I created a Remote Desktop Environment installed on Domain X as follows:
Two load balanced Session Hosts (SH1 & SH2)
One server serving as RDWeb, RDSession Host and RD Gateway
Fronted behind an ISA
Domain X users work perfectly.
However, we also have a domain Y whose users I am having difficulty getting to open any apps. There is a one-way trust between the domains.
The RD-CAP is configured to point to a remote NPS server in the Y domain. (This means domain X users now can't authenticate, but Y domain users now can.) In the Terminal Services-Gateway Event Log I can see a successful authentication:
"The user "Y\Joe.Smith", on client computer "xxx.xx.xx.xx", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM"."
However, there is a failure in the RD-RAP...
"The user "Y\Joe.Smith", on client computer "xxx.xx.xx.xx", did not meet resource authorization policy requirements and was therefore not authorized to resource "". The following error occurred: "5"."
My RD-RAP is as follows:
User Groups: Y\Domain Users
Network Resources: Created a new managed group containing the farm name, session hosts (Shortname, FQDN and IP) and gateway server name
Allowed Ports: TCP 3389
Has anyone else got a similar setup?
Is it possible to put an RD-RAP policy in domain Y?
Is there a better way to debug why the problem is occurring? The event log really doesn't help.