Event ID 305 — TS Gateway Server Connections

Applies To: Windows Server 2008

For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, clients must meet the conditions specified in at least one Terminal Services connection authorization policy (TS CAP) and Terminal Services resource authorization policy (TS RAP). TS CAPs specify who can connect to a TS Gateway server and the authentication method that must be used. TS RAPs specify the computers that clients can connect to through a TS Gateway server. Note that a limit can be set on the TS Gateway server to restrict the maximum number of simultaneous client connections.

Event Details

Product: Windows Operating System
ID: 305
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.0
Symbolic Name: AAG_USER_ACCESS_DENIED
Message: The user "%1", on client computer "%2", was not authorized to connect to this TS Gateway server because the authentication method attempted by the user is not supported. The following authentication method was attempted. "%3". The following error occurred: "%5".

Resolve

Ensure that the TS Gateway server supports the authentication methods that are supported for clients

To resolve this issue, ensure that the TS Gateway server is configured correctly to support the authentication methods that are supported for clients. If the TS Gateway server is not configured correctly, do one of the following:

  • Use TS Gateway Manager to change the authentication method required for the TS Gateway server to match the authentication method used by the client. For more information, see "Change the authentication method required for the TS Gateway server by using TS Gateway Manager."
  • Use Group Policy to change the authentication method used by the client to connect to the TS Gateway server. For more information, see "Change the authentication method used by the client to connect to the TS Gateway server by using Group Policy."

For an example of how authentication settings for the TS Gateway server and the client might be misconfigured, see "Example of misconfiguration between TS Gateway server authentication settings and client authentication settings" later in this topic.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Change the authentication method required for the TS Gateway server by using TS Gateway Manager

To change the authentication method required for the TS Gateway server by using TS Gateway Manager:

  1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
  2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.
  3. In the console tree, expand Policies, and then click Connection Authorization Policies.
  4. Right-click the Connection Authorization Policies folder.
  5. In the console tree, in the list of Terminal Services connection authorization policies (TS CAPs), right-click the TS CAP for which you want to change the authentication method, and then click Properties. If you are unsure as to which TS CAP to select, do the following:
    • On the Requirements tab, under User group membership (required), note the names of the user groups in the list. The user account for the client must be a member of one of these groups. For instructions about how to check membership in Active Directory security groups, see "Check account membership for the client in an Active Directory security group" later in this topic. For instructions about how to check membership in local security groups, see "Check account membership for the client in a local security group" later in this topic.
    • On the same tab, check whether any client computer groups are listed under Client computer group membership (optional). If so, note the names of the computer groups in the list. The computer account for the client must be a member of one of these groups.
  6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes (when both are selected, clients that use either authentication method are allowed to connect):
    • Password
    • Smart card
  7. Click OK.

Change the authentication method used by the client to connect to the TS Gateway server by using Group Policy

Note:  To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.

To change the authentication method used by the client to connect to the TS Gateway server by using Group Policy:

  1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the OU that you want to edit.
  3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
  4. In the right pane, click the Settings tab.
  5. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway.
  6. In the right pane, in the settings list, right-click Set TS Gateway server authentication method, and then click Properties.
  7. On the Settings tab, confirm that Enabled is selected, and then select the authentication method that you want to use. Ensure that the method that you select is compatible with the authentication method that you have configured for the client. For information about each of the authentication methods available in this Group Policy setting, see "Understanding requirements for connecting to a TS Gateway server" in the TS Gateway Manager Help in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=102172). The following choices are available:
    • Ask for credentials, use NTLM protocol
    • Ask for credentials, use Basic protocol
    • Use locally logged-on credentials
    • Use smart card
  8. Click OK.

Performing the following procedures does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.

Check account membership for the client in an Active Directory security group

To check account membership for the client in an Active Directory security group:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then press ENTER.

  2. In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.

  3. In the details pane, right-click the user name, and then click Properties.

  4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS CAP.

  5. Click OK.

  6. If client computer group membership has also been specified as a requirement in the TS CAP, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer belongs.

  7. In the details pane, right-click the computer name, and then click Properties.

  8. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS CAP.

  9. Click OK.

Check account membership for the client in a local security group

To check account membership for the client in a local security group:

  1. On the TS Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
  2. In the console tree, expand Local Users and Groups, and then click Groups.
  3. In the results pane, locate the local security group that has been created to grant members access to the TS Gateway server (the group name or description should indicate whether the group has been created for this purpose).
  4. Right-click the group name, and then click Properties.
  5. On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the TS CAP.
  6. If client computer group membership has also been specified as a requirement in the TS CAP, on the General tab, confirm that the client computer account is also a member of this group. 
  7. Click OK.

Example of misconfiguration between TS Gateway server authentication settings and client authentication settings

An example of misconfiguration between TS Gateway server authentication settings and client authentication settings is a TS Gateway server that is configured to support smart card connections while the client has been configured to support one of the following authentication methods when connecting to the TS Gateway server:

  • Ask for credentials, use NTLM protocol. This authentication setting requires the user on the client to specify a password. It can be configured by using Group Policy, Terminal Services, or an RDP file.
  • Ask for credentials, use Basic protocol. This authentication setting requires the user on the client to specify a password. It can only be configured by using Group Policy.
  • Use locally logged-on credentials. This authentication setting requires the user on the client to specify a password. It can only be configured by using Group Policy.
  • Password. This authentication setting is configured on the TS Gateway server by using TS Gateway Manager.

Verify

To verify that TS Gateway server connectivity is working, examine Event Viewer logs and search for the following event messages.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that TS Gateway server connectivity is working:

  1. On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.
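
The Event ID 305 message template and the Verify events above can also be read from PowerShell instead of Event Viewer. The following is an added example, not part of the original Microsoft topic. It assumes Get-WinEvent (PowerShell 2.0 or later), English message text, and the channel name Microsoft-Windows-TerminalServices-Gateway/Operational; the function name and the sample message values are constructed for illustration.

```powershell
# Added example; the channel name below is an assumption for the log shown in
# Event Viewer under Microsoft\Windows\TerminalServices-Gateway.
$LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

# Built from the Event ID 305 message template on this page (%1, %2, %3, %5).
$Pattern = '(?s)The user "(?<User>[^"]*)", on client computer "(?<Client>[^"]*)".*?' +
           'authentication method was attempted[.:]?\s*"(?<Method>[^"]*)".*?' +
           'error occurred:\s*"(?<ErrorText>[^"]*)"'

function ConvertFrom-Event305Message {
    param([string]$Message)
    if ($Message -match $Pattern) {
        New-Object PSObject -Property @{
            User      = $Matches['User']
            Client    = $Matches['Client']
            Method    = $Matches['Method']
            ErrorText = $Matches['ErrorText']
        }
    }
}

# Constructed sample message (all values are placeholders) to exercise the parser offline.
$sample = 'The user "CONTOSO\user1", on client computer "CLIENT01", was not authorized ' +
          'to connect to this TS Gateway server because the authentication method attempted ' +
          'by the user is not supported. The following authentication method was attempted. ' +
          '"NTLM". The following error occurred: "<error>".'
ConvertFrom-Event305Message $sample | Format-List

# On the TS Gateway server: count denied connections by attempted method, user and client.
# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 305 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-Event305Message $_.Message } |
    Group-Object Method, User, Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# After changing the TS CAP or the Group Policy setting, look for the Verify events:
# 101 (service running), 200 (client connected), 302 (connected to internal resource).
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 101, 200, 302 } -MaxEvents 20 `
        -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The grouped output shows which authentication method the denied clients attempted, which is the value to compare against the Password and Smart card check boxes in the TS CAP.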

 
