The following error occurred 23003

I set up an RD Gateway on both Windows Server 2016 and Windows Server 2019. That should be a straightforward process following the Microsoft doc and multiple other websites (https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure).

When I try to connect I receive this error message in the event log Windows -> TerminalServices-Gateway:

The user "DOMAIN\Username", on client computer "IP", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

I found a lot of documentation claiming that registering the NPS server (https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-register) should fix that issue, so I registered the server. Both are now in the "RAS and IAS Servers" domain security group. But we still receive the same error. Could we have broken that group's effect in the past?

I continued investigating and found the Audit Failure entry in the Security event log:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
  Security ID: NULL SID
  Account Name: DOMAIN\Username
  Account Domain: DOMAIN
  Fully Qualified Account Name: DOMAIN\Username

Client Machine:
  Security ID: NULL SID
  Account Name: LM-G710-8.0.0
  Fully Qualified Account Name: -
  Called Station Identifier: UserAuthType:PW
  Calling Station Identifier: -

NAS:
  NAS IPv4 Address: -
  NAS IPv6 Address: -
  NAS Identifier: -
  NAS Port-Type: Virtual
  NAS Port: -

RADIUS Client:
  Client Friendly Name: -
  Client IP Address: -

Authentication Details:
  Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
  Network Policy Name: -
  Authentication Provider: Windows
  Authentication Server: SERVER.FQDN.com
  Authentication Type: Unauthenticated
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 7
  Reason: The specified domain does not exist.

I then found this thread, which claims that I should disable NPS authentication:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/f49fe666-ac4b-4bf9-a332-928a547cff77/remote-desktop-gateway-denying-connections

I tried it, but disabling NPS authentication leaves me with a bad impression…

Does anyone have a clue why I cannot resolve the domain?

For testing/debugging purposes I installed the RD Gateway on an AD member server in the main network, with no firewall other than the Windows one.

The only thing I can suspect is that we broke the "RAS and IAS Servers" AD group in the past.

Question

Hello! I am trying to test MFA through RD Gateway following this instruction:

Deploy 3 servers to test the technology: DC+NPS, Terminal+TSGW and MFA.

I want to connect to the terminal server through the RD Gateway with Azure MFA, using OTP and Windows credentials.

1) Unfortunately my scheme didn't work. In the TerminalServices-Gateway event log I have an error message:

The user "username", on client computer "%computername%", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

What am I doing wrong?

2) What does the One-Time Passcode dialog look like in this case? I have seen many instructions, but none of them has this screenshot!

p.s. I tried RD Gateway + DUO MFA: 15 minutes and everything works. I tried Azure MFA + RD Gateway: 3 days killed and nothing. 🙁


Answers

In order to narrow down the problem, detailed tracing/monitoring/log files are necessary. I am afraid that we are unable to provide more detailed log analysis on the forum.

I would suggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

Thank you for your understanding.

Best Regards,
Eve Wang

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  • Proposed as answer by Eve Wang Microsoft contingent staff Wednesday, February 27, 2019 9:29 AM
  • Marked as answer by JonathanBilodeau Wednesday, February 27, 2019 1:24 PM

I want to confirm with you whether you have configured a single RD Gateway for your RDS deployment, or two RD Gateways for an HA (high availability) configuration?

If it is RD Gateway, please check "RDS 2012 – Configuring a RD Gateway Farm" for detailed configuration steps:
https://ryanmangansitblog.com/2013/03/31/rds-2012-configuring-a-rd-gateway-farm/comment-page-1/

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Besides, if possible, please disable one of the gateways and check the connection result.

Best Regards,
Eve Wang


I have configured a single RD Gateway for my RDS deployment. Both gateways were not configured and up at the same time; when I tried Server 2016, I had already decommissioned the Server 2019. I wanted to validate that the issue was not with the Windows 2019 server.

Currently I only have the Server 2019 configured and up. And I still need to bypass the NPS authentication to have the RD Gateway functional.

> Reason Code: 7. Reason: The specified domain does not exist.

We may try to narrow down the problem from the communication between NPS and the DC. Please reference the link below and check the details:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735393(v=ws.10)

Best Regards,
Eve Wang


The log file contains data; I cross-referenced the datetime of the event log entry at 2019-02-19 6:06:05 PM:

The user "DOMAIN\Username", on client computer "IP", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

I found two log entries at the same time:

"RDGW01","RAS",02/19/2019,18:06:05,1,"DOMAIN\Username","DOMAIN\Username","UserAuthType:PW",5,12,7,,0,"311 1 172.18.**.** 02/18/2019 21:02:56 6","TS GATEWAY AUTHORIZATION POLICY",1
"RDGW01","RAS",02/19/2019,18:06:05,3,,"DOMAIN\Username",7,,7,"311 1 172.18.**.** 02/18/2019 21:02:56 6","TS GATEWAY AUTHORIZATION POLICY",1

Based on the article, does that mean the RD Gateway/NPS server can communicate with the DC but cannot identify my user?

Yes, as you mentioned. If domain controllers are available and NPS has received and processed connection requests, recent log file entries will appear in the file.

Please open RD Gateway Manager – Properties – RD CAP Store; by default it uses the local server running NPS. Please confirm this configuration.

Then open Network Policy Server – Policies; if possible, please disable/enable them one by one to narrow down the problem and confirm whether it is a specific policy-related problem.

Best Regards,
Eve Wang


This is the default RD Gateway CAP configuration:

If the user is a member of any of the following user groups:
  DOMAIN\Domain Users
If the client computer is a member of any of the following computer groups:
  Not applicable (no computer group is specified)
If the user uses the following supported Windows authentication methods:
  Password
Allow the user to connect to this RD Gateway server and disable device redirection for the following client devices:
  Not applicable (device redirection is allowed for all client devices)
After the idle timeout is reached:
  Not applicable (no idle timeout)
After the session timeout is reached:
  Not applicable (no session timeout)

The RD CAP Store property is set to "Local server running NPS".

In the settings of the default configured "TS GATEWAY AUTHORIZATION POLICY", under Authentication, I need to change from "Authenticate requests on this server" to "Accept users without validating credentials" to allow access. When I choose "Authenticate requests on this server", I again receive:

The user "DOMAIN\Username", on client computer "XXX.XXX.XXX.XXX", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

In the Security audit event log I found the following 4 events:

Group membership information.

The user gets authenticated, but for an unknown reason the policy blocks it.

I reviewed the default policy configuration, and everything was created by Server Manager:

  • Policy enabled
  • Type of network access server: Remote Desktop Gateway
  • NAS Port Type: Virtual (VPN)
  • Authenticate requests on this server


tl;dr – The Remote Desktop Gateway policy is missing or incorrect. Solution here.

We’ve now installed quite a lot of Windows 2012 Essentials servers. Overall they’re very well behaved, low-resource and easy to manage with one caveat. Remote Access (whether using Remote Web Access or VPN) seems to be fraught with authentication problems.
The most recent one that I’ve found the correct solution for is the following error from the RDP client when connecting to a computer through the Remote Web Workplace:

"The user attempted to use an authentication method that is not enabled on the matching network policy."

Server-side, the “Audit Failure” error in the Security log was equally unhelpful:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
 Security ID: 
 Account Name: 
 Account Domain: 
 Fully Qualified Account Name: 
Client Machine:
 Security ID: NULL SID
 Account Name: 
 Fully Qualified Account Name: -
 OS-Version: -
 Called Station Identifier: UserAuthType:PW
 Calling Station Identifier: -
NAS:
 NAS IPv4 Address: -
 NAS IPv6 Address: -
 NAS Identifier: -
 NAS Port-Type: Virtual
 NAS Port: -
RADIUS Client:
 Client Friendly Name: -
 Client IP Address: -
Authentication Details:
 Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
 Network Policy Name: -- RDG Marker Policy
 Authentication Provider: Windows
 Authentication Server:
 Authentication Type: Unauthenticated
 EAP Type: -
 Account Session Identifier: -
 Logging Results: Accounting information was written to the local log file.
 Reason Code: 65
 Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Other reason codes that seem to crop up for the same issue:

48 - The connection request did not match a configured network policy, so the connection request was denied by Network Policy Server.
49 - The connection request did not match a configured connection request policy, so the connection request was denied by Network Policy Server.

And the Microsoft –> Windows –> Terminal Services Gateway –> Operational event log contains the following:

The user "XXXXXX", on client computer "XX.XX.XX.XX", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "RPC-HTTP". The following error occurred: "23003".

A bit of googling on this error leads here, which doesn’t fix the problem in this instance but is quick and easy so worth trying if you’re struggling with this issue.

Digging through the Network Policies (Administrative Tools –> Network Policy Server) didn’t reveal any clues – the policies appear to be correctly scoped and allow the types of authentication being used:

[screenshot: NPS]

These are the default policies configured by the Anywhere Access wizard. I tried recreating them from scratch, and setting them to be as permissive as possible, none of which made any difference.

Eventually searching against the Terminal Services Gateway error led to this page from Microsoft, which explains that the error is caused by problems with the Terminal Services Gateway policy and *not* the Network Policy as the Security Log error suggests.

The Fix

2012 Essentials doesn’t include the Terminal Services Gateway management tools, as the Wizard and Dashboard are supposed to manage all the relevant settings automagically. This means we can’t check the Terminal Services Gateway policy without installing them (DISM takes the feature name as a separate /FeatureName argument):

 dism /online /Enable-Feature /FeatureName:Gateway-UI

Once these are installed, open the RD Gateway Manager (Administrative Tools –> Remote Desktop Services –> RD Gateway Manager) and either check that the policies listed have suitable settings or, more likely, note that there aren’t any policies present at all:

[screenshot: RDG Policies]

Just use the “Create New Policy” wizard to create a suitable policy; most likely you’ll want to allow access for the WseAllowComputerAccess group – this is how the Essentials wizard will create the policy on the rare occasions that it actually works.

I struggled with getting a new Server 2016 Remote Desktop Gateway Service running. I followed the official documentation from Microsoft, configuring two servers as a farm, and creating a single CAP and RAP identically on each server. But every time I tried to connect, I received an error message from the client that my account:

Remote Desktop can't connect to the remote computer "xxxxxxxx" for one of these reasons:

I love those error messages that say “Contact your network administrator for assistance.”

I found a corresponding entry in the Microsoft-Windows-TerminalServices-Gateway/Operational log with the following text:

The user “CAMPUS\[username]”, on client computer “132.198.xxx.yyy”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: “NTLM” and connection protocol used: “HTTP”. The following error occurred: “23003”.

I double-checked the groups I had added to the CAP and verified the account I was using should be authorized. I even removed everything and inserted “Domain Users”, which still failed.

I found different entries that also corresponded to each failure in the System log from the Network Policy Service (NPS) with Event ID 4402 claiming:

“There is no domain controller available for domain CAMPUS.”

I know the server has a valid connection to a domain controller (it logged me into the admin console). But I double-checked using NLTEST /SC_QUERY:CAMPUS. Yup; all good.

A few more Bingoogle searches and I found a forum post about this NPS failure. The marked solution just points to a description of the Event ID, but one of the comments contains the solution: the Network Policy Service on the gateway systems needs to be registered. This instruction is not part of the official documentation, though upon re-reading that doc, I now see that someone has mentioned this step in the comments.

In this case, registration simply means adding the computer objects to the RAS and IAS Servers AD group (requires Domain Admin privs). Once I made this change, I was able to successfully connect to a server using the new remote desktop gateway service.

Many thanks to TechNet forum user Herman Bonnie for posting the very helpful comment.
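The checks that the forum thread above and the two blog posts converge on (NPS registration in "RAS and IAS Servers", the secure channel to a DC, and correlating the gateway's 23003 events with the NPS audit failures and their reason codes) can be run together from one script. The following is an added example, not code from any post or blog on this page; it assumes it runs elevated on the RD Gateway with the RSAT ActiveDirectory module installed, and the 6273 event-data field names (SubjectUserName, ProxyPolicyName, ReasonCode, Reason) are assumed from that event's XML. The reason-code text is only what this page quotes for codes 7, 48, 49 and 65.

```powershell
# Added diagnostic script; not code from any post or blog on this page.
# Assumptions: run elevated on the RD Gateway itself, the RSAT ActiveDirectory
# module is installed, and the caller can read the Security log. The 6273
# event-data field names used below are assumed from that event's XML.
#Requires -RunAsAdministrator
param(
    [string]$Domain = $env:USERDOMAIN,   # domain the gateway is joined to
    [int]$Hours = 24                     # how far back to correlate events
)

Import-Module ActiveDirectory -ErrorAction Stop

# Only the reason codes quoted on this page; other codes fall back to the event's own text.
$PageReasonCodes = @{
    7  = 'The specified domain does not exist'
    48 = 'No matching network policy'
    49 = 'No matching connection request policy'
    65 = 'Network Access Permission on the account Dial-in tab is Deny'
}

function Test-NpsRegistration {
    # "Registering NPS" means the gateway's computer object is in RAS and IAS Servers.
    $members = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $self = "$env:COMPUTERNAME`$"        # computer accounts end in "$"
    [pscustomobject]@{
        Check  = 'RAS and IAS Servers membership'
        Passed = [bool]($members -contains $self)
        Detail = "members: $($members -join ', ')"
    }
}

function Test-SecureChannel {
    # Same check the second blog post used: NLTEST /SC_QUERY:<domain>
    $out = & nltest.exe "/sc_query:$Domain" 2>&1
    [pscustomobject]@{
        Check  = "Secure channel to $Domain"
        Passed = ($LASTEXITCODE -eq 0)
        Detail = (($out | Out-String) -replace '\s+', ' ').Trim()
    }
}

function Get-GatewayCapFailures {
    # CAP denials land in the TerminalServices-Gateway Operational log with "23003" in the text.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '23003' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-NpsDenials {
    # Security event 6273 = "Network Policy Server denied access to a user".
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code   = [int]$data['ReasonCode']
        $reason = $data['Reason']
        if ($PageReasonCodes.ContainsKey($code)) { $reason = $PageReasonCodes[$code] }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $data['SubjectUserName']
            CRP         = $data['ProxyPolicyName']   # connection request policy name
            ReasonCode  = $code
            Reason      = $reason
        }
    }
}

@(Test-NpsRegistration; Test-SecureChannel) | Format-Table -AutoSize
"RD Gateway CAP failures (23003) in the last $Hours h:"
Get-GatewayCapFailures | Format-Table -AutoSize
"NPS denials (Security 6273) in the last $Hours h; match them to the gateway events by timestamp:"
Get-NpsDenials | Format-Table -AutoSize
```

A gateway that fails the membership check but passes the secure-channel check is the situation both the thread and the second blog post describe: the DC is reachable, yet NPS still reports reason code 7 until the computer object is added to the group.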
