Question : Access issues on TS Web Access

Hello. I have migrated a client from a 2003 domain to a 2008 domain.

We have:

2 DCs
2 Term Servers
1 TS Gateway
1 TS Broker
Many thin clients and some PCs/laptops.
Some home/remote users

All of the servers are Windows Server 2008. Some are 32 bit, some are 64 bit.
The domain mode is 2008 Native. All of the above servers are brand-new, w/ clean installations of the 2008 OS.

The gateway and broker are the same server. The license server is the first TS.

I have successfully set up and configured the TS Gateway and have several users who can connect to the GW and launch the apps. However, I have a few random users who cannot launch any of the remoteapps.

They receive the following error: "Windows cannot start the remoteapp program. The following RemoteApp program is not in the list of authorized programs: Calculator. For assistance, contact your system administrator"

Also, I used Calculator as a test. It doesn't matter if it's an Office app, utility, or RDP link. They all get the same error. Once I click the okay button, the session seems to try to continue to connect anyway, and then I get the window that says the connection has been lost. Other times, I get a small window with the Server 2008 logon screen.

Some additional info: The site has a paid-for SSL certificate and is working properly (other users can connect just fine). One of the user accounts we have had trouble with is in the same group as the rest of the users, but is also an administrative user. We have tried from several different physical remote locations on several different computers. Some of the OSes we have tried this from are Windows XP Pro SP3 (RDP 6.1), XP Home Edition, and Linux (Fedora 10). The same user is able to log in to the term servers just fine. He is also able to log into the management server remotely as well.

All current patches and recommended updates have been installed. Access has been tried with both firewall on and off. It's odd how other users can connect without any issue at all, but not a few different accounts. One of the other accounts is a non-administrative account. If I log in as administrator, I can also access the apps.

Could anyone assist me in troubleshooting this issue? I would be very grateful.

Thank you,
Dave

Edit:
After reviewing some of the logs, it seems like this entry in the security log is generated when these failures are occurring:

An account failed to log on.

Subject:
 Security ID:  NULL SID
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  (TSG server name)$
 Account Domain:  (Domain Name)

Failure Information:
 Failure Reason:  An Error occured during Logon.
 Status:   0xc000006d
 Sub Status:  0x0

Process Information:
 Caller Process ID: 0x0
 Caller Process Name: -

Network Information:
 Workstation Name: (TSG Server Name)
 Source Network Address: 10.x.x.x
 Source Port:  56673

Detailed Authentication Information:
 Logon Process:  
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Answer : Access issues on TS Web Access

Well, this one must have really stumped the Experts! In any case, after much troubleshooting and careful consideration of the entire environment, I think that my problem was due to the fact that my TSG was pointed to TS 1, which is part of my 2-server TS Farm (load balanced).

Somehow, after being authenticated, I think that the access to the RemoteApps is somehow being load balanced. That would explain why some people could connect and others could not - same session on different TS being reconnected. It would also explain why different users were affected by the issue after a TS reboot.

To test my theory, I made the available RemoteApps on TS2 identical to TS1. Guess what? Everyone who had not had access before suddenly had access. It's been running for a couple of weeks now so I am confident that this is the solution. Also, when I initially configured the RemoteApps, they were identical on both servers. However, as time progressed, we had made many changes to the TSG and you can only point it to one of the servers, not to the farm (it errors out). During those many changes, the two servers were no longer identically configured.

I will be closing out the question with this answer as the solution.
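The answer above comes down to a configuration-drift problem: the TS Gateway can only be pointed at one farm member, but sessions are brokered across both, so any RemoteApp published on TS1 but not on TS2 fails with "not in the list of authorized programs" for whichever users land on TS2. The script below is an added example, not code from the original post or from Microsoft, that compares the published RemoteApp list on each farm member and reports any drift. It assumes (as the Server 2008 RemoteApp Manager does, to my knowledge) that the allow list lives under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList\Applications` with one subkey per published program and a `Path` value holding the executable, that the Remote Registry service is reachable on both servers, and that the caller is a local administrator on each. The server names `TS1` and `TS2` are placeholders.

```powershell
# Added example (not from the original post): detect RemoteApp allow-list drift
# between the members of a load-balanced Terminal Server farm.
# Assumptions: RemoteApp Manager stores published programs as subkeys of
# TSAppAllowList\Applications, each with a 'Path' value; Remote Registry is
# enabled on both servers; server names below are placeholders.
$Servers = @('TS1', 'TS2')
$AllowListPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList\Applications'

function Get-RemoteAppList {
    # Returns a hashtable: RemoteApp alias -> executable path, for one server.
    param([string]$ComputerName)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    $apps = $base.OpenSubKey($AllowListPath)
    $result = @{}
    if ($apps -eq $null) {
        # Nothing has ever been published on this host.
        $base.Close()
        return $result
    }
    foreach ($alias in $apps.GetSubKeyNames()) {
        $k = $apps.OpenSubKey($alias)
        $result[$alias] = [string]$k.GetValue('Path')
        $k.Close()
    }
    $apps.Close()
    $base.Close()
    return $result
}

# Collect the list from every farm member.
$lists = @{}
foreach ($s in $Servers) {
    $lists[$s] = Get-RemoteAppList -ComputerName $s
}

# Union of every alias seen anywhere in the farm.
$allAliases = $lists.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique

$driftFound = $false
foreach ($alias in $allAliases) {
    $presentOn = @($Servers | Where-Object { $lists[$_].ContainsKey($alias) })
    $missingOn = @($Servers | Where-Object { -not $lists[$_].ContainsKey($alias) })

    if ($missingOn.Count -gt 0) {
        # This is exactly the condition behind the "not in the list of
        # authorized programs" error for users brokered to the missing server.
        $driftFound = $true
        Write-Output ("{0}: published on {1}, MISSING on {2}" -f
            $alias, ($presentOn -join ', '), ($missingOn -join ', '))
    } else {
        # Same alias everywhere: also make sure it points at the same binary.
        $paths = @($Servers | ForEach-Object { $lists[$_][$alias] } | Sort-Object -Unique)
        if ($paths.Count -gt 1) {
            $driftFound = $true
            Write-Output ("{0}: path differs across farm ({1})" -f $alias, ($paths -join ' | '))
        }
    }
}

if (-not $driftFound) {
    Write-Output 'RemoteApp allow lists are identical on all farm members.'
}
```

Run it from the gateway or any management host with administrative rights on both terminal servers; a non-empty report means the farm is in the state the answer describes, and the fix is to publish the missing program (or correct the path) on the server it is missing from, not to repoint the gateway.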
