Event ID 628 — RD Gateway Server Configuration

Published: January 8, 2010

Applies To: Windows Server 2008 R2

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.

Event Details

Product: Windows Operating System
ID: 628
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EVENT_LB_TSG_EXCEPTION_DISABLE_FAILED
Message: The Windows Firewall exception “RD Gateway Server Farm” that allows network traffic through TCP port 3388 (so that Remote Desktop Services client connections can be directed to the appropriate Remote Desktop Gateway servers when load balancing is used) could not be disabled. We recommend that you disable this exception manually by modifying Windows Firewall settings as needed.

Resolve
Manually disable the Remote Desktop Gateway Server Farm exception in Windows Firewall

To resolve this issue, manually disable the Remote Desktop Gateway Server Farm exception in Windows Firewall. You can configure this exception by using Windows Firewall in Control Panel or by using Group Policy.

Note: For optimal security, ensure that the Remote Desktop Gateway Server Farm exception is disabled for all RD Gateway servers that are not members of an RD Gateway server farm.

Disable the Remote Desktop Gateway Server Farm exception by using Windows Firewall in Control Panel

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To disable the Remote Desktop Gateway Server Farm exception by using Windows Firewall in Control Panel:

  1. Open Windows Firewall. To open Windows Firewall, click Start, click Control Panel, and double-click Windows Firewall.
  2. In Windows Firewall, click Change Settings.
  3. On the Exceptions tab, disable the Remote Desktop Gateway Server Farm exception by clearing the Remote Desktop Gateway Server Farm check box. If this check box is dimmed, Group Policy has been applied to control this exception. To modify Group Policy to disable this exception, see “Disable the Remote Desktop Gateway Server Farm exception by using Group Policy” later in this topic.
  4. Click OK.
  5. Close Windows Firewall.

Disable the Remote Desktop Gateway Server Farm exception by using Group Policy

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.

To disable the Remote Desktop Gateway Server Farm exception by using Group Policy:

  1. On a computer running the Group Policy Management Console, start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the OU that you want to edit.
  3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
  4. In the right pane, click the Settings tab.
  5. In the left pane, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
  6. Right-click each of the following rules (TCP-In, RPC-EPMAP, and RPC HTTP Load Balancing Service), and then click Disable Rule.
  7. Close the Group Policy Management Console.
  8. Ensure that the update to Group Policy is applied by running the gpupdate /force command. To run the gpupdate /force command, click Start, click Run, type cmd, and then press ENTER. At the command prompt, type gpupdate /force and then press ENTER.
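The following script is an added example, not part of the TechNet article and not Microsoft's own code. It does from an elevated PowerShell 2.0 prompt what the Control Panel procedure above does by hand: it lists the firewall rules that belong to the Remote Desktop Gateway Server Farm group, shows whether each is enabled, and disables them. It uses netsh advfirewall because that is the scriptable interface Windows Firewall exposes on Windows Server 2008 R2 (the Get-NetFirewallRule cmdlets only arrived with Windows Server 2012). Two assumptions are labelled in the code: that the rule group carries the same name as the exception in the event message, and that netsh prints its English field labels. If the Exceptions check box is dimmed because Group Policy controls the exception, this local change is overridden at the next policy refresh and the Group Policy procedure above is the one to follow.

```powershell
# Added example (not from the TechNet article): list and disable the
# "Remote Desktop Gateway Server Farm" firewall rules on Windows Server 2008 R2
# with netsh advfirewall. Run in an elevated PowerShell 2.0 session on an
# RD Gateway server that is NOT a member of an RD Gateway server farm.
# ASSUMPTION: the rule group name matches the exception name in event 628;
# check the Grouping column of Get-RdgFarmRules and adjust if it differs.
# ASSUMPTION: netsh prints English field labels (Rule Name:, Enabled:, ...).
$FarmGroup = 'Remote Desktop Gateway Server Farm'

function Get-RdgFarmRules {
    # Parse "netsh advfirewall firewall show rule name=all" into objects so the
    # farm rules and their Enabled state can be inspected before and after the change.
    $rules   = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{
                Name = $Matches[1].Trim(); Group = ''; Enabled = ''; Direction = ''
            }
        } elseif ($current -and $line -match '^Grouping:\s*(.+)$') {
            $current.Group = $Matches[1].Trim()
        } elseif ($current -and $line -match '^Enabled:\s*(.+)$') {
            $current.Enabled = $Matches[1].Trim()
        } elseif ($current -and $line -match '^Direction:\s*(.+)$') {
            $current.Direction = $Matches[1].Trim()
        }
    }
    if ($current) { $rules += $current }
    $rules | Where-Object { $_.Group -eq $FarmGroup }
}

function Disable-RdgFarmRules {
    # Disable every rule in the farm group in one call. netsh prints "Ok." on
    # success or reports that no rules match if the group is not present.
    netsh advfirewall firewall set rule group="$FarmGroup" new enable=no
}

# Before: expect the TCP-In, RPC-EPMAP and RPC HTTP Load Balancing Service rules
# with Enabled = Yes on a server where the event was logged.
Get-RdgFarmRules | Format-Table Name, Direction, Enabled -AutoSize
Disable-RdgFarmRules
# After: the same rules should now show Enabled = No.
Get-RdgFarmRules | Format-Table Name, Direction, Enabled -AutoSize
```

The before/after listing is the point of the script: event 628 means the automatic disable failed, so the operator should see the rules flip to Enabled = No rather than trust the netsh return message alone.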

Verify

To verify that the RD Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the RD Gateway server is configured correctly:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.
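As an added example (not from the article), the same check can be scripted with Get-WinEvent, which ships with PowerShell 2.0 on Windows Server 2008 R2. The function counts the three indicator events the Verify section lists and reports when each was last seen. The Operational channel name is an assumption based on the Event Viewer path given in step 2.

```powershell
# Added example (not from the TechNet article): report the presence of the
# three TerminalServices-Gateway events the article uses to verify the server.
# ASSUMPTION: the Operational channel name below is the log Event Viewer shows
# under Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway.
$GatewayLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

# Event ID -> what the article says its presence means
$GatewayIndicators = @{
    101 = 'Remote Desktop Gateway service is running'
    200 = 'client connected to the RD Gateway server'
    302 = 'client connected to an internal network resource through the RD Gateway server'
}

function Get-RdGatewayIndicators {
    # $Hours limits the search window; 0 (default) scans the whole log, which
    # matters for 101 because it is written at service start, not per connection.
    param([int]$Hours = 0)
    $filter = @{ LogName = $GatewayLog; Id = @($GatewayIndicators.Keys) }
    if ($Hours -gt 0) { $filter['StartTime'] = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($id in ($GatewayIndicators.Keys | Sort-Object)) {
        $hits = @($events | Where-Object { $_.Id -eq $id })
        $last = $null
        if ($hits.Count -gt 0) {
            $last = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        }
        New-Object PSObject -Property @{
            Id       = $id
            Meaning  = $GatewayIndicators[$id]
            Count    = $hits.Count
            LastSeen = $last
        }
    }
}

Get-RdGatewayIndicators | Format-Table Id, Count, LastSeen, Meaning -AutoSize
```

A zero count for 101 means the service has not logged a start in the window, which is the first thing to check; zero counts for 200 and 302 only mean that no client has connected yet, not that the configuration is wrong.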

Related Management Information

RD Gateway Server Configuration

Remote Desktop Services


Event ID 628 — Trust Policy and Configuration

Updated: February 27, 2008

Applies To: Windows Server 2008

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.

Event Details

Product: Windows Operating System
ID: 628
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: ClaimValueFormatError
Message: The Federation Service encountered an error while loading the trust policy. The trust policy defines a claim whose format is not valid. Claim type: %1 Claim value: %2 If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Correct the claim so that it has the proper format.

Resolve
Correct the claim value with the proper format

This claim error occurs only if the trust policy (trustpolicy.xml) file has been modified without the use of the Active Directory Federation Services snap-in.

Correct the value in the claim name so that it is in the proper format. Do not use special characters as part of the claim name.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check the claim name values in the trustpolicy.xml file:

  1. On a federation server, click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. In the console tree, right-click Federation Service, click Properties, record the trust policy location value that is specified in Trust policy file, and then click OK.
  3. If the trustpolicy.xml file is located on a server other than the federation server, log on to that server as an administrator (in case you need to make changes), and then open Windows Explorer.
  4. Locate the folder where the trustpolicy.xml file is stored, and then open the trustpolicy.xml file using Notepad.
  5. Make sure that the claim name values specified under the CorporateClaims/GroupClaims/GroupClaim tags and under the CorporateClaims/CustomClaims/CustomClaim tags are set to the appropriate value.
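The following script is an added example, not part of the article and not an AD FS tool. It automates step 5 by loading a trustpolicy.xml file and reporting every GroupClaim and CustomClaim whose name attribute contains characters outside a conservative allowed set, which is the "special characters in the claim name" condition the Resolve section describes. The AD FS 1.x schema (namespace, attribute names) is not reproduced here, so the script matches elements by local name and inspects any attribute whose name contains "name"; both that heuristic and the allowed-character set are assumptions. The sample file it writes is constructed for illustration.

```powershell
# Added example (not from the TechNet article): scan a trustpolicy.xml file for
# GroupClaim / CustomClaim entries whose name contains characters that do not
# fit the "no special characters" rule behind ADFS event 628 (ClaimValueFormatError).
# ASSUMPTION: claim names live in an attribute whose name contains "name"; elements
# are matched by local name so a schema namespace does not break the XPath.
# ASSUMPTION: letters, digits, space, underscore, dot and hyphen are the safe set.
$AllowedClaimName = '^[A-Za-z0-9][A-Za-z0-9 _.\-]*$'

function Find-BadClaimNames {
    param([Parameter(Mandatory=$true)][string]$Path)
    [xml]$doc = Get-Content -Path $Path
    $nodes = $doc.SelectNodes("//*[local-name()='GroupClaim' or local-name()='CustomClaim']")
    foreach ($node in $nodes) {
        foreach ($attr in $node.Attributes) {
            if ($attr.Name -like '*name*' -and $attr.Value -notmatch $AllowedClaimName) {
                New-Object PSObject -Property @{
                    Path      = $node.ParentNode.LocalName + '/' + $node.LocalName
                    Attribute = $attr.Name
                    Value     = $attr.Value
                }
            }
        }
    }
}

# Constructed sample (illustrative structure only, not a real trust policy file).
$SamplePath = Join-Path $env:TEMP 'trustpolicy-sample.xml'
@'
<TrustPolicy>
  <CorporateClaims>
    <GroupClaims>
      <GroupClaim name="Purchasing Agents" />
      <GroupClaim name="Admins&lt;test&gt;" />
    </GroupClaims>
    <CustomClaims>
      <CustomClaim name="EmployeeId" />
      <CustomClaim name="cost;center" />
    </CustomClaims>
  </CorporateClaims>
</TrustPolicy>
'@ | Set-Content -Path $SamplePath -Encoding UTF8

# Expected: two findings, GroupClaims/GroupClaim "Admins<test>" and
# CustomClaims/CustomClaim "cost;center"; the other two names pass.
Find-BadClaimNames -Path $SamplePath | Format-Table Path, Attribute, Value -AutoSize
```

Note that the XML parser decodes &lt; and &gt; before the check runs, so the script sees the literal angle brackets the Federation Service would see. Run it against the path recorded in step 2 before editing anything by hand, and keep a copy of the original file.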

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.

Related Management Information

Trust Policy and Configuration

Active Directory Federation Services

User Account password set: Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6

Details
Product: Windows Operating System
Event ID: 628
Source: Security
Version: 5.2
Symbolic Name: SE_AUDITID_USER_PWD_SET
Message: User Account password set:
Target Account Name: %1
Target Domain: %2
Target Account ID: %3
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6
   
Explanation

The user account password was reset by another user who has permission to do so. The user who reset the password did not have to supply the old password.

  • The Caller User Name field specifies the person who reset the password.
  • The Target Account Name field specifies the person whose password was reset.
   
User Action

No user action is required.
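No user action is required for the event itself, but a defender reviewing Security event 628 usually wants two questions answered: was a high-value account's password reset by someone outside the approved helpdesk set, and did one caller reset many accounts in a short window. The following script is an added example, not from the article; it runs those two checks over constructed event objects whose fields mirror the six insertion strings of the 628 message. The approved-caller list, sensitive-account list, thresholds, account names and domain are all made up for the illustration. On a live Windows Server 2003 system the same objects can be built from Get-EventLog -LogName Security -InstanceId 628 by reading each entry's ReplacementStrings in the order the message lists them.

```powershell
# Added example (not from the TechNet article): review Security event 628
# (password reset by another user) for resets that warrant a closer look.
# ASSUMPTIONS: the approved callers, sensitive targets and thresholds below are
# made up; tune them to the environment. The events are constructed objects
# that mirror the 628 insertion strings %1..%6 (Target Account Name, Target
# Domain, Target Account ID, Caller User Name, Caller Domain, Caller Logon ID).
$ApprovedResetters = @('HELPDESK01', 'HELPDESK02')      # callers allowed to reset others' passwords
$SensitiveTargets  = @('Administrator', 'svc-backup')   # accounts whose resets always get reviewed
$BulkThreshold     = 3                                  # resets by one caller ...
$BulkWindowMinutes = 10                                 # ... within this many minutes

function New-Pwd628 {
    param([datetime]$Time, [string]$Target, [string]$Domain, [string]$Caller, [string]$CallerLogonId)
    New-Object PSObject -Property @{
        TimeGenerated = $Time; TargetAccountName = $Target; TargetDomain = $Domain
        CallerUserName = $Caller; CallerDomain = $Domain; CallerLogonId = $CallerLogonId
    }
}

# Constructed sample log: one helpdesk reset, one unapproved reset of Administrator,
# a burst of three resets by the same caller, and an approved service-account reset.
$t0 = Get-Date '2010-01-08 09:00:00'
$Sample628 = @(
    (New-Pwd628 $t0                 'jdoe'          'CONTOSO' 'HELPDESK01' '0x3E7A1'),
    (New-Pwd628 $t0.AddMinutes(2)   'Administrator' 'CONTOSO' 'jsmith'     '0x41F00'),
    (New-Pwd628 $t0.AddMinutes(30)  'asmith'        'CONTOSO' 'jsmith'     '0x41F00'),
    (New-Pwd628 $t0.AddMinutes(31)  'bjones'        'CONTOSO' 'jsmith'     '0x41F00'),
    (New-Pwd628 $t0.AddMinutes(33)  'cwhite'        'CONTOSO' 'jsmith'     '0x41F00'),
    (New-Pwd628 $t0.AddMinutes(120) 'svc-backup'    'CONTOSO' 'HELPDESK02' '0x3E7B2')
)

function Find-SuspiciousPasswordResets {
    param([object[]]$Events)
    $findings = @()
    # Rule 1: sensitive target reset by a caller who is not on the approved list
    foreach ($e in $Events) {
        if (($SensitiveTargets -contains $e.TargetAccountName) -and
            ($ApprovedResetters -notcontains $e.CallerUserName)) {
            $findings += New-Object PSObject -Property @{
                Rule = 'SensitiveTargetUnapprovedCaller'; Caller = $e.CallerUserName
                Target = $e.TargetAccountName; Time = $e.TimeGenerated
            }
        }
    }
    # Rule 2: one caller performing $BulkThreshold or more resets inside the window
    foreach ($group in ($Events | Group-Object CallerUserName)) {
        $sorted = @($group.Group | Sort-Object TimeGenerated)
        for ($i = 0; ($i + $BulkThreshold - 1) -lt $sorted.Count; $i++) {
            $span = $sorted[$i + $BulkThreshold - 1].TimeGenerated - $sorted[$i].TimeGenerated
            if ($span.TotalMinutes -le $BulkWindowMinutes) {
                $targets = ($sorted[$i..($i + $BulkThreshold - 1)] | ForEach-Object { $_.TargetAccountName }) -join ','
                $findings += New-Object PSObject -Property @{
                    Rule = 'BulkReset'; Caller = $group.Name; Target = $targets; Time = $sorted[$i].TimeGenerated
                }
                break   # one bulk finding per caller is enough
            }
        }
    }
    $findings
}

# Expected on the sample: jsmith flagged for resetting Administrator, and
# jsmith flagged for BulkReset on asmith,bjones,cwhite (three resets in 3 minutes).
Find-SuspiciousPasswordResets -Events $Sample628 | Format-Table Rule, Caller, Target, Time -AutoSize
```

The helpdesk resets are not reported even though they touch a sensitive account, which is the intended split: the event itself is routine, and only the combination of target, caller and timing makes it worth a ticket. On Windows Server 2008 and later the same audit record is event 4724 in the Security log, so the field mapping above carries over with a different InstanceId.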

User Account password set: Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6

Details
Product: Windows Operating System
Event ID: 628
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_USER_PWD_SET
Message: User Account password set: Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6
   
Explanation

The user account password was reset by another user who has permission to do so. The user who reset the password did not have to supply the old password.

  • The Caller User Name field specifies the person who reset the password.
  • The Target Account Name field specifies the person whose password was reset.
   
User Action

No user action is required.
