Share via


Event ID 563 — TS Gateway Server Configuration

Applies To: Windows Server 2008

For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.

Event Details

Product: Windows Operating System
ID: 563
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.0
Symbolic Name: AAG_EVENT_RG_CREATE_FAILED
Message: The resource group "%1" could not be created. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

Resolve

Ensure that security groups and TS Gateway-managed groups are configured correctly

To resolve this issue, do the following:

  • Ensure that security groups and if applicable, TS Gateway-managed groups are configured correctly by checking security group and TS Gateway-managed computer group settings in the Terminal Services resource authorization policy (TS RAP).
  • If the problem still occurs, ensure that the required permissions are granted to rap.xml.
  • If the problem still occurs, ensure that the correct value is set and the required permissions are granted for the RAPStore registry key.

Check security group and TS Gateway-managed computer group settings in the TS RAP

Note: In addition to meeting the requirements of the TS RAP, users on clients must have the right to log on locally to the computer to which they are trying to connect.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To check security group and TS Gateway-managed computer group settings in the TS RAP:

  1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
  2. In the TS Gateway Manager console tree, select the node that represents the local TS Gateway server, which is named for the computer on which the TS Gateway server is running.
  3. In the console tree, expand Policies, and then click Resource Authorization Policies.
  4. In the results pane, in the list of TS RAPs, right-click the TS RAP that you want to check, and then click Properties.
  5. On the Computer Group tab, check whether Allow users to connect to any network resource is selected. If so, proceed to the procedure "Ensure that the required permissions are granted to rap.xml" later in this topic. If not, do one of the following:
    • If Select an existing Active Directory security group is selected, note the name of the security group, so that you can ensure that the specified security group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the computer that the client is trying to connect to is a member of this group.
    • If Select existing TS Gateway-managed computer group or create a new one is selected, ensure that the name of the TS Gateway-managed computer group is correct, and that the computers in this group exist and can be contacted on the network.
  6. Click OK to close the Properties dialog box for the TS RAP.
  7. If an incorrect security group is specified or if the TS Gateway-managed computer group is not correctly configured, modify the settings of the existing TS RAP or create a new TS RAP. For information about how to create a TS RAP, see "Create a TS RAP" in the TS Gateway Manager Help in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=102170).

To perform these procedures, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.

Confirm that the Active Directory security group specified in the TS RAP exists, and check account membership for the client in this group

To confirm that the Active Directory security group specified in the TS RAP exists:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.
  3. Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the TS RAP, and then click Find Now.
  4. If the group exists, it will appear in the search results.
  5. Close the Find Users, Contacts, and Groups dialog box.

To check account membership for the client in this security group:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer that the client is trying to connect to belongs.
  3. In the details pane, right-click the computer name, and then click Properties.
  4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS RAP.

Confirm that the local security group specified in the TS RAP exists, and check account membership for the client in this group

To confirm that the local security group specified in the TS RAP exists, and to check account membership for the client in this group:

  1. On the TS Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
  2. In the console tree, expand Local Users and Groups, and then click Groups.
  3. In the results pane, locate the local security group that contains the computers that the client can access through the TS Gateway server (the group name or description should indicate whether the group has been created for this purpose).
  4. Right-click the group name, and then click Properties.
  5. On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the TS RAP.
  6. Click OK.

If this does not resolve the issue, ensure that the correct permissions are granted to the rap.xml file.

Ensure that the required permissions are granted to rap.xml

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To ensure that the required permissions are granted to rap.xml:

  1. On the TS Gateway server, navigate to %Windir%\System32\tsgateway\rap.xml, where %Windir% is the drive on which the operating system is installed.
  2. Right-click rap.xml.
  3. In the rap.xml Properties dialog box, click the Security tab.
  4. Click Edit, and then do the following:
    • In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
    • Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.
    • Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.
    • Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read.
  5. Click OK.

Rename rap.xml and start TS Gateway Manager

If granting the required permissions to rap.xml does not resolve the problem, try renaming rap.xml to rapbak.xml, and then starting TS Gateway Manager. Starting the console will create a new rap.xml file.

To rename rap.xml:

  1. On the TS Gateway server, navigate to %Systemdrive%\System32\tsgateway\rap.xml.
  2. Right-click rap.xml, type rapbak.xml, and then press ENTER.

Note: After you rename rap.xml and restart TS Gateway Manager, no TS RAPs will appear when you open the console (to confirm that no TS RAPs appear, open TS Gateway Manager, click to expand the node that represents your TS Gateway server, expand Policies, and then click Resource Authorization Policies).

To start TS Gateway Manager:

  • On the TS Gateway server, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

If this does not resolve the issue, ensure that the correct value is set for the RAPStore registry key, and that the required permissions are granted to this registry key.

Ensure that the correct value is set and the required permissions are granted for the RAPStore registry key

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To set the correct value and grant the required permissions for the RAPStore registry key:

  1. On the TS Gateway server, click Start, click Run, type regedit, and then press ENTER.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core\ subkey, right-click the subkey, and then click Permissions.
  3. In the Permissions for Core dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
  4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control, and then click OK.
  5. Click the Core registry subkey.
  6. In the details pane, right-click RAPStore, and then click Modify.
  7. In the Edit String dialog box, in Value data, verify that the value is set to msxml://%SystemRoot%\System32\rap.xml. If the value is different, modify it as required, and then click OK.

Verify

To verify that the TS Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the TS Gateway server is configured correctly:

  1. On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.

TS Gateway Server Configuration

Terminal Services