Event ID 2004 — RD Gateway Server Configuration

  • Article

Applies To: Windows Server 2008 R2

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.

Event Details

Product: Windows Operating System
ID: 2004
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EXPORT_FAILED
Message: The policy and server configuration settings for the RD Gateway server "%1" could not be exported. The following error occurred: "%2".

Resolve

Ensure that the required permissions are granted to the Core registry key, and if needed, delete and recreate RD RAPs and RD CAPs

To resolve this issue, ensure that the required permissions are granted to the Core registry key. If the problem persists, you might have to delete and recreate the Remote Desktop resource authorization policies (RD RAPs) and the Remote Desktop connection authorization policies (RD CAPs) on the RD Gateway server.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Grant the required permissions to the Core registry key

Caution:  Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To grant the required permissions to the Core registry key:

  1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core subkey, right-click the subkey, and then click Permissions.
  3. In the Permissions for Core dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
  4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.
  5. Click OK.
  6. Try exporting the policy and configuration settings again.
  7. If the export is successful, the rest of the resolution steps in this topic do not apply.

If granting the required permissions to the Core registry key does not resolve the problem, try deleting and then recreating the RD RAPs and the RD CAPs on the RD Gateway server.

Delete and recreate the RD RAPs on the RD Gateway server

Note: After you rename rap.xml and restart Remote Desktop Gateway Manager, no RD RAPs will appear, so you must reconfigure the RD RAP settings.

To back up and delete rap.xml and then open the Remote Desktop Gateway Manager console:

  1. Navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the folder in which Windows is installed.
  2. Save a backup copy of rap.xml by renaming rap.xml to rapbak.xml.
  3. Delete rap.xml.
  4. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  5. Reconfigure the RD RAP settings as needed.
  6. Try exporting the policy and configuration settings again.

Delete and recreate the RD CAPs on the Remote Desktop Gateway server

If backing up and removing the current copy of Rap.xml and recreating the RD RAP settings does not resolve the problem, try renaming IAS.xml to IASbak.xml, and then starting Remote Desktop Gateway Manager. Opening the console will create a new IAS.xml file.

Note: After you rename IAS.xml and restart Remote Desktop Gateway Manager, no RD CAPs will appear, so you must reconfigure the RD CAP settings.

To back up and delete IAS.xml and then open Remote Desktop Gateway Manager:

  1. Navigate to %windir%\System32\ias\ias.xml, where %windir% is the folder in which Windows is installed.
  2. Save a backup copy of IAS.xml by renaming IAS.xml to IASbak.xml.
  3. Delete IAS.xml.
  4. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
  5. Reconfigure the RD CAP settings as needed.
  6. Try exporting the policy and configuration settings again.

Verify

To verify that the RD Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the RD Gateway server is configured correctly:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.

RD Gateway Server Configuration

Remote Desktop Services