Advertisement

08.31.2008 at 06:13PM PDT, ID: 23692714
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
8.0

TS Gateway+NAP error

Asked by nbctcp in Remote Desktop/Terminal Services, Windows Server 2008

Tags: , ,

PROBLEM:
-everytime trying to connect win2k8x64ts1 using RDP 6.1 through TS Gateway, it failed to connect with error message "Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS GAteway ..."
-in TS Gateway Event Viewer-Windows Logs-Security
SubjectUserName TEST\Administrator
  SubjectDomainName TEST
  FullyQualifiedSubjectUserName TEST\Administrator
  SubjectMachineSID S-1-5-21-210235132-1586122489-365239878-1109
  SubjectMachineName vista.test.local
  FullyQualifiedSubjectMachineName TEST\VISTA$
  MachineInventory -
  CalledStationID UserAuthType:PW
  CallingStationID -
  NASIPv4Address -
  NASIPv6Address -
  NASIdentifier -
  NASPortType Virtual  
  NASPort -
  ClientName -
  ClientIPAddress -
  ProxyPolicyName NAP TS Gateway
  NetworkPolicyName NAP TS Gateway Non NAP-Capable
  AuthenticationProvider Windows  
  AuthenticationServer win2k8x64tsgw.test.local
  AuthenticationType Unauthenticated

So basically TS Gateway always think VistaSP1 is not NAP Capable.
Client is member of domain and in the same subnet as server.
How to fix the problem?

thanks
===========
SERVER INFO:
1. AD+DNS+TS License+TS Session Broker
-win2008
-ip 10.0.4.92
-hostname win2k8
2. TS
-win2008
-ip 10.0.4.93
-hostname win2k8x64ts1
3. TS
-win2008
-ip 10.0.4.94
-hostname win2k8x64ts2
4. TS Gateway+NAP
-win2008
-ip 10.0.4.95
-hostname win2k8x64tsgw

CLIENT INFO:
1.
-vista ultimate sp1
-ip 10.0.4.96
-hostname vista

DOMAIN NAME: test.local

-In Network Policy and Access Server-Policies-Network Policies, I create 3 policies
1. NAP TS Gateway Compliant
Condition: Health Policy: NAP TS Gateway Compliant
Access Permission: Grant Access
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow full network access

2. NAP TS Gateway Noncompliant
Condition: Health Policy: NAP TS Gateway Noncompliant
Access Permission: Deny Access
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow limited network access

3. NAP TS Gateway Non NAP-Capable
Condition: NAP Capable: Computer is not NAP Capable
Access Permission: Deny Access
Authentication Method: Perform Machine Health Check Only
NAP Enforcement: Allow limited network access

-In Network Access Protection-System Health Validators
Only check "A firewall is enabled for all network connections"

-in CLIENT Vista
C:\Users\administrator>netsh nap client show config
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled
Name            = Remote Access Quarantine Enforcement Client
ID              = 79618
Admin           = Disabled
Name            = IPSec Relying Party
ID              = 79619
Admin           = Disabled
Name            = TS Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Enabled
Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

C:\Users\administrator>netsh nap client show group
NAP client configuration (group policy):
----------------------------------------------------
NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)
Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled
Name            = Remote Access Quarantine Enforcement Client
ID              = 79618
Admin           = Disabled
Name            = IPSec Relying Party
ID              = 79619
Admin           = Disabled
Name            = TS Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Enabled
Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Disabled
Client tracing:
----------------------------------------------------
State = Disabled
Level = DisabledStart Free Trial
[+][-]08.31.2008 at 07:50PM PDT, ID: 22357244

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Remote Desktop/Terminal Services, Windows Server 2008
Tags: Microsoft, Windows Server, 2008
Sign Up Now!
Solution Provided By: plimpias
Participating Experts: 1
Solution Grade: A
 
 
[+][-]10.03.2008 at 09:51AM PDT, ID: 22635721

Experts Exchange has a courteous staff of administrators who help members get the most out of the website by means of administrative comments like this one.

Start your 7-day free trial to view this Administrative Comment or ask the Experts your question.

 
 
Loading Advertisement...
20080716-EE-VQP-32 - Hierarchy / EE_QW_2_20070628