tl;dr – The Remote Desktop Gateway policy is missing or incorrect. Solution here.
We’ve now installed quite a lot of Windows 2012 Essentials servers. Overall they’re very well behaved, low-resource and easy to manage with one caveat. Remote Access (whether using Remote Web Access or VPN) seems to be fraught with authentication problems.
The most recent one that I’ve found the correct solution for is the following error from the RDP client when connecting to a computer through the Remote Web Workplace:
"The user attempted to use an authentication method that is not enabled on the matching network policy."
Server-side, the “Audit Failure” error in the Security log was equally unhelpful:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID:
    Account Name:
    Account Domain:
    Fully Qualified Account Name:
Client Machine:
    Security ID: NULL SID
    Account Name:
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: UserAuthType:PW
    Calling Station Identifier: -
NAS:
    NAS IPv4 Address: -
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: -
RADIUS Client:
    Client Friendly Name: -
    Client IP Address: -
Authentication Details:
    Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
    Network Policy Name: -- RDG Marker Policy
    Authentication Provider: Windows
    Authentication Server:
    Authentication Type: Unauthenticated
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Other reason codes that seem to crop up for the same issue:
48 - The connection request did not match a configured network policy, so the connection request was denied by Network Policy Server.
49 - The connection request did not match a configured connection request policy, so the connection request was denied by Network Policy Server.
And the Microsoft –> Windows –> Terminal Services Gateway –> Operational event log contains the following:
The user "XXXXXX", on client computer "XX.XX.XX.XX", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "RPC-HTTP". The following error occurred: "23003".
A bit of googling on this error leads here, which didn’t fix the problem in this instance but is quick and easy, so it’s worth trying if you’re struggling with this issue.
Digging through the Network Policies (Administrative Tools –> Network Policy Server) didn’t reveal any clues – the policies appear to be correctly scoped and allow the types of authentication being used:
These are the default policies configured by the Anywhere Access wizard. I tried recreating them from scratch, and setting them to be as permissive as possible, none of which made any difference.
Eventually searching against the Terminal Services Gateway error led to this page from Microsoft, which explains that the error is caused by problems with the Terminal Services Gateway policy and *not* the Network Policy as the Security Log error suggests.
2012 Essentials doesn’t include the Terminal Services Gateway management tools, as the Wizard and Dashboard are supposed to manage all the relevant settings automagically. This means we can’t check the Terminal Services Gateway policy without installing them, which DISM can do from an elevated command prompt:
dism /online /Enable-Feature /FeatureName:Gateway-UI
Once these are installed, open the RD Gateway Manager (Administrative Tools –> Remote Desktop Services –> RD Gateway Manager) and either check that the policies listed have suitable settings or, more likely, note that there aren’t any policies present at all:
Just use the “Create New Policy” wizard to create a suitable policy; most likely you’ll want to allow access for the WseAllowComputerAccess group – this is how the Essentials wizard will create the policy on the rare occasions that it actually works.
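Before recreating anything, it helps to gather the evidence described above (the NPS denial, the RD Gateway 23003 entry, and whether any CAP/RAP exists) from one elevated PowerShell session on the Essentials server. The script below is an added example, not code from the original post. It assumes the ActiveDirectory module (present on a domain controller), that the RD Gateway WMI provider lives in the namespace root\CIMV2\TerminalServices with the classes named below (as shipped with the RDS-Gateway role), that the gateway tools feature is named RSAT-RDS-Gateway in Get-WindowsFeature, and that 'someuser' is a placeholder account name.

```powershell
# Added example (not from the original post): collect the evidence the post describes
# in one elevated PowerShell session on the Essentials server.
# Assumptions: ActiveDirectory module available; RD Gateway WMI provider in
# root\CIMV2\TerminalServices; 'someuser' is a placeholder account name.

$user  = 'someuser'
$since = (Get-Date).AddDays(-1)

# 1. Reason code 65 blames the account's Dial-in setting, so rule it out first:
#    msNPAllowDialin = $true (Allow), $false (Deny), absent (Control access through NPS).
#    In the post this was not the cause, but it is cheap to check.
Get-ADUser -Identity $user -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin

# 2. NPS denials: Security event 6273 ("Network Policy Server denied access to a user").
#    Pull the reason code and policy names out of the message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            ReasonCode = $(if ($m -match 'Reason Code:\s*(\d+)') { $Matches[1] } else { '?' })
            CRP        = $(if ($m -match 'Connection Request Policy Name:\s*(.+)') { $Matches[1].Trim() } else { '?' })
            NetPolicy  = $(if ($m -match 'Network Policy Name:\s*(.+)') { $Matches[1].Trim() } else { '?' })
        }
    } | Format-Table -AutoSize

# 3. The RD Gateway operational log is the one that actually points at the CAP/RAP.
#    Show recent entries carrying the 23003 error quoted in the post.
Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since -and $_.Message -match '23003' } |
    Select-Object TimeCreated, Id, Message -First 5 |
    Format-List

# 4. Are the RD Gateway management tools present? (Same outcome as the dism step in the post.)
$tools = Get-WindowsFeature -Name RSAT-RDS-Gateway
if (-not $tools.Installed) {
    Write-Warning 'RD Gateway tools not installed; run: dism /online /Enable-Feature /FeatureName:Gateway-UI'
}

# 5. Enumerate the connection (CAP) and resource (RAP) authorization policies via WMI.
#    An empty result here is the "no policies at all" case the post describes.
$ns  = 'root\CIMV2\TerminalServices'
$cap = Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy -ErrorAction SilentlyContinue
$rap = Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy   -ErrorAction SilentlyContinue

if (-not $cap) { Write-Warning 'No RD CAP found: the RD Gateway will deny every connection.' }
else { $cap | Select-Object Name, Enabled, UserGroupNames | Format-Table -AutoSize }

if (-not $rap) { Write-Warning 'No RD RAP found: authenticated users cannot reach any computer.' }
else { $rap | Select-Object Name, Enabled, UserGroupNames | Format-Table -AutoSize }
```

If step 5 prints a warning while step 2 keeps showing reason code 65 or 48 against the RDG Marker Policy, that matches the situation in the post: the NPS side is a symptom, and the fix is to create the RD CAP and RAP (typically for the WseAllowComputerAccess group) in RD Gateway Manager, then re-run the script to confirm both policies are listed and Enabled.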