As an administrator, you publish Remote Desktop Services or RemoteApps through Microsoft Forefront Unified Access Gateway 2010 so that users can connect to a Remote Desktop Virtualization Host (RD Virtualization Host) server. This process is also known as publishing a personal virtual desktop or virtual desktop pool that is hosted on a Hyper-V server. However, when a user cannot connect to the RD Virtualization Host server, you may find the following errors logged in the Windows Terminal Services Gateway operation event log:
The user "\UserA", on client computer "127.0.0.1", did not meet resource authorization policy requirements and was therefore not authorized to resource "IPv4:IPv6 address". The following error occurred: "23002".
Additionally, the user may receive the following error message at the same time:
Remote Desktop can't connect to the remote computer rdshost.contoso.com for one of the following reasons:
1) Your user account is not listed in the RD Gateway's permission list 2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example, computer1.fabrikam.com or 188.8.131.52).
Contact your network administrator for assistance.
This problem may occur because Forefront United Access Gateway 2010 does not support publishing Windows 7 Personal Virtual Desktops or a Virtual desktop pool.
To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2710791 Description of Service Pack 2 for Forefront Unified Access Gateway 2010
After you apply Service Pack 2, follow these steps on the Unified Access Gateway 2010 server to enable Virtual Desktop Infrastructure (VDI) functionality:
Locate the following registry subkey, and create the following new value:
DWORD Value: TSDontCheckResources Value data: 1
Apply the Unified Access Gateway 2010 configuration.
Restart the IIS services, or restart the Unified Access Gateway 2010 server.
Create a new Remote Desktop application for VDI in Unified Access Gateway 2010, and then apply the configuration.
If VDI desktop pool is configured on the back-end, you can add certain parameters to the rd-template.txt file. This file is located in the following folder:
Add the following parameters to the rd-template.txt file in the Custom Update folder:
use redirection server name:i:1
The use redirection server name parameter enables you to specify the redirection server name where you want to go.
The LoadBalanceInfo property contains the load balancing cookie. If you know your VDI Pool ID, you can change this property to the following:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
A user is connected to a personal virtual desktop in the following way:
A user starts the connection to the personal virtual desktop by using RemoteApp and Desktop Connection through Forefront United Access Gateway.
The request is sent to the RD Session Host server that is running in redirection mode.
The RD Session Host server that is running in redirection mode forwards the request to the RD Connection Broker server.
The RD Connection Broker server queries Active Directory Domain Services and retrieves the name of the virtual machine that is assigned to the requesting user account.
The RD Connection Broker server sends a request to the RD Virtualization Host server to start the virtual machine.
The RD Virtualization Host server returns the IP address of the fully qualified domain name to the RD Connection Broker server. The RD Connection Broker server then sends this information to the RD Session Host server that is running in redirection mode.
The RD Session Host server that is running in redirection mode redirects the request to the client computer that initiated the connection.
The client computer connects to the personal virtual desktops.
For more information about how to modify RDP parameters, go to the following Microsoft TechNet website: