Remote Desktop Gateway Service – register NPS

I struggled with getting a new Server 2016 Remote Desktop Gateway Service running. I followed the official documentation from Microsoft, configuring two servers as a farm, and creating a single CAP and RAP identically on each server. But every time I tried to connect, I received an error message from the client that my account:

Remote Desktop can't connect to the remote computer "xxxxxxxx" for one of these reasons:
I love those error messages that say “Contact your network administrator for assistance.”

I found a corresponding entry in the Microsoft-Windows-TerminalServices-Gateway/Operational log with the following text:

The user “CAMPUS\[username]”, on client computer “132.198.xxx.yyy”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: “NTLM” and connection protocol used: “HTTP”. The following error occurred: “23003”.

I double-checked the groups I had added to the CAP and verified the account I was using should be authorized. I even removed everything and inserted “Domain Users”, which still failed.

I found different entries that also corresponded to each failure in the System log from the Network Policy Service (NPS) with Event ID 4402 claiming:

“There is no domain controller available for domain CAMPUS.”

I know the server has a valid connection to a domain controller (it logged me into the admin console). But I double-checked using NLTEST /SC_QUERY:CAMPUS. Yup; all good.

A few more Bingoogle searches and I found a forum post about this NPS failure. The marked solution just points to a description of the Event ID, but one of the comments contains the solution: the Network Policy Service on the gateway systems needs to be registered. This instruction is not part of the official documentation, though upon re-reading that doc, I now see that someone has mentioned this step in the comments.

In this case, registration simply means adding the computer objects to the RAS and IAS Servers AD group (requires Domain Admin privs). Once I made this change, I was able to successfully connect to a server using the new remote desktop gateway service.

Many thanks to TechNet forum user Herman Bonnie for posting the very helpful comment.

 

Geoff
Sr. System Administrator at the University of Vermont

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.