Is the NetBIOS name of the RMS cluster required in the SSL certificate?

    Question

  • I installed AD RMS on a computer with the NetBIOS name W12-rms1 and the FQDN W12-RMS1.Win12.local. I specified that the RMS cluster should use the URL https://adrms.win12.local:443. Adrms.win12.local is a CNAME record in DNS pointing to W12-RMS1.Win12.local.

    If the SSL certificate used by IIS has only a subject name of ADRMS.Win12.local then I get a security alert every time I open the AD RMS MMC stating “The name of the security certificate is not valid or does not match the name of the site”. If I select that I do not want to proceed I can see that the MMC wants to connect to W12-RMS1, the NetBIOS name of the computer.

    As soon as I use a certificate with a subject alternative name including the NetBIOS name W12-RMS1 (DNS Name=W12-RMS1) the security alert is gone.

    This issue already occurred several times in the past with different RMS test labs.

    Did I make a mistake during the RMS setup or is this a known bug?

    I do not call it a feature – I really do not like to include the NetBIOS name in the SSL certificate. Additional names increase the cost for a third party certificate. We should use CNAMES for the database server and the RMS cluster URL, why do I have to specify the name of the computer where I have installed RMS?

    Thursday, December 12, 2013 9:48 PM

Answers

  • Hi,

    that is because the RMS console is using the NetBIOS name of the server. I would not put the NetBIOS name in the certificate, just accept the SSL warning. This shortcoming exists in all previous server versions as well.

    Regards,

    Lutz

    • Marked as answer by J-H Thursday, January 09, 2014 9:48 PM
    Friday, December 13, 2013 8:30 PM
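The name check behind the console's warning, as an added example that is not code from the thread: a small RFC 6125-style host name matcher run against two constructed certificate descriptions in the shape Python's `ssl.SSLSocket.getpeercert()` returns, using the names from the question. It shows the CN-only certificate failing for the NetBIOS name the console connects with, and that the client compares against the name it typed, not against what the CNAME resolves to.

```python
"""Constructed example: why a CN-only certificate trips the AD RMS console.

The certificate dicts below are hand-built in the shape returned by
ssl.SSLSocket.getpeercert(); host names come from the forum question.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a host name (RFC 6125 style).

    Case-insensitive; a single leading '*.' wildcard matches exactly one
    label and may not match the whole name. No other wildcard forms.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and len(h_labels) > 1 and p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names a client will check, in precedence order.

    If the certificate carries any SAN dNSName entries the subject CN is
    ignored; CN is only consulted for certificates with no SAN at all.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for attr, value in rdn if attr == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the host name the client connected with is covered by the cert."""
    return any(_dns_name_matches(name, hostname) for name in certificate_names(cert))


# Constructed cert 1: subject name only, as in the first attempt in the question.
CERT_CN_ONLY = {"subject": ((("commonName", "ADRMS.Win12.local"),),)}
# Constructed cert 2: SAN carries the cluster URL name and the NetBIOS name.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ADRMS.Win12.local"),),),
    "subjectAltName": (("DNS", "adrms.win12.local"), ("DNS", "W12-RMS1")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        for host in ("adrms.win12.local", "W12-RMS1", "W12-RMS1.Win12.local"):
            verdict = "ok" if hostname_matches(cert, host) else "NAME MISMATCH"
            print(f"{label:9} {host:22} -> {verdict}")
```

Note that the FQDN W12-RMS1.Win12.local still fails against the second certificate, because its SAN lists only the short NetBIOS name; a certificate has to carry every exact name a client will connect with.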

All replies

  • Hi Lutz,

    Thank you for sharing your experience.
    So, I call it a bug.

    Regards
    Juergen

    Sunday, December 15, 2013 9:16 AM