RD Gateway Server Availability

Microsoft.Windows.Server.RemoteDesktopServices.2012.NewUnitMonitor_6 (UnitMonitor)

This object monitors the availability of the Remote Desktop Gateway server.

Knowledge Base article:

Summary

The Remote Desktop Gateway (RD Gateway) server must be available on the network, and the appropriate services must be running on the RD Gateway server. The Remote Desktop connection authorization policy (RD CAP) and Remote Desktop resource authorization policy (RD RAP) stores must also be available, so that these policies can be evaluated to determine whether remote clients meet policy requirements. RD CAPs specify who can connect to an RD Gateway server. RD RAPs specify the internal network resources (computers) that clients can connect to through an RD Gateway server. If RD CAPs and RD RAPs are not available, the RD Gateway server will not be available for client connections.

Resolutions

To resolve this issue, check the event ID, and then view the troubleshooting information for that event in the sections below.

Resolution steps for the following event IDs: 642, 643

To resolve this issue, grant the required permissions to the rap.xml file. If granting the required permissions to the rap.xml file does not resolve the problem, rename the rap.xml file and start the Remote Desktop Gateway Manager snap-in console.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Grant the required permissions to the rap.xml file

To grant the required permissions to the rap.xml file:

1. On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the drive on which the operating system is installed.

2. Right-click rap.xml.

3. In the rap.xml Properties dialog box, click the Security tab.

4. Click Edit, and then do the following:

5. In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

6. Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.

7. Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.

8. Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read.

9. Click OK.
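The permissions in steps 5 through 8 can be checked without opening the dialog box. The following read-only PowerShell script is an added example, not part of the management pack or its knowledge article. It compares the ACL on rap.xml with those four entries and, as an extra, lists any other identity that holds write-type rights on the file for review. It assumes the well-known SIDs for the four accounts and ignores Deny entries.

```powershell
# Added example (read-only): compare the ACL on rap.xml with the permissions
# listed in steps 5-8. Well-known SIDs are used so the check does not depend
# on the display language of the account names. Deny entries are not evaluated.
$path = Join-Path $env:windir 'System32\tsgateway\rap.xml'
$fsr  = [System.Security.AccessControl.FileSystemRights]
$sid  = [System.Security.Principal.SecurityIdentifier]

$required = @(
    @{ Name = 'SYSTEM';          Sid = 'S-1-5-18';     Rights = $fsr::FullControl }
    @{ Name = 'Administrators';  Sid = 'S-1-5-32-544'; Rights = $fsr::FullControl }
    @{ Name = 'Users';           Sid = 'S-1-5-32-545'; Rights = $fsr::ReadAndExecute }
    @{ Name = 'Network Service'; Sid = 'S-1-5-20';     Rights = $fsr::Read }
)

# Explicit and inherited rules, with identities returned as SIDs.
$rules = (Get-Acl -LiteralPath $path -ErrorAction Stop).GetAccessRules($true, $true, $sid)
$allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })

$report = foreach ($r in $required) {
    # Combine every Allow entry for this account into one rights mask.
    $granted = 0
    foreach ($rule in $allow) {
        if ($rule.IdentityReference.Value -eq $r.Sid) {
            $granted = $granted -bor [int]$rule.FileSystemRights
        }
    }
    [pscustomobject]@{
        Account  = $r.Name
        Required = $r.Rights
        Granted  = [System.Security.AccessControl.FileSystemRights]$granted
        Ok       = ($granted -band [int]$r.Rights) -eq [int]$r.Rights
    }
}
$report | Format-Table -AutoSize

# Extra check (not in the article): write-type rights held by any identity
# other than SYSTEM and Administrators, listed for review.
$writeMask = [int]$fsr::Write -bor [int]$fsr::Delete -bor
             [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership
$writers = 'S-1-5-18', 'S-1-5-32-544'
$allow | Where-Object {
    ($writers -notcontains $_.IdentityReference.Value) -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
} | Select-Object @{ Name = 'Sid'; Expression = { $_.IdentityReference.Value } },
                  FileSystemRights, IsInherited | Format-Table -AutoSize
```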

Rename the rap.xml file and start Remote Desktop Gateway Manager

If granting the required permissions to rap.xml does not resolve the problem, try renaming rap.xml to rapbak.xml, and then starting Remote Desktop Gateway Manager. Starting the console will create a new rap.xml file.

To rename the rap.xml file:

1. On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the drive on which the operating system is installed.

2. Right-click rap.xml, type rapbak.xml, and then press ENTER.

Note: After you rename rap.xml and restart Remote Desktop Gateway Manager, no Remote Desktop resource authorization policies (RD RAPs) will appear when you open the console (to confirm that no RD RAPs appear, open Remote Desktop Gateway Manager, click to expand the node that represents your RD Gateway server, expand Policies, and then click Resource Authorization Policies).

To start Remote Desktop Gateway Manager:

On the RD Gateway server, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

Resolution steps for the following event ID: 100

This error might be caused by one of the following conditions:

The services required by RD Gateway are not started

Use the following procedures to determine whether the services required by RD Gateway are started.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To determine whether the Network Policy Server service is started:

1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Services.

2. In the Services snap-in, find Network Policy Server, and then confirm that Started appears in the Status column.

3. If the service status is not Started, see the section titled "Restart the Remote Desktop Gateway service".

To determine whether the Remote Procedure Call (RPC) service is started:

1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Services.

2. In the Services snap-in, find Remote Procedure Call (RPC), and then confirm that Started appears in the Status column.

3. If the service status is not Started, see the section titled "Restart the Remote Desktop Gateway service".

To determine whether the RPC/HTTP Load Balancing Service is started:

1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Services.

2. In the Services snap-in, find RPC/HTTP Load Balancing Service, and then confirm that Started appears in the Status column.

3. If the service status is not Started, see the section titled "Restart the Remote Desktop Gateway service".

To determine whether the World Wide Web Publishing Service is started:

1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Services.

2. In the Services snap-in, find World Wide Web Publishing Service, and then confirm that Started appears in the Status column.

3. If the service status is not Started, see the section titled "Restart the Remote Desktop Gateway service."

There are problems with the NPS Server or Web Server (IIS)

RD Gateway depends on NPS server to store, manage, and validate Remote Desktop connection authorization policies (RD CAPs). RD Gateway depends on Web Server (IIS) for mutual authentication of clients and RD Gateway servers. Problems with the NPS server or Web Server (IIS) can prevent RD Gateway from functioning correctly and being available for client connections.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

Search the Event log to find NPS events

To search the Event log to find NPS events:

1. On the RD Gateway server or the central NPS server, click Start, point to Administrative Tools, and then click Event Viewer.

2. In the Event Viewer console tree, navigate to Windows Logs\Application, and then search for events that contain the word NPS. If you find any NPS events, note the event ID and source of the relevant events for further investigation.

3. Navigate to Windows Logs\System, and then search for events that contain the word NPS. If you find any NPS events, note the event ID and source of the relevant events for further investigation.

4. While you are still in the Windows Logs\System event log, filter the current log to search for any NPS events. For example, you can select the NPS check box.

5. If any events correspond to the event sources that you have selected, note the event ID and source of the relevant events for further investigation, and then see the section titled "Consult the Network Policy Server (NPS) and Web Server (IIS) documentation".

Search the Event log to find IIS events

To search the Event log to find IIS events:

1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.

2. In the Event Viewer console tree, navigate to Windows Logs\Application, and then search for events that contain the word IIS. To search for these events, in the Actions pane, click Find, and in the Find dialog box, type IIS, and then click Find Next. If you find any IIS events, note the event ID and source of the relevant events for further investigation.

3. While you are still in the Windows Logs\Application event log, you can filter the current log to search for IIS events, as well. To filter the current log, in the Actions pane, click Filter Current Log. In Event sources, click the down arrow to display the list of event sources. Select the check boxes that correspond to any events containing the word IIS (for example, IIS-IISManager, IISInfoCtrs, IIS-W3SVC-PerfCounters, and IIS-W3SVC-WP), and then click OK. If any events correspond to the event sources that you have selected, they will appear in the results pane. Note the event ID and source of the relevant events for further investigation.

4. Navigate to Windows Logs\System, and then search for events that contain the word IIS. If you find any IIS events, note the event ID and source of the relevant events for further investigation.

5. While you are still in the Windows Logs\Applications event log, filter the current log to search for any IIS events. Sources for IIS events in this event log include: IIS Config, IIS-APPHOSTSVC, IIS-IisMetabaseAudit, IIS-IISReset, IISLOG, and IIS-W3SVC.

6. If any events correspond to the event sources that you have selected, note the event ID and source of the relevant events for further investigation, and then see the section titled "Consult the Network Policy Server (NPS) and Web Server (IIS) documentation."

Resolution steps for the following event IDs: 641, 640

To resolve this issue, ensure that the Network Policy Server service is started.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

If you have configured local Remote Desktop connection authorization policies (RD CAPs), perform the following procedure on the RD Gateway server. If you have configured central RD CAPs (RD CAPs that are stored on another computer running the Network Policy Server service), perform the following procedure on the NPS server where the central RD CAPs are stored.

To ensure that the Network Policy Server service is started:

1. On the RD Gateway server or the NPS server where the central RD CAPs are stored, click Start, point to Administrative Tools, and then click Services.

2. In the Services snap-in, find Network Policy Server, and then confirm that Started appears in the Status column.

3. If the status is not Started, right-click Network Policy Server, and then click Start.

4. If the attempt to start only the service fails, restart the computer. This forces all related and dependent services to restart.

5. If you want the service to always start automatically after the server is restarted, right-click Network Policy Server, click Properties, and in Startup type, select Automatic, and then click OK.

Resolution steps for the following event ID: 700

To resolve this issue, restart the Remote Desktop Gateway service. Restarting the Remote Desktop Gateway service also restarts all dependent services.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To restart the Remote Desktop Gateway service:

1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Services. In the Name column of the Services snap-in, right-click Remote Desktop Gateway, and then click Restart.

2. If the attempt to restart only the service fails, restart the computer. This forces all related and dependent services to restart.

If you want the service to always start automatically after the server is restarted, in the Name column of the Services snap-in, right-click Remote Desktop Gateway, click Properties, and in Startup type, select Automatic, and then click OK.
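The first resolution step, checking which event ID raised the alert, can be done from a PowerShell prompt on the RD Gateway server. The following read-only script is an added example, not part of the management pack. It queries the two event channels and the event IDs that appear in the monitor's source code on this page, labels each event with the matching resolution section, and then shows the state of the services named above. The 24-hour window is an assumption.

```powershell
# Added example (read-only triage). Channel names and event IDs are copied
# from the monitor definition on this page; the time window is an assumption.
$since = (Get-Date).AddHours(-24)

$queries = @(
    # FirstExpression in the monitor (health state: Error)
    @{ LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       Id        = 100, 400, 640, 641, 642, 643
       StartTime = $since }
    # SecondExpression in the monitor (health state: Warning)
    @{ LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Admin'
       Id        = 700
       StartTime = $since }
)

# Event ID -> resolution section of this article.
$resolution = @{
    642 = 'Grant the required permissions to the rap.xml file'
    643 = 'Grant the required permissions to the rap.xml file'
    100 = 'Check the required services, then search for NPS and IIS events'
    640 = 'Ensure that the Network Policy Server service is started'
    641 = 'Ensure that the Network Policy Server service is started'
    700 = 'Restart the Remote Desktop Gateway service'
    400 = 'Monitored, but no resolution steps are given in this article'
}

# Get-WinEvent reports an error when a channel has no matching events,
# so that case is silenced rather than treated as a failure.
$events = foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
}
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LogName,
        @{ Name = 'Resolution'; Expression = { $resolution[$_.Id] } } |
    Format-Table -AutoSize -Wrap

# State and startup type of the services this article asks you to check.
$serviceNames = 'Network Policy Server', 'Remote Procedure Call (RPC)',
                'RPC/HTTP Load Balancing Service',
                'World Wide Web Publishing Service', 'Remote Desktop Gateway'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $serviceNames -contains $_.DisplayName } |
    Select-Object DisplayName, State, StartMode |
    Format-Table -AutoSize
```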

Element properties:

Target: Microsoft.Windows.Server.2012.RemoteDesktopServicesRole.Service.RDGateway
Parent Monitor: System.Health.AvailabilityState
Category: Custom
Enabled: True
Alert Generate: True
Alert Severity: MatchMonitorHealth
Alert Priority: High
Alert Auto Resolve: True
Monitor Type: Microsoft.Windows.2SingleEventLogManualReset3StateMonitorType
Remotable: True
Accessibility: Public
Alert Message:
  RD Gateway Server Availability Alert
  Event ID: {0} -- Description: {1}
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.Windows.Server.RemoteDesktopServices.2012.NewUnitMonitor_6" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.Server.2012.RemoteDesktopServicesRole.Service.RDGateway" ParentMonitorID="SystemHealth!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLogManualReset3StateMonitorType" ConfirmDelivery="true">
  <Category>Custom</Category>
  <AlertSettings AlertMessage="Microsoft.Windows.Server.RemoteDesktopServices.2012.NewUnitMonitor_6_AlertMessageResourceID">
    <AlertOnState>Warning</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>High</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/EventDisplayNumber$</AlertParameter1>
      <AlertParameter2>$Data/Context/EventDescription$</AlertParameter2>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="UIGeneratedOpStateId127ff0c02b6643bab4409f757efed442" MonitorTypeStateID="ManualResetEventRaised" HealthState="Success"/>
    <OperationalState ID="UIGeneratedOpStateId1afb79b8448c435d8329469d5f001577" MonitorTypeStateID="SecondEventRaised" HealthState="Warning"/>
    <OperationalState ID="UIGeneratedOpStateIda7221ed13e63477eb9f19a9b24d976af" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <FirstComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
    <FirstLogName>Microsoft-Windows-TerminalServices-Gateway/Operational</FirstLogName>
    <FirstExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">Channel</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">Microsoft-Windows-TerminalServices-Gateway/Operational</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <Or>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">100</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">400</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">640</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">641</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">642</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">643</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
          </Or>
        </Expression>
      </And>
    </FirstExpression>
    <SecondComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
    <SecondLogName>Microsoft-Windows-TerminalServices-Gateway/Admin</SecondLogName>
    <SecondExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="UnsignedInteger">700</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">Channel</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">Microsoft-Windows-TerminalServices-Gateway/Admin</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </SecondExpression>
  </Configuration>
</UnitMonitor>