Understanding Requirements for Connecting to a Remote Desktop Gateway Server
Updated: March 2, 2011
Applies To: Windows Server 2008 R2
Users on Remote Desktop Services clients must meet specific requirements before they can connect to RD Gateway. These requirements include the following:
- Supported Windows authentication method (required). You can configure the authentication methods that the RD Gateway server will allow by using Remote Desktop Gateway Manager. On clients, you can configure the authentication method to be used to connect to the RD Gateway server by using Group Policy.
  A client and the RD Gateway server to which the client connects must have at least one common authentication method, or the client connection attempt to the RD Gateway server will fail.
  If you configure the authentication method on the client by using Group Policy, keep in mind that Group Policy settings for Remote Desktop Services client connections can be applied in one of two ways. These policy settings can either be suggested (that is, they can be enabled, but not enforced) or they can be enabled and enforced. For more information, see Using Group Policy to Manage Client Connections Through Remote Desktop Gateway.
- User group membership (required). You configure the user group membership requirement by using Remote Desktop Gateway Manager.
- Client computer group membership (optional). You configure the client computer group membership requirement by using Remote Desktop Gateway Manager.
In Remote Desktop Gateway Manager, you configure these requirements on the Requirements tab of a Remote Desktop connection authorization policy (RD CAP). For more information, see Creating an RD CAP.
Supported Windows authentication methods
If you configure the supported Windows authentication method by using Remote Desktop Gateway Manager, you can specify that a user must use either a password or a smart card, or both. If you select both methods, either can be used to connect.
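As an added example that is not part of the original article, the following PowerShell script audits the RD CAP requirements described above (allowed Windows authentication methods, required user groups and optional client computer groups) on a Windows Server 2008 R2 RD Gateway server. It assumes the Win32_TSGatewayConnectionAuthorizationPolicy WMI class and the property names listed in the comments; confirm them with Get-Member on your server before relying on the report.

```powershell
# Assumed WMI class/properties (verify with Get-Member on your server):
#   root\CIMV2\TerminalServices : Win32_TSGatewayConnectionAuthorizationPolicy
#   Name, Status, PasswordAuthentication, SmartcardAuthentication,
#   UserGroupNames, ComputerGroupNames
function Get-RdCapRequirementReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $caps = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\CIMV2\TerminalServices' `
        -Class 'Win32_TSGatewayConnectionAuthorizationPolicy'

    foreach ($cap in $caps) {
        # Windows authentication methods this RD CAP accepts. A client must be
        # configured for at least one of them or its connection attempt fails.
        $methods = @()
        if ($cap.PasswordAuthentication)  { $methods += 'Password' }
        if ($cap.SmartcardAuthentication) { $methods += 'SmartCard' }

        # Group names are stored as semicolon-separated strings.
        $userGroups     = @($cap.UserGroupNames     -split ';' | Where-Object { $_ })
        $computerGroups = @($cap.ComputerGroupNames -split ';' | Where-Object { $_ })

        # Findings a reviewer would want to see next to each policy.
        $findings = @()
        if ($methods.Count -eq 0) {
            $findings += 'No authentication method allowed; no client can meet this policy'
        }
        if ($userGroups.Count -eq 0) {
            $findings += 'Required user group membership is not set'
        }
        if ($computerGroups.Count -eq 0) {
            $findings += 'Client computer group not set; computer membership is not checked'
        }
        if ($methods -contains 'Password' -and $methods -notcontains 'SmartCard') {
            $findings += 'Password only; smart card (two-factor) not accepted'
        }

        New-Object PSObject -Property @{
            Policy         = $cap.Name
            Enabled        = ($cap.Status -eq 1)   # assumed: 1 = enabled, 0 = disabled
            AuthMethods    = ($methods -join ', ')
            UserGroups     = ($userGroups -join ', ')
            ComputerGroups = ($computerGroups -join ', ')
            Findings       = ($findings -join '; ')
        }
    }
}

# Run against the local RD Gateway server; pass -ComputerName for a remote one.
Get-RdCapRequirementReport | Format-Table Policy, Enabled, AuthMethods, UserGroups, ComputerGroups, Findings -AutoSize -Wrap
```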
If you configure the supported Windows authentication method by using Group Policy, the following options are available:
- Ask for credentials, use NTLM protocol (a Windows NT challenge/response protocol). For information about the NTLM protocol, see Logon and Authentication Technologies (http://go.microsoft.com/fwlink/?LinkId=94215) and Microsoft NTLM (http://go.microsoft.com/fwlink/?LinkId=94216).
- Ask for credentials, use Basic protocol. The Basic authentication method is a widely used industry-standard method for collecting user name and password information. It is less secure, however, because the passwords are transmitted in Base64-encoded form, not encrypted. For more information, see Basic Authentication (http://go.microsoft.com/fwlink/?LinkId=94217).
- Use locally logged-on credentials. In this case, the same credentials that users provide to log on to their local computer will be used to connect to the RD Gateway server. Note that if you select this option, but users have previously connected to the same RD Gateway server and they have selected the Remember my credentials check box in the RD Gateway Server Settings dialog box on their client computer, their saved credentials will be used to connect to the RD Gateway server.
- Use smart card. Smart cards contain a microcomputer and a small amount of memory, and they provide secure, tamper-proof storage for private keys and X.509 security certificates. A smart card is a form of two-factor authentication that requires the user to have a smart card and know the PIN to gain access to network resources. For more information, see The Secure Access Using Smart Cards Planning Guide (http://go.microsoft.com/fwlink/?LinkId=94218).
If all of these credentials are available to users, and users have already chosen to save their credentials when connecting to the RD Gateway server, their credentials will be used in the following order:
- Locally logged-on credentials
- Other password or smart card credentials supplied by the user