Users on Remote Desktop Services clients must meet specific requirements before they can connect to RD Gateway. These requirements include the following:
- Supported Windows authentication method (required). You can configure the authentication methods that the RD Gateway server will allow by using Remote Desktop Gateway Manager. On clients, you can configure the authentication method to be used to connect to the RD Gateway server by using Group Policy.
Important A client and the RD Gateway server to which the client connects must have at least one common authentication method, or the client connection attempt to the RD Gateway server will fail.
Note If you configure the authentication method on the client by using Group Policy, keep in mind that Group Policy settings for Remote Desktop Services client connections can be applied in one of two ways. These policy settings can either be suggested (that is, they can be enabled, but not enforced) or they can be enabled and enforced. For more information, see Using Group Policy to Manage Client Connections Through Remote Desktop Gateway.
- User group membership (required). You configure the user group membership requirement by using Remote Desktop Gateway Manager.
- Client computer group membership (optional). You configure the client computer group membership requirement by using Remote Desktop Gateway Manager.
In Remote Desktop Gateway Manager, you configure these requirements on the Requirements tab of a Remote Desktop connection authorization policy (RD CAP). For more information, see Create an RD CAP.
Supported Windows authentication methods
If you configure the supported Windows authentication method by using Remote Desktop Gateway Manager, you can specify that a user must use either a password or a smart card, or both. If you select both methods, either can be used to connect.
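The RD CAP requirements listed above (user group membership required, client computer group membership optional, and a password, a smart card, or either as the supported Windows authentication method) can also be set from PowerShell on the RD Gateway server. The following is an added example, not code from the original page or from Microsoft. It assumes that the RemoteDesktopServices module exposes the RDS: drive with RD CAPs under RDS:\GatewayServer\CAP, that groups are written as Group@Domain, that a CAP's properties (AuthMethod, Status, UserGroups, ComputerGroups) are child items whose value is read through CurrentValue, and that -AuthMethod is encoded as 1 = password, 2 = smart card, 3 = password or smart card. The policy and group names are placeholders.

```powershell
# Added example, not from the original page: create and verify an RD CAP from
# PowerShell on a server that holds the RD Gateway role.
# Assumptions (not stated on the page): RDS: drive from the RemoteDesktopServices
# module, CAPs under RDS:\GatewayServer\CAP, groups written as Group@Domain,
# CAP properties are child items with a CurrentValue, and -AuthMethod uses
# 1 = password, 2 = smart card, 3 = password or smart card.
Import-Module RemoteDesktopServices

$capName        = 'Contoso-Admins-CAP'          # assumed policy name
$userGroups     = @('RDGatewayUsers@CONTOSO')   # required: user group membership
$computerGroups = @('RDGatewayClients@CONTOSO') # optional: client computer group

# Map the integer the provider expects to the choices shown in RD Gateway Manager.
$authMethods = @{
    Password            = 1
    SmartCard           = 2
    PasswordOrSmartCard = 3   # either method satisfies the policy
}

function New-RdCap {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $UserGroups,
        [string[]] $ComputerGroups,
        [ValidateSet('Password', 'SmartCard', 'PasswordOrSmartCard')]
        [string] $AuthMethod = 'PasswordOrSmartCard'
    )
    $path = "RDS:\GatewayServer\CAP\$Name"
    if (Test-Path $path) { Remove-Item $path -Recurse -Force }

    $params = @{
        Path       = 'RDS:\GatewayServer\CAP'
        Name       = $Name
        UserGroups = $UserGroups
        AuthMethod = $authMethods[$AuthMethod]
    }
    # Computer group membership is optional: omit the parameter to leave it off.
    if ($ComputerGroups) { $params['ComputerGroups'] = $ComputerGroups }
    New-Item @params | Out-Null
}

function Get-RdCapRequirements {
    # Read back what the RD Gateway server will actually enforce for this CAP.
    param([Parameter(Mandatory)] [string] $Name)
    $path = "RDS:\GatewayServer\CAP\$Name"
    $auth = [int](Get-Item "$path\AuthMethod").CurrentValue
    [pscustomobject]@{
        Name           = $Name
        Enabled        = (Get-Item "$path\Status").CurrentValue
        AuthMethod     = ($authMethods.GetEnumerator() | Where-Object Value -eq $auth).Key
        UserGroups     = (Get-ChildItem "$path\UserGroups").Name
        ComputerGroups = (Get-ChildItem "$path\ComputerGroups").Name
    }
}

New-RdCap -Name $capName -UserGroups $userGroups `
          -ComputerGroups $computerGroups -AuthMethod PasswordOrSmartCard
Get-RdCapRequirements -Name $capName | Format-List
```

The read-back step is the check worth keeping: the AuthMethod it reports must overlap with the method the client's Group Policy selects, otherwise the connection attempt fails as the Important note above describes. Run it again after any change made in RD Gateway Manager to confirm the two views agree.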
If you configure the supported Windows authentication method by using Group Policy, the following options are available:
- Ask for credentials, use NTLM protocol (a Windows NT challenge/response protocol). For information about the NTLM protocol, see Logon and Authentication Technologies (http://go.microsoft.com/fwlink/?LinkId=94215) and Microsoft NTLM (http://go.microsoft.com/fwlink/?LinkId=94216).
- Ask for credentials, use Basic protocol. The Basic authentication method is a widely used industry-standard method for collecting user name and password information. It is less secure, however, because the password is transmitted in Base64-encoded form, not encrypted: Base64 is a reversible encoding, so anything that can read the HTTP headers (the RD Gateway server itself, or a proxy that terminates the HTTPS connection in front of it) recovers the password directly. For more information, see Basic Authentication (http://go.microsoft.com/fwlink/?LinkId=94217).
- Use locally logged-on credentials. In this case, the same credentials that users provide to log on to their local computer will be used to connect to the RD Gateway server. Note that if you select this option, but users have previously connected to the same RD Gateway server and have selected the Remember my credentials check box in the RD Gateway Server Settings dialog box on their client computer, their saved credentials will be used to connect to the RD Gateway server instead.
- Use smart card. Smart cards contain a microcomputer and a small amount of memory, and they provide secure, tamper-resistant storage for private keys and X.509 certificates. A smart card is a form of two-factor authentication: the user must have the smart card and know its PIN to gain access to network resources. For more information, see The Secure Access Using Smart Cards Planning Guide (http://go.microsoft.com/fwlink/?LinkId=94218).
If all of these credentials are available to users, and if users have already chosen to save their credentials when connecting to the RD Gateway server, their credentials will be used in the following order:
- Saved credentials
- Locally logged-on credentials
- Other password or smart card credentials supplied by the user
Additional references
- For information about how to configure supported Windows authentication methods for RD Gateway by using Group Policy, see Set the Remote Desktop Gateway Server Authentication Method.
- For information about how to configure supported Windows authentication methods by using Remote Desktop Gateway Manager, see Create an RD CAP.
- For information about how to configure user group and client computer group membership requirements by using Remote Desktop Gateway Manager, see Create an RD CAP.
- Manage Remote Desktop Connection Authorization Policies (RD CAPs)