Event Information
According to Microsoft:

Cause: This event is logged when the user on the client computer did not meet resource authorization policy requirements and was therefore not authorized to connect to the resource.

Resolution: Ensure that the client meets the requirements of the TS RAP

To resolve this issue, ensure that the clients meet the requirements of at least one Terminal Services resource authorization policy (TS RAP). To determine whether a client meets the requirements of at least one TS RAP, check the TS RAP settings on the TS Gateway server.

Important: If users are connecting to members of a terminal server farm, you must configure a TS RAP that explicitly specifies the name of the terminal server farm. If the name of the terminal server farm is not explicitly specified, users will not be able to connect to members of the farm. For optimal security and ease of administration, to specify the terminal servers that are members of the farm, create a second TS RAP.

Check TS RAP settings on the TS Gateway server

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Note: When you associate a TS Gateway-managed computer group with a TS RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the TS Gateway-managed computer group separately. When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer.

To check TS RAP settings on the TS Gateway server:
- Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
- In the TS Gateway Manager console tree, select the node that represents the local TS Gateway server, which is named for the computer on which the TS Gateway server is running.
- In the console tree, expand Policies, and then click Resource Authorization Policies.
- In the results pane, in the list of TS RAPs, right-click the TS RAP that you want to check, and then click Properties.
- On the User Groups tab, note the name of the user group, so that you can ensure that the specified user group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the user account for the client is a member of this group.
- On the Computer Group tab, if Allow users to connect to any network resource is not selected, do one of the following:
  - If Select an existing Active Directory security group is selected, note the name of the security group, so that you can ensure that the specified group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the computer that the client is trying to connect to is a member of this group.
  - If Select existing TS Gateway-managed computer group or create a new one is selected, ensure that the name of the TS Gateway-managed computer group is correct, and that the computers in this group exist and can be contacted on the network.
- Click OK to close the Properties dialog box for the TS RAP.
- If the client settings and TS RAP settings are not compatible, do one of the following:
  - Modify the client configuration.
  - Modify the settings of the existing TS RAP.
  - Create a new TS RAP.
1. Confirm that the Active Directory security group specified in the TS RAP exists
2. Check account membership for the client in this group

Confirm that the local security group specified in the TS RAP exists, and check account membership for the client and the target computer in this group

To confirm in this group:
- On the TS Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.
- In the console tree, expand Local Users and Groups, and then click Groups.
- In the results pane, locate the local security group that has been created to grant members access to internal network resources through the TS Gateway server. The group name or description should indicate whether the group has been created for this purpose.
- Right-click the group name, and then click Properties.
- On the General tab, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the TS RAP.
- Click OK to close the Properties dialog box for this security group.
- In the results pane, locate the local security group that contains the computers that clients can access through the TS Gateway server.
- Right-click the group name, and then click Properties.
- On the General tab, confirm that the computer account of the target computer is a member of this group.
Create a new TS RAP that specifies the name of a terminal server farm

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To create:
- Open TS Gateway Manager.
- In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
- In the console tree, expand Policies, and then click Resource Authorization Policies.
- In the console tree, right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.
- On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.
- In the Description box, enter a description for the new TS RAP.
- On the User Groups tab, click Add to select the user groups to which you want this TS RAP to apply.
- In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:
  - Type the name of each user group, separating the name of each group with a semi-colon.
  - Add additional groups from different domains by repeating step 7 for each group.
- On the Computer Group tab, do the following:
  a. Click Select an existing TS Gateway-managed computer group or create a new one, and then click Browse.
  b. In the Select a TS Gateway-managed computer group dialog box, click Create New Group.
  c. On the General tab, type a name and description for the new group.
  d. On the Network Resources tab, type the name of the terminal server farm that you want to add, click Add, and then click OK to close the New TS Gateway-Managed Computer Group dialog box.
  e. In the Select a TS Gateway-managed computer group dialog box, click the name of the new computer group, and then click OK to close the dialog box.
- On the Allowed Ports tab, do one of the following:
  - To specify different ports through which clients can connect, click Allow connections through these ports and then type the port number. If you are specifying more than one port, type the number for each port separated by a semi-colon.
  - To allow clients to connect through any port, click Allow connections through any port.
- Click OK to close the Properties dialog box for the TS RAP.
- The new TS RAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS RAP, the policy details appear in the lower pane.
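
The checks in the procedures above (user group membership, computer group membership with the FQDN/NetBIOS and farm-name rules, and allowed ports) can be rehearsed offline. The following Python model is an added example, not Microsoft's code and not part of the original page; the `Rap` class, the policy names, the domain `corp.example` and the matching rules are assumptions that simplify the Note and Important paragraphs.

```python
# Simplified troubleshooting model of TS RAP evaluation (assumed rules, not Microsoft's code).
from dataclasses import dataclass

@dataclass
class Rap:
    name: str
    user_groups: set                      # groups on the User Groups tab
    group_type: str                       # "any", "ad" (AD security group) or "managed"
    computers: frozenset = frozenset()    # names as entered (managed) or member FQDNs (ad)
    ports: frozenset = frozenset({3389})  # empty set models "any port"

def target_matches(rap, target, gateway_domain):
    t = target.lower()
    if rap.group_type == "any":
        return True
    members = {c.lower() for c in rap.computers}
    if rap.group_type == "managed":
        # Managed groups match only the names that were added, so the FQDN,
        # the NetBIOS name and the farm name must each be listed.
        return t in members
    # AD group: a NetBIOS name resolves only within the gateway's own domain.
    if "." in t:
        return t in members
    return f"{t}.{gateway_domain.lower()}" in members

def evaluate(raps, user_groups, target, port, gateway_domain):
    """Return (authorized, reasons); reasons say why each RAP did not match."""
    reasons = []
    for rap in raps:
        if not rap.user_groups & set(user_groups):
            reasons.append(f"{rap.name}: user is not in any listed user group")
        elif not target_matches(rap, target, gateway_domain):
            reasons.append(f"{rap.name}: '{target}' is not in the computer group")
        elif rap.ports and port not in rap.ports:
            reasons.append(f"{rap.name}: port {port} is not allowed")
        else:
            return True, [f"{rap.name}: all requirements met"]
    return False, reasons

# Constructed sample policies: one RAP for the farm name, a second for its members.
RAPS = [
    Rap("Farm-RAP", {"CORP\\TS Users"}, "managed", frozenset({"tsfarm.corp.example"})),
    Rap("Members-RAP", {"CORP\\TS Users"}, "ad",
        frozenset({"ts01.corp.example", "ts02.corp.example"})),
]
```

With these sample policies the farm is reachable only as `tsfarm.corp.example`; a client that types `tsfarm` is refused by both RAPs until that name is also added to the managed group.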