
SBS 2008 RWW cannot connect to client computers

Badink asked
Last Modified: 2012-05-06
I migrated from SBS 2003 to SBS 2008 and for the most part things went smoothly. Two main problems: clients cannot connect to computers using the RWW, and our external website no longer works.

We can access our remote site and check emails; however, when logging into the client computer we get an error: VBScript: remote desktop disconnected. An internal error has occured (50331676)

In the event log for terminal services gateway I get this event

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          2/19/2009 8:46:42 AM
Event ID:      201
Task Category: (2)
Level:         Error
Keywords:      Audit Failure,(16777216)
User:          NETWORK SERVICE
Computer:      NORWALK1.dvcc.local
Description:
The user "dvcc\DDuBose", on client computer "67.87.115.243", did not meet connection authorization policy requirements and was therefore not authorized to access the TS Gateway server. The following authentication method was attempted: "NTLM". The following error occurred: "23003".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4d5ae6a1-c7c8-4e6d-b840-4d8080b42e1b}" />
    <EventID>201</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>2</Task>
    <Opcode>30</Opcode>
    <Keywords>0x4010000001000000</Keywords>
    <TimeCreated SystemTime="2009-02-19T13:46:42.523Z" />
    <EventRecordID>83</EventRecordID>
    <Correlation />
    <Execution ProcessID="5312" ThreadID="5412" />
    <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
    <Computer>NORWALK1.dvcc.local</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <EventInfo xmlns="aag">
      <Username>dvcc\DDuBose</Username>
      <IpAddress>67.87.115.243</IpAddress>
      <AuthType>NTLM</AuthType>
      <Resource>
      </Resource>
      <ErrorCode>23003</ErrorCode>
    </EventInfo>
  </UserData>
</Event>
This was not a problem in SBS 2003; not sure what I am missing here. Can someone shed some light on this for me?

Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Did you complete the Getting Started Tasks (more obvious question ;))?

Are you using the self issued certificate? Do users get the Red Shield in IE when connecting to the RWW?

If you are, go get yourself an inexpensive third party certificate and use the wizard to import it into SBS. That will fix any SSL related errors.

For remote clients, if you are using the self-issued cert, you need to copy the certificate package out of \\SBS\Public\Downloads onto a USB stick and take it home to import it. Once imported, your URL will show a proper lock on RWW and your TS Gateway should work properly.

Philip

Commented:
Philip, now that you are here, and this might also be interesting to this question...
Is there some more info on the TS Gateway policies on SBS 2008?
What exactly does it check for?
Is the only check the SSL cert, domain user and domain computer, or are there other checks?

The only three conditions I see are:
NAS port type (VPN)
user groups: domain users
called station ID: user auth type (SC|PW)

Now where does the cert come into play?

I am still waiting for the blueprint book, I hope it will cover that :-)

and for the user:
check out this link:
http://technet.microsoft.com/en-us/library/cc775130.aspx

Author

Commented:
No red shield, cert is self-signed, but it is imported and I get a lock. Is there a way to turn off the NTLM authorization, just for testing purposes?

Commented:
How did you import this cert?
Maybe it's not the same cert, but the basics are the same:
http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Does the client connecting have XP SP3 or Vista SP1 applied? You need RDP Client 6.1 to properly connect to a remote desktop via RWW.

Philip

Author

Commented:
Installed RDP Client 6.1, still getting the same error "connection authorization policy requirements"

Commented:
Did you check this page?
http://sbs.editme.com/sbs2008rww

Author

Commented:
OK, thanks for the link. Checked and tried all suggestions, still the same message. I did look at the owa and remote under sites and I see that owa is basic and network authorization and remote is anonymous and forms; tried changing remote to basic and network and lost the prompt to log on to computers. I think I may just need to remove the server roles and rebuild.

Author

Commented:
Never mind, I fixed it! It was a network policy error and not a certificate error. Thanks anyway.

Commented:
What did you do exactly to fix it?

Author

Commented:
I reset the permissions in the NPS. I still have a problem: now some computers can connect and some get a certificate error. I have a third party cert; I don't know why some can and some can't. Anyone know?

Commented:
Sorry, you did request exactly how I fixed it. In the NPS - policies - network policy - TSG Maker - Access policy

click grant access and uncheck "ignore user account dial-in"
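
Added example (not from any poster in this thread): when some clients connect and others do not, tallying the gateway's Event ID 201 records by user, client IP and error code shows which connections the authorization policy is rejecting. The function name, sample users and IP addresses are constructed for illustration; the XML layout and error code 23003 follow the event posted in the question.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Parses TS Gateway Event ID 201 XML and counts denials per user/IP/error code.
function ConvertFrom-TsgEvent201 {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $ns.AddNamespace('g', 'aag')   # namespace of <EventInfo> in the posted event
        $id   = $doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns)
        $info = $doc.SelectSingleNode('/e:Event/e:UserData/g:EventInfo', $ns)
        if ($null -eq $id -or $id.InnerText -ne '201' -or $null -eq $info) { return }  # skip other events
        $time = $doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns)
        [pscustomobject]@{
            TimeUtc   = [datetime]::Parse($time.Attributes['SystemTime'].Value).ToUniversalTime()
            Username  = $info.SelectSingleNode('g:Username', $ns).InnerText
            IpAddress = $info.SelectSingleNode('g:IpAddress', $ns).InnerText
            AuthType  = $info.SelectSingleNode('g:AuthType', $ns).InnerText
            ErrorCode = $info.SelectSingleNode('g:ErrorCode', $ns).InnerText
        }
    }
}

# Constructed sample events (placeholder users, documentation-range IPs); the
# element layout and error code 23003 follow the event shown in the question.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>201</EventID><TimeCreated SystemTime="{0}" /></System>
  <UserData><EventInfo xmlns="aag">
    <Username>{1}</Username><IpAddress>{2}</IpAddress><AuthType>NTLM</AuthType>
    <Resource></Resource><ErrorCode>23003</ErrorCode>
  </EventInfo></UserData>
</Event>
'@
$sample = @(
    ($template -f '2009-02-19T13:46:42Z', 'EXAMPLE\user1', '203.0.113.10'),
    ($template -f '2009-02-19T13:52:10Z', 'EXAMPLE\user1', '203.0.113.10'),
    ($template -f '2009-02-19T14:05:31Z', 'EXAMPLE\user2', '198.51.100.7')
)

# On the gateway itself, feed live records instead of $sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; Id = 201 } |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-TsgEvent201
$sample | ConvertFrom-TsgEvent201 |
    Group-Object Username, IpAddress, ErrorCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeenUtc'; e = { ($_.Group | Sort-Object TimeUtc | Select-Object -Last 1).TimeUtc } }
```

Running the same tally before and after a change to the NPS network policy shows whether the 201 denials stopped for every user or only for some.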


Commented:
I have a similar issue, where I have reset the NPS, reset the cert that TS Gateway looks at, and reinstalled the certs on the remote workstations, but I get a few that connect and others cannot. It is the same for XP, Vista and Windows 7 with intermittent connections. Is there something else to this service to get it to work?

Commented:
Did you ever resolve this? I'm having a similar issue.