RDS2012 - Gateway error - intermittent, mainly when reconnecting to existing sessions

Piotr Ostrowski 21 Reputation points
2021-06-16T14:22:53.903+00:00

Hi!
RDS 2012 R2, Windows 10.
NTLMv1 only in the secpol on the RDSH, and the whole RDS infra.
NTLMv2 only in the secpol on the clients.

Certificates on the RDS are OK. Regular deployment with RDCB HA. Same AD forest.
At the collection level: Negotiate and Client Compatible.

When users have left their sessions and try connecting to resources again, they receive the following error:

Your computer can not connect to the remote desktop Gateway Server. Contact your administrator for assistance.

There is no pattern to it, but people sometimes roam between networks while trying to reconnect to their resources.
Plenty of event ID 4265s.
On the gateway: event IDs like 312, 311 (user cannot be authenticated yet).
Users also get the gateway error from inside (logically from the LAN).
It lasts for a particular user for a few hours, or a quarter, and then suddenly event ID 200 comes in and the user can reach the resources.

The question is:
* Does NTLMv2 have to be configured on the RDSH, or on the RDCB, RDGW and RDWI (the whole estate along with the collection session hosts)?
* Or does it have to be configured only on the session hosts?

Where could I stumble upon some useful information which can lead me to a resolution of this problem, which is very frustrating to the end users?

Any route highly appreciated.


Accepted answer
  1. Leila Kong 3,696 Reputation points
    2021-07-15T09:55:11.043+00:00

    Hello @piotro-7338 ,

    For further professional help, we sincerely recommend that you open a case to Microsoft support: https://support.microsoft.com/en-us/help/4341255/support-for-busines
    Thanks for your cooperation!


6 additional answers

  1. Leila Kong 3,696 Reputation points
    2021-06-17T06:54:20.95+00:00

    Hello @piotro-7338 ,

    Thanks for your query.

    Please try to change the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to a value of 3.

    your computer can't connect to the remote desktop gateway server: https://social.technet.microsoft.com/Forums/en-US/d442305b-f383-403e-9ed2-0511e5b3d8ff/your-computer-cant-connect-to-the-remote-desktop-gateway-server?forum=winserverTS
    Ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960646(v=technet.10)
    and
    https://support.microsoft.com/en-us/help/2903333/terminal-services-client-connection-error-0xc000035b-when-you-use-lmco

    FYI:
    Can't connect to RD Gateway server from Windows 10 1709? : https://social.technet.microsoft.com/Forums/office/en-US/8d7a95eb-9508-4725-8f13-5992c19cfb9f/cant-connect-to-rd-gateway-server-from-windows-10-1709?forum=winserverTS
    “Your computer can´t connect to the Remote Desktop Gateway server. Contact your network administrator for assistance.”: https://social.technet.microsoft.com/Forums/windows/en-US/b6ddf8a5-81dc-4a7a-a967-e8601f3d66b7/8220your-computer-cant-connect-to-the-remote-desktop-gateway-server-contact-your-network?forum=winserveressentials

    Best regards,
    Leila

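The answer above points at LmCompatibilityLevel on one machine, but the thread's real question is which tier is out of step. As an added example (not code from the thread or from Microsoft), the following PowerShell inventories LmCompatibilityLevel on every RDS role server and the domain controller, decodes the value to its policy meaning, and on each host also reads the EnforceChannelBinding DWORD that KB 2903333 (linked later in the thread) describes as "method 2" on the RD Gateway. Host names and role grouping are placeholders. One caveat worth knowing before choosing method 2: EnforceChannelBinding=0 tells the gateway to stop requiring a channel binding token in the client's NTLM response, i.e. it switches off Extended Protection for Authentication on that hop, which is the protection against relaying NTLM authentication to the gateway over a different TLS session. Raising the client level to 3 or higher keeps that protection intact, so it is the preferable fix where the security team allows it.

```powershell
# Added example (not from the thread): inventory the NTLM settings that decide whether an
# RD Gateway connection authenticates. All host names below are placeholders (assumed).
# Needs WinRM to the targets and local admin rights there.

$RdsRoles = @{
    RDSH = @('rdsh01.corp.example', 'rdsh02.corp.example')  # session hosts in the collection
    RDCB = @('rdcb01.corp.example', 'rdcb02.corp.example')  # HA connection brokers
    RDGW = @('rdgw01.corp.example')                          # RD Gateway
    RDWA = @('rdwa01.corp.example')                          # RD Web Access
    DC   = @('dc01.corp.example')                            # domain controller (final NTLM verifier)
}

# 'Network security: LAN Manager authentication level'. 3 and above = this host sends NTLMv2 only;
# 4 and 5 additionally make it, as a server/DC, refuse LM and then NTLM(v1) from others.
$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-RdsNtlmSettings {
    param([hashtable]$Roles = $RdsRoles)
    $results = foreach ($role in $Roles.Keys) {
        Invoke-Command -ComputerName $Roles[$role] -ArgumentList $role -ScriptBlock {
            param($RoleName)
            $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            $lvl = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
            # Absent value = OS default, which is 3 on Windows 7 / Server 2008 R2 and later.
            $level = 3
            if ($null -ne $lvl) { $level = [int]$lvl }

            # Only meaningful on the gateway: KB 2903333 method 2 creates this DWORD with value 0 so the
            # gateway no longer requires a channel binding token in the NTLM response.
            $core = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
            $ecb  = (Get-ItemProperty -Path $core -Name EnforceChannelBinding -ErrorAction SilentlyContinue).EnforceChannelBinding
            $binding = 'default (enforced)'
            if ($null -ne $ecb) { $binding = [int]$ecb }

            [pscustomobject]@{
                Role                  = $RoleName
                Computer              = $env:COMPUTERNAME
                LmLevel               = $level
                Explicit              = ($null -ne $lvl)   # $false means the value is not set and the default applies
                EnforceChannelBinding = $binding
            }
        }
    }
    foreach ($r in $results) {
        $r | Add-Member -NotePropertyName Meaning -NotePropertyValue $LmLevelText[$r.LmLevel] -PassThru
    }
}

function Set-LmCompatibilityLevel {
    # Change the level on a set of hosts, e.g.:  Set-LmCompatibilityLevel -ComputerName $RdsRoles.RDSH -Level 3
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Level -ScriptBlock {
        param($Level)
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value $Level -Type DWord
        # Read back so the caller sees what each host now has
        Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel | Select-Object PSComputerName, LmCompatibilityLevel
    }
}

# Report: one row per host, sorted by role, so mismatches between clients (NTLMv2 only) and the
# RDS tiers stand out.
Get-RdsNtlmSettings | Sort-Object Role, Computer |
    Format-Table Role, Computer, LmLevel, Explicit, Meaning, EnforceChannelBinding -AutoSize
```

Run the report first and only then decide where to set the level; a host that shows Explicit = False is running on the OS default rather than on anything the security team configured, which is usually the first surprise in estates that were hardened tier by tier.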

  2. Leila Kong 3,696 Reputation points
    2021-06-22T10:26:52.8+00:00

    Hello @piotro-7338 ,

    Just checking in to see if the information provided was helpful.
    Please let us know if you would like further assistance.


  3. Piotr Ostrowski 21 Reputation points
    2021-06-23T19:13:38.137+00:00

    thank you,

    1. As for changing the registry LmCompatibilityLevel to 3: do you mean changing this on the endpoints?
    2. The referenced link https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960646(v=technet.10) does not work; the page does not exist any longer...
    3. In case, for some reason, changing NTLMv2 on the client back to NTLMv1 is not allowed by your security team, and you pick method 2, which is the channel binding on the Gateway (https://learn.microsoft.com/en-US/troubleshoot/windows-server/remote/0xc000035b-when-you-use-lmcompatibility), then what are the implications? Are there any for security? Does it become less secure, or does actually nothing change? What are those channels actually? Are those the virtual channels which carry media, clipboard etc., or something else?
    4. Changing the protocol to RPC-HTTP indeed did the trick, at least in most cases where this has been applied, but I saw this problem with the gateway error coming most frequently when reconnecting to existing sessions, or when you roam between networks and try using the same web session within the RDWA that was opened to / authorized before you changed the network (so you log in to the RDWA, get your icons, launch the resource, then roam (switch to Wi-Fi for instance), get disconnected, and, with the same web browser session to the web interface still open, hit the application shortcut again).
      All on Windows 10 19XX married to RDS 2012 R2.

    Thank you for any hints or routing somewhere.


  4. Leila Kong 3,696 Reputation points
    2021-06-24T06:34:39.973+00:00

    Hello @piotro-7338 ,

    Thanks for your feedback.

    1. Will the same issue occur if you remote to the session host bypassing the RD Gateway, using a client that has NTLMv2 enabled, on the corporate network? If so, we need to configure NTLMv2 on the RDSH, or on the RDCB, RDGW and DC. Please try to set up a test environment.

    2. You may also enable NTLM authentication audit logging to check if you can track down some problems, based on the following document:
    How to Enable NTLM Authentication Audit Logging?
    http://woshub.com/disable-ntlm-authentication-windows/

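The NTLM audit logging suggested above is most useful when the audit events are read next to the gateway's own 311/312 failures and 200 successes that the question describes, for the one user who is stuck. As an added example (not the thread's or the linked article's code), the PowerShell below enables NTLM auditing on a server through the two "Network security: Restrict NTLM" registry values and the Microsoft-Windows-NTLM/Operational channel, then pulls NTLM audit events (8001-8004) and RD Gateway operational events for a named user into one timeline. The gateway host name and the user name are placeholders; run Enable-NtlmAudit locally on the gateway (or on whichever server you want audited) with admin rights, and run the query from a machine that can read both logs remotely.

```powershell
# Added example (not from the thread): turn on NTLM auditing on the server where this runs, then
# correlate NTLM audit events with RD Gateway authorization events for one user.
# The gateway name and account below are placeholders (assumed).

$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Enable-NtlmAudit {
    # 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' -> 2 = enable auditing for all accounts.
    # Audit only: nothing is blocked, which is what you want while the gateway problem is still open.
    New-ItemProperty -Path $Msv -Name AuditReceivingNTLMTraffic -Value 2 -PropertyType DWord -Force | Out-Null
    # 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' -> 1 = audit all.
    New-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic -Value 1 -PropertyType DWord -Force | Out-Null
    # The audit events are written to this channel; make sure it is enabled.
    wevtutil.exe sl Microsoft-Windows-NTLM/Operational /e:true
    Get-ItemProperty -Path $Msv | Select-Object AuditReceivingNTLMTraffic, RestrictSendingNTLMTraffic
}

function Get-NtlmAndGatewayEvents {
    param(
        [Parameter(Mandatory)][string]$UserName,              # e.g. 'CORP\jdoe' (placeholder)
        [datetime]$Since = (Get-Date).AddHours(-4),
        [string]$GatewayName = 'rdgw01.corp.example'          # placeholder
    )
    # 8001 = outgoing NTLM, 8002 = incoming NTLM, 8003/8004 = domain-account NTLM audited on server/DC
    $ntlm = Get-WinEvent -ComputerName $GatewayName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = $Since
    }
    # 200 = connection authorization policy met; 311/312 = the failures the question reports
    $gw = Get-WinEvent -ComputerName $GatewayName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        Id        = 200, 311, 312
        StartTime = $Since
    }
    # @() on both sides so a single event (not an array) still concatenates
    @($ntlm) + @($gw) |
        Where-Object { $_.Message -match [regex]::Escape($UserName) } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (placeholders): enable auditing once on the gateway, then build the per-user timeline.
Enable-NtlmAudit
Get-NtlmAndGatewayEvents -UserName 'CORP\jdoe' -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

Read the timeline from the first 311/312 to the first 200: if the NTLM audit events in between show the client's authentication being negotiated in a different form than on the working connection, or show no incoming NTLM event at all, that narrows the fault to the client-to-gateway hop rather than to the collection's session hosts.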
