Event ID 304 — RD Gateway Server Connections
Applies To: Windows Server 2008 R2
For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, clients must meet the conditions specified in at least one Remote Desktop connection authorization policy (RD CAP) and Remote Desktop resource authorization policy (RD RAP). RD CAPs specify who can connect to an RD Gateway server and the authentication method that must be used. RD RAPs specify the computers that clients can connect to through an RD Gateway server.
Note: A limit can be set on the RD Gateway server to restrict the maximum number of simultaneous client connections.
Event Details
Product: | Windows Operating System |
ID: | 304 |
Source: | Microsoft-Windows-TerminalServices-Gateway |
Version: | 6.1 |
Symbolic Name: | AAG_EVENT_CHANNEL_CONNECT_FAILED |
Message: | The user "%1", on client computer "%2", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "%4". The following error occurred: "%5". |
Resolve
Ensure that Remote Desktop is enabled and that the user is a member of the Remote Desktop Users group, and if needed, fix network connectivity issues
To resolve this issue, ensure that Remote Desktop is enabled and that the user is a member of the Remote Desktop Users group on the target computer. If this does not resolve the issue, fix any network connectivity issues.
To perform the following procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Ensure that Remote Desktop is enabled and that the user is a member of the Remote Desktop Users group on the target computer
This procedure is not required if the target computer is a Remote Desktop Session Host (RD Session Host) server.
To ensure that Remote Desktop is enabled and that the user is a member of the Remote Desktop Users group on the target computer:
- On the target computer, start the System tool. To start the System tool, click Start, click Run, type control system, and then click OK.
- Under Tasks, click Remote Settings.
- In the System Properties dialog box, on the Remote tab, click either of the following, depending on your environment:
- Allow connections from computers running any version of Remote Desktop (less secure). By default, this option is enabled.
- Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).
- Click Select Users.
- In the Remote Desktop Users dialog box, confirm that the user account of the user who needs to connect to the computer is listed. If not, click Add, and in the Select Users dialog box, specify the user to be added, and then click OK to close the Select Users dialog box.
- Click OK to close the Remote Desktop Users dialog box.
- Click OK again to close the System Properties dialog box.
Notes
- Members of the local Administrators group can connect, even if they are not listed.
- If you select Don't allow connections to this computer on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.
Fix network connectivity issues
Network connectivity issues might prevent the RD Gateway server from communicating with computers on the internal network and therefore prevent the client from connecting to the target computer through the RD Gateway server.
Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before performing these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command. If ICMP traffic is not allowed in your environment and you cannot make a temporary exception for this traffic for troubleshooting purposes, skip the steps that involve using ping.
By using ping to perform basic troubleshooting, you can determine whether there is a network connectivity, firewall configuration, or DNS host name resolution issue.
If you can ping the target computer by IP address but not by fully qualified domain name (FQDN), this indicates an issue with DNS host name resolution. For DNS troubleshooting steps, see "Determine whether DNS servers are accessible" later in this topic.
If you cannot ping the target computer by IP address, this indicates a network connectivity issue or firewall configuration issue. To identify and resolve the issue, perform the following additional troubleshooting steps:
- On the RD Gateway server, ping other computers in the network to help isolate the network connectivity issue.
- If you can ping other servers but not the target computer, try to ping the target computer from another computer. If you cannot ping the target computer from any computer, check the network settings on the target computer.
- Check the TCP/IP settings on the local computer:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type ipconfig /all, and then press ENTER.
- Make sure that the information listed is correct.
- Check whether you can ping the local IP address, the default gateway, and the DNS servers.
- Ping the loopback address of localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
- If pinging the loopback address works, but you cannot ping the local IP address, there may be an issue with the routing table or with the network adapter driver.
- If the target computer is in a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this indicates a potential problem with the network adapter, the router or gateway device, cabling or other connectivity hardware.
- Check the Event Viewer for any error messages.
- In Device Manager, check the status of the network adapter.
- Check network connectivity indicator lights at the server and at the hub or router.
- Check network cabling.
Determine whether DNS servers are accessible
To determine whether DNS servers are configured and accessible:
- On the RD Gateway server, click Start, click Run, type cmd , and then click OK.
- At a command prompt, type ipconfig /all, and then press ENTER.
- In the results, make sure that DNS servers are listed, and that the IP addresses of the DNS servers are correct.
- Ping the listed DNS servers to determine whether they are accessible.
- If you cannot ping the DNS server, make sure that the DNS Server service is running. You can also test connectivity from other hosts in your network to help isolate the issue. If the DNS server responds to IP address ping requests but does not resolve host names, make sure that the DNS Server service is running on the DNS server.
Verify
To verify that RD Gateway server connectivity is working, examine Event Viewer logs and search for the following event messages.
To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To verify that RD Gateway server connectivity is working:
- On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
- In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
- Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
- Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
- Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.