Event ID 511 — RD Gateway Server Configuration
Applies To: Windows Server 2008 R2
For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.
|Product:||Windows Operating System|
|Message:||The central connection authorization policy store could not be enabled. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and resolve any network connectivity issues.|
Ensure that the correct central NPS server is specified
To resolve this issue, ensure that the correct central Network Policy Server (NPS) is specified in Remote Desktop Gateway Manager. If necessary, identify and fix network connectivity issues between the RD Gateway server and the NPS server.
Ensure that the correct central NPS server is specified
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To ensure that the correct central NPS server is specified:
- Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.
- In the console tree, click to select the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.
- In the console tree, expand Policies, and then click Central Network Policy Servers.
- On the Action menu, click Configure Central RD CAP.
- On the RD CAP Store tab, check whether the correct NPS server is listed. If the correct NPS server is listed, proceed to the "Fix network connectivity issues" section later in this topic. If the correct NPS server is not listed, click the name of the NPS server, and then click Remove Server running NPS.
- Type the name or IP address of the correct central NPS server, and then click Add.
- In the Shared Secret dialog box, in the Enter a new shared secret box, type the shared secret.
- Click OK to close the Shared Secret dialog box, and then click OK to close the Remote Desktop Gateway server Properties dialog box.
- The new central RD CAP store (central NPS server) that you specified appears in the Remote Desktop Gateway Manager results pane.
Fix network connectivity issues
Network connectivity issues might prevent the RD Gateway server from communicating with a central Network Policy Server.
Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before performing these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command. If ICMP traffic is not allowed in your environment and you cannot make a temporary exception for this traffic for troubleshooting purposes, skip the steps that involve using ping.
By using ping to perform basic troubleshooting, you can determine whether there is a network connectivity, firewall configuration, or DNS host name resolution issue.
If you can ping the NPS server by IP address but not by fully qualified domain name (FQDN), this indicates an issue with DNS host name resolution. For DNS troubleshooting steps, see "Determine whether DNS servers are accessible" later in this topic.
If you cannot ping the NPS server by IP address, this indicates a network connectivity issue or firewall configuration issue. To identify and resolve the issue, perform the following additional troubleshooting steps:
- On the RD Gateway server, ping other computers in the network to help isolate the network connectivity issue.
- If you can ping other servers but not the NPS server, try to ping the NPS server from another computer. If you cannot ping the NPS server from any computer, check the network settings on the NPS server.
- Check the TCP/IP settings on the local computer:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type ipconfig /all, and then press ENTER.
- Make sure that the information listed is correct.
- Check whether you can ping the local IP address, the default gateway, and the DNS servers.
- Ping the loopback address of localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
- If pinging the loopback address works, but you cannot ping the local IP address, there may be an issue with the routing table or with the network adapter driver.
- If the NPS server is in a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this indicates a potential problem with the network adapter, the router or gateway device, cabling, or other connectivity hardware.
- Check the Event Viewer for any error messages.
- In Device Manager, check the status of the network adapter.
- Check network connectivity indicator lights at the server and at the hub or router.
- Check network cabling.
Determine whether DNS servers are accessible
To determine whether DNS servers are configured and accessible:
- On the RD Gateway server, click Start, click Run, type cmd , and then click OK.
- At a command prompt, type ipconfig /all, and then press ENTER.
- In the results, make sure that DNS servers are listed, and that the IP addresses of the DNS servers are correct.
- Ping the listed DNS servers to determine whether they are accessible.
- If you cannot ping the DNS server, make sure that the DNS server is running. You can also test connectivity from other hosts in your network to help isolate the issue. If the DNS server responds to IP address ping requests but does not resolve host names, make sure that the DNS Server service is running on the DNS server.
To verify that the RD Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.
To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To verify that the RD Gateway server is configured correctly:
- On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
- In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
- Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
- Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
- Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.