Event ID 643 — RD Gateway Server Availability
Applies To: Windows Server 2008 R2
The Remote Desktop Gateway (RD Gateway) server must be available on the network, and the appropriate services must be running on the RD Gateway server. The Remote Desktop connection authorization policy (RD CAP) and the Remote Desktop resource authorization policy (RD RAP) stores must also be available, so that these policies can be evaluated to determine whether remote clients meet policy requirements. RD CAPs specify who can connect to an RD Gateway server. RD RAPs specify the internal network resources (computers) that clients can connect to through an RD Gateway server. If RD CAPs and RD RAPs are not available, the RD Gateway server will not be available for client connections.
Event Details
Product: Windows Operating System
ID: 643
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EVENT_RAP_AZMAN_APP_FAILED
Message: RD Gateway Resource access Policy engine failed to open Azman Application(Remote Desktop Gateway) and the error was "%2"
Resolve
Grant the required permissions to rap.xml
To resolve this issue, grant the required permissions to the rap.xml file. If granting the required permissions to the rap.xml file does not resolve the problem, rename the rap.xml file and start the Remote Desktop Gateway Manager snap-in console.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Grant the required permissions to the rap.xml file
To grant the required permissions to the rap.xml file:
- On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the directory in which the operating system is installed (for example, C:\Windows).
- Right-click rap.xml, and then click Properties.
- In the rap.xml Properties dialog box, click the Security tab.
- Click Edit, and then do the following:
- In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
- Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.
- Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.
- Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read.
- Click OK.
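The same check and repair can be scripted. The following PowerShell is an added example and is not part of the original article: it reads the ACL on rap.xml, compares it against the four entries listed in the procedure above, and adds only the Allow entries that are missing. It assumes the default path under %windir%\System32\tsgateway and the standard identity names; run it from an elevated PowerShell session on the RD Gateway server.

```powershell
# Added example (not from the original article): audit and repair the ACL on rap.xml.
# Assumption: default RD Gateway policy store path; adjust $RapPath if yours differs.
$RapPath = Join-Path $env:windir 'System32\tsgateway\rap.xml'

# Minimum Allow rights required by the procedure. ReadAndExecute already includes Read,
# so a single check covers both boxes the dialog shows for Users.
$Required = @{
    'NT AUTHORITY\SYSTEM'          = [System.Security.AccessControl.FileSystemRights]::FullControl
    'BUILTIN\Administrators'       = [System.Security.AccessControl.FileSystemRights]::FullControl
    'BUILTIN\Users'                = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'NT AUTHORITY\NETWORK SERVICE' = [System.Security.AccessControl.FileSystemRights]::Read
}

$acl = Get-Acl -Path $RapPath
$changed = $false

foreach ($identity in $Required.Keys) {
    $wanted = $Required[$identity]
    # An existing Allow ACE satisfies the requirement if it contains every bit of $wanted.
    $have = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (([int]$_.FileSystemRights -band [int]$wanted) -eq [int]$wanted)
    }
    if ($have) {
        Write-Output ("OK      {0,-30} has {1}" -f $identity, $wanted)
    } else {
        Write-Output ("MISSING {0,-30} lacks {1}; adding Allow entry" -f $identity, $wanted)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $wanted, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        $changed = $true
    }
}

if ($changed) {
    Set-Acl -Path $RapPath -AclObject $acl
    Write-Output "ACL on $RapPath updated."
} else {
    Write-Output "ACL on $RapPath already grants the required rights; look elsewhere for the cause of event 643."
}
```

The script only adds rights, never removes them, and it grants Users no more than Read and Execute: rap.xml is the resource authorization store, so giving ordinary users Modify or Full Control would let any local account rewrite which internal computers remote clients may reach. If the ACL already matches and event 643 persists, continue with the rename procedure below.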
Rename the rap.xml file and start Remote Desktop Gateway Manager
If granting the required permissions to rap.xml does not resolve the problem, try renaming rap.xml to rapbak.xml, and then starting Remote Desktop Gateway Manager. Starting the console will create a new rap.xml file.
To rename the rap.xml file:
- On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the directory in which the operating system is installed (for example, C:\Windows).
- Right-click rap.xml, click Rename, type rapbak.xml, and then press ENTER.
Note: After you rename rap.xml and start Remote Desktop Gateway Manager, no Remote Desktop resource authorization policies (RD RAPs) will appear when you open the console (to confirm that no RD RAPs appear, open Remote Desktop Gateway Manager, click to expand the node that represents your RD Gateway server, expand Policies, and then click Resource Authorization Policies). Because RD RAPs define which internal network resources clients may reach, you must re-create them before clients can connect through the RD Gateway server again; keep rapbak.xml as a reference for the policies that were previously configured.
To start Remote Desktop Gateway Manager:
- On the RD Gateway server, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
Verify
To verify that the RD Gateway server is available for client connections, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.
To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To verify that the RD Gateway server is available for client connections:
- On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
- In the Event Viewer console tree, navigate to Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway\Operational, and then search for the following events:
- Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
- Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
- Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.
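The same verification can be run from PowerShell, which is useful when you want to confirm the fix on several RD Gateway servers or from a scheduled check. The following script is an added example and is not part of the original article: it queries the Microsoft-Windows-TerminalServices-Gateway/Operational log for the three events listed above, reports whether each has been seen in the chosen window, and flags any event 643 logged after the most recent service start. It assumes event 643 is written to the same Operational channel as the verification events and uses a 24-hour look-back window; both are adjustable.

```powershell
# Added example (not from the original article): verify RD Gateway availability from the event log.
$LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

# Events the Verify procedure looks for, with the meaning given on the page.
$Expected = @{
    101 = 'Remote Desktop Gateway service is running'
    200 = 'client connected to the RD Gateway server'
    302 = 'client connected to an internal network resource through the RD Gateway server'
}

# Assumption: a 24-hour window is long enough to contain a service start and client traffic.
$Since = (Get-Date).AddHours(-24)

# Get-WinEvent returns newest events first; 643 is included so a recurrence can be detected.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = @(101, 200, 302, 643)
    StartTime = $Since
} -ErrorAction SilentlyContinue)

foreach ($id in ($Expected.Keys | Sort-Object)) {
    $hits = @($events | Where-Object { $_.Id -eq $id })
    if ($hits.Count -gt 0) {
        $status = 'PRESENT'
        $latest = $hits[0].TimeCreated
    } else {
        $status = 'MISSING'
        $latest = 'never in window'
    }
    Write-Output ('{0,-7} {1,4}  {2,-75} last: {3}' -f $status, $id, $Expected[$id], $latest)
}

# A 643 logged after the latest 101 means the RAP store (rap.xml) failed again after the
# service came up, so the permission or rename fix did not take effect.
$lastStart = @($events | Where-Object { $_.Id -eq 101 })
if ($lastStart.Count -gt 0) {
    $startTime = $lastStart[0].TimeCreated
    $rapFailures = @($events | Where-Object { $_.Id -eq 643 -and $_.TimeCreated -gt $startTime })
    if ($rapFailures.Count -gt 0) {
        Write-Warning ('{0} event(s) 643 since the service start at {1}; rap.xml is still not readable. Latest message: {2}' -f `
            $rapFailures.Count, $startTime, $rapFailures[0].Message)
    } else {
        Write-Output "No event 643 since the service start at $startTime."
    }
} else {
    Write-Warning "No event 101 in window; the Remote Desktop Gateway service may not have started."
}
```

Event 101 alone shows only that the service started; 200 and 302 require an actual client session, so run the check after a test connection through the gateway, and expect 302 to be MISSING if the RD RAPs were removed by the rename procedure and not yet re-created.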