Affected versions: Windows Server 2022

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution - Primary Fix
  7. Solution - Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Admins cannot RDP through the gateway to manage guest systems during incidents.

Environment & Reproduction

CAP/RAP policies are misaligned or NPS restrictions block target resource groups.

Test-NetConnection rdgw01 -Port 443

Root Cause Analysis

The gateway authorization policy does not permit the source user group or the destination host set.

Quick Triage

Review RD Gateway and NPS logs for denied auth reason codes.

Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 100
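
An added example (not from the original page) that sorts gateway events by the policy stage that rejected them, so a CAP denial (user group) can be told apart from a RAP denial (destination host set). The function names, the CONTOSO accounts and the sample records are constructed, and the Username/Resource element names read from the event XML are an assumption to confirm against one real event.

```powershell
# Gateway operational event IDs: 200/201 = CAP met / not met,
# 300/301 = RAP met / not met, 304 = authorized but target connection failed.
$StageById = @{
    201 = 'CAP denied (user group or auth method)'
    301 = 'RAP denied (destination host set)'
    304 = 'Authorized, connection to target failed (check DNS/network)'
}

function ConvertTo-GatewayRecord {
    # Flattens a live event record into Id/User/Resource.
    # Assumption: UserData/EventInfo carries Username and Resource elements.
    param([Parameter(ValueFromPipeline)]$EventRecord)
    process {
        $info = ([xml]$EventRecord.ToXml()).Event.UserData.EventInfo
        [pscustomobject]@{
            Id       = $EventRecord.Id
            User     = $info.Username
            Resource = $info.Resource
        }
    }
}

function Get-GatewayDenialSummary {
    # Keeps only denial/failure events and counts them per stage, user and target.
    param([Parameter(Mandatory)][object[]]$Record)
    $Record |
        Where-Object { $StageById.ContainsKey([int]$_.Id) } |
        Group-Object Id, User, Resource |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Stage    = $StageById[[int]$first.Id]
                User     = $first.User
                Resource = $first.Resource
                Count    = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Constructed sample records (not real log data); hvmgmt01 is the page's target host.
$sample = @(
    [pscustomobject]@{ Id = 200; User = 'CONTOSO\hvadmin1'; Resource = '' }
    [pscustomobject]@{ Id = 301; User = 'CONTOSO\hvadmin1'; Resource = 'hvmgmt01' }
    [pscustomobject]@{ Id = 301; User = 'CONTOSO\hvadmin1'; Resource = 'hvmgmt01' }
    [pscustomobject]@{ Id = 201; User = 'CONTOSO\oncall2';  Resource = '' }
    [pscustomobject]@{ Id = 302; User = 'CONTOSO\hvadmin3'; Resource = 'hvmgmt01' }
)
Get-GatewayDenialSummary -Record $sample | Format-Table -AutoSize
```

On the gateway itself, pipe the Get-WinEvent command above into ConvertTo-GatewayRecord and pass the result to Get-GatewayDenialSummary -Record.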

Step-by-Step Diagnosis

Validate CAP, RAP, certificate trust, and DNS for target hosts.

Resolve-DnsName hvmgmt01
Get-ChildItem Cert:\LocalMachine\My

Solution - Primary Fix

Correct CAP/RAP mappings and ensure NPS policy order is explicit.

# Update RD CAP/RAP in Server Manager and apply
Restart-Service TSGateway

Solution - Alternative Approaches

Provide a break-glass bastion path for urgent hypervisor access.

# Bastion host RDP fallback process

Verification & Acceptance Criteria

Gateway sessions establish and host management tasks execute normally.

qwinsta /server:rdgw01

Rollback Plan

Revert policy changes to last known good export.

# Import prior NPS and RD Gateway policy backup

Prevention & Hardening

Implement policy-as-code for RD access controls and periodic policy tests.

Get-WinEvent -LogName Security -MaxEvents 200 | Where-Object Id -in 4624,4625

Related: MFA challenge failures and TLS certificate CN mismatches.

References & Further Reading

RD Gateway deployment and NPS policy design recommendations.
