote Desktop Gateway Manager

If granting the required permissions to rap.xml does not resolve the problem, try renaming rap.xml to rapbak.xml, and then starting Remote Desktop Gateway Manager. Starting the console will create a new rap.xml file.

To rename rap.xml:

  1. On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the folder in which Windows is installed.
  2. Right-click rap.xml, type rapbak.xml, and then press ENTER.

Note: After you rename rap.xml and restart Remote Desktop Gateway Manager, no RD RAPs will appear when you open the console (to confirm that no RD RAPs appear, open Remote Desktop Gateway Manager, click to expand the node that represents your RD Gateway server, expand Policies, and then click Resource Authorization Policies).

To start Remote Desktop Gateway Manager:

  • On the RD Gateway server, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

If this does not resolve the issue, ensure that the correct value is set for the RAPStore registry key, and that the required permissions are granted to this registry key.

Ensure that the correct value is set and the required permissions are granted for the RAPStore registry key

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To set the correct value and grant the required permissions for the RAPStore registry key:

  1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core\ subkey, right-click the subkey, and then click Permissions.
  3. In the Permissions for Core dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
  4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control, and then click OK.
  5. Click the Core registry subkey.
  6. In the details pane, right-click RAPStore, and then click Modify.
  7. In the Edit String dialog box, in Value data, verify that the value is set to msxml://%SystemRoot%\System32\rap.xml. If the value is different, modify it as required, and then click OK.

Verify

To verify that the RD Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the RD Gateway server is configured correctly:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.

RD Gateway Server Configuration

Remote Desktop Services