Event ID 519 — RD Gateway Server Configuration

Applies To: Windows Server 2008 R2

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.

Event Details

Product: Windows Operating System
ID: 519
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EVENT_INVALID_CERT_WHEN_QUARANTINE_ENABLE_FAILED
Message: The server certificate is not valid because the public key of the certificate contains an object identifier (also known as OID) of 2.5.29.15, but does not support the Extended Key Usage (EKU) for encryption. For the "Request clients to send a statement of health" setting that is enabled on this RD Gateway server to function, if the certificate that you plan to use contains an OID of 2.5.29.15, you must ensure that one of the following key usage values for this certificate is also set: (1) CERT_KEY_ENCIPHERMENT_KEY_USAGE (2) CERT_KEY_AGREEMENT_KEY_USAGE (3) CERT_DATA_ENCIPHERMENT_KEY_USAGE. For more information, see "Obtain a certificate for the RD Gateway server" in the RD Gateway Help.

Resolve

Check whether the RD Gateway server is configured to use a certificate that meets RD Gateway requirements

To resolve this issue, do the following:

  1. Check whether the RD Gateway server is configured to use a certificate that meets RD Gateway requirements. For information, see "Check whether the certificate that the RD Gateway server is configured to use meets the certificate requirements" later in this topic. For information about RD Gateway certificate requirements, see "Certificate requirements" later in this topic.
  2. If the certificate that the RD Gateway server is configured to use does not meet RD Gateway certificate requirements, check whether another certificate is installed on the RD Gateway server that does meet the certificate requirements.
  3. If no other certificate is installed on the RD Gateway server that meets the certificate requirements, do the following:
    • Obtain another certificate that meets RD Gateway certificate requirements. For information about obtaining a certificate for the RD Gateway server, see "Obtain a certificate for the Remote Desktop Gateway server" in the Remote Desktop Gateway Manager Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=178454).
    • Install the certificate on the RD Gateway server.
    • Configure the RD Gateway server to use the certificate for SSL.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Check whether the certificate that the RD Gateway server is configured to use meets the certificate requirements

To check whether the certificate that the RD Gateway server is configured to use meets the certificate requirements:

  1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  2. In the Remote Desktop Gateway Manager console tree, right-click the local RD Gateway server, and then click Properties.
  3. On the SSL Certificate tab, note the properties of the certificate that the RD Gateway server is configured to use, so that you know which certificate to check. At the top of the tab, the following properties for the certificate are displayed: Issued to, Issued by, and Expiration date.
  4. Click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.
  5. In the Install Certificates dialog box, click the certificate that the RD Gateway server is currently configured to use (the certificate whose Issued to, Issued by, and Expiration date values match the values that you noted in step 3), and then click View Certificate.
  6. Review the certificate properties to ensure that the certificate meets RD Gateway requirements. The General tab states whether you have a private key that corresponds to the certificate; the Details tab shows the Subject, Subject Alternative Name, Enhanced Key Usage, Key Usage, Valid from, and Valid to fields. For information about certificate requirements, see "Certificate requirements" later in this topic.
  7. If the certificate meets the requirements for RD Gateway, click Install. If the certificate does not meet the requirements for RD Gateway, select another certificate that does and install it (if another certificate is available), or do the following:
    1. Obtain another certificate that meets RD Gateway certificate requirements. For information, see "Obtain a certificate for the Remote Desktop Gateway server" in the Remote Desktop Gateway Manager Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=178454).
    2. Install the certificate on the RD Gateway server. For information, see "Install the certificate on the RD Gateway server" later in this topic.
    3. Configure the RD Gateway server to use the certificate for SSL. For information, see "Configure the RD Gateway server to use the certificate for SSL" later in this topic.
  8. Click OK to close the Properties dialog box for the RD Gateway server.

Install the certificate on the RD Gateway server

To install the certificate on the RD Gateway server:

  1. On the RD Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
    4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
    6. In the Add or Remove Snap-ins dialog box, click OK.
  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.
  3. Right-click the Personal folder, point to All Tasks, and then click Import.
  4. On the Welcome to the Certificate Import Wizard page, click Next.
  5. On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next.
  6. If the Password page appears, type the password that was set on the private key when the certificate was exported, and then click Next.
  7. On the Certificate Store page, accept the default option, and then click Next.
  8. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected.
  9. Click Finish.
  10. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
  11. With the Personal store selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the RD Gateway server. The certificate must be in the Personal store of the local computer, not in the Personal store of a user.

Configure the RD Gateway server to use the certificate for SSL

After you install an appropriate certificate on the RD Gateway server, you must use the Remote Desktop Gateway Manager snap-in console to configure the RD Gateway server to use the certificate for SSL. If you do this by using any other method, RD Gateway will not function correctly.

To configure the RD Gateway server to use the certificate for SSL:

  1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  2. In the Remote Desktop Gateway Manager console tree, right-click the local RD Gateway server, and then click Properties.
  3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.
  4. In the Install Certificates dialog box, click the certificate that you want to use, click View certificate, and then review the certificate properties to ensure that it meets RD Gateway requirements. For information about certificate requirements, see "Certificate requirements" later in this topic.
  5. If the certificate meets the requirements for RD Gateway, click Install. If the certificate does not meet the requirements for RD Gateway, select another certificate that does, or obtain a new certificate for RD Gateway. For information about how to obtain a certificate for RD Gateway, see "Obtain a certificate for the Remote Desktop Gateway server" in the Remote Desktop Gateway Manager Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=178454).
  6. Click OK to close the Properties dialog box for the RD Gateway server.
  7. If this is the first time that you have configured the RD Gateway server to use an SSL certificate, after this procedure is completed, you can confirm that the procedure was successful by viewing the RD Gateway Server Status area in the Remote Desktop Gateway Manager snap-in console. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.

Certificate requirements

Certificates for RD Gateway must meet these requirements:

  • The common name (CN) in the Subject field of the server certificate must match the DNS name that clients use to connect to the RD Gateway server, unless the name is supplied instead by a wildcard certificate or by the Subject Alternative Name (SAN) extension of the certificate. Multiple CNs are not supported. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, the name is supplied directly in the request, so you do not need to do this.
  • The certificate is a computer certificate.
  • The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
  • The certificate has a corresponding private key.
  • The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
  • The Key Usage extension (object identifier, or OID, 2.5.29.15) is not required. However, if the certificate that you plan to use contains this extension, you can use the certificate only if at least one of the following key usage bits is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE (keyEncipherment), CERT_KEY_AGREEMENT_KEY_USAGE (keyAgreement), or CERT_DATA_ENCIPHERMENT_KEY_USAGE (dataEncipherment). A certificate whose Key Usage extension is present but contains none of these bits, for example a certificate that asserts only digitalSignature, is the condition that causes Event ID 519 when "Request clients to send a statement of health" is enabled.
  • The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the client's Trusted Root Certification Authorities store on the client computer.
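As an added example that is not part of the original topic, the following PowerShell script checks every certificate in the local computer's Personal store against the requirements above, so that the review in the preceding procedures can be repeated without clicking through the certificate dialog. It assumes that clients connect to the gateway as rdg.example.com (a placeholder; substitute your own name) and that it runs on the RD Gateway server itself. The chain check it performs shows only whether the server trusts the issuing CA; client-side trust must still be verified on the client computers.

```powershell
# Added example, not part of the original topic. Audits the certificates in the
# local computer's Personal store against the RD Gateway certificate requirements.
# Run in an elevated PowerShell prompt on the RD Gateway server; the code uses only
# features available in the PowerShell 2.0 that ships with Windows Server 2008 R2.
# ASSUMPTION: clients connect to the gateway as rdg.example.com (placeholder).
$GatewayDnsName = 'rdg.example.com'

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
# Key Usage (OID 2.5.29.15) bits that satisfy the requirement when the extension is present.
$AcceptableKeyUsage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, KeyAgreement, DataEncipherment'

function Get-CertificateDnsNames {
    # Returns the Subject CN plus any dNSName entries found in the SAN extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } | Select-Object -First 1
    if ($san) {
        # Format() yields text such as "DNS Name=rdg.example.com, DNS Name=rdg2.example.com"
        # on English-locale systems; pull the dNSName entries out of it.
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names
}

function Test-DnsNameMatch {
    # Exact match, or a wildcard that covers the left-most label only
    # (*.example.com matches rdg.example.com but not a.b.example.com).
    param([string[]]$CertNames, [string]$DnsName)
    foreach ($name in $CertNames) {
        if ($name -ieq $DnsName) { return $true }
        if ($name.StartsWith('*.') -and $DnsName.Contains('.')) {
            $parent = $DnsName.Substring($DnsName.IndexOf('.') + 1)
            if ($name.Substring(2) -ieq $parent) { return $true }
        }
    }
    $false
}

function Test-RdGatewayCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$DnsName
    )
    $now = Get-Date

    # Intended purpose must include Server Authentication; a certificate with no EKU fails here.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasServerAuth = $false
    if ($eku) { $hasServerAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthEku }

    # Key Usage is optional; when present it must carry at least one acceptable bit
    # (this is the check whose failure produces Event ID 519).
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    $keyUsageOk = (-not $ku) -or (($ku.KeyUsages -band $AcceptableKeyUsage) -ne 0)

    # Chain validation proves only that this server trusts the issuer. Revocation is
    # skipped so the check works offline; clients still need the CA in their own
    # Trusted Root Certification Authorities store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)

    $checks = @{
        Thumbprint       = $Certificate.Thumbprint
        Subject          = $Certificate.Subject
        NameMatches      = Test-DnsNameMatch (Get-CertificateDnsNames $Certificate) $DnsName
        ServerAuthEku    = $hasServerAuth
        HasPrivateKey    = $Certificate.HasPrivateKey
        TimeValid        = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
        ValidOneYear     = $Certificate.NotAfter -gt $now.AddYears(1)   # recommendation, not a requirement
        KeyUsageOk       = $keyUsageOk
        ChainTrustedHere = $chainOk
    }
    $checks.MeetsRequirements = $checks.NameMatches -and $checks.ServerAuthEku -and $checks.HasPrivateKey -and
                                $checks.TimeValid -and $checks.KeyUsageOk -and $checks.ChainTrustedHere
    New-Object PSObject -Property $checks |
        Select-Object Thumbprint, Subject, NameMatches, ServerAuthEku, HasPrivateKey, TimeValid,
                      ValidOneYear, KeyUsageOk, ChainTrustedHere, MeetsRequirements
}

# The "computer certificate" requirement is met by reading the machine store, not a user store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RdGatewayCertificate -Certificate $_ -DnsName $GatewayDnsName } |
    Format-List
```

A certificate that reports KeyUsageOk as False is one whose Key Usage extension is present without keyEncipherment, keyAgreement, or dataEncipherment; that is the certificate Event ID 519 is complaining about, and it should be replaced rather than reinstalled. A certificate that passes every check here can still be rejected by clients if they do not trust the issuing CA, so ChainTrustedHere is a necessary condition, not a sufficient one.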

Verify

To verify that the RD Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the RD Gateway server is configured correctly:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.
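As an added example that is not part of the original topic, the following PowerShell script performs the same verification from the command line: it reads the TerminalServices-Gateway logs for events 101, 200, and 302, and also for any recent 519 so that a lingering certificate problem is not missed. It assumes that the logs Event Viewer shows under Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway are named Microsoft-Windows-TerminalServices-Gateway/Admin and /Operational, and it looks back 24 hours (both are adjustable). Consistent with the note above, reading these logs does not require administrative rights.

```powershell
# Added example, not part of the original topic. Scripts the Verify procedure:
# summarize RD Gateway events 101, 200, 302 (healthy operation) and 519 (this
# topic's certificate error) from the TerminalServices-Gateway logs.
# Uses only features available in PowerShell 2.0 on Windows Server 2008 R2.
# ASSUMPTION: log names below match the Event Viewer node named in the topic.
$Since = (Get-Date).AddHours(-24)
$GatewayLogs = 'Microsoft-Windows-TerminalServices-Gateway/Admin',
               'Microsoft-Windows-TerminalServices-Gateway/Operational'

# Meaning of each ID as given in the Verify section; 519 is the error this topic documents.
$Meaning = @{
    101 = 'Remote Desktop Gateway service is running'
    200 = 'Client connected to the RD Gateway server'
    302 = 'Client connected to an internal network resource through the RD Gateway server'
    519 = 'Server certificate rejected: Key Usage present without an acceptable bit'
}

function Get-RdGatewayEvents {
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{
        LogName   = $GatewayLogs
        Id        = @($Meaning.Keys)
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue
}

$events = @(Get-RdGatewayEvents -StartTime $Since)

# One row per event ID: how often it was logged in the window and when it was last seen.
# ($hits is used instead of $matches, which PowerShell reserves for regex results.)
$summary = foreach ($id in ($Meaning.Keys | Sort-Object)) {
    $hits = @($events | Where-Object { $_.Id -eq $id })
    $last = $null
    if ($hits.Count -gt 0) { $last = ($hits | Sort-Object TimeCreated -Descending)[0].TimeCreated }
    New-Object PSObject -Property @{ Id = $id; Count = $hits.Count; LastSeen = $last; Meaning = $Meaning[$id] }
}
$summary | Select-Object Id, Count, LastSeen, Meaning | Format-Table -AutoSize

# Interpretation, in the order a practitioner would act on it.
if (@($events | Where-Object { $_.Id -eq 519 }).Count -gt 0) {
    Write-Warning 'Event 519 logged: the selected SSL certificate fails the Key Usage requirement. See the Resolve section.'
}
if (@($events | Where-Object { $_.Id -eq 101 }).Count -eq 0) {
    $svc = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
    if ($svc) { Write-Warning ("No event 101 in the window; Remote Desktop Gateway service status is " + $svc.Status + ".") }
    else      { Write-Warning 'No event 101 in the window and the TSGateway service was not found on this computer.' }
}

# Show the most recent successful resource connection, which names the user and target.
$lastResource = @($events | Where-Object { $_.Id -eq 302 } | Sort-Object TimeCreated -Descending)
if ($lastResource.Count -gt 0) { $lastResource[0] | Format-List TimeCreated, Message }
else { 'No event 302 in the window: no client has reached an internal resource through this gateway yet.' }
```

A healthy gateway shows at least one 101 since the last service start and, once clients are in use, recurring 200 and 302 events; a 519 anywhere in the window means the certificate selected on the SSL Certificate tab still needs to be replaced, even if older 200 and 302 events are present.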
