RDS: The RD Gateway server must have at least one RD CAP enabled

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Remote Desktop Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Remote Desktop Services

Severity: Error

Category: Configuration

Issue

The Remote Desktop Gateway (RD Gateway) server does not have a Remote Desktop connection authorization policy (RD CAP) enabled.

Impact

If the RD Gateway server does not have an RD CAP enabled, users cannot connect to internal network resources (computers) by using the RD Gateway server.

Resolution

Use the RD Gateway Manager tool to enable an RD CAP to specify which users can use the RD Gateway server to connect to internal network resources (computers).

Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to network resources by using an RD Gateway server.

Use the following to ensure that an RD CAP exists and is enabled:

  • Verify an RD CAP exists

  • Create an RD CAP

  • Enable an RD CAP

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure.

To verify an RD CAP exists

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. In the results pane, in the list of Connection Authorization Policies, verify RD CAPs exist.

    • If no RD CAPs are listed, see the section “To create an RD CAP” to create new RD CAPs.

    • If RD CAPs are listed and none are enabled, see the section “To enable an RD CAP” to enable an existing RD CAP.

To create an RD CAP

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. Right-click the Connection Authorization Policies folder, point to Create New Policy, and then click Custom.

  5. On the General tab, in the Policy name box, enter a name, and then verify that the Enable this policy check box is selected.

  6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes:

    • Password

    • Smart card

    When both of these options are selected, clients that use either authentication method are allowed to connect.

  7. Under User group membership (required), click Add Group, and then specify a user group whose members can connect by using the RD Gateway server. You must specify at least one user group.

  8. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:

    • Type the name of each user group, separating the names with a semicolon.

    • Add additional groups from different domains by repeating this step for each group.

  9. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups.

    To specify the computer groups, you can use the same steps that you used to specify user groups in step 8.

  10. On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:

    • To permit all client devices to be redirected when connecting by using the RD Gateway server, click Enable device redirection for all client devices. By default, this option is selected.

    • To disable device redirection for only certain device types when connecting by using the RD Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.

    Important: Select Only allow client connections to terminal servers that enforce RD Gateway device redirection so that the device redirection settings in this RD CAP are also enforced at the remote desktop server.

  11. Click OK.

  12. The new local RD CAP that you created appears in the RD Gateway Manager results pane. When you click the name of the RD CAP, the policy details appear in the lower pane.

To enable an RD CAP

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the console tree, expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. In the results pane, in the list of RD CAPs, right-click the RD CAP that you want to enable, and then click Enable.
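The three procedures above can be checked and, where needed, remediated from an elevated PowerShell session on the RD Gateway server. The following script is an added example, not part of the BPA topic; it assumes the Win32_TSGatewayConnectionAuthorizationPolicy WMI class in the root\CIMV2\TerminalServices namespace, with its Enabled, AuthMethod and UserGroupNames properties and its Enable() method, and it reproduces the condition the BPA rule flags.

```powershell
# Added example (not from the BPA topic): report whether this RD Gateway server
# has at least one enabled RD CAP, the condition the BPA rule checks.
# Run as a member of the local Administrators group on the RD Gateway server.
$ns = 'root\CIMV2\TerminalServices'
$caps = Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy

if (-not $caps) {
    # Mirrors the first bullet of "To verify an RD CAP exists".
    Write-Warning 'No RD CAP exists on this server. Create one (see "To create an RD CAP").'
    return
}

# AuthMethod (assumed bit mask): 1 = Password, 2 = Smart card, 3 = either method.
$caps |
    Select-Object Name, Enabled, AuthMethod, UserGroupNames |
    Format-Table -AutoSize

$enabled = @($caps | Where-Object { $_.Enabled })
if ($enabled.Count -eq 0) {
    # Mirrors the second bullet: policies exist but none is enabled, so no user
    # can connect to internal resources through this gateway.
    Write-Warning 'RD CAPs exist but none is enabled. Enable one (see "To enable an RD CAP").'
    # To enable an existing policy from this session, replace NameOfPolicy with the
    # policy shown in the table above (Enable() is the assumed WMI method name):
    #   ($caps | Where-Object { $_.Name -eq 'NameOfPolicy' }).Enable($true)
} else {
    "OK: $($enabled.Count) enabled RD CAP(s): $($enabled.Name -join ', ')"
}
```

The report is read-only; the commented Enable() call is the only line that changes configuration, and it performs the same action as step 4 of "To enable an RD CAP".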

Additional references

  • Best Practices Analyzer for Remote Desktop Services: Configuration

  • Best Practices Analyzer for Remote Desktop Services