I've been using TS Gateway to permit remote access for our staff for a few months now, and all has been well. Users either connect to a traditional terminal server desktop or hit our website and start a TS RemoteApp application; in both cases the connection is routed through a TS Gateway.

However, I came into work this morning to find that it has stopped authenticating users through TS Gateway, each time returning "The logon attempt failed" as seen in the image, even though the credentials are correct.

It should be noted that everything works fine if the Gateway is taken out of the equation, it's the TS Gateway component that is causing these problems.

Users experience this problem whether they connect through XP SP3, Vista or 7.

On the server a total of 4 entries appear in the Windows security log at exactly the same time for each failed logon attempt: two 4624 "An account was successfully logged on" messages for the user, immediately followed by two 4634 "An account was logged off"s. This suggests that the server is accepting the credentials as correct, then booting the user off. Nothing at all is recorded in the NPS and Terminal Server logs.

A reboot doesn't change things. Neither does completely removing and reinstalling the NPS and Terminal Server roles. I'm baffled as to how this can happen suddenly without warning.

Any suggestions would be greatly appreciated.

  • Since I didn't get anywhere with this I've had to build up another TS Gateway box. However, since they are VMs I've kept the old problematic system to try out any other suggestions on - it would be good to get to the bottom of this. – user2059 May 18 '09 at 14:07
  • I had the same problem, thought the NPS policies were the problem. In IIS --> RPC --> Authentication --> Enable Windows Authentication –  Jan 27 '11 at 11:26
  • I'm coming from left field here because I don't know much about this, but maybe it's a credential issue with the Windows Service that is running the TS Gateway? Is it possible that the account for the Windows Service changed its password or has been locked out? JFV – JFV May 15 '09 at 13:10

10 Answers


This problem has been plaguing me for months on an SBS 2008 machine, but has never been critical enough to go to crazy measures to fix.

After resorting to uninstalling and reinstalling the TS Gateway service and it still not working, I went to IIS Manager → Sites → SBS Web Applications → Rpc → Authentication and found only "Basic Authentication" was enabled.

Though details on this particular error are scarce online, I have seen that Outlook Anywhere seems to change IIS Authentication schemes. Since this is SBS, I figured Exchange and TS Gateway might be fighting over the authentication setting.

I enabled "Windows Authentication" then ran an IIS reset. When IIS came back online, I was able to connect via TS Gateway to two servers and at least one workstation. I connected and disconnected multiple times and it had no problems.

I can't guarantee this is permanent, but I'm definitely hoping.

EDIT: Since making this change, I haven't had any problems with TS Gateway.

Stephen Jennings

Ok here is the answer?

2k8r2 and iis7

TSGateway repeatedly asks for credentials but does not log in...

Turns out that TSGateway doesn’t do the connection and authentication, IIS does. Surprise, Ya I know….

TSGateway only filters and routes.

So, Now, what part of IIS does the connection and authentication for TSGateway? I don’t know. And apparently, no one else really does either. But if you mess with the Authentication settings of RDWEB, RPC, RPCWCERT, Default WEB SITE, Authdiscover, you can make it work…

This is a good article. But as you see, it’s a shot in the dark with them also.

NOTE: Apparently, redirection of the Default Web Site breaks communication to RDWeb and therefore TSGateway.

HTTP – HTTPS redirection…

It looks like my default web site came as HTTPs but I wanted it to be reachable from HTTP users. So I created a redirection web site to redirect HTTP requests to the Default Web Site as HTTPS. Which works great but it stopped my TSGateway authentication. (I think it was because port 80 was being used by the redirection web site. And for some reason, RDWEB uses port 80 as well as 443 for communications…)

By the way, if you turn off Require SSL in SSL Settings on the default web site in IIS, it does work correctly and does the same thing…

Anyhow, start by getting RDWEB working correctly, then work on TSGateway.

RDWEB should have only: Anonymous Authentication enabled.

AutoDiscovery should have: Anonymous, Basic and Windows Authentication enabled.

OWA: Basic only.

RPC should have: Basic and Windows Authentication.

RPCWCert: should not have anything enabled.

At least those are the settings in my setup…

Good Luck.


  • From [PiBaSe](http://serverfault.com/users/149836/pibase): Sorry to edit your answer, but I see no other way to add a little info in this thread/post. I was running Exchange 2010 with OWA and RdWeb on 1 server. The Exchange kept changing the authentication for the rpc to only basic every 5 minutes or so. To stop this from happening I could solve it by running the following command from the Exchange shell, hope it helps someone: get-outlookanywhere | set-outlookanywhere -IISAuthenticationMethods: Basic, Ntlm – Chris S Dec 16 '12 at 15:47
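An added example, not code from any of the posters: a read-only PowerShell check that reports which IIS authentication methods are currently enabled on the virtual directories named in the answer above and flags any that differ from a baseline, which helps catch the kind of silent change by Exchange described in the comment. The site name is an assumption (the SBS 2008 answers use "SBS Web Applications"), and the baseline is the one that answer reports for its own setup, not a recommendation.

```powershell
# Added example: audit IIS authentication settings on the TS Gateway-related
# virtual directories and flag drift from a baseline. Read-only; changes nothing.
Import-Module WebAdministration

# Assumption: site name. On SBS 2008 the answers here use 'SBS Web Applications'.
$Site = 'Default Web Site'

# Baseline taken from the answer above ("the settings in my setup"); edit to suit.
$Baseline = @{
    'RDWeb'       = @('anonymous')
    'Rpc'         = @('basic', 'windows')
    'RpcWithCert' = @()
}

function Get-EnabledAuth {
    param([string]$Location)
    foreach ($method in 'anonymous', 'basic', 'windows') {
        $filter = "/system.webServer/security/authentication/${method}Authentication"
        $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Location $Location -Filter $filter -Name enabled
        # Depending on the module version the result is a bool or an attribute object.
        $enabled = if ($prop -is [bool]) { $prop } else { $prop.Value }
        if ($enabled) { $method }
    }
}

function Test-AuthBaseline {
    foreach ($vdir in $Baseline.Keys) {
        $actual   = (@(Get-EnabledAuth "$Site/$vdir") | Sort-Object) -join ','
        $expected = (@($Baseline[$vdir]) | Sort-Object) -join ','
        New-Object PSObject -Property @{
            VirtualDirectory = "$Site/$vdir"
            Enabled          = $actual
            Expected         = $expected
            Drift            = ($actual -ne $expected)
        }
    }
}

Test-AuthBaseline | Format-Table VirtualDirectory, Enabled, Expected, Drift -AutoSize
```

Run it from an elevated PowerShell session on the gateway server; running it again a few minutes later shows whether something is resetting the Rpc settings.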

I had a similar problem. I found I had to edit IIS Manager → Sites → SBS Web Applications → Rpc With Cert → Authentication and added Windows Authentication. Then performed an IISRESET and all worked as it should.


Had the same exact issues as the original post. I was also redirecting the default web site to /RDWeb/Pages/en-US, once I took that redirect off everything worked as normal.

I'm bewildered how this even caused the issue in all honesty.

  • Terminal Services runs over IIS on Port 80. Messing with its settings (a la redirects) will cause problems. – Chris S Jan 05 '11 at 20:29

I had a similar issue. The Gateway Login Screen just kept popping up. The server security logs showed a special privileges logon, a logon and a logoff for every attempt. The gateway logs showed nothing.

After trying everything, I noticed that the area at the bottom of the gateway logon screen that should be showing the domain was blank. I added the domain to the username logon screen: domain\username and voila, it all works as it should.

That was a waste of about 4 or 5 hours of my life searching for solutions and trying complicated fixes... Hope it saves someone else some time...


The Terminal Services Gateway windows service kept failing for us.

In the absence of anything useful in the event logs, I just get task scheduler to "net start tsgateway" a few times every hour. Horrible, but zero complaints ever since.

  • Ha, I also had that problem when I first set this up - the end user would see "terminal services gateway server is temporarily unavailable"? The service appears to be started fine, a restart of the service doesn't solve my problem either. – user2059 May 15 '09 at 14:03

If you're having this issue on SBS 2008, I suggest using a combination of the SBS 2008 Best Practices Analyzer and the SBS Console's "fix my network" wizard (Network -> Connectivity -> Fix my network). SBS is finicky and will sometimes override manually adjusted settings so it's best to use the wizards when possible.

In my case, BPA said to run "get-outlookanywhere |set-outlookanywhere -iisauthenticationmethods basic, ntlm -clientauthenticationmethod basic" in the Exchange Management Shell and the "fix my network" wizard also made a correction.


I had an MS support ticket going so I had them look at this. They simply changed outlook anywhere to NTLM and VIOLA!

Mark M

Same problem for me too, SBS2008 suddenly started reporting "login failed" whenever the TS Gateway was used. Found that the RPCwithCert site in IIS had no authentication method, ticked Windows Authentication and it works again now....


For me, I got everything set up for SSO, then I made a few changes and it broke. I could get into the RemoteApps site, but when trying to launch an application I got prompted for my credentials and "the logon attempt failed" at the bottom of the logon window. Thanks to Robert's post from above, I found out that it was the redirect I put in IIS7. My setup is one server acting as Gateway, Broker, and Web Access. I left everything to run under "Default Web Site". To expand on Robert's post, I left the redirect in place, but checked the "Only redirect requests to content in this directory (not subdirectories)" option, since I want requests to the root site to hit RDWeb, and this works perfectly for me.