Event ID 103 — TS Gateway Server Configuration

Applies To: Windows Server 2008

For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.

Event Details

Product: Windows Operating System
ID: 103
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.0
Symbolic Name: AAG_EVENT_STARTED_NOCERT_ACLS
Message: The Terminal Services Gateway service does not have sufficient permissions to access the Secure Sockets Layer (SSL) certificate that is required to accept connections. To resolve this issue, bind (map) a valid SSL certificate by using TS Gateway Manager. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help. The following error occurred: "%2".

Resolve

Ensure that the required permissions are granted to the private key of the SSL certificate

To resolve this issue, ensure that required permissions are granted to the private key of the SSL certificate.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To grant the required permissions to the private key of the SSL certificate:

  1. On the TS Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
    4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
    6. In the Add or Remove Snap-ins dialog box, click OK.
  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then navigate to the SSL certificate for the TS Gateway server.
  3. Right-click the certificate, point to All Tasks, and then click Manage Private Keys.
  4. In the Permissions for <Name> private keys dialog box, under Group or user names, click NETWORK SERVICE. Under Permissions for NETWORK SERVICE, if Read is not allowed, select the Allow check box adjacent to Read.
  5. Click OK.

Verify

To verify that the TS Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the TS Gateway server is configured correctly:

  1. On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.

TS Gateway Server Configuration

Terminal Services