The error I receive is below:
Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS Gateway, possibly due to one of the following reasons:
* You do not have permission to connect to the TS Gateway server.
* You used password authentication but the TS Gateway server is expecting smart card authentication (or vice versa).
Contact your administrator for further assistance.
RemoteApp setup was working fine and the error started unexpectedly. The client machine is XP SP3 and belongs to domain child.main.local, while TS is Server 2008 SP2 and belongs to domain.l.local. Both domains are joined via VPN. Client machines belonging to domain.local and other forests have no issues connecting to TS. The problem is local to machines belonging to child.domain.local. No changes have been made to that specific domain or TS Gateway.
Looking at the TS Gateway logs, on success I see:
The user "domain\user", on client computer "xxx.xxx.xxx.xxx", met connection authorization policy requirements and was therefore authorized to access the TS Gateway server. The following authentication method was used: "NTLM".
On failure (when client computer is a member of its domain), I see two entries in the log:
1. TS Gateway Network access Policy engine received failure from IAS and the error was "16388"
2. The user " domain\user", on client computer " xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements and was therefore not authorized to access the TS Gateway server. The following authentication method was attempted: "NTLM". The following error occurred: "23003".
I don’t think it can be related to RAP and CAP, since I haven’t made any changes to the policies that would cause the error. Suggestions?