Unable to create a Remote Desktop Connection authorization policy

RD Gateway not working

Archived Forums: Remote Desktop Services (Terminal Services)

  • Question


    Using the following setup (2012r2):


    SRV1:

    • RD Web Access
    • Connection Broker
    • Gateway

    SRV2:

    • Session host (part of test collection)

    SRV3:

    • Session host (part of test collection)

    Without the RD Gateway everything works fine when I try to open a remote app or the session collection from the Remote Web Access site, but with the RD gateway enabled it just doesn't work. In the Terminalservices-gateway it records the event:

    The user "contoso\administrator", on client computer "53.57.174.113", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "rd.contoso.com". Connection protocol used: "HTTP". The following error occurred: "23005".

    So from what I understand it was able to establish a connection with the RD Gateway server and it met the health requirements. But the strange thing: Connection Protocol used: HTTP???

    In the security log it shows:

    An account was logged off.

    Perhaps I've made a mistake? I've created a single DNS record (rd.contoso.com), so it's being used for clients establishing a session using port 3389 and for the remote gateway.

    Under deployment options I've set the 'Use these RD Gateway settings' to: rd.contoso.com and assigned a wildcard certificate *.contoso.com

    If I open the RDP connection it shows:

    prompt for credentials on client:i:1
    span monitors:i:1
    use multimon:i:1
    remoteapplicationmode:i:1
    server port:i:3389
    allow font smoothing:i:1
    promptcredentialonce:i:1
    gatewayusagemethod:i:2
    gatewayprofileusagemethod:i:1
    gatewaycredentialssource:i:0
    full address:s:rd.contoso.com
    alternate shell:s:||OMNIS7
    remoteapplicationprogram:s:||application
    gatewayhostname:s:rd.contoso.com
    remoteapplicationname:s:application
    workspace id:s:srv1.domain.local
    use redirection server name:i:1
    loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Collection_Vakme
    alternate full address:s:rd.contoso.com

    Also disabled the firewall on all hosts participating



    • Edited by Marc-1983 Thursday, October 13, 2016 7:41 PM

    Thursday, October 13, 2016 7:35 PM
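As an added example (not code from the thread), a small Python checker that parses the .rdp file quoted above and the TerminalServices-Gateway event text, and flags the case the thread ends up diagnosing: the connection target ("full address") and the gateway hostname being the same public name. The sample .rdp lines and event message are constructed from the post; the event's field layout is assumed to match the quoted text.

```python
import re
# Constructed sample input: a subset of the .rdp file quoted in the post above.
RDP_FILE = """\
full address:s:rd.contoso.com
gatewayhostname:s:rd.contoso.com
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Collection_Vakme
alternate full address:s:rd.contoso.com
server port:i:3389
"""
# Constructed sample: the TerminalServices-Gateway event text quoted in the post.
EVENT_MESSAGE = (
    'The user "contoso\\administrator", on client computer "53.57.174.113", '
    'met connection authorization policy and resource authorization policy '
    'requirements, but could not connect to resource "rd.contoso.com". '
    'Connection protocol used: "HTTP". The following error occurred: "23005".'
)
# Field layout assumed from the quoted message; named groups capture each value.
EVENT_RE = re.compile(
    r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)", .*?'
    r'could not connect to resource "(?P<resource>[^"]+)"\. '
    r'Connection protocol used: "(?P<protocol>[^"]+)"\. '
    r'The following error occurred: "(?P<error>\d+)"'
)

def parse_rdp(text):
    """Parse key:type:value lines; 'i' values become ints, 's' values stay strings."""
    settings = {}
    for line in text.splitlines():
        if line.count(":") < 2:
            continue  # blank or malformed line
        key, kind, value = line.split(":", 2)  # value may itself contain ':' (tsv://...)
        settings[key.strip()] = int(value) if kind == "i" else value
    return settings

def parse_gateway_event(message):
    """Return the event's fields as a dict, or None if the text does not match."""
    m = EVENT_RE.search(message)
    return m.groupdict() if m else None

def diagnose(rdp_text, event_message):
    """Flag the thread's misconfiguration: the RDP target is the gateway's own name."""
    s, ev = parse_rdp(rdp_text), parse_gateway_event(event_message)
    gateway = s.get("gatewayhostname", "").lower()
    findings = []
    for key in ("full address", "alternate full address"):
        if gateway and s.get(key, "").lower() == gateway:
            findings.append(f"{key} '{s[key]}' is the RD Gateway host itself")
    if ev and ev["resource"].lower() == gateway:
        findings.append(f"event error {ev['error']}: gateway could not reach '{ev['resource']}'")
    return findings
```

Running `diagnose(RDP_FILE, EVENT_MESSAGE)` on the sample returns three findings; pointing "full address" at the Session Host or Broker name instead of the gateway's public name removes the first one.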

Answers


    Well, and that was the problem

    To solve it I've created a new DNS zone with the name rd.contoso.com and added a record without the hostname and with the IP address of the RD gateway.

    And that solved it, the error message / solution was right in front of me the whole time...


    • Marked as answer by Marc-1983 Thursday, October 13, 2016 9:11 PM
    • Edited by Marc-1983 Thursday, October 13, 2016 9:12 PM

    Thursday, October 13, 2016 9:07 PM

All replies


    Hi Bruun,

    Did you create & configure RAP (Resource Authorization Policies) & CAP (Connection Authorization Policies)?

    It seems that you have an authorization issue and the RD Gateway does not allow you to connect to your RemoteApps or remote desktop.

    HK.


    Hicham KADIRI | Just Another IT Guy

    RDS 2012 R2 reference book is now available!

    Thursday, October 13, 2016 8:05 PM


    Hi Hicham,

    This event is logged: met connection authorization policy and resource authorization policy, so it seems to meet the policies that have been set.

    Connection Authorization policy:

    If the user is a member of any of the following user groups:
    contoso\Domain Users
    If the client computer is a member of any of the following computer groups:
    Not applicable (no computer group is specified)
    If the user uses the following supported Windows authentication methods:
    Password
    Allow the user to connect to this RD Gateway server and disable device redirection for the following client devices:
    Not applicable (device redirection is allowed for all client devices)
    After the idle timeout is reached:
    - Not applicable (no idle timeout)
    After the session timeout is reached:
    - Not applicable (no session timeout)

    Resource Authorization Policy:

    user groups: domain users
    Network resource: allow users to connect to any network resource
    Allowed ports: allow connections only to port 3389



    • Edited by Marc-1983 Thursday, October 13, 2016 8:16 PM

    Thursday, October 13, 2016 8:15 PM


    This line got me thinking: met connection authorization policy and resource authorization policy requirements, but could not connect to resource "rd.contoso.com"

    So according to the event it was able to connect to 'rd.contoso.com' because it logged 'met rap and cap policy', then it tried to connect again to 'rd.contoso.com' ?

    Thursday, October 13, 2016 8:44 PM


    When I open the remote application RDP it shows:

    Remote computer: rd.contoso.com

    Gateway server: rd.contoso.com

    It seems to me that the remote computer must be: SRV1.contoso.local (That explains why it logged the event: cannot connect to resource 'rd.contoso.com')

    Thursday, October 13, 2016 9:01 PM



    Hi,

    I am glad to hear that your problem has been resolved. And thanks for your share.

    Best Regards,

    Jay



    Friday, October 14, 2016 6:53 AM

What is a Remote Desktop Gateway

A Remote Desktop Gateway Server enables users to connect to remote computers on a corporate network from any external computer. The RD Gateway uses the Remote Desktop Protocol & the HTTPS Protocol to create a secure encrypted connection.

A 2012 RD Gateway server uses port 443 (HTTPS), which provides a secure connection using a Secure Sockets Layer (SSL) tunnel.

A Remote Desktop Gateway provides the following benefits:

  • Enables Remote Desktop Connections to a corporate network without having to set up a virtual private network (VPN).
  • Enables connections to remote computers across firewalls.
  • Allows you to share a network connection with other programs running on your computer. This enables you to use your ISP connection instead of your corporate network to send and receive data over a remote connection.

http://windows.microsoft.com/en-us/windows7/what-is-a-remote-desktop-gateway-server

For more information on deploying a Gateway on the perimeter network, please see the following link: http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx


theskyisthelimit99 Mar 15, 2020 at 03:41 UTC

Turns out this was an NPS logging issue of all things:

https://blog.alschneiter.com/2015/12/11/error-connecting-truogh-rd-gateway-2012-r2/

Once I set "If logging fails, discard connection requests" to unchecked for both the SQL and Event Viewer entries, I could connect.


Erick4578 Jun 5, 2020 at 12:12 UTC

Thank you so much. I have been beating my head on a very similar issue. Your link to the NPS logging was the key that I was missing.


Overview

Duo Authentication for Remote Desktop Gateway adds two-factor authentication to your RemoteApp Access logons, and blocks any connections to your Remote Desktop Gateway server(s) from users who have not completed two-factor authentication when all connection requests are proxied through a Remote Desktop Gateway. Users automatically receive a 2FA prompt in the form of a push request in Duo Mobile or a phone call when logging in. This configuration does not support passcodes or inline self-enrollment.

Installing Duo's RD Gateway plugin disables Remote Desktop Connection Authorization Policies (RD CAP) and Resource Authorization Policies (RD RAP). The CAPs and RAPs become inaccessible from the Remote Desktop Gateway Manager and previously configured policy settings are ignored by Remote Desktop Gateway. If operational requirements mandate continued use of RD CAPs/RAPs, you may want to consider installing Duo for Windows Logon at your RDS Session Hosts instead. This alternative also supports passcode authentication.

Before you begin deploying Duo in your RDS environment, please read our Duo 2FA for Microsoft Remote Desktop Services overview to understand the capabilities and limitations of the different deployment options.

If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access with Duo and/or RD Gateway with Duo. If clients can establish a direct connection to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two­-factor authentication. Block direct RDP access to these hosts to mitigate the potential for bypass.