Sha1I-4368 asked

RD Gateway Event Viewer Logs do not show the TS-Gateway Logs

Hi, so I have a Server 2019 DC RD Gateway Server in production that seems to be having some issues with logging anything that is being audited by the RD Gateway Manager. For example, I have turned on all the auditing options within the RD Gateway Manager and I can see the traffic coming in via the 'monitoring' tab. However, those sessions are not being logged by Event Viewer under 'TerminalServices-Gateway'. I should mention that this is a brand new build and the old Gateway was simply migrated over to this one as an upgrade path from Server 2016 to Server 2019. Any assistance on this would be great.


Hi Sha1I-4368,

1. Do you use a local server running NPS or a central server running NPS?


Hi, the gateway server is running NPS locally.

JiaYou-MSFT answered

Hi Sha1I-4368,

2. When the user remotely accesses the RD Session Host server through the RD Gateway server, there is a log recorded in Microsoft-Windows-TerminalServices-Gateway like below:

The description for Event ID 205 from source Microsoft-Windows-TerminalServices-Gateway cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

or there is nothing recorded in Microsoft-Windows-TerminalServices-Gateway-operational

3. Please check that the RD Gateway related ports aren't blocked by Windows Firewall and a hardware firewall.

Remote Desktop Gateway
https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx

4. Is the problematic RD Gateway server in a DMZ?

5. Could you please enter the command below on the problematic RD Gateway server, then check how many policies are applied on this RD Gateway server?
gpresult /h c:\rdgateway.html

6. Did your new problematic W2019 gateway server work fine (recording logs in Microsoft-Windows-TerminalServices-Gateway-operational correctly) before?



Hi JiaYou-MSFT, thanks for the response. That exact location you mentioned under "TerminalServices-Gateway" is exactly where I was looking as well. I don't have any 205 or 302 Event IDs being generated even though there are multiple users logging in. I'm going to go through and check all the firewall rules and make sure, but my assumption was that when the RD Gateway services are added, those rules are automatically put in place. The server itself is not in a DMZ per se, but it is behind 2 firewalls, and the server is still accessible from the outside. Lastly, after running that report, we have 9 group policies applied on the server. Since it is a restricted environment, I am not at liberty to say what specifically. But if you think it's somehow related, let me know. Lastly, our previous Server 2016 was logging correctly without any issues and with the same exact policies applied to it. That's what is a bit confusing to me.


Hi Sha1I-4368,

7. In general, there is no additional policy applied to RD Gateway, so I think we can build a test RDS environment and apply the 9 policies on a test RD Gateway server, then check if the issue also happens on the test RD Gateway server?

server 2019
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019

8. Please restart the RD Gateway service on the problematic RD Gateway server, then check if the same event logs are recorded as in the picture below?

Hi Sha1I-4368,

Is there any progress on your question?


Hey JiaYou-MSFT, sorry, been a bit tied up lately. I have tried just about everything you mentioned with the exception of building a test RDS environment with a test gateway server. Since we don't have a dev environment, that is much harder to accomplish. However, the team I work with agrees that it may be a group policy that is causing this issue, because it looks like the Gateway server was logging things to the Microsoft-Windows-TerminalServices-Gateway portion of Event Viewer before we joined that server to the domain. I have a feeling this could be caused by the FIPS policies we have applied on the domain. This one to be exact: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. We will plan to test this soon and will let you know what progress we make, but at this point it seems that a group policy is the culprit here.

0 Votes 0 ·
Show more comments
BorisGARCIA-5104 avatar image
0 Votes"
BorisGARCIA-5104 answered

We have a gateway that shut down on the March 11 weekend.
Several different error codes appeared:
"Your data gateway is offline or could not be reached."
We logged a ticket with the Microsoft Power BI team to check on this issue and we have got a confirmation that the gateway restarted on the 11th of March 2022. {Attached screenshot for your reference}
We had checked the event logs in the gateway machine but we couldn't find the gateway restarted logs on the particular date and time. We need your help on this.


JohnReam-2643 answered

Any update on this? Possible missing Event Log entries from RD Gateway. Do FAILED login password attempts get recorded in Microsoft-Windows-TerminalServices-Gateway-Operational?

We have been intentionally trying bad passwords and Usernames but no Event Log Entries are created?? Where are the Login FAILURE Event Log entries?

In our RD host server's RD Gateway Manager, Properties, Auditing. We have ALL of the Auditing options checked. Yes, both Roles same host.

We do see entries occurring perfectly fine in Microsoft-Windows-TerminalServices-Gateway-Operational for
312 The user "Me", on client computer "n.n.n.n", has initiated an outbound connection. This connection may not be authenticated yet.
200 The user "Me", on client computer "n.n.n.n", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server.

Any hints would surely be appreciated.
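
A read-only diagnostic for the symptom discussed in this thread, added here as an example and not posted by any participant. It checks whether the gateway's operational channel is enabled and writable, counts the event IDs the posters mention (200, 205, 302, 312), and reads the FIPS policy flag; the channel path, the `TSGateway` service name, the registry location and the 24-hour window are assumptions not stated in the thread.

```powershell
# Added example: read-only checks for an RD Gateway that is not writing audit events.
# Assumptions (not stated in the thread): the channel path, the TSGateway service
# name, the FIPS registry location, and the 24-hour look-back window.
$Channel  = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$EventIds = 200, 205, 302, 312          # IDs quoted by the posters above
$Since    = (Get-Date).AddHours(-24)

# 1. Is the gateway service present and running?
$svc = Get-Service -Name 'TSGateway' -ErrorAction SilentlyContinue

# 2. Is the channel present, enabled, and able to accept new records?
$log = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue

# 3. How many of the expected audit events were written recently?
$counts = foreach ($id in $EventIds) {
    $n = 0
    if ($log) {
        $filter = @{ LogName = $Channel; Id = $id; StartTime = $Since }
        # Get-WinEvent raises an error when nothing matches, so suppress it and count.
        $n = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]@{ EventId = $id; Last24h = $n }
}

# 4. Is the FIPS policy the original poster suspects actually in effect?
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

[pscustomobject]@{
    ServiceStatus  = if ($svc) { $svc.Status } else { 'TSGateway not found' }
    ChannelFound   = [bool]$log
    ChannelEnabled = if ($log) { $log.IsEnabled } else { $null }
    LogMode        = if ($log) { $log.LogMode } else { $null }
    MaxSizeBytes   = if ($log) { $log.MaximumSizeInBytes } else { $null }
    RecordCount    = if ($log) { $log.RecordCount } else { $null }
    FipsEnabled    = ($fips -eq 1)
} | Format-List

$counts | Format-Table -AutoSize
```

Run it in an elevated session on the gateway. Capturing the output before and after a domain join or policy change gives a direct comparison for the group-policy theory raised above.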







