Remote Desktop Gateway client fails authentication with “Your user account is not authorized to access the RD Gateway”

Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2 that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

Refer to the following links to learn more about Remote Desktop Gateway and for a step-by-step guide on deploying it:

http://technet.microsoft.com/en-us/library/dd560672(WS.10).aspx

http://www.microsoft.com/downloads/details.aspx?familyid=6D146124-E850-4CEC-9EFA-33A5225E155D&displaylang=en

In a few instances our customers have reported that Remote Desktop Gateway users get the error “Your user account is not authorized to access the RD Gateway”.

There are two situations in which a user may get the errors listed below:

  • Situation A – The error occurs for a user account that belongs to the same domain as the Remote Desktop Gateway.
  • Situation B – User accounts from the domain where the Remote Desktop Gateway is located connect without issue, but users from a child domain or a peer domain (within the same tree or forest) receive the error.

Different error messages are reported based on the Remote Desktop Connection client version.

Remote Desktop Connection (RDC) 7.0 client

Remote Desktop can’t connect to the remote computer "<End Resource Name>" for one of these reasons:

1) Your user account is not authorized to access the RD Gateway "<RD Gateway Server Name>"
2) Your computer is not authorized to access the RD Gateway "<RD Gateway Server Name>"
3) You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)

Remote Desktop Connection (RDC) 6.1

Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS Gateway, possibly due to one of the following reasons:

  • You do not have permission to connect to the TS Gateway server.
  • You used password authentication but the TS Gateway server is expecting smart card authentication (or vice versa).

Note:

You may get the same error message whether you connect with the RDC client (MSTSC) or through “Remote Desktop Web Access” (under the “Remote Desktop” tab).

You may see any or all of the following events logged on the RD Gateway server:

Security Log
Log Name:      Security
Source: Microsoft-Windows-Security-Auditing
Date: Date Time
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: RDG Server FQDN

Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: MYDOMAIN\USER
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\USER

Client Machine:
Security ID: NULL SID
Account Name: Client machine's FQDN
Fully Qualified Account Name: MYDOMAIN\WSDGBLND035$
OS-Version: -
Called Station Identifier: UserAuthType:PW
Calling Station Identifier: -

NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -

RADIUS Client:
Client Friendly Name: -
Client IP Address: -

Authentication Details:
Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS Server's FQDN
Authentication Type: Unauthenticated
EAP Type: -
Account Session Identifier: -
Reason Code: 5
Reason: The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6274</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="YYYY-MM-DDTHH:MM:SS.739609200Z" />
<EventRecordID>1463</EventRecordID>
<Correlation />
<Execution ProcessID="528" ThreadID="5748" />
<Channel>Security</Channel>
<Computer>RDG Server's FQDN</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">MYDOMAIN\USER</Data>
<Data Name="SubjectDomainName">MYDOMAIN</Data>
<Data Name="FullyQualifiedSubjectUserName">MYDOMAIN\USER</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Data>
<Data Name="SubjectMachineName">WSDGBLND035.mydomain.internal</Data>
<Data Name="FullyQualifiedSubjectMachineName">MYDOMAIN\WSDGBLND035$</Data>
<Data Name="MachineInventory">-</Data>
<Data Name="CalledStationID">UserAuthType:PW</Data>
<Data Name="CallingStationID">-</Data>
<Data Name="NASIPv4Address">-</Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">-</Data>
<Data Name="NASPortType">Virtual</Data>
<Data Name="NASPort">-</Data>
<Data Name="ClientName">-</Data>
<Data Name="ClientIPAddress">-</Data>
<Data Name="ProxyPolicyName">TS GATEWAY AUTHORIZATION POLICY</Data>
<Data Name="NetworkPolicyName">-</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">RDSGBLND01.mydomain.internal</Data>
<Data Name="AuthenticationType">Unauthenticated</Data>
<Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">-</Data>
<Data Name="ReasonCode">5</Data>
<Data Name="Reason">The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.</Data>
</EventData>
</Event>

System Log
Log Name:      System
Source: NPS
Date: 19/08/2009 12:39:56
Event ID: 4402
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: RDG Server's FQDN

Description:
There is no domain controller available for domain MYDOMAIN.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NPS" />
<EventID Qualifiers="49152">4402</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-19T11:39:56.000000000Z" />
<EventRecordID>1518</EventRecordID>
<Channel>System</Channel>
<Computer>RDG Server's FQDN</Computer>
<Security />
</System>
<EventData>
<Data>MYDOMAIN</Data>
</EventData>
</Event>

Terminal Services Gateway Log
Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source: Microsoft-Windows-TerminalServices-Gateway
Date: 19/08/2009 12:39:56
Event ID: 201
Task Category: (2)
Level: Error
Keywords: Audit Failure,(16777216)
User: NETWORK SERVICE
Computer: RDG Server's FQDN

Description:

The user "MYDOMAIN\USER", on client computer "X.X.X.X", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The following authentication method was attempted: "NTLM". The following error occurred: "23003".

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" />
<EventID>201</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>2</Task>
<Opcode>30</Opcode>
<Keywords>0x4010000001000000</Keywords>
<TimeCreated SystemTime="YYYY-MM-DDTHH:MM:SS.739609200Z" />
<EventRecordID>19</EventRecordID>
<Correlation />
<Execution ProcessID="4612" ThreadID="5296" />
<Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
<Computer>RDSGBLND01.MYDOMAIN.internal</Computer>
<Security UserID="S-1-5-20" />
</System>
<UserData>
<EventInfo xmlns="aag">
<Username>MYDOMAIN\USER</Username>
<IpAddress>192.168.0.189</IpAddress>
<AuthType>NTLM</AuthType>
<Resource>
</Resource>
<ErrorCode>23003</ErrorCode>
</EventInfo>
</UserData>
</Event>
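
The three events above are written to three different logs, which makes the reason code easy to miss. The following script is an added example, not part of the original post: it reads Security event 6274, System event 4402 (source NPS) and event 201 from the TerminalServices-Gateway operational log on the RD Gateway host, lists them in one timeline, and extracts the 6274 reason code and account domain directly from the event XML (the `Data Name="ReasonCode"` and `FullyQualifiedSubjectUserName` fields shown above). It assumes an elevated PowerShell session on the gateway, which also runs NPS; `$Server` and `$Hours` are illustrative parameters.

```powershell
# Added example: not part of the original post. Collects the three events the
# post describes from an RD Gateway / NPS host and prints one timeline.
# Assumptions: elevated PowerShell (the Security log needs administrator rights);
# $Server and $Hours are illustrative parameters.
param(
    [string]$Server = 'localhost',   # RD Gateway host that also runs NPS
    [int]$Hours     = 24             # how far back to look
)
$since = (Get-Date).AddHours(-$Hours)

# Turns the <EventData><Data Name="..."> block of an event into a hashtable.
function Get-EventDataMap([System.Diagnostics.Eventing.Reader.EventRecord]$Record) {
    $map = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-Events([hashtable]$Filter) {
    $Filter['StartTime'] = $since
    # Get-WinEvent throws when nothing matches; treat "no events" as empty.
    Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction SilentlyContinue
}

$rows = @()

# 1) Security log 6274: NPS discarded the request. ReasonCode 5 is the
#    "unable to connect to a domain controller" case shown in the post.
foreach ($e in Get-Events @{ LogName = 'Security'; Id = 6274 }) {
    $d = Get-EventDataMap $e
    $rows += [pscustomobject]@{
        Time   = $e.TimeCreated; Source = 'Security 6274'
        User   = $d['FullyQualifiedSubjectUserName']
        Client = $d['SubjectMachineName']
        Code   = $d['ReasonCode']
        Detail = "$($d['ProxyPolicyName']) via $($d['AuthenticationServer']): $($d['Reason'])"
    }
}

# 2) System log NPS 4402: "There is no domain controller available for domain X".
foreach ($e in Get-Events @{ LogName = 'System'; ProviderName = 'NPS'; Id = 4402 }) {
    $rows += [pscustomobject]@{
        Time = $e.TimeCreated; Source = 'System 4402'; User = '-'; Client = '-'; Code = '-'
        Detail = $e.Message
    }
}

# 3) Gateway operational log 201: the CAP rejection (error 23003 in the post).
foreach ($e in Get-Events @{ LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; Id = 201 }) {
    $i = ([xml]$e.ToXml()).Event.UserData.EventInfo
    $rows += [pscustomobject]@{
        Time = $e.TimeCreated; Source = 'RDG 201'
        User = $i.Username; Client = $i.IpAddress; Code = $i.ErrorCode
        Detail = "CAP rejected, auth type $($i.AuthType)"
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize -Wrap

# Account domains for which NPS could not reach a DC: these are the domains whose
# "RAS and IAS Servers" group must contain the gateway (see Resolution below).
$rows | Where-Object { $_.Source -eq 'Security 6274' -and $_.Code -eq '5' } |
    ForEach-Object { ($_.User -split '\\')[0] } | Sort-Object -Unique |
    ForEach-Object { "NPS could not reach a DC for account domain: $_" }
```

The final summary is what distinguishes the two situations: if the only domain listed is the gateway's own, you are in Situation A; if child or peer domains appear, you are in Situation B and the fix has to be applied in each of those domains.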

Resolution

Refer to the two situations described above; the solution depends on which one applies.

Situation A

(If a user from the Remote Desktop Gateway's own domain has the issue)

Solution 1

Register the NPS server in Active Directory:

  1. In Server Manager, browse to the following location: Roles\Network Policy and Access Services\NPS (Local).
  2. Right click on the NPS (Local) node and choose Register server in Active Directory.
  3. Click OK to authorize the server when prompted.

Solution 2

  1. Open Active Directory Users and Computers on any Domain Controller of the same domain as the Remote Desktop Gateway.
  2. Add the Computer Name of the Remote Desktop Gateway to the RAS and IAS Servers group.

Situation B

(If a user from a child domain, a peer (same-level) domain, or a parent domain has the issue)

  1. Open Active Directory Users and Computers on any Domain Controller of the remote domain to which the users belong.
  2. Add the Computer Name of the Remote Desktop Gateway to the RAS and IAS Servers group.
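
Both situations come down to the same check: is the gateway's computer account a member of "RAS and IAS Servers" in the domain that owns the failing user accounts? The script below is an added example, not part of the original post, that performs that check with the ActiveDirectory PowerShell module and, with `-Fix`, applies Solution 2 (or the Situation B step) against a domain controller of each listed domain. It assumes the RSAT ActiveDirectory module is installed, that the caller has rights to read and, with `-Fix`, modify the group in each target domain, and that the computer and domain names (taken from the placeholders in the events above) are replaced with your own.

```powershell
# Added example: not part of the original post. For each domain whose users hit
# the error, checks that the RD Gateway computer account is a member of that
# domain's "RAS and IAS Servers" group and adds it when -Fix is given.
# Assumptions: RSAT ActiveDirectory module installed; the caller can read (and,
# with -Fix, change) the group in each target domain; names are placeholders.
param(
    [string]$GatewayComputer = 'RDSGBLND01',            # gateway host name (placeholder from the events)
    [string]$GatewayDomain   = 'mydomain.internal',     # domain the gateway belongs to (Situation A)
    [string[]]$UserDomain    = @('mydomain.internal'),  # add child/peer/parent domains for Situation B
    [switch]$Fix
)
Import-Module ActiveDirectory -ErrorAction Stop

# Look the gateway up in its own domain; its SID and DN identify it in the
# member lists of groups in other domains.
$gw = Get-ADComputer -Identity $GatewayComputer -Server $GatewayDomain

foreach ($dom in $UserDomain) {
    # "RAS and IAS Servers" is a built-in domain local group (well-known RID 553),
    # so it must be queried through a DC of the target domain, not the gateway's.
    $group = Get-ADGroup -Identity 'RAS and IAS Servers' -Server $dom -Properties member

    # Inside one forest the member entry is the computer's own DN; across a
    # forest trust it is a foreign security principal named by the gateway's SID.
    $isMember = @($group.member | Where-Object {
        $_ -eq $gw.DistinguishedName -or
        $_ -like "CN=$($gw.SID.Value),CN=ForeignSecurityPrincipals,*"
    }).Count -gt 0

    if ($isMember) {
        Write-Output "OK: $($gw.Name)`$ is in '$($group.Name)' of $dom"
    } elseif ($Fix) {
        # Pass the computer object (not a bare name) so the target DC can resolve
        # a principal from another domain.
        Add-ADGroupMember -Identity $group -Members $gw -Server $dom
        Write-Output "FIXED: added $($gw.Name)`$ to '$($group.Name)' of $dom"
    } else {
        Write-Output "MISSING: $($gw.Name)`$ is not in '$($group.Name)' of $dom (re-run with -Fix)"
    }
}
```

Solution 1 is the same operation done from the NPS side: registering the server in Active Directory adds its computer account to "RAS and IAS Servers" in its own domain, and can also be done from the gateway with `netsh nps add registeredserver`. Membership is evaluated when the gateway's Kerberos ticket is built, so, as one of the comments below notes, the change may not take effect until the gateway is restarted.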

- Prathabacimman Mohan

  • Yes, that's it!

    >>Add the Computer Name of the Remote Desktop Gateway >>to the RAS and IAS Servers group.

    Thank you very much for this entry! ;-)

    Best regards

    Dani

  • I get the same error but in my scenario I have users from a different forest/domain that our domain is trusting that get this error when trying to connect through the RD Gateway.  It is currently a one-way trust and not likely to change.

    In our case things were working fine for accounts in our domain as well as the trusted domain and then things suddenly stopped for the trusted domain users.  Users in our domain have no problem connecting.

  • Excellent blog, just what I was looking for, thank you

  • Solution 2 fixed this for our 2008x64R2 RD Gateway in 2008 Domain.  Thanks!!

  • After registering the NPS server in Active Directory, the change won't take effect until you restart the Remote Desktop Gateway computer.