I set up an RD Gateway on both Windows Server 2016 and Windows Server 2019. That should be a straightforward process following the Microsoft docs and multiple other websites (https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure).
When I try to connect I receive this error message in the Event Log under Windows -> TerminalServices-Gateway:
The user "DOMAIN\Username", on client computer "IP", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".
I found a lot of documentation claiming that registering the NPS server (https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-register) should fix that issue, so I registered the server. Both are now in the "RAS and IAS Servers" domain security group. But we still receive the same error. Could we have broken that group's effect in the past?
I continued investigating and found this Failure Audit entry in the Security event log:
Security ID: NULL SID
Account Name: DOMAIN\Username
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\Username
Security ID: NULL SID
Account Name: LM-G710-8.0.0
Fully Qualified Account Name: -
Called Station Identifier: UserAuthType:PW
Calling Station Identifier: -
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -
Client Friendly Name: -
Client IP Address: -
Authentication Details:
Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: SERVER.FQDN.com
Authentication Type: Unauthenticated
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 7
Reason: The specified domain does not exist.
I then found this thread, which claims that I should disable NPS authentication:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/f49fe666-ac4b-4bf9-a332-928a547cff77/remote-desktop-gateway-denying-connections
I tried it, but disabling NPS authentication leaves me with a bad impression...
Does anyone have a clue why I cannot resolve the domain?
For testing/debugging purposes I installed the RD Gateway on an AD member server in the main network, with no other firewall than the Windows one.
The only thing I can suspect is that we broke the "RAS and IAS Servers" AD group in the past.
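The checks below are an added diagnostic script, not part of the original post or of any Microsoft documentation. They gather, from the RD Gateway host itself, the facts the question is asking about: whether the gateway's computer account is actually in "RAS and IAS Servers", what NPS reports as its registration state, whether the host can locate a domain controller and has a healthy secure channel (reason code 7, "The specified domain does not exist", is a domain-lookup failure rather than a bad password), and the recent NPS failure audits (Security log event 6273) with their reason codes so you can see whether a change helps. The domain name is a placeholder; the script assumes the RSAT ActiveDirectory module is installed and that it runs elevated on the gateway.

```powershell
# Added diagnostic script (not from the original post). Assumes RSAT ActiveDirectory
# is installed and that this runs elevated on the RD Gateway / NPS host.
$GatewayHost = $env:COMPUTERNAME   # the RD Gateway host, which also runs the local NPS
$DomainName  = 'DOMAIN'            # placeholder: replace with your NetBIOS domain name

Import-Module ActiveDirectory

# 1. Is the gateway's computer account in "RAS and IAS Servers" (directly or via nesting)?
#    That membership is what lets NPS read users' dial-in attributes from AD.
$members = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Recursive
$inGroup = $members | Where-Object { $_.objectClass -eq 'computer' -and $_.Name -eq $GatewayHost }
"RAS and IAS Servers membership for ${GatewayHost}: " + $(if ($inGroup) { 'present' } else { 'MISSING' })

# 2. What does NPS itself report about its registration?
netsh nps show registeredserver

# 3. Can this host find a DC for the domain, and is its own trust relationship intact?
#    Reason code 7 points at domain lookup / the machine channel, not the user's password.
nltest /dsgetdc:$DomainName
Test-ComputerSecureChannel -Verbose

# 4. Last NPS failure audits (event 6273): pull reason code and policy names out of the
#    message text so each retry can be compared against the previous one.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = [regex]::Match($m, 'Account Name:\s+(\S+)').Groups[1].Value
            CRP        = [regex]::Match($m, 'Connection Request Policy Name:\s+(.+)').Groups[1].Value.Trim()
            ReasonCode = [regex]::Match($m, 'Reason Code:\s+(\d+)').Groups[1].Value
            Reason     = [regex]::Match($m, 'Reason:\s+(.+)').Groups[1].Value.Trim()
        }
    } | Format-Table -AutoSize

# 5. Matching RD Gateway denials (the "23003" events from the question), for correlation.
Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'did not meet connection authorization policy' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If step 1 reports MISSING while the group looks correct in Active Directory Users and Computers, the gateway's Kerberos ticket may still carry the old group list; the membership only takes effect after the computer's ticket is refreshed (a reboot of the gateway is the simplest way to force that). If step 3 fails, the problem is below NPS entirely, and the NPS policy settings will not fix it.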