Understanding Requirements for Connecting to a TS Gateway Server

Applies To: Windows Server 2008

Users on Terminal Services client computers must meet specific requirements before they can connect to TS Gateway. These requirements include the following:

  • Supported Windows authentication method (required). You can configure the authentication methods that the TS Gateway server allows by using TS Gateway Manager. On clients, you can configure the authentication method to be used to connect to the TS Gateway server by using Group Policy.


A client and the TS Gateway server to which the client connects must have at least one common authentication method, or the client’s attempt to connect to the TS Gateway server will fail.


If you configure the authentication method on the client by using Group Policy, the Group Policy settings for Terminal Services client connections can be applied in one of two ways. These policy settings can either be suggested (that is, they can be enabled, but not enforced) or they can be enabled and enforced. For more information, see Using Group Policy to Manage Client Connections Through TS Gateway.

  • User group membership (required). You configure the user group membership requirement by using TS Gateway Manager.

  • Client computer group membership (optional). You configure the client computer group membership requirement by using TS Gateway Manager.

In TS Gateway Manager, you configure these requirements on the Requirements tab of a Terminal Services connection authorization policy (TS CAP). For more information, see Creating a Terminal Services Connection Authorization Policy.

Supported Windows authentication methods

If you configure the supported Windows authentication method by using TS Gateway Manager, you can specify that a user must use a password or a smart card, or both. If you select both methods, either can be used to connect.

If you configure the supported Windows authentication method by using Group Policy, the following options are available:

  • Ask for credentials, use NTLM protocol (a Windows NT® challenge/response protocol). For information about the NTLM protocol, see Logon and Authentication Technologies (http://go.microsoft.com/fwlink/?LinkId=94215) and Microsoft NTLM (http://go.microsoft.com/fwlink/?LinkId=94216).

  • Ask for credentials, use Basic protocol. The Basic authentication method is a widely used industry-standard method for collecting user name and password information. It is less secure, however, because the passwords are transmitted in Base64-encoded form, not encrypted. For more information, see Basic Authentication (http://go.microsoft.com/fwlink/?LinkId=94217).

  • Use locally logged-on credentials. In this case, the same credentials that users provide to log on to their local computer are used to connect to the TS Gateway server. If you select this option, but users have previously connected to the same TS Gateway server and they have selected the Remember my credentials check box in the TS Gateway Server Settings dialog box on their client computer, their saved credentials are used to connect to the TS Gateway server.

  • Use smart card. Smart cards contain a microcomputer and a small amount of memory, and they provide secure, tamper-proof storage for private keys and X.509 security certificates. A smart card is a form of two-factor authentication that requires the user to have a smart card and know the PIN to gain access to network resources. For more information, see The Secure Access Using Smart Cards Planning Guide (http://go.microsoft.com/fwlink/?LinkId=94218).

If all these credentials are available to users, and if users have specified to save their credentials when connecting to the TS Gateway server, their credentials are used in the following order:

  1. Saved credentials

  2. Locally logged-on credentials

  3. Other password or smart card credentials supplied by the user