"The logon attempt failed" for TS (RD) Gateway Authentication

I've been using TS Gateway to permit remote access for our staff for a few months now, and all has been well. Users either connect to a traditional terminal server desktop or hit our website and start a TS RemoteApp application; in both cases the connection is routed through a TS Gateway.

However, I came into work this morning to find that it has stopped authenticating users through TS Gateway, each time returning "The logon attempt failed" as seen in the image even though the credentials are correct.

It should be noted that everything works fine if the Gateway is taken out of the equation, it's the TS Gateway component that is causing these problems.

Users experience this problem whether they connect through XP SP3, Vista or 7.

On the server a total of 4 entries appear in the Windows security log at exactly the same time for each failed logon attempt: two 4624 "An account was successfully logged on" messages for the user, immediately followed by two 4634 "An account was logged off"s. This suggests that the server is accepting the credentials as correct, then booting the user off. Nothing at all is recorded in the NPS and Terminal Server logs.

A reboot doesn't change things. Neither does completely removing and reinstalling the NPS and Terminal Server roles. I'm baffled as to how this can happen suddenly without warning.

Any suggestions would be greatly appreciated.


This problem has been plaguing me for months on an SBS 2008 machine, but has never been critical enough to go to crazy measures to fix.

After resorting to uninstalling and reinstalling the TS Gateway service and it still not working, I went to IIS Manager → Sites → SBS Web Applications → Rpc → Authentication and found only "Basic Authentication" was enabled.

Though details on this particular error are scarce online, I have seen that Outlook Anywhere seems to change IIS Authentication schemes. Since this is SBS, I figured Exchange and TS Gateway might be fighting over the authentication setting.

I enabled "Windows Authentication" then ran an IIS reset. When IIS came back online, I was able to connect via TS Gateway to two servers and at least one workstation. I connected and disconnected multiple times and it had no problems.

I can't guarantee this is permanent, but I'm definitely hoping.

EDIT: Since making this change, I haven't had any problems with TS Gateway.


Ok here is the answer?

2k8r2 and iis7

TSGateway repeatedly asks for credentials but does not log in...

Turns out that TSGateway doesn’t do the connection and authentication, IIS does. Surprise, Ya I know….

TSGateway only filters and routes.

So, Now, what part of IIS does the connection and authentication for TSGateway? I don’t know. And apparently, no one else really does either. But if you mess with the Authentication settings of RDWEB, RPC, RPCWCERT, Default WEB SITE, Authdiscover, you can make it work…

This is a good article. But as you see, it’s a shot in the dark with them also.

NOTE: Apparently, redirection of the Default Web Site breaks communication to RDWeb and therefore TSGateway.

HTTP – HTTPS redirection…

It looks like my default web site came as HTTPs but I wanted it to be reachable from HTTP users. So I created a redirection web site to redirect HTTP requests to the Default Web Site as HTTPS. Which works great but it stopped my TSGateway authentication. (I think it was because port 80 was being used by the redirection web site. And for some reason, RDWEB uses port 80 as well as 443 for communications…)

By the way, if you turn off Require SSL in SSL Settings on the default web site in IIS, it does work correctly and does the same thing…

Anyhow, start by getting RDWEB working correctly then, work on TSGateway.

RDWEB should have only: Anonymous Authentication Enabled. AutoDiscovery should have Anonymous, Basic and Windows Authentication Enabled. OWA: Basic Only. RPC: should have: Basic and Windows Authentication. RPCWCert: Should not have anything enabled. At least those are the settings in My setup…

Good Luck.

Robert


The Terminal Services Gateway windows service kept failing for us.

In the absence of anything useful in the event logs, I just get task scheduler to "net start tsgateway" a few times every hour. Horrible, but zero complaints ever since.


I had a similar problem. I found I had to edit IIS Manager → Sites → SBS Web Applications → Rpc With Cert → Authentication and added Windows Authentication. Then performed an IISRESET and all worked as it should.


Had the same exact issues as the original post. I was also redirecting the default web site to /RDWeb/Pages/en-US; once I took that redirect off everything worked as normal.

I'm bewildered how this even caused the issue in all honesty.
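
The answers above all come down to which IIS authentication schemes are enabled on the gateway's virtual directories. The following read-only audit script is an added example, not part of any post in this thread; the site name, the virtual directory names (`RDWeb`, `Rpc`, `RpcWithCert`) and the baseline, which is copied from the one answer that lists its own working settings, are assumptions to adjust for your server.

```powershell
# Read-only audit of IIS authentication on the TS/RD Gateway virtual directories.
# Assumption: site name; the SBS answers above use 'SBS Web Applications'.
param([string]$Site = 'Default Web Site')
Import-Module WebAdministration

# Baseline from one answer's own setup; a starting point, not a vendor requirement.
$baseline = [ordered]@{
    'RDWeb'       = @('anonymous')
    'Rpc'         = @('basic', 'windows')
    'RpcWithCert' = @()
}

function Get-ConfigValue($Location, $Filter, $Name) {
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter $Filter -Name $Name
    # The cmdlet returns either the raw value or an attribute object with .Value
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

$report = foreach ($vdir in $baseline.Keys) {
    if (-not (Test-Path "IIS:\Sites\$Site\$vdir")) {
        Write-Warning "'$Site/$vdir' not found; check the site and directory names."
        continue
    }
    $location = "$Site/$vdir"
    $enabled = @(foreach ($scheme in 'anonymous', 'basic', 'windows') {
        $filter = "system.webServer/security/authentication/${scheme}Authentication"
        if (Get-ConfigValue $location $filter 'enabled') { $scheme }
    })
    $expected = @($baseline[$vdir])
    [pscustomobject]@{
        Path     = $location
        Enabled  = ($enabled  | Sort-Object) -join ','
        Expected = ($expected | Sort-Object) -join ','
        Matches  = (($enabled | Sort-Object) -join ',') -eq (($expected | Sort-Object) -join ',')
        # Basic auth sends the password base64-encoded, so compare this column
        # against any row where 'basic' is enabled.
        SslFlags = Get-ConfigValue $location 'system.webServer/security/access' 'sslFlags'
    }
}

$report | Format-Table -AutoSize
```

Running it before and after an Exchange or Outlook Anywhere configuration change shows whether the authentication settings on these directories were altered, which is what the first answer suspected.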