Event ID 643 — TS Gateway Server Availability

Updated: January 5, 2012

Applies To: Windows Server 2008

The Terminal Services Gateway (TS Gateway) server must be available on the network and the appropriate services must be running on the TS Gateway server. The Terminal Services connection authorization policy (TS CAP) and Terminal Services resource authorization policy (TS RAP) stores must also be available, so that these policies can be evaluated to determine whether remote clients meet policy requirements. TS CAPs specify who can connect to a TS Gateway server. TS RAPs specify the internal network resources (computers) that clients can connect to through a TS Gateway server. If TS CAPs and TS RAPs are not available, the TS Gateway server will not be available for client connections.

Event Details

Product: Windows Operating System
ID: 643
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.0
Symbolic Name: AAG_EVENT_RAP_AZMAN_APP_FAILED
Message: TS Gateway Resource access Policy engine failed to open Azman Application(TS Gateway) and the error was “%2”

Resolve
Grant the required permissions to rap.xml

To resolve this issue, grant the required permissions to the rap.xml file. If granting the required permissions to the rap.xml file does not resolve the problem, rename the rap.xml file and start the TS Gateway Manager snap-in console.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Grant the required permissions to the rap.xml file

To grant the required permissions to the rap.xml file:

  1. On the TS Gateway server, navigate to %Windir%\System32\tsgateway\rap.xml, where %Windir% is the drive on which the operating system is installed.
  2. Right-click rap.xml.
  3. In the rap.xml Properties dialog box, click the Security tab.
  4. Click Edit, and then do the following:
    1. In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
    2. Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.
    3. Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.
    4. Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read.
  5. Click OK.

Rename the rap.xml file and start TS Gateway Manager

If granting the required permissions to rap.xml does not resolve the problem, try renaming rap.xml to rapbak.xml, and then starting TS Gateway Manager. Starting the console will create a new rap.xml file.

To rename the rap.xml file:

  1. On the TS Gateway server, navigate to %Windir%\System32\tsgateway\rap.xml, where %Windir% is the drive on which the operating system is installed.
  2. Right-click rap.xml, type rapbak.xml, and then press ENTER.

Note: After you rename rap.xml and restart TS Gateway Manager, no Terminal Services resource authorization policies (TS RAPs) will appear when you open the console. To confirm that no TS RAPs appear, open TS Gateway Manager, click to expand the node that represents your TS Gateway server, expand Policies, and then click Resource Authorization Policies.

To start TS Gateway Manager:

  • On the TS Gateway server, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

Verify

To verify that the TS Gateway server is available for client connections, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the TS Gateway server is available for client connections:

  1. On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.

Related Management Information

TS Gateway Server Availability

Terminal Services

Related:

Event ID 643 — RD Gateway Server Availability

Published: January 8, 2010

Applies To: Windows Server 2008 R2

The Remote Desktop Gateway (RD Gateway) server must be available on the network, and the appropriate services must be running on the RD Gateway server. The Remote Desktop connection authorization policy (RD CAP) and the Remote Desktop resource authorization policy (RD RAP) stores must also be available, so that these policies can be evaluated to determine whether remote clients meet policy requirements. RD CAPs specify who can connect to an RD Gateway server. RD RAPs specify the internal network resources (computers) that clients can connect to through an RD Gateway server. If RD CAPs and RD RAPs are not available, the RD Gateway server will not be available for client connections.

Event Details

Product: Windows Operating System
ID: 643
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EVENT_RAP_AZMAN_APP_FAILED
Message: RD Gateway Resource access Policy engine failed to open Azman Application(Remote Desktop Gateway) and the error was “%2”

Resolve
Grant the required permissions to rap.xml

To resolve this issue, grant the required permissions to the rap.xml file. If granting the required permissions to the rap.xml file does not resolve the problem, rename the rap.xml file and start the Remote Desktop Gateway Manager snap-in console.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Grant the required permissions to the rap.xml file

To grant the required permissions to the rap.xml file:

  1. On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the drive on which the operating system is installed.
  2. Right-click rap.xml.
  3. In the rap.xml Properties dialog box, click the Security tab.
  4. Click Edit, and then do the following:
    1. In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.
    2. Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.
    3. Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.
    4. Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read.
  5. Click OK.
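
The permission list in this procedure (identical in the TS Gateway and RD Gateway versions) can be checked from a PowerShell prompt before changing anything in the Security tab. The following audit script is an added example, not Microsoft's code; it assumes PowerShell 2.0 or later, and the function name `Test-RapXmlAcl` is hypothetical. It goes one step beyond the procedure by also listing any principal other than SYSTEM and Administrators that can write to the policy store.

```powershell
# Added example: compare the ACL on rap.xml with the four grants in the procedure.
$RapPath = Join-Path $env:windir 'System32\tsgateway\rap.xml'
$Rights  = [System.Security.AccessControl.FileSystemRights]

# Expected grants, keyed by well-known SID so localized account names do not matter.
$Expected = @{
    'S-1-5-18'     = @{ Name = 'SYSTEM';          Need = $Rights::FullControl }
    'S-1-5-32-544' = @{ Name = 'Administrators';  Need = $Rights::FullControl }
    'S-1-5-32-545' = @{ Name = 'Users';           Need = $Rights::ReadAndExecute }
    'S-1-5-20'     = @{ Name = 'Network Service'; Need = $Rights::Read }
}

function Test-RapXmlAcl {
    param([string]$Path = $RapPath)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited ACEs, with identities translated to SIDs.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    foreach ($sid in $Expected.Keys) {
        $need = [int]$Expected[$sid].Need
        $allow = 0; $deny = 0
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -ne $sid) { continue }
            if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
            else                                  { $deny  = $deny  -bor [int]$r.FileSystemRights }
        }
        # Compliant when every required bit is allowed and none of them is denied.
        # Only ACEs naming the principal directly are counted, not group membership.
        New-Object PSObject -Property @{
            Principal = $Expected[$sid].Name
            Required  = $Expected[$sid].Need
            Compliant = ((($allow -band $need) -eq $need) -and (($deny -band $need) -eq 0))
        }
    }

    # Extra check (not a step in the procedure): write access held by anyone
    # other than SYSTEM or Administrators on the resource authorization store.
    $writeBits = [int]($Rights::WriteData -bor $Rights::AppendData)
    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($sid -eq 'S-1-5-18' -or $sid -eq 'S-1-5-32-544') { continue }
        if ($r.AccessControlType -eq 'Allow' -and ([int]$r.FileSystemRights -band $writeBits)) {
            Write-Warning "Unexpected write access on rap.xml: $sid ($($r.FileSystemRights))"
        }
    }
}

Test-RapXmlAcl | Format-Table Principal, Required, Compliant -AutoSize
```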

Rename the rap.xml file and start Remote Desktop Gateway Manager

If granting the required permissions to rap.xml does not resolve the problem, try renaming rap.xml to rapbak.xml, and then starting Remote Desktop Gateway Manager. Starting the console will create a new rap.xml file.

To rename the rap.xml file:

  1. On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the drive on which the operating system is installed.
  2. Right-click rap.xml, type rapbak.xml, and then press ENTER.

Note: After you rename rap.xml and restart Remote Desktop Gateway Manager, no Remote Desktop resource authorization policies (RD RAPs) will appear when you open the console. To confirm that no RD RAPs appear, open Remote Desktop Gateway Manager, click to expand the node that represents your RD Gateway server, expand Policies, and then click Resource Authorization Policies.

To start Remote Desktop Gateway Manager:

  • On the RD Gateway server, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

Verify

To verify that the RD Gateway server is available for client connections, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the RD Gateway server is available for client connections:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.
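
The Event Viewer check in the Verify procedure (the same for TS Gateway and RD Gateway) can also be run as a query. This is an added example, not Microsoft's code; it assumes PowerShell 2.0 or later, and the function name `Get-GatewayEventSummary` and the 24-hour default window are hypothetical choices.

```powershell
# Added example: summarize the events named in the Verify procedure, plus 643.
# Filtering on the provider matters because event IDs are unique only per
# source; another source can log an unrelated event with the same ID.
$Provider = 'Microsoft-Windows-TerminalServices-Gateway'

$Meaning = @{
    101 = 'Gateway service is running'
    200 = 'Client connected to the gateway server'
    302 = 'Client connected to an internal resource through the gateway'
    643 = 'RAP engine failed to open the AzMan application'
}

function Get-GatewayEventSummary {
    param([int]$Hours = 24)   # look-back window, an assumed default

    $filter = @{
        ProviderName = $Provider
        Id           = [int[]]@($Meaning.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # No matching events raises a non-terminating error; treat it as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # One row per event ID, including IDs that were not seen at all: a missing
    # 101 or a recent 643 is exactly what this check is meant to surface.
    foreach ($id in ($Meaning.Keys | Sort-Object)) {
        $hits = @($events | Where-Object { $_.Id -eq $id } |
                  Sort-Object TimeCreated -Descending)
        $latest = $null
        if ($hits.Count -gt 0) { $latest = $hits[0].TimeCreated }
        New-Object PSObject -Property @{
            Id      = $id
            Meaning = $Meaning[$id]
            Count   = $hits.Count
            Latest  = $latest
        }
    }
}

Get-GatewayEventSummary | Format-Table Id, Count, Latest, Meaning -AutoSize
```

A healthy gateway shows a 101 entry and no 643 entry newer than it; counts of zero for 200 and 302 only mean that no client connected during the window.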

Related Management Information

RD Gateway Server Availability

Remote Desktop Services

Related:

Domain Policy Changed: Domain: %1 Domain ID: %2 Caller User Name: %3 Caller Domain: %4 Caller Logon ID: %5 Privileges: %6

Details
Product: Windows Operating System
Event ID: 643
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_DOMAIN_POLICY_CHANGE
Message: Domain Policy Changed: Domain: %1 Domain ID: %2 Caller User Name: %3 Caller Domain: %4 Caller Logon ID: %5 Privileges: %6
   
Explanation

This event record indicates that a domain policy has been changed. There is no Failure Audit form of this audit event record. Domain policy changes can have security implications.

   
User Action

The person with administrative rights for the computer should check to make sure there are no security implications because of the change.
