Event ID - 524

Event Id: 524
Source: Microsoft-Windows-TerminalServices-Gateway
Description: The connection authorization policy "%1" could not be deleted. The following error occurred: "%2".
Event Information: According to Microsoft :
Cause :
This event is logged when the connection authorization policy could not be deleted.
Resolution :
Ensure that the TS CAP is configured correctly
To resolve this, ensure that the Terminal Services connection authorization policy (TS CAP) is configured correctly.
Check TS CAP settings on the TS Gateway server
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To check TS CAP settings on the TS Gateway server:
  1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
  2. In the TS Gateway Manager console tree, select the node that represents the local TS Gateway server, which is named for the computer on which the TS Gateway server is running.
  3. In the console tree, expand Policies, and then click Connection Authorization Policies.
  4. In the results pane, in the list of TS CAPs, right-click the TS CAP that you want to check, and then click Properties.
  5. On the General tab, check the policy name. The name that you specify for the TS CAP must be unique for TS Gateway and for Network Policy Server (NPS). If you are unsure whether the TS CAP name is already used in an NPS server policy, open the Network Policy Server Management snap-in console to verify whether the TS CAP name that you want to use for TS Gateway matches any NPS server policy names.
  6. On the Requirements tab, do the following:
    • Check whether the specified method(s) is compatible with the authentication method used by the client.
    • Note the name of the user group so that you can ensure that the specified user group exists in Active Directory Domain Services or Local Users and Computers.
    • Check whether a client computer group is specified.
  7. Click OK.
  8. If the TS CAP settings are not configured correctly, modify the settings of the existing TS CAP as needed or create a new TS CAP.
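The following PowerShell is an added example and is not part of the Microsoft text above. It pulls the CAP name (%1) and error text (%2) out of each Event ID 524 record on the TS Gateway server and then reads that CAP's current settings through the RemoteDesktopServices provider, so the name, authentication method and group requirements from steps 5 and 6 can be checked without opening TS Gateway Manager. It assumes the event is written to the Microsoft-Windows-TerminalServices-Gateway/Operational channel with the CAP name as the first insertion string and the error as the second, and that the RDS: drive exposes each policy under RDS:\GatewayServer\CAP\<name> with AuthMethod, UserGroups and ComputerGroups items whose value is read from the CurrentValue property; verify those item names against the provider on your own server if they differ.

```powershell
# Added example (not Microsoft's text): triage Event ID 524 and inspect the CAPs it names.
# Assumed: log channel name, insertion-string order (%1 = CAP name, %2 = error),
# RDS: provider item names (AuthMethod, UserGroups, ComputerGroups) and the CurrentValue property.
Import-Module RemoteDesktopServices -ErrorAction Stop

$GatewayLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'   # assumed channel name
$CapRoot    = 'RDS:\GatewayServer\CAP'

function Get-TsCapDeleteFailures {
    param([int]$MaxEvents = 50)
    # %1 and %2 of the event description are the first two insertion strings (assumed order).
    Get-WinEvent -FilterHashtable @{ LogName = $GatewayLog; Id = 524 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                CapName = $_.Properties[0].Value
                Error   = $_.Properties[1].Value
            }
        }
}

function Get-TsCapSettings {
    param([Parameter(Mandatory)][string]$Name)
    $path = "$CapRoot\$Name"
    if (-not (Test-Path $path)) {
        # The CAP is already gone: the delete that event 524 reported may have been retried successfully.
        return [pscustomobject]@{ Name = $Name; Exists = $false }
    }
    # AuthMethod is a numeric code on the provider; compare it with the client's method (step 6).
    $auth = (Get-Item "$path\AuthMethod").CurrentValue
    [pscustomobject]@{
        Name           = $Name
        Exists         = $true
        AuthMethod     = $auth
        UserGroups     = @(Get-ChildItem "$path\UserGroups"     | Select-Object -ExpandProperty Name)
        ComputerGroups = @(Get-ChildItem "$path\ComputerGroups" | Select-Object -ExpandProperty Name)
    }
}

# Walk every recorded failure and show the policy it refers to.
foreach ($failure in Get-TsCapDeleteFailures) {
    "{0:u}  CAP '{1}' could not be deleted: {2}" -f $failure.Time, $failure.CapName, $failure.Error
    $cap = Get-TsCapSettings -Name $failure.CapName
    if (-not $cap.Exists) { "  -> CAP no longer exists on this gateway."; continue }
    "  AuthMethod={0}  UserGroups={1}  ComputerGroups={2}" -f $cap.AuthMethod, ($cap.UserGroups -join ', '), ($cap.ComputerGroups -join ', ')
    if ($cap.UserGroups.Count -eq 0) { "  -> no user group is configured on this CAP; check the Requirements tab (step 6)." }
}
```

Run it on the TS Gateway server as a member of the local Administrators group. The group names it prints are the ones to carry into the Active Directory and local-group checks later on this page.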
Ensure that the name for the TS CAP is unique for TS Gateway
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To ensure that the name for the TS CAP is unique for TS Gateway:
  1. Open Network Policy Server. To open Network Policy Server, click Start, click Administrative Tools, and then click Network Policy Server.
  2. In the Network Policy Server console tree, select the node that represents the NPS server with the policies that you want to check.
  3. In the console tree, expand Policies, and then click Connection Request Policies.
  4. In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of TS CAPs configured on the TS Gateway server.
  5. In the console tree, click Network Policies.
  6. In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of TS CAPs configured on the TS Gateway server.
  7. In the console tree, click Health Policies.
  8. In the details pane, note the names of the policies in the list and ensure that none of the policy names match the names of TS CAPs configured on the TS Gateway server.
  9. If any of the policy names in the NPS server match the names of TS CAPs configured on the TS Gateway server, either change the policy name on the NPS server, or change the policy name on the TS Gateway server.
Change the authentication method used by the client to connect to the TS Gateway server by using Group Policy
To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.
To change the authentication method used by the client to connect to the TS Gateway server by using Group Policy:
  1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the OU that you want to edit.
  3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
  4. In the right pane, click the Settings tab.
  5. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway.
  6. In the right pane, in the settings list, right-click Set TS Gateway server authentication method, and then click Properties.
  7. On the Settings tab, confirm that Enabled is selected, and then select the authentication method that you want to use. Ensure that the method that you select is compatible with the authentication method that you have configured for the client. The following choices are available:
    Ask for credentials, use NTLM protocol
    Ask for credentials, use Basic protocol
    Use locally logged-on credentials
    Use smart card
  8. Click OK.
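The GPMC steps above show the setting in one GPO at a time. As an added example (not part of the Microsoft text), the following PowerShell resolves every GPO linked to or inherited by an OU and reports which of them configure the "Set TS Gateway server authentication method" user setting, with each link's precedence, so you can see where the client's method actually comes from. It assumes the policy is stored as the DWORD value GatewayCredentialsSource under HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services, which is the value name the editor recalls from the TerminalServer.admx template; confirm it against the ADMX on your own system, and decode the numeric value with that template as well. The OU distinguished name in the usage call is constructed.

```powershell
# Added example (not Microsoft's text): find which linked or inherited GPOs set the
# TS Gateway authentication method for an OU and read the raw value from each.
# Assumed: registry key and value name (from TerminalServer.admx as recalled; verify locally).
Import-Module GroupPolicy -ErrorAction Stop

$PolicyKey       = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyValueName = 'GatewayCredentialsSource'   # assumed value name

function Get-TsGatewayAuthMethodPolicy {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    # InheritedGpoLinks covers GPOs linked at the OU and those inherited from its parents.
    $links = (Get-GPInheritance -Target $OuDistinguishedName).InheritedGpoLinks
    foreach ($link in $links) {
        try {
            $v = Get-GPRegistryValue -Guid $link.GpoId -Key $PolicyKey -ValueName $PolicyValueName -ErrorAction Stop
            [pscustomobject]@{
                Gpo        = $link.DisplayName
                Precedence = $link.Order        # 1 = applied last, so it wins on conflict
                Enabled    = $link.Enabled
                Enforced   = $link.Enforced
                Value      = $v.Value           # numeric code; decode with the ADMX template
            }
        } catch {
            # Get-GPRegistryValue throws when a GPO does not configure this value; that GPO is skipped.
        }
    }
}

# Constructed usage: replace the DN with the OU that holds the client user accounts.
Get-TsGatewayAuthMethodPolicy -OuDistinguishedName 'OU=Workstations,DC=example,DC=com' |
    Sort-Object Precedence | Format-Table -AutoSize
```

If the table is empty, no GPO in the OU's inheritance chain sets the method and the client is using its own configuration; if several rows appear, the lowest Precedence that is Enabled (or any row marked Enforced) is the one the client receives. The value must still be compared by hand with the method required on the CAP's Requirements tab.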
Confirm that the Active Directory security group specified in the TS CAP exists, and check account membership for the client in this group
Performing this procedure does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To confirm that the Active Directory security group specified in the TS CAP exists:
  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.
  3. Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the TS CAP, and then click Find Now.
  4. If the group exists, it will appear in the search results.
  5. Close the Find Users, Contacts, and Groups dialog box.
To check account membership for the client in this security group:
  1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.
  2. In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.
  3. In the details pane, right-click the user name, and then click Properties.
  4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS CAP, and then click OK.
  5. If client computer group membership has also been specified as a requirement in the TS CAP, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer belongs.
  6. In the details pane, right-click the computer name, and then click Properties.
  7. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the TS CAP, and then click OK.
Confirm that the local security group specified in the TS CAP exists, and check account membership for the client in this group
Performing this procedure does not require membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
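The two dsa.msc procedures above (group existence, then user and computer membership) and the local-group check whose steps are not reproduced on this page can be done in one PowerShell function, shown here as an added example that is not part of the Microsoft text. Domain groups are resolved with the ActiveDirectory module's Get-ADGroup and Get-ADGroupMember, which, unlike the Member Of tab, can follow nested groups; groups defined in Local Users and Computers on the gateway are checked with Get-LocalGroup and Get-LocalGroupMember. The group names, user name and computer name in the usage calls are constructed placeholders; take the real names from the CAP's Requirements tab.

```powershell
# Added example (not Microsoft's text): verify that each group named in a TS CAP exists and
# that the user (and, if the CAP requires it, the client computer) is a member.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-TsCapGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # as listed on the CAP, e.g. 'RDG-Users' or 'CORP\RDG-Users'
        [Parameter(Mandatory)][string]$Principal,   # sAMAccountName of the user, or 'HOSTNAME$' for a computer
        [switch]$Local                              # the group lives in Local Users and Computers on the gateway
    )
    $name = $GroupName -replace '^[^\\]+\\', ''     # drop an optional DOMAIN\ prefix

    if ($Local) {
        $group = Get-LocalGroup -Name $name -ErrorAction SilentlyContinue
        if (-not $group) { return [pscustomobject]@{ Group = $GroupName; Exists = $false; Member = $false } }
        # Get-LocalGroupMember lists direct members only; a domain group nested in the local group is not expanded.
        $members = Get-LocalGroupMember -Group $group | ForEach-Object { ($_.Name -split '\\')[-1] }
        return [pscustomobject]@{ Group = $GroupName; Exists = $true; Member = ($members -contains $Principal) }
    }

    try   { $group = Get-ADGroup -Identity $name -ErrorAction Stop }
    catch { return [pscustomobject]@{ Group = $GroupName; Exists = $false; Member = $false } }
    # -Recursive follows nested group membership, which the Member Of tab in dsa.msc does not show.
    $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{ Group = $GroupName; Exists = $true; Member = ($members -contains $Principal) }
}

# Constructed usage: user groups and computer groups copied from the CAP, one user and its client computer.
$capUserGroups     = @('CORP\RDG-Users')
$capComputerGroups = @('CORP\RDG-Clients')

foreach ($g in $capUserGroups)     { Test-TsCapGroup -GroupName $g -Principal 'jdoe' }
foreach ($g in $capComputerGroups) { Test-TsCapGroup -GroupName $g -Principal 'WS-042$' }

# A group defined locally on the TS Gateway server itself:
Test-TsCapGroup -GroupName 'RDG-LocalUsers' -Principal 'jdoe' -Local
```

A row with Exists = False means the CAP references a group that has been renamed or deleted and the CAP must be edited or recreated; Exists = True with Member = False means the account is simply not in the group. Computer accounts are matched by their sAMAccountName, which carries a trailing dollar sign.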
Reference Links: Event ID 524 from Source Microsoft-Windows-TerminalServices-Gateway
