Remote Desktop can't connect to the remote computer / Event 301

[daurrutia]

Deployed "RD Gateway into a new VPC"

Walked through Post-Deployment Tasks

• create sg for private instance(s) w/ 3389 inbound from RDGW SG
• added fqdn host record to host file on admin client, matching the self signed certificate subject fqdn
• installed the root cert from RDgateway's c:\servername.cer on admin client within trusted root cert auth store
• added tcp 443 inbound to rdgw sg, from admin client ip
• verified instance associated with sg allowing 3389 from the rdgw sg
• configured rdp connection as described (instance private IP in general field, rdgw fqdn (as in host file) in rdgw settings)

Attempting to connect to a Windows Server 2016 instance (administrator, with aws generated password) in private subnet 1A.

• Get prompted for RDGW credentials
• Never get prompted to enter credentials for the private instance, RDP error pops up.

Receive the following error: Remote Desktop can't connect to the remote computer "10.XXX.XXX.XXX" for one of these reasons:

1) Your user account is not listed in the RD Gateway's permission list 2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example, computer1.fabrikam.com or 157.60.0.1).

TS event log on RDGW displays Event 301 (error 23002) at each attempt, detailing a resource authorization error.

Screenshots attached.

• All attempted deployments have been made with intention of utilizing standalone RDGW.
• Have made attempts with default domain (example.com), as well as ec2.internal and compute-1.amazonaws.com (for us-east-1).
• All attempts made with StackAdmin account to authenticate to RDGW
• Standard RDP from rdgw to private instance tested working
• TS Event Log states CAP authorization successful/allowed
• Verified RAP is configured to allow all network resources
• Tested RAP with local group (instance IP and AWS private DNS record); same error

Anyone come across this or can provide guidance?

[szmulder]

I had same problem with StackAdmin account, but when I use the administrator (with aws generated password) account to authenticate to RDGW then works fine.

[daurrutia]

Verified @szmulder's method using the default Administrator account is a workaround.

[daurrutia]

An additional workaround is to:

• add the StackAdmin account to a new or existing group
• add the group to the RDGW RAP

[ghost]

thanks @daurrutia - I had this and not only did I need to add to the RDGW RAP, but also to the CAP.

[tbugfinder]

I run into this issue also. Maybe the userdata scripts could do some work work and create additional users/groups.