Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD Gateway server.


If you have not done so already, you must also create a Remote Desktop resource authorization policy (RD RAP). Until you create both an RD CAP and an RD RAP, users cannot connect to network resources through this RD Gateway server.

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at

To specify conditions that users must meet to connect to an RD Gateway server
  1. On the RD Gateway server, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

  2. In the Remote Desktop Gateway Manager console tree, click to select the node that represents the RD Gateway server, which is named for the computer on which the RD Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. In the results pane, right-click the RD CAP for which you want to specify conditions, and then click Properties.

  5. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes:

    • Password

    • Smart card

    When both of these options are selected, clients that use either authentication method are allowed to connect. For information about supported Windows authentication methods for RD Gateway, see Understanding Requirements for Connecting to a Remote Desktop Gateway Server.

  6. Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the RD Gateway server. You must specify at least one user group.

  7. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:

    • Type the name of each user group, separating the name of each group with a semicolon.

    • Add additional groups from different domains by repeating step 7 for each group.

  8. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups.

    To specify the computer groups, you can use the same steps that you used to specify user groups.

  9. Click OK as needed to close the Properties dialog box for the RD CAP.
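
To review the conditions set in steps 5 through 8 across every RD CAP without opening each Properties dialog box, the same settings can be read through the `RDS:` provider drive of the RemoteDesktopServices PowerShell module. The following read-only report is an added example, not part of the original procedure. It assumes the module is available on the RD Gateway server, and the function name `Get-RdCapRequirement` and the meaning assigned to each `AuthMethod` value are assumptions to confirm on your server.

```powershell
# Added example: read-only report of the conditions set on each RD CAP.
# Run in an elevated PowerShell session on the RD Gateway server.
Import-Module RemoteDesktopServices   # exposes the RDS: provider drive

$capRoot = 'RDS:\GatewayServer\CAP'

# Assumed meaning of the AuthMethod value; confirm on your server with:
#   Get-Item "$capRoot\<CAP name>\AuthMethod" | Format-List *
$authNames = @{ 1 = 'Password'; 2 = 'Smart card'; 3 = 'Password or smart card' }

# Hypothetical helper name; emits one object per RD CAP.
function Get-RdCapRequirement {
    foreach ($cap in Get-ChildItem -Path $capRoot) {
        $path = "$capRoot\$($cap.Name)"

        # Step 5: supported Windows authentication methods
        $auth = [int](Get-Item -Path "$path\AuthMethod").CurrentValue
        $authText = if ($authNames.ContainsKey($auth)) { $authNames[$auth] } else { "value $auth" }

        # Steps 6-7: user groups (required); step 8: client computer groups (optional)
        $userGroups     = @(Get-ChildItem -Path "$path\UserGroups"     | ForEach-Object { $_.Name })
        $computerGroups = @(Get-ChildItem -Path "$path\ComputerGroups" | ForEach-Object { $_.Name })

        # Observations worth a second look during an access review
        $notes = @()
        if (1, 3 -contains $auth)          { $notes += 'password authentication accepted' }
        if ($computerGroups.Count -eq 0)   { $notes += 'no client computer group condition' }

        New-Object PSObject -Property @{
            Name           = $cap.Name
            AuthMethods    = $authText
            UserGroups     = $userGroups -join '; '
            ComputerGroups = $computerGroups -join '; '
            Notes          = $notes -join '; '
        } | Select-Object Name, AuthMethods, UserGroups, ComputerGroups, Notes
    }
}

Get-RdCapRequirement | Format-List
```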