Share via


Event ID 201 — RD Gateway Server Connections

Applies To: Windows Server 2008 R2

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, clients must meet the conditions specified in at least one Remote Desktop connection authorization policy (RD CAP) and Remote Desktop resource authorization policy (RD RAP). RD CAPs specify who can connect to an RD Gateway server and the authentication method that must be used. RD RAPs specify the computers that clients can connect to through an RD Gateway server.

Note: A limit can be set on the RD Gateway server to restrict the maximum number of simultaneous client connections.

Event Details

Product: Windows Operating System
ID: 201
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EVENT_NAP_FAILED
Message: The user "%1", on client computer "%2", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The following authentication method was attempted: "%3". The following error occurred: "%5".

Resolve

Ensure that the client meets the requirements of the RD CAP

To resolve this issue, ensure that the clients meet the requirements of at least one Remote Desktop connection authorization policy (RD CAP).

To determine whether a client meets the requirements of at least one RD CAP, do the following:

  • Check the RD CAP settings on the RD Gateway server. For instructions, see "Check RD CAP settings on the RD Gateway server" later in this topic.
  • Ensure that the local or Active Directory security group specified in the RD CAP exists, and that the user account (and if applicable, the computer account) for the client is a member of the appropriate security group. For instructions for Active Directory security groups, see "Confirm that the Active Directory security group specified in the RD CAP exists, and check account membership for the client in this group." For instructions for local security groups, see "Confirm that the local security group specified in the RD CAP exists, and check account membership for the client in this group" later in this topic.

Check RD CAP settings on the RD Gateway server

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To check RD CAP settings on the RD Gateway server:

  1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  2. In the Remote Desktop Gateway Manager console tree, select the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.
  3. In the console tree, expand Policies, and then click Connection Authorization Policies.
  4. In the results pane, in the list of RD CAPs, right-click the RD CAP that you want to check, and then click Properties.
  5. On the Requirements tab, do the following:
    • Under Supported Windows authentication methods, check whether the specified method is compatible with the authentication method used by the client. The user on the client must use the same authentication method (for example, smart card or password) that is specified in the RD CAP.
    • In User group membership (required), note the name of the user group so that you can ensure that the specified user group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the user account for the client is a member of this group. For instructions for Active Directory security groups, see "Confirm that the Active Directory security group specified in the RD CAP exists, and check account membership for the client in this group." For instructions for local security groups, see "Confirm that the local security group specified in the RD CAP exists, and check account membership for the client in this group" later in this topic.
    • Under Client computer group membership (optional), check whether a client computer group is specified. If so, note the name of the client computer group so that you can ensure that the specified client computer group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the client is a member of this group.
  6. Click OK.
  7. If the client settings and RD CAP settings are not compatible, do one of the following:
    • Modify the client configuration.
    • Modify the settings of the existing RD CAP.
    • Create a new RD CAP. For information about how to create an RD CAP, see "Create an RD CAP" in the Remote Desktop Gateway Manager Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=178452).

After you check RD CAP settings, ensure that the local or Active Directory security group specified in the RD CAP exists, and that the user account (and if applicable, the computer account) for the client is a member of the appropriate security group.

Performing these procedures does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.

Confirm that the Active Directory security group specified in the RD CAP exists, and check account membership for the client in this group

To confirm that the Active Directory security group specified in the RD CAP exists:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then press ENTER.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.
  3. Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the RD CAP, and then click Find Now.
  4. If the group exists, it will appear in the search results.
  5. Close the Find Users, Contacts, and Groups dialog box.

To check account membership for the client in this security group:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then press ENTER.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.
  3. In the details pane, right-click the user name, and then click Properties.
  4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD CAP, and then click OK.
  5. If client computer group membership has also been specified as a requirement in the RD CAP, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer belongs.
  6. In the details pane, right-click the computer name, and then click Properties.
  7. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD CAP, and then click OK.

Confirm that the local security group specified in the RD CAP exists, and check account membership for the client in this group

To confirm that the local security group specified in the RD CAP exists, and to check account membership for the client in this group:

  1. On the RD Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
  2. In the console tree, expand Local Users and Groups, and then click Groups.
  3. In the results pane, locate the local security group that has been created to grant members access to the RD Gateway server (the group name or description should indicate whether the group has been created for this purpose).
  4. Right-click the group name, and then click Properties.
  5. On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the RD CAP.
  6. If client computer group membership has also been specified as a requirement in the RD CAP, on the General tab, confirm that the client computer account is also a member of this group, and then click OK.

Verify

To verify that RD Gateway server connectivity is working, examine Event Viewer logs and search for the following event messages.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that RD Gateway server connectivity is working:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.

 

RD Gateway Server Connections

Remote Desktop Services