Event ID 643 — TS Gateway Server Availability

Applies To: Windows Server 2008

The Terminal Services Gateway (TS Gateway) server must be available on the network and the appropriate services must be running on the TS Gateway server. The Terminal Services connection authorization policy (TS CAP) and Terminal Services resource authorization policy (TS RAP) stores must also be available, so that these policies can be evaluated to determine whether remote clients meet policy requirements. TS CAPs specify who can connect to a TS Gateway server. TS RAPs specify the internal network resources (computers) that clients can connect to through a TS Gateway server. If TS CAPs and TS RAPs are not available, the TS Gateway server will not be available for client connections.

Event Details

Product: Windows Operating System
ID: 643
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.0
Symbolic Name: AAG_EVENT_RAP_AZMAN_APP_FAILED
Message: TS Gateway Resource access Policy engine failed to open Azman Application(TS Gateway) and the error was "%2"

Resolve

Grant the required permissions to rap.xml

To resolve this issue, grant the required permissions to the rap.xml file. If granting the required permissions to the rap.xml file does not resolve the problem, rename the rap.xml file and start the TS Gateway Manager snap-in console.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Grant the required permissions to the rap.xml file

To grant the required permissions to the rap.xml file:

  1. On the TS Gateway server, navigate to %Windir%\System32\tsgateway\rap.xml, where %Windir% is the drive on which the operating system is installed.
  2. Right-click rap.xml.
  3. In the rap.xml Properties dialog box, click the Security tab.
  4. Click Edit, and then do the following:
    1. In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
    2. Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.
    3. Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.
    4. Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read.
  5. Click OK.
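
The same permission check can be scripted. The following is an added example, not part of the original Microsoft procedure: it audits the ACL on rap.xml against the four entries listed above and grants only what is missing. It assumes PowerShell is installed on the TS Gateway server, that it is run from an elevated prompt, and that `icacls.exe` accepts well-known SIDs in the `*SID` form.

```powershell
# Added example, not Microsoft's script. Run from an elevated prompt.
$rap = Join-Path $env:windir 'System32\tsgateway\rap.xml'

# Entries required by the procedure, keyed by well-known SID so the
# script does not depend on localized account names.
$required = @(
    @{ Sid = 'S-1-5-18';     Name = 'SYSTEM';          Rights = 'FullControl';    Flag = 'F'  },
    @{ Sid = 'S-1-5-32-544'; Name = 'Administrators';  Rights = 'FullControl';    Flag = 'F'  },
    @{ Sid = 'S-1-5-32-545'; Name = 'Users';           Rights = 'ReadAndExecute'; Flag = 'RX' },
    @{ Sid = 'S-1-5-20';     Name = 'Network Service'; Rights = 'Read';           Flag = 'R'  }
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = (Get-Acl -Path $rap).GetAccessRules($true, $true, $sidType)

foreach ($entry in $required) {
    $want = [int][System.Security.AccessControl.FileSystemRights]$entry.Rights
    $allowed = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $entry.Sid) { continue }
        if ($rule.AccessControlType -eq 'Deny') {
            # A Deny entry overrides Allow; report it rather than remove it silently.
            Write-Warning "$($entry.Name): Deny entry present ($($rule.FileSystemRights))"
        } else {
            $allowed = $allowed -bor [int]$rule.FileSystemRights
        }
    }

    if (($allowed -band $want) -eq $want) {
        Write-Output "$($entry.Name): $($entry.Rights) already allowed"
    } else {
        # Same effect as selecting the Allow check box on the Security tab.
        Write-Output "$($entry.Name): granting $($entry.Rights)"
        & icacls.exe $rap /grant "*$($entry.Sid):($($entry.Flag))"
    }
}
```

The script only adds Allow entries; a Deny entry it warns about has to be reviewed and removed by hand.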

Rename the rap.xml file and start TS Gateway Manager

If granting the required permissions to rap.xml does not resolve the problem, try renaming rap.xml to rapbak.xml, and then starting TS Gateway Manager. Starting the console will create a new rap.xml file.

To rename the rap.xml file:

  1. On the TS Gateway server, navigate to %Windir%\System32\tsgateway\rap.xml, where %Windir% is the drive on which the operating system is installed.
  2. Right-click rap.xml, type rapbak.xml, and then press ENTER.

Note: After you rename rap.xml and restart TS Gateway Manager, no Terminal Services resource authorization policies (TS RAPs) will appear when you open the console. To confirm that no TS RAPs appear, open TS Gateway Manager, click to expand the node that represents your TS Gateway server, expand Policies, and then click Resource Authorization Policies.

To start TS Gateway Manager:

  • On the TS Gateway server, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

Verify

To verify that the TS Gateway server is available for client connections, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the TS Gateway server is available for client connections:

  1. On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.
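
The Event Viewer check above can also be run from a PowerShell prompt. This is an added example, not part of the original Microsoft procedure: it uses `wevtutil.exe` to find the most recent occurrence of each of the three events. It assumes the log channels are named after the event source (`Microsoft-Windows-TerminalServices-Gateway/...`) and enumerates them rather than hard-coding one.

```powershell
# Added example: script form of the Event Viewer check above.
$expected = @{
    101 = 'Terminal Services Gateway service is running'
    200 = 'client connected to the TS Gateway server'
    302 = 'client connected to an internal network resource'
}

# Enumerate the gateway's channels instead of hard-coding one
# (assumption: the channel prefix matches the event source name).
$prefix = 'Microsoft-Windows-TerminalServices-Gateway/*'
$channels = @(wevtutil.exe el | Where-Object { $_ -like $prefix })
if ($channels.Count -eq 0) {
    throw 'No TerminalServices-Gateway channels found on this server.'
}

foreach ($id in ($expected.Keys | Sort-Object)) {
    $latest = $null
    foreach ($channel in $channels) {
        # Newest matching event only: /c:1 combined with /rd:true.
        $xml = wevtutil.exe qe $channel "/q:*[System[(EventID=$id)]]" /c:1 /rd:true /f:xml
        if ($xml) {
            $event = ([xml]($xml -join '')).Event
            $when = [datetime]$event.System.TimeCreated.SystemTime
            if (-not $latest -or $when -gt $latest) { $latest = $when }
        }
    }

    if ($latest) {
        Write-Output "Event ${id}: last seen $latest ($($expected[$id]))"
    } else {
        Write-Output "Event ${id}: NOT FOUND ($($expected[$id]))"
    }
}
```

Compare the reported timestamps with the time of the fix: events 200 and 302 dated after the change show that clients are connecting again.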
