Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD Gateway server. You can specify a local RD CAP store (RD CAPs that are stored on the RD Gateway server) or a central RD CAP store [RD CAPs that are stored on a central server that is running Network Policy Server (NPS), formerly known as a Remote Authentication Dial-In User Service (RADIUS) server].

By using a central server running NPS for RD Gateway, you can centralize the storage, management, and validation of RD CAPs.

If you use a central RD CAP store, you must establish a network connection from the RD Gateway server to the server running NPS. To do this, you must specify a shared secret.

When you create and use the shared secret, you must use the same case-sensitive shared secret that you specified when configuring the RD Gateway server as a RADIUS client on the central server running NPS.

We also recommend that you do the following:


If you have not done so already, you must also create a Remote Desktop resource authorization policy (RD RAP).

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at

To specify a new central RD CAP store
  1. On the RD Gateway server, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

  2. In the console tree, click to expand the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. Right-click the Connection Authorization Policies folder, and then click Configure Central RD CAP.

  5. In the Properties dialog box for the RD Gateway server, on the RD CAP Store tab, click Central server running NPS, enter the name or IP address of the server running NPS that you want to add, and then click Add.

  6. In the Shared Secret dialog box, in the Enter a new shared secret box, enter the shared secret.

  7. Click OK to close the Shared Secret dialog box, and then click OK to close the Properties dialog box for the RD Gateway server.

    The new central RD CAP store that you specified appears in the Remote Desktop Gateway Manager results pane.

    After you specify the new central RD CAP store, you must also configure settings and policies as needed on the central server running NPS. For more information about RD Gateway, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter (