To resolve this issue, do the following:
Ensure that security groups and if applicable, TS Gateway-managed groups are configured correctly by checking security group and TS Gateway-managed computer group settings in the Terminal Services resource authorization policy (TS RAP).
If the problem still occurs, ensure that the required permissions are granted to rap.xml.
If the problem still occurs, ensure that the correct value is set and the required permissions are granted for the RAPStore registry key.
Check security group and TS Gateway-managed computer group settings in the TS RAP
Note: In addition to meeting the requirements of the TS RAP, users on clients must have the right to log on locally to the computer to which they are trying to connect.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To check security group and TS Gateway-managed computer group settings in the TS RAP:
Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
In the TS Gateway Manager console tree, select the node that represents the local TS Gateway server, which is named for the computer on which the TS Gateway server is running.
In the console tree, expand Policies, and then click Resource Authorization Policies.
In the results pane, in the list of TS RAPs, right-click the TS RAP that you want to check, and then click Properties.
On the Computer Group tab, check whether Allow users to connect to any network resource is selected. If so, proceed to the procedure "Ensure that the required permissions are granted to rap.xml" later in this topic. If not, do one of the following:
If Select an existing Active Directory security group is selected, note the name of the security group, so that you can ensure that the specified security group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the computer that the client is trying to connect to is a member of this group.
If Select existing TS Gateway-managed computer group or create a new one is selected, ensure that the name of the TS Gateway-managed computer group is correct, and that the computers in this group exist and can be contacted on the network.
Click OK to close the Properties dialog box for the TS RAP.
If an incorrect security group is specified or if the TS Gateway-managed computer group is not correctly configured, modify the settings of the existing TS RAP or create a new TS RAP. For information about how to create a TS RAP, see "Create a TS RAP" in the TS Gateway Manager Help in the Windows Server 2008 Technical Library ( http://go.microsoft.com/fwlink/?LinkId=102170).
To perform these procedures, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.
Confirm that the Active Directory security group specified in the TS RAP exists, and check account membership for the client in this group
To confirm that the Active Directory security group specified in the TS RAP exists:
On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.
Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the TS RAP, and then click Find Now.
If the group exists, it will appear in the search results.
Close the Find Users, Contacts, and Groups dialog box.
To check account membership for the client in this security group:
On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
In the console tree, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer that the client is trying to connect to belongs.
In the details pane, right-click the computer name, and then click Properties.
On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS RAP.
Confirm that the local security group specified in the TS RAP exists, and check account membership for the client in this group
To confirm that the local security group specified in the TS RAP exists, and to check account membership for the client in this group:
On the TS Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
In the console tree, expand Local Users and Groups, and then click Groups.
In the results pane, locate the local security group that contains the computers that the client can access through the TS Gateway server (the group name or description should indicate whether the group has been created for this purpose).
Right-click the group name, and then click Properties.
On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the TS RAP.
Click OK.
If this does not resolve the issue, ensure that the correct permissions are granted to the rap.xml file.
Ensure that the required permissions are granted to rap.xml
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To ensure that the required permissions are granted to rap.xml:
On the TS Gateway server, navigate to %Windir%\System32\tsgateway\rap.xml, where %Windir% is the drive on which the operating system is installed.
Right-click rap.xml.
In the rap.xml Properties dialog box, click the Security tab.
Click Edit, and then do the following:
In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.
Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.
Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read.
Click OK.
| Target | Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TSGateway | ||
| Category | EventCollection | ||
| Enabled | True | ||
| Event Source | Microsoft-Windows-TerminalServices-Gateway | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Microsoft-Windows-TerminalServices-Gateway/Admin |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| Alert | WriteAction | System.Health.GenerateAlert | Default |
Home
ENU <Rule ID="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TSGateway.EventCollection.563.564.565" Enabled="onStandardMonitoring" Target="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TSGateway" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Microsoft-Windows-TerminalServices-Gateway/Admin</LogName>
<Expression>
<And>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(563|564|565)$</Pattern>
</RegExExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-TerminalServices-Gateway</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertName/>
<AlertDescription/>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TSGateway.EventCollection.563.564.565.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>