Specify a New Central TS CAP Store

Applies To: Windows Server 2008

Terminal Services connection authorization policies (TS CAPs) allow you to specify who can connect to a TS Gateway server. You can specify a local TS CAP store (TS CAPs that are stored on the TS Gateway server) or a central TS CAP store [TS CAPs that are stored on a central Network Policy Server (NPS server), formerly known as a Remote Authentication Dial-In User Service (RADIUS) server].

By using a central NPS server for TS Gateway, you can centralize the storage, management, and validation of TS CAPs.

If you use a central TS CAP store, you must establish a network connection from the TS Gateway server to the NPS server. To do this, you must specify a shared secret.

When you create and use the shared secret, you must use the same case-sensitive shared secret that you specified when configuring the TS Gateway server as a RADIUS client on the central NPS server.

We also recommend that you do the following:

  • Generate long shared secrets (more than 22 characters) composed of a random sequence of letters, numbers, and punctuation.

  • Change the shared secret often.
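One way to generate a shared secret that meets the recommendation above, shown as an added PowerShell example that is not part of the original documentation. The function name New-RadiusSharedSecret, the default length of 32, and the punctuation set (which leaves out quotes, backslash, backtick, and space to avoid copy and paste problems) are assumptions made for this example.

```powershell
# Added example: hypothetical helper, not a built-in cmdlet.
function New-RadiusSharedSecret {
    param(
        # The guidance asks for more than 22 characters, so 23 is the minimum.
        [ValidateRange(23, 128)]
        [int]$Length = 32
    )

    $letters     = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $digits      = '0123456789'
    $punctuation = '!#$%&()*+,-./:;<=>?@[]^_{|}~'   # assumed set, see lead-in
    $alphabet    = ($letters + $digits + $punctuation).ToCharArray()

    # Bytes at or above this limit are discarded so that every character
    # is equally likely (plain modulo on a random byte would be biased).
    $limit = 256 - (256 % $alphabet.Length)

    # Cryptographic RNG; Get-Random is not intended for generating secrets.
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 1

    do {
        $chars = New-Object System.Text.StringBuilder
        while ($chars.Length -lt $Length) {
            $rng.GetBytes($buffer)
            if ($buffer[0] -lt $limit) {
                [void]$chars.Append($alphabet[$buffer[0] % $alphabet.Length])
            }
        }
        $secret = $chars.ToString()
        # Regenerate in the rare case that a character class is missing.
    } until ($secret -match '[A-Za-z]' -and
             $secret -match '[0-9]' -and
             $secret -match '[^A-Za-z0-9]')

    return $secret
}

# Generate one secret. The same case-sensitive value is entered on the
# NPS server (RADIUS client entry) and in the TS Gateway Shared Secret box.
New-RadiusSharedSecret -Length 32
```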

Important

If you have not done so already, you must also create a Terminal Services resource authorization policy (TS RAP).

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To specify a new central TS CAP store

  1. Open TS Gateway Manager.

  2. In the console tree, click to select the node that represents the local TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. Right-click the Connection Authorization Policies folder, and then click Configure Central TS CAP.

  5. On the TS CAP Store tab, click Central NPS server, type the name or IP address of the NPS server that you want, and then click Add.

  6. In the Shared Secret dialog box, in the Enter a new shared secret box, type the shared secret.

  7. Click OK to close the Shared Secret dialog box, and then click OK to close the TS Gateway server Properties dialog box.

  8. The new central TS CAP store that you specified appears in the TS Gateway Manager results pane.

  9. After you specify the new central TS CAP store, you must also configure settings and policies as needed on the central NPS server. For information, see the TS Gateway Server Step-by-Step Setup Guide (https://go.microsoft.com/fwlink/?LinkId=79605).

Additional references