RD Gateway Server Configuration
Applies To: Windows Server 2008 R2
For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.
Events
| Event ID | Source | Message |
|---|---|---|
| | Microsoft-Windows-TerminalServices-Gateway | The Remote Desktop Gateway service requires a valid Secure Sockets Layer (SSL) certificate to accept connections. Ensure that you have obtained a valid SSL certificate, and then bind (map) the certificate by using RD Gateway Manager. For more information, see "Obtain a certificate for the RD Gateway server" in the RD Gateway Help. The following error occurred: "%2" |
| | Microsoft-Windows-TerminalServices-Gateway | The Remote Desktop Gateway service does not have sufficient permissions to access the Secure Sockets Layer (SSL) certificate that is required to accept connections. To resolve this issue, bind (map) a valid SSL certificate by using RD Gateway Manager. For more information, see "Obtain a certificate for the RD Gateway server" in the RD Gateway Help. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway service successfully registered with the Service Connection Point. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway service failed to register with the Service Connection Point. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway service successfully unregistered with the Service Connection Point. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway service failed to unregister with the Service Connection Point. |
| | Microsoft-Windows-TerminalServices-Gateway | Logging was enabled for the following RD Gateway event: "%1". |
| | Microsoft-Windows-TerminalServices-Gateway | Logging could not be enabled for the following RD Gateway event: "%1". The following error occurred: "%2". To resolve this issue, ensure that the correct permissions have been granted to the LogEvents registry key and that the Remote Registry service is started. |
| | Microsoft-Windows-TerminalServices-Gateway | Logging was disabled for the following RD Gateway event: "%1". |
| | Microsoft-Windows-TerminalServices-Gateway | Logging could not be disabled for the following RD Gateway event: "%1". The following error occurred: "%2". To resolve this issue, ensure that the correct permissions have been granted to the LogEvents registry key and that the Remote Registry service is started. |
| | Microsoft-Windows-TerminalServices-Gateway | The value for the maximum number of connections allowed to the RD Gateway server was updated. |
| | Microsoft-Windows-TerminalServices-Gateway | The value for the maximum number of simultaneous connections allowed to the RD Gateway server could not be updated. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The central connection authorization policy was enabled. |
| | Microsoft-Windows-TerminalServices-Gateway | The central connection authorization policy store could not be enabled. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and resolve any network connectivity issues. |
| | Microsoft-Windows-TerminalServices-Gateway | The central connection authorization policy was disabled. |
| | Microsoft-Windows-TerminalServices-Gateway | The central connection authorization policy store could not be disabled. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The "Request clients to send a statement of health" (SoH) setting is enabled on this RD Gateway server. Therefore, each time a client attempts to connect to this RD Gateway server, the client’s SoH will be requested. |
| | Microsoft-Windows-TerminalServices-Gateway | The "Request clients to send a statement of health" (SoH) setting could not be enabled on this RD Gateway server. To resolve this issue, ensure that the QuarantineEnabled registry key exists and that the System and Administrators groups are granted Full Control permissions to this key. The following error occurred: "%1". |
| | Microsoft-Windows-TerminalServices-Gateway | The "Request clients to send a statement of health" (SoH) setting is not enabled on this RD Gateway server. Therefore, the client’s SoH will not be requested when the client attempts to connect to this RD Gateway server. |
| | Microsoft-Windows-TerminalServices-Gateway | The "Request clients to send a statement of health" (SoH) setting could not be disabled on this RD Gateway server. To resolve this issue, ensure that the QuarantineEnabled registry key exists and that the System and Administrators groups are granted Full Control permissions to this key. The following error occurred: "%1". |
| | Microsoft-Windows-TerminalServices-Gateway | The "Request clients to send a statement of health" (SoH) setting could not be enabled on this RD Gateway server. This setting could not be enabled because the public key of the server certificate that is bound (mapped) to the Remote Desktop Gateway service contains an object identifier (also known as OID) of 2.5.29.15, but does not support the Extended Key Usage (EKU) for encryption. To resolve this issue, if the certificate that you plan to use contains an OID of 2.5.29.15, you must ensure that one of the following key usage values for this certificate is also set: (1) CERT_KEY_ENCIPHERMENT_KEY_USAGE (2) CERT_KEY_AGREEMENT_KEY_USAGE (3) CERT_DATA_ENCIPHERMENT_KEY_USAGE. Bind (map) the certificate again by using RD Gateway Manager, and then attempt to enable the "Request clients to send a statement of health" setting again. For more information, see "Obtain a certificate for the RD Gateway server" in the RD Gateway Help. |
| | Microsoft-Windows-TerminalServices-Gateway | The server certificate is not valid because the public key of the certificate contains an object identifier (also known as OID) of 2.5.29.15, but does not support the Extended Key Usage (EKU) for encryption. For the "Request clients to send a statement of health" setting that is enabled on this RD Gateway server to function, if the certificate that you plan to use contains an OID of 2.5.29.15, you must ensure that one of the following key usage values for this certificate is also set: (1) CERT_KEY_ENCIPHERMENT_KEY_USAGE (2) CERT_KEY_AGREEMENT_KEY_USAGE (3) CERT_DATA_ENCIPHERMENT_KEY_USAGE. For more information, see "Obtain a certificate for the RD Gateway server" in the RD Gateway Help. |
| | Microsoft-Windows-TerminalServices-Gateway | The connection authorization policy "%1" was created. |
| | Microsoft-Windows-TerminalServices-Gateway | The connection authorization policy "%1" was deleted. |
| | Microsoft-Windows-TerminalServices-Gateway | The connection authorization policy "%1" was updated. |
| | Microsoft-Windows-TerminalServices-Gateway | The connection authorization policy "%1" could not be created. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The connection authorization policy "%1" could not be deleted. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The connection authorization policy "%1" could not be updated. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The system message was not enabled because a failure occurred. Try enabling the system message again. |
| | Microsoft-Windows-TerminalServices-Gateway | The system message was successfully enabled. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The system message was not disabled because a failure occurred. Try removing the system message again. |
| | Microsoft-Windows-TerminalServices-Gateway | The system message was successfully disabled. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The logon message was not enabled because a failure occurred. Try enabling the logon message again. |
