Event ID 305 — RD Gateway Server Connections

  • Article

Applies To: Windows Server 2008 R2

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, clients must meet the conditions specified in at least one Remote Desktop connection authorization policy (RD CAP) and Remote Desktop resource authorization policy (RD RAP). RD CAPs specify who can connect to an RD Gateway server and the authentication method that must be used. RD RAPs specify the computers that clients can connect to through an RD Gateway server.

Note: A limit can be set on the RD Gateway server to restrict the maximum number of simultaneous client connections.

Event Details

Product: Windows Operating System
ID: 305
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_USER_ACCESS_DENIED
Message: The user "%1", on client computer "%2", was not authorized to connect to this RD Gateway server because the authentication method attempted by the user is not supported. The following authentication method was attempted. "%3". The following error occurred: "%5".

Resolve

Ensure that the RD Gateway server supports the authentication methods that are supported for clients

To resolve this issue, ensure that the RD Gateway server is configured correctly to support the authentication methods that are being supported for clients. If the RD Gateway server is not configured correctly, do one of the following:

  • Use Remote Desktop Gateway Manager to change the authentication method required for the RD Gateway server to match the authentication method used by the client. For more information, see "Change the authentication method required for the RD Gateway server by using Remote Desktop Gateway Manager."
  • Use Group Policy to change the authentication method used by the client to connect to the RD Gateway server. For more information, see "Change the authentication method used by the client to connect to the RD Gateway server by using Group Policy."

For an example of how authentication settings for the RD Gateway server and the client might be misconfigured, see "Example of misconfiguration between RD Gateway server authentication settings and client authentication settings" later in this topic.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Change the authentication method required for the RD Gateway server by using Remote Desktop Gateway Manager

To change the authentication method required for the RD Gateway server by using Remote Desktop Gateway Manager:

  1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  2. In the console tree, click to select the node that represents the RD Gateway server, which is named for the computer on which the RD Gateway server is running.
  3. In the console tree, expand Policies, and then click Connection Authorization Policies.
  4. Right-click the Connection Authorization Policies folder.
  5. In the console tree, in the list of Remote Desktop connection authorization policies (RD CAPs), right-click the RD CAP for which you want to change the authentication method, and then click Properties. If you are unsure as to which RD CAP to select, do the following:
    • On the Requirements tab, under User group membership (required), note the names of the user groups in the list. The user account for the client must be a member of one of these groups. For instructions about how to check membership in Active Directory security groups, see "Check account membership for the client in an Active Directory security group" later in this topic. For instructions about how to check membership in local security groups, see "Check account membership for the client in a local security group" later in this topic.
    • On the same tab, check whether any client computer groups are listed under Client computer group membership (optional). If so, note the names of the computer groups in the list. The computer account for the client must be a member of one of these groups.
  6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes (when both are selected, clients that use either authentication method are allowed to connect):
    • Password
    • Smart card
  7. Click OK.

Change the authentication method used by the client to connect to the RD Gateway server by using Group Policy

Note:  To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.

To change the authentication method used by the client to connect to the RD Gateway server by using Group Policy:

  1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the OU that you want to edit.
  3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
  4. In the right pane, click the Settings tab.
  5. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, and then click RD Gateway.
  6. In the right pane, in the settings list, right-click Set RD Gateway server authentication method, and then click Properties.
  7. On the Settings tab, confirm that Enabled is selected, and then select the authentication method that you want to use. Ensure that the method that you select is compatible with the authentication method that you have configured for the client. For information about each of the authentication methods available in this Group Policy setting, see "Understanding requirements for connecting to a Remote Desktop Gateway server" in the Remote Desktop Gateway Manager Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=178453). The following choices are available:
    • Ask for credentials, use NTLM protocol
    • Ask for credentials, use Basic protocol
    • Use locally logged-on credentials
    • Use smart card
  8. Click OK.

Performing the following procedures does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.

Check account membership for the client in an Active Directory security group

To check account membership for the client in an Active Directory security group:

  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then press ENTER.

  2. In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.

  3. In the details pane, right-click the user name, and then click Properties.

  4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD CAP.

  5. Click OK.

  6. If client computer group membership has also been specified as a requirement in the RD CAP, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer belongs.

  7. In the details pane, right-click the computer name, and then click Properties.

  8. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD CAP.

  9. Click OK.

Check account membership for the client in a local security group

To check account membership for the client in a local security group:

  1. On the RD Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
  2. In the console tree, expand Local Users and Groups, and then click Groups.
  3. In the results pane, locate the local security group that has been created to grant members access to the RD Gateway server (the group name or description should indicate whether the group has been created for this purpose).
  4. Right-click the group name, and then click Properties.
  5. On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the RD CAP.
  6. If client computer group membership has also been specified as a requirement in the RD CAP, on the General tab, confirm that the client computer account is also a member of this group. 
  7. Click OK.

Example of misconfiguration between RD Gateway server authentication settings and client authentication settings

An example of misconfiguration between RD Gateway server authentication settings and client authentication settings would be if the RD Gateway server were configured to support smart card connections when the client has been configured to suppport one of the following authentication methods when connecting to the RD Gateway server:

  • Ask for credentials, use NTLM protocol. This authentication setting requires the user on the client to specify a password. It can be configured by using Group Policy, Remote Desktop Services, or an RDP file.
  • Ask for credentials, use Basic protocol. This authentication setting requires the user on the client to specify a password. It can only be configured by using Group Policy.
  • Use locally logged on credentials. This authentication setting requires the user on the client to specify a password. It can only be configured by using Group Policy.
  • Password. This authentication setting is configured on the RD Gateway server by using Remote Desktop Gateway Manager.

Verify

To verify that RD Gateway server connectivity is working, examine Event Viewer logs and search for the following event messages.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that RD Gateway server connectivity is working:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.

 

RD Gateway Server Connections

Remote Desktop Services