Remote Desktop Gateway and Active Directory User Profiles


Hello All! It’s Brett Crane from the Networking teams here at Microsoft. I want to take just a moment to talk about Remote Desktop Gateway (called Terminal Services Gateway before the release of Windows Server 2008 R2) and the use of the “Log on to…” option in an Active Directory user account’s properties (see Example 1.1 below).

Example 1.1 (image not preserved): the “Log on to…” option in an Active Directory user account

I have seen an increase in the number of incoming calls to us from customers who use this option to restrict logons in the internal domain and are trying to set up Gateway for users in their environment. I need to be clear in stating that you are NOT able to use this option and Remote Desktop Gateway (or TS Gateway in Windows Server 2008) at the same time.

So you ask…

“What behaviors will I see if I try using both?”

“How can I tell if this is what is causing my problem and not another issue that has the same symptom?”

Well… these are two great questions and here are your answers:

First, “What behaviors will I see if I try using both?” Simple enough: your clients will be prompted for credentials over and over without ever being able to reach the internal environment through the Gateway. They will not receive any error message whatsoever.

Second question, “How can I tell if this is what is causing my problem and not another issue that has the same symptom?” Here are the steps you can use to troubleshoot this on your Gateway server.

Note: the Gateway server itself will not log anything that shows a problem while you reproduce the behavior described above on your client, which is why the Netlogon log is needed.

  1. Configure Netlogon logging on your Gateway server. You can use the following KB article to assist in this process: 109626 - Enabling debug logging for the Net Logon service
  2. Reproduce the continuous credential prompting behavior on your test client.
  3. Open the Netlogon.log that was created as described in step 1 above.
  4. Search for the following hexadecimal value: 0xC0000070. If you find it, you are running into the behavior described in this article. The log entries should look similar to the following example:

12/08 14:13:57 [LOGON] <Domain_Name>: SamLogon: Network logon of <Domain>\<User_Name> from <Client_Physical_Machine_Name> Entered

12/08 14:13:57 [LOGON] <Domain_Name>: SamLogon: Network logon of <Domain>\<User_Name> from <Client_Physical_Machine_Name> Returns 0xC0000070

Note: if you install the “Microsoft Exchange Server Error Code Look-up” tool (err.exe; it can be downloaded from this link: http://www.microsoft.com/downloads/details.aspx?FamilyId=BE596899-7BB8-4208-B7FC-09E02A13696C&displaylang=en) and run the return code above through it, you will see that it resolves to the error shown in Example 1.2 below:

Example 1.2 (image not preserved): err.exe output for return code 0xC0000070
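To make step 4 repeatable on a large Netlogon.log, here is an added Python example (not from the original post) that extracts the SamLogon “Returns” lines and reports which accounts were refused with 0xC0000070. The log excerpt and the CONTOSO account and workstation names are constructed for the example; STATUS_INVALID_WORKSTATION is the standard NTSTATUS name for that value.

```python
import re
from collections import Counter

# Constructed sample Netlogon.log excerpt in the format quoted in the post, with
# the post's placeholders replaced by made-up names. 0xC0000070 is the NTSTATUS
# value STATUS_INVALID_WORKSTATION: the account's "Log on to..." list does not
# allow a logon from that source. The other two codes are included for contrast.
SAMPLE_NETLOGON_LOG = """\
12/08 14:13:57 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WS-ALICE Entered
12/08 14:13:57 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WS-ALICE Returns 0xC0000070
12/08 14:14:02 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WS-BOB Entered
12/08 14:14:02 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WS-BOB Returns 0xC000006A
12/08 14:14:10 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WS-ALICE Returns 0xC0000070
12/08 14:14:30 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\carol from WS-CAROL Returns 0x0
"""

STATUS_INVALID_WORKSTATION = 0xC0000070  # "Log on to..." restriction refused the logon

# Only "Returns" lines carry a result; the matching "Entered" lines are ignored.
RETURN_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<dc_domain>[^:]+): "
    r"SamLogon: Network logon of (?P<account>\S+) from (?P<client>\S+) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def parse_returns(log_text):
    """Yield one dict per SamLogon 'Returns' line, with status converted to an int."""
    for line in log_text.splitlines():
        m = RETURN_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"], 16)
            yield rec

def workstation_restricted_logons(log_text):
    """Return the records whose logon was refused because of a 'Log on to...' restriction."""
    return [r for r in parse_returns(log_text) if r["status"] == STATUS_INVALID_WORKSTATION]

def affected_accounts(log_text):
    """Count 0xC0000070 refusals per account: these are the accounts whose
    'Log on to...' setting must be changed to 'All Computers' for Gateway use."""
    return Counter(r["account"] for r in workstation_restricted_logons(log_text))

if __name__ == "__main__":
    for account, n in affected_accounts(SAMPLE_NETLOGON_LOG).items():
        print(f"{account}: {n} logon(s) refused with 0xC0000070")
```

Other failure codes on the same line (the constructed 0xC000006A entry, for instance) are exactly the "same symptom, different cause" cases the second question asks about, and they are left out of the count.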

At this point you have to determine which is more important to your environment: Gateway services or the “Log on to…” setting in the user accounts. Please keep in mind that there are always other ways to administer internal security so that users can only log on to specific machines. If you choose to use the Gateway services, all you need to do is set the “Log on to…” setting to “All Computers” for every user who will use the Gateway to access your environment (as seen in Example 1.3 below). Those users will then be able to access the environment properly.

Example 1.3 (image not preserved): the “Log on to…” setting changed to “All Computers”

I hope the information I have provided here proves to be useful! Until next time… Safe Computing!

-Brett Crane

  • "Please keep in mind that there are always other ways to administer internal security so that users can only log on to specific machines."

    What "other ways" do you suggest?

  • Will it work properly if I add the name of the TS Gateway machine to Logon Workstations?

  • What happens if you add the Gateway server to the list of allowed workstations in the user’s AD account? Would that work? Can you provide more detail about why the Gateway doesn't work with the “Log on to…” feature?