Fix for Remote Desktop Gateway authentication error from clients

Friday, November 6, 2009
If you use Remote Desktop Gateway Manager (formerly, Terminal Services Gateway) in Windows Server 2008 R2, you may find that Windows clients are unable to authenticate to the RD Gateway server.

This happens because the default configuration in Windows Server 2008 R2 Remote Desktop Gateway is to request that clients send a statement of health before the connection can be made. If this option is selected and you do not have a Remote Desktop connection authorization policy (RD CAP) for Network Access Protection (NAP) configured, clients will be unable to connect to the RD Gateway. They will repeatedly be prompted for Gateway Server Credentials as shown below:

To fix this issue, ensure that you have a valid statement of health configured in NAP. Alternatively, as in the case of clients that cannot or do not provide a statement of health (I'm looking at you, Windows XP), you can disable requesting statements of healthy entirely. Here's how to do that:
  • Logon to the Remote Desktop Gateway computer and open the RD Gateway Manager (Start > Administrative Tools> Remote Desktop Services > Remote Desktop Gateway Manager)
  • Right-click the RDG server and select Properties
  • Click the RD CAP Store tab and clear the checkbox for "Request clients to send a statement of health", as shown below and click OK.

It may take a moment for the change to go into effect. Occacionally, I've had to restart the Remote Desktop Services service.