Discussion:
TS Gateway configuration/issues with non-domain membership
Alex Borleis
2009-07-20 09:13:46 UTC
Hi!

I tried to set up a W2k8 TS Gateway in our test environment. It worked
pretty well when the TS Gateway was a domain member. Unfortunately I was
not able to set it up when it should be installed on a standalone
server. The client could not connect to the TS Gateway - the error was: '...
no certificate was configured to use at the TS Gateway...'

The certificate was issued by an internal PKI, it is trusted and valid.
The client uses the DNS name that is stated on the subject of the
certificate. The certificate of the TS Gateway still remains mapped to
the service even after refreshing the console
(http://support.microsoft.com/kb/959120) and the TS gateway service is
running...

I read the prerequisites for the TS Gateway
(http://technet.microsoft.com/en-us/library/cc754010(WS.10).aspx). It
said that domain membership is not a necessity.

Any ideas?

Thanks in advance!
Alex
Alex Borleis
2009-07-20 09:30:28 UTC
One more point - it works pretty well with a self-signed certificate...
but it does not work if I choose the certificate from the AD integrated PKI.
If I choose that certificate, a critical event occurs (ID 103): The
Terminal Services Gateway service does not have sufficient permissions
to access the Secure Sockets Layer (SSL) certificate that is required to
accept connections. To resolve this issue, bind (map) a valid SSL
certificate by using TS Gateway Manager. For more information, see
"Obtain a certificate for the TS Gateway server" in the TS Gateway Help.
The following error occurred: "2148081675".

I checked the read permission for the network service. Seemed to be ok...

Greetings,
Alex!
Kaus
2009-07-21 06:06:01 UTC
Hi Alex,
The error no. "2148081675" is:
2148081675 CRYPT_E_NO_KEY_PROPERTY: The certificate doesn't have a private
key property

Are you sure that the certificate installed on the gateway had a
corresponding private key (pfx file format)? If yes, can you please try
installing the certificate on the gateway once more and see if the problem
still persists.

Thanks,
Kaustubh
Alex Borleis
2009-07-21 09:54:32 UTC
Hi Kaustubh,

thanks for your reply!
Yes - it seems that the network service (the service account for the TS
Gateway) has no access to the private key. When I use a different
account to run the TS gateway service and use the same account to import
the certificate, the error won't appear.
But the clients are still not able to connect to the TS Gateway - Microsoft
says the TS Gateway has to be a domain member
(http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/27c39b63-9e4d-4c30-ab24-aabde8ae93af)

But this is not the same information as in
http://technet.microsoft.com/en-us/library/cc754010(WS.10).aspx

I'm not sure which information is correct...

Greetings,
Alex
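The two checks discussed in the posts above (does the bound certificate have a private key, and can NETWORK SERVICE read it), as an added PowerShell example that is not part of the original thread. The thumbprint is a placeholder; the script assumes a CSP-backed RSA key stored under MachineKeys and only looks at ACEs that name NETWORK SERVICE directly, not access granted through a group.

```powershell
# Added example, not from the thread. Replace the placeholder thumbprint.
$thumbprint = '<THUMBPRINT-OF-GATEWAY-CERT>'
$nsSid      = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE

# Event 103 reports the error in decimal; render it as the HRESULT
# that maps to CRYPT_E_NO_KEY_PROPERTY.
$hresult = '0x{0:X8}' -f 2148081675

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

# Check 1: is a private key associated with the certificate at all?
# (A .cer import carries no key; a .pfx import does.)
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key property on this certificate ($hresult)."
    return
}

# Check 2: locate the machine key file (assumption: CSP-backed RSA key).
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path -Path $keyFile)) {
    Write-Warning "Key container file not found under MachineKeys: $container"
    return
}

# Check 3: does an Allow ACE for NETWORK SERVICE include the full Read right?
$read = [System.Security.AccessControl.FileSystemRights]::Read
$aces = (Get-Acl -Path $keyFile).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
$canRead = @($aces | Where-Object {
    $_.IdentityReference.Value -eq $nsSid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}).Count -gt 0

# Summary object for the administrator.
New-Object PSObject -Property @{
    Subject               = $cert.Subject
    KeyFile               = $keyFile
    NetworkServiceCanRead = $canRead
    EventError            = $hresult
}
```

If `NetworkServiceCanRead` is false, granting Read on that key file to NETWORK SERVICE lets the service stay on its default account instead of being moved to a different one.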
Kaus
2009-07-22 11:39:01 UTC
What is the error coming when the clients are trying to connect?
If TSG is deployed in workgroup mode, you cannot use domain accounts to
authenticate or authorize users.

Thanks,
Kaustubh