Remote Desktop Gateway client fails authentication with “Your user account is not authorized to access the RD Gateway”

Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2 that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

Refer the following links to learn more on Remote Desktop Gateway and for a step-by-step guide on deploying Remote Desktop Gateway

http://technet.microsoft.com/en-us/library/dd560672(WS.10).aspx

http://www.microsoft.com/downloads/details.aspx?familyid=6D146124-E850-4CEC-9EFA-33A5225E155D&displaylang=en

There were a few instances where our customers reported that Remote Desktop Gateway users are getting the error “Your user account is not authorized to access the RD Gateway”

There are 2 situations where a user may get the errors mentioned below:

Situation A - This error may occur for the user account that belongs to the same domain as Remote Desktop Gateway
Situation B – While user accounts from the same domain's (where Remote Desktop Gateway is located) have no issue, users from a child domain or a peer domain (within the same tree or forest) receive the error

Different error messages are reported based on the Remote Desktop Connection client version.

Remote Desktop Connection (RDC) 7.0 client

Remote Desktop can’t connect to the remote computer "<End Resource Name>" for one of these reasons:

1) Your user account is not authorized to access the RD Gateway "<RD Gateway Server Name>"
2) Your computer is not authorized to access the RD Gateway "<RD Gateway Server Name>"
3) You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)

Remote Desktop Connection (RDC) 6.1

Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS Gateway, possibly due to one of the following reasons:

You do not have permission to connect to the TS Gateway server.
You used password authentication but the TS Gateway server is expecting smart card authentication (or vice versa).

Note:

You may get the same error message irrespective of using the RDC Client (MSTSC) or the “Remote Desktop Web Access” (Under the “Remote Desktop” tab).

You may see the following events (any or all) getting logged

Security Log

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          Date Time
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      RDG Server FQDN

Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   NULL SID
 Account Name:   MYDOMAIN\USER
 Account Domain:   MYDOMAIN
 Fully Qualified Account Name: MYDOMAIN\USER

Client Machine:
 Security ID:   NULL SID
 Account Name:   Client machine's FQDN
 Fully Qualified Account Name: MYDOMAIN\WSDGBLND035$
 OS-Version:   -
 Called Station Identifier:  UserAuthType:PW
 Calling Station Identifier:  -

NAS:
 NAS IPv4 Address:  -
 NAS IPv6 Address:  -
 NAS Identifier:   -
 NAS Port-Type:   Virtual
 NAS Port:   -

RADIUS Client:
 Client Friendly Name:  -
 Client IP Address:   -

Authentication Details:
 Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  NPS Server's FQDN
 Authentication Type:  Unauthenticated
 EAP Type:   -
 Account Session Identifier:  -
 Reason Code:   5
 Reason:    The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6274</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="YYYY-MM-DDTHH:MM:SS.739609200Z" />
    <EventRecordID>1463</EventRecordID>
    <Correlation />
    <Execution ProcessID="528" ThreadID="5748" />
    <Channel>Security</Channel>
    <Computer>RDG Server's FQDN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">MYDOMAIN\USER</Data>
    <Data Name="SubjectDomainName">MYDOMAIN</Data>
    <Data Name="FullyQualifiedSubjectUserName">MYDOMAIN\USER</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">WSDGBLND035.mydomain.internal</Data>
    <Data Name="FullyQualifiedSubjectMachineName">MYDOMAIN\WSDGBLND035$</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">UserAuthType:PW</Data>
    <Data Name="CallingStationID">-</Data>
    <Data Name="NASIPv4Address">-</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">-</Data>
    <Data Name="NASPortType">Virtual</Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">TS GATEWAY AUTHORIZATION POLICY</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">RDSGBLND01.mydomain.internal</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">5</Data>
    <Data Name="Reason">The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.</Data>
  </EventData>
</Event>

System Log

Log Name:      System
Source:        NPS
Date:          19/08/2009 12:39:56
Event ID:      4402
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      RDG Server's FQDN

Description:
There is no domain controller available for domain MYDOMAIN.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NPS" />
    <EventID Qualifiers="49152">4402</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-08-19T11:39:56.000000000Z" />
    <EventRecordID>1518</EventRecordID>
    <Channel>System</Channel>
    <Computer>RDG Server's FQDN</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MYDOMAIN</Data>
  </EventData>
</Event>

Terminal Services Gateway Log

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          19/08/2009 12:39:56
Event ID:      201
Task Category: (2)
Level:         Error
Keywords:      Audit Failure,(16777216)
User:          NETWORK SERVICE
Computer:      RDG Server's FQDN

Description:

The user "MYDOMAIN\USER", on client computer "X.X.X.X", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The following authentication method was attempted: "NTLM". The following error occurred: "23003".

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" />
    <EventID>201</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>2</Task>
    <Opcode>30</Opcode>
    <Keywords>0x4010000001000000</Keywords>
    <TimeCreated SystemTime="YYYY-MM-DDTHH:MM:SS.739609200Z" />
    <EventRecordID>19</EventRecordID>
    <Correlation />
    <Execution ProcessID="4612" ThreadID="5296" />
    <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
    <Computer>RDSGBLND01.MYDOMAIN.internal</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <EventInfo xmlns="aag">
      <Username>MYDOMAIN\USER</Username>
      <IpAddress>192.168.0.189</IpAddress>
      <AuthType>NTLM</AuthType>
      <Resource>
      </Resource>
      <ErrorCode>23003</ErrorCode>
    </EventInfo>
  </UserData>
</Event>

Resolution

Please refer the 2 situations discussed above. The solution differs dependent on the particular situation.

Situation A

(If a user from the Remote Desktop Gateway domain's user has an issue)

Solution 1

In Server Manager, browse to the following location: Roles\Network Policy and Access Services\NPS (Local).
Right click on the NPS (Local) node and choose Register server in Active Directory.
Click OK to authorize the server when prompted.

Solution 2

Open Active Directory Users and Computers on any Domain Controller of the same domain as the Remote Desktop Gateway.
Add the Computer Name of the Remote Desktop Gateway to the RAS and IAS Servers group.

Situation B

(If a user from a child domain or same level domain or parent domain has an issue)

Open Active Directory Users and Computers on any Domain Controller from the remote domain in which the users belong to.
Add the Computer Name of the Remote Desktop Gateway to the RAS and IAS Servers group.

- Prathabacimman Mohan

Networking Blog

Gratuitous ARP and DAD in Windows XP, Windows 7/Vista, Windows 8 and Failover Cluster

Deployment: Windows Firewall and Group Policy

The Network Connection Status Icon

Understanding IPv6, 3rd Edition has been published!