Event ID 306 — TS Gateway Server Connections
Applies To: Windows Server 2008
For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, clients must meet the conditions specified in at least one Terminal Services connection authorization policy (TS CAP) and Terminal Services resource authorization policy (TS RAP). TS CAPs specify who can connect to a TS Gateway server and the authentication method that must be used. TS RAPs specify the computers that clients can connect to through a TS Gateway server. Note that a limit can be set on the TS Gateway server to restrict the maximum number of simultaneous client connections.
Event Details
| Field | Value |
| --- | --- |
| Product | Windows Operating System |
| ID | 306 |
| Source | Microsoft-Windows-TerminalServices-Gateway |
| Version | 6.0 |
| Symbolic Name | AAG_TUNNEL_CREATION_FAILED |
| Message | The user "%1", on client computer "%2", was not authorized to connect to the TS Gateway server because a tunnel could not be created. The following authentication method was attempted: "%3". The following error occurred: "%5". |
Resolve
Configure the TS Gateway server to use the certificate for SSL
To resolve this issue, do the following:
- If a certificate is installed that meets TS Gateway certificate requirements, configure the TS Gateway server to use the certificate for SSL. For information about certificate requirements, see the section "Certificate requirements" later in this topic.
- If you do not have a certificate installed that meets TS Gateway requirements, obtain a certificate, install the certificate, and then configure the TS Gateway server to use the certificate for SSL. For information about how to obtain a certificate for TS Gateway, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Manager Help in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=102173).
Configure the TS Gateway server to use the certificate for SSL
You must use TS Gateway Manager to configure the TS Gateway server to use the certificate for SSL. If you do this by using any other method, TS Gateway will not function correctly.
This procedure is not required if you created a self-signed certificate for TS Gateway. To confirm whether a self-signed certificate is installed on the TS Gateway server, open TS Gateway Manager and then view the SSL Certificate tab, as described in the following procedure. On the SSL Certificate tab, the name of the local TS Gateway server will appear in the Issued by field.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To configure the TS Gateway server to use the certificate for SSL:
- Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
- In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.
- On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.
- In the Install Certificates dialog box, click the certificate that you want to use, click View certificate, and then review the certificate properties to ensure that it meets TS Gateway requirements. For information about certificate requirements, see "Certificate requirements" later in this topic.
- If the certificate meets the requirements for TS Gateway, click Install. If the certificate does not meet the requirements for TS Gateway, select another certificate that does (if another certificate is available), or do the following:
  - Obtain another certificate that meets TS Gateway certificate requirements. For information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Manager Help in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=102173).
  - Install the certificate on the TS Gateway server. For information, see "Install the certificate on the TS Gateway server" later in this topic.
  - Configure the TS Gateway server to use the certificate for SSL. For information, see "Configure the TS Gateway server to use the certificate for SSL" later in this topic.
- Click OK to close the Properties dialog box for the TS Gateway server.
- If this is the first time that you have configured the TS Gateway server to use an SSL certificate, after the procedure is completed, you can confirm that the procedure was successful by viewing the TS Gateway Server Status area in TS Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.
Use the following procedure only if you do not have a certificate installed that meets TS Gateway requirements, and you have to obtain an alternate certificate for the TS Gateway server. In this case, after you obtain the certificate, you must install it on the TS Gateway server. Then, follow the steps in "Configure the TS Gateway server to use the certificate for SSL" to complete the certificate configuration.
Install the certificate on the TS Gateway server
To install the certificate on the TS Gateway server:
- On the TS Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
  - Click Start, click Run, type mmc, and then click OK.
  - On the File menu, click Add/Remove Snap-in.
  - In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
  - In the Certificates snap-in dialog box, click Computer account, and then click Next.
  - In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
  - In the Add or Remove Snap-ins dialog box, click OK.
- In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.
- Right-click the Personal folder, point to All Tasks, and then click Import.
- On the Welcome to the Certificate Import Wizard page, click Next.
- On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next.
- If the Password page appears, if you specified a password for the private key associated with the certificate earlier, type the password, and then click Next.
- On the Certificate Store page, accept the default option, and then click Next.
- On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected.
- Click Finish.
- After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
- With Certificates selected in the console tree, in the details pane, confirm that the correct certificate appears in the list of certificates on the TS Gateway server. The certificate must be under the Personal store of the local computer.
Certificate requirements
Certificates for TS Gateway must meet these requirements:
- The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. Multiple CNs are not supported. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.
- The certificate is a computer certificate.
- The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
- The certificate has a corresponding private key.
- The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
- A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an OID of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE.
- The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the client's Trusted Root Certification Authorities store on the client computer.
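The following script is an added example, not part of the original topic or of TS Gateway itself: it audits every certificate in the local computer's Personal store against the requirements listed above (name match, Server Authentication EKU, private key, validity, and the 2.5.29.15 key usage rule). $GatewayFqdn is an assumed placeholder for the DNS name clients use; the client-side trust requirement cannot be checked from the server and is left out.

```powershell
# Added example (not from the original article). Replace the placeholder below
# with the DNS name that remote clients type when they connect to the gateway.
$GatewayFqdn = 'tsgateway.example.com'

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$EkuOid        = '2.5.29.37'           # Enhanced Key Usage extension
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
$KeyUsageOid   = '2.5.29.15'           # Key Usage extension
# .NET names for CERT_KEY_ENCIPHERMENT / CERT_KEY_AGREEMENT / CERT_DATA_ENCIPHERMENT_KEY_USAGE
$RequiredKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] `
              'KeyEncipherment, KeyAgreement, DataEncipherment'

function Test-TsGatewayCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Fqdn)
    $problems = @()

    # Name check: CN from the Subject plus DNS entries from the SAN; -like makes
    # a "*.example.com" CN or SAN entry match (wildcard certificates are allowed).
    $names = @()
    if ($Cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $names += $_.Groups[1].Value }
    }
    if (-not ($names | Where-Object { $Fqdn -like $_ })) {
        $problems += "no name matches '$Fqdn' (names found: $($names -join ', '))"
    }

    # Intended purpose must be server authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }))) {
        $problems += "EKU does not include Server Authentication ($ServerAuthOid)"
    }

    if (-not $Cert.HasPrivateKey) { $problems += 'no corresponding private key' }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += "not valid now (expires $($Cert.NotAfter))" }
    elseif ($Cert.NotAfter -lt $now.AddYears(1)) { $problems += "warning: expires $($Cert.NotAfter), less than a year away" }

    # 2.5.29.15 is optional, but if present at least one of the three usages must be set.
    $ku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $KeyUsageOid }
    if ($ku -and ([int]($ku.KeyUsages -band $RequiredKu) -eq 0)) {
        $problems += "Key Usage present but lacks KeyEncipherment/KeyAgreement/DataEncipherment (has: $($ku.KeyUsages))"
    }
    return ,$problems
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $problems = Test-TsGatewayCertificate -Cert $_ -Fqdn $GatewayFqdn
    if ($problems.Count -eq 0) { "OK   $($_.Thumbprint) $($_.Subject)" }
    else { "FAIL $($_.Thumbprint) $($_.Subject)"; $problems | ForEach-Object { "     - $_" } }
}
```

Run it in an elevated PowerShell session on the TS Gateway server; a certificate reported as OK is the one to select on the SSL Certificate tab.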
Verify
To verify that TS Gateway server connectivity is working, examine Event Viewer logs and search for the following event messages.
To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To verify that TS Gateway server connectivity is working:
- On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
- In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
- Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
- Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
- Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.
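As an added example (not from the original topic), the same verification can be run from PowerShell on the TS Gateway server: it reports whether events 101, 200 and 302 appeared in the last day and lists any Event ID 306 failures with the user, client, authentication method and error fields from the message above. The channel name 'Microsoft-Windows-TerminalServices-Gateway/Operational' and the order of the event's Properties (matching the %1, %2, %3, %5 insertion strings) are assumptions.

```powershell
# Added example (not from the original article). Assumes the log channel name
# below and that PowerShell (Get-WinEvent) is installed on the gateway.
$LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$Since   = (Get-Date).AddDays(-1)

$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 101, 200, 302, 306; StartTime = $Since } `
                         -ErrorAction SilentlyContinue)

# Success path described in the verification procedure above.
$expected = @{ 101 = 'Terminal Services Gateway service is running'
               200 = 'client connected to the TS Gateway server'
               302 = 'client connected to an internal network resource through the gateway' }
foreach ($id in 101, 200, 302) {
    $count = @($events | Where-Object { $_.Id -eq $id }).Count
    $state = if ($count -gt 0) { 'FOUND  ' } else { 'MISSING' }
    "$state  Event ID $id ($count in the last day) - $($expected[$id])"
}

# Event 306 insertion strings: %1 user, %2 client computer, %3 auth method, %5 error.
# Assumption: the Properties collection follows that order (index 3 is %4, not shown).
$failures = $events | Where-Object { $_.Id -eq 306 } | ForEach-Object {
    $p = $_.Properties
    $field = { param($i) if ($p.Count -gt $i) { $p[$i].Value } else { $null } }
    New-Object PSObject -Property @{
        Time       = $_.TimeCreated
        User       = (& $field 0)
        Client     = (& $field 1)
        AuthMethod = (& $field 2)
        Error      = (& $field 4)
    }
}
if ($failures) {
    "Event ID 306 tunnel creation failures:"
    $failures | Sort-Object Time | Format-Table Time, User, Client, AuthMethod, Error -AutoSize
} else {
    "No Event ID 306 failures in the last day."
}
```

Reading this log does not require local Administrators membership, so it can be run as a non-administrative user as the procedure recommends.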