Event Information | According to Microsoft :
Cause : This event is logged when the user on client computer was not authorized to connect to this TS Gateway server because the authentication method attempted by the user is not supported.
Resolution : Ensure that the TS Gateway server supports the authentication methods that are supported for clients
To resolve this issue, ensure that the TS Gateway server is configured correctly to support the authentication methods that are being supported for clients. If the TS Gateway server is not configured correctly, do one of the following:
- Use TS Gateway Manager to change the authentication method required for the TS Gateway server to match the authentication method used by the client. For more information, see "Change the authentication method required for the TS Gateway server by using TS Gateway Manager."
- Use Group Policy to change the authentication method used by the client to connect to the TS Gateway server.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Change the authentication method required for the TS Gateway server by using TS Gateway Manager

To change the authentication method required for the TS Gateway server by using TS Gateway Manager:
- Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
- In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.
- In the console tree, expand Policies, and then click Connection Authorization Policies.
- Right-click the Connection Authorization Policies folder.
- In the console tree, in the list of Terminal Services connection authorization policies (TS CAPs), right-click the TS CAP for which you want to change the authentication method, and then click Properties. If you are unsure as to which TS CAP to select, do the following:
  - On the Requirements tab, under User group membership (required), note the names of the user groups in the list. The user account for the client must be a member of one of these groups.
  - On the same tab, check whether any client computer groups are listed under Client computer group membership (optional). If so, note the names of the computer groups in the list. The computer account for the client must be a member of one of these groups.
- On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes (when both are selected, clients that use either authentication method are allowed to connect):
  - Password
  - Smart card
- Click OK.

Change the authentication method used by the client to connect to the TS Gateway server by using Group Policy

Note : To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.

To change the authentication method used by the client to connect to the TS Gateway server by using Group Policy:
- Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
- In the left pane, locate the OU that you want to edit.
- To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
- In the right pane, click the Settings tab.
- In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway.
- In the right pane, in the settings list, right-click Set TS Gateway server authentication method, and then click Properties.
- On the Settings tab, confirm that Enabled is selected, and then select the authentication method that you want to use. Ensure that the method that you select is compatible with the authentication method that you have configured for the client. The following choices are available:
  - Ask for credentials, use NTLM protocol
  - Ask for credentials, use Basic protocol
  - Use locally logged-on credentials
  - Use smart card
- Click OK.

Performing the following procedures does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.

Check account membership for the client in an Active Directory security group

To check account membership for the client in an Active Directory security group:
- On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then press ENTER.
- In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.
- In the details pane, right-click the user name, and then click Properties.
- On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS CAP.
- Click OK.
- If client computer group membership has also been specified as a requirement in the TS CAP, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer belongs.
- In the details pane, right-click the computer name, and then click Properties.
- On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS CAP.
- Click OK.

Check account membership for the client in a local security group

To check account membership for the client in a local security group:
- On the TS Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
- In the console tree, expand Local Users and Groups, and then click Groups.
- In the results pane, locate the local security group that has been created to grant members access to the TS Gateway server.
- Right-click the group name, and then click Properties.
- On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the TS CAP.
- If client computer group membership has also been specified as a requirement in the TS CAP, on the General tab, confirm that the client computer account is also a member of this group.
- Click OK.
|
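
The three checks in the procedures above (authentication method, user group, optional computer group) can be compared in one pass once the values have been noted from the TS CAP Requirements tab and the Member Of tabs. The following PowerShell is an added example, not Microsoft's code; the function name `Test-TsCapRequirement`, its parameters, the method labels `Password` and `SmartCard`, and all sample group names are constructed for illustration.

```powershell
# Added example: compares values noted by hand from the TS CAP Requirements tab
# with what the client presents. Function name, parameters and sample values
# are hypothetical and do not come from TS Gateway itself.
function Test-TsCapRequirement {
    param(
        [Parameter(Mandatory=$true)][string[]]$CapAuthMethods,   # 'Password' and/or 'SmartCard'
        [Parameter(Mandatory=$true)][string[]]$CapUserGroups,    # User group membership (required)
        [string[]]$CapComputerGroups = @(),                      # Client computer group membership (optional)
        [Parameter(Mandatory=$true)][string]$ClientAuthMethod,   # method the client attempts
        [string[]]$UserMemberOf = @(),                           # groups from the user's Member Of tab
        [string[]]$ComputerMemberOf = @()                        # groups from the computer's Member Of tab
    )
    $failures = @()

    # Check 1: the client's method must be one of the methods selected in the TS CAP.
    if ($CapAuthMethods -notcontains $ClientAuthMethod) {
        $failures += "Authentication method '$ClientAuthMethod' is not selected in the TS CAP"
    }

    # Check 2: the user account must be in at least one required user group.
    $userHits = @($UserMemberOf | Where-Object { $CapUserGroups -contains $_ })
    if ($userHits.Count -eq 0) {
        $failures += "User account is not a member of any required user group"
    }

    # Check 3: applies only when the TS CAP lists client computer groups.
    if ($CapComputerGroups.Count -gt 0) {
        $pcHits = @($ComputerMemberOf | Where-Object { $CapComputerGroups -contains $_ })
        if ($pcHits.Count -eq 0) {
            $failures += "Computer account is not a member of any listed computer group"
        }
    }

    New-Object PSObject -Property @{
        Authorized = ($failures.Count -eq 0)
        Failures   = $failures
    }
}

# Constructed sample: the TS CAP allows only smart card, the client attempts password.
$result = Test-TsCapRequirement -CapAuthMethods 'SmartCard' `
    -CapUserGroups 'TSG-Remote-Users' `
    -ClientAuthMethod 'Password' `
    -UserMemberOf 'Domain Users', 'TSG-Remote-Users'
$result.Authorized
$result.Failures
```

Group names are compared case-insensitively and must be typed exactly as they appear in the TS CAP and on the Member Of tab.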