| | Microsoft-Windows-TerminalServices-Gateway | The logon message was successfully enabled. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The current logon message was not disabled because a failure occurred. Try disabling the logon message again. |
| | Microsoft-Windows-TerminalServices-Gateway | The current logon message was successfully disabled. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource authorization policy "%1" was created. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource authorization policy "%1" was deleted. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource authorization policy "%1" was updated. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource authorization policy (RAP) "%1" could not be created. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource authorization policy (RAP) "%1" could not be deleted. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource authorization policy (RAP) "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource group "%1" was created. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource group "%1" was deleted. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource group "%1" was updated. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource group "%1" could not be created. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource group "%1" could not be deleted. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. |
| | Microsoft-Windows-TerminalServices-Gateway | The resource group "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. |
| | Microsoft-Windows-TerminalServices-Gateway | The Network Policy Server (NPS) "%1" was added to the central connection authorization policy. |
| | Microsoft-Windows-TerminalServices-Gateway | The Network Policy Server (NPS) "%1" was deleted from the central connection authorization policy. |
| | Microsoft-Windows-TerminalServices-Gateway | The central connection authorization policy settings for the Network Policy Server (NPS) "%1" have been updated. |
| | Microsoft-Windows-TerminalServices-Gateway | The Network Policy Server (NPS) "%1" could not be added to the central connection authorization policy. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and any resolve network connectivity issues. |
| | Microsoft-Windows-TerminalServices-Gateway | The Network Policy Server (NPS) "%1" could not be deleted from the central connection authorization policy. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The central connection authorization policy settings for the Network Policy Server "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and resolve any network connectivity issues. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway server "%1" was deleted from the list of servers in the RD Gateway server farm. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway servers "%1" were added to the RD Gateway managed group. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway server "%1" could not be deleted from the list of servers in the RD Gateway server farm. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway servers "%1" could not be added to the Remote Desktop Gateway managed group. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway server "%1" is not a member of a domain and therefore cannot be added to the RD Gateway server farm. To add this RD Gateway server to the farm, you must first add the server to a domain. |
| | Microsoft-Windows-TerminalServices-Gateway | A Windows Firewall exception for RD Gateway has been configured to allow data for Remote Desktop Services client connections and RPC-HTTP load balancing to be sent between RD Gateway servers when load balancing is used. This exception is automatically configured when you add the first RD Gateway server to a RD Gateway server farm. |
| | Microsoft-Windows-TerminalServices-Gateway | The Windows Firewall exception for RD Gateway to allow network traffic comprising of Remote Desktop Services client connections data and RPC-HTTP load balancing data (to be sent between RD Gateway servers when load balancing is used) has been disabled. This exception is automatically disabled when you remove all RD Gateway servers from a RD Gateway server farm. |
| | Microsoft-Windows-TerminalServices-Gateway | The Windows Firewall exception to allow network traffic through TCP port 3388 (so that Remote Desktop Services client connections can be directed to the appropriate RD Gateway servers when load balancing is used) could not be configured. |
| | Microsoft-Windows-TerminalServices-Gateway | The Windows Firewall exception "RD Gateway Server Farm" that allows network traffic through TCP port 3388 (so that Remote Desktop Services client connections can be directed to the appropriate Remote Desktop Gateway servers when load balancing is used) could not be disabled. We recommend that you disable this exception manually by modifying Windows Firewall settings as needed. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway servers "%1" were set to the RD Gateway managed group. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway servers "%1" could not be set to the RD Gateway managed group. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The exception code "%2" occurred in the authentication plug-in: "%1" loaded by the RD Gateway server. The RD Gateway server will be restarted. Continued failures might indicate a problem with the authentication plug-in. |
| | Microsoft-Windows-TerminalServices-Gateway | The exception code "%2" occurred in the authorization plug-in: "%1" loaded by the RD Gateway server. The RD Gateway server will be restarted. Continued failures might indicate a problem with the authorization plug-in. |
| | Microsoft-Windows-TerminalServices-Gateway | The user authentication plug-in "%1" has been configured. The configuration will take effect after the RD Gateway service is restarted. |
| | Microsoft-Windows-TerminalServices-Gateway | RD Gateway native authentication is configured. The configuration changes will take effect after the RD Gateway service is restarted. |
| | Microsoft-Windows-TerminalServices-Gateway | The user authorization plug-in "%1" is enabled. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway native authorization is enabled. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The policy and server configuration settings for the RD Gateway server "%1" have been successfully imported. |
| | Microsoft-Windows-TerminalServices-Gateway | The policy and server configuration settings for the RD Gateway server "%1" could not be imported. This problem might occur if the settings have become corrupted. |
| | Microsoft-Windows-TerminalServices-Gateway | The policy and server configuration settings for the RD Gateway server "%1" have been successfully exported. |
| | Microsoft-Windows-TerminalServices-Gateway | The policy and server configuration settings for the RD Gateway server "%1" could not be exported. The following error occurred: "%2". |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway server certificate was changed. No user action is required. |
| | Microsoft-Windows-TerminalServices-Gateway | The RD Gateway server certificate cannot be changed. The following error occurred: "%2". Verify the certificate and try changing the certificate again. |