Support for self-signed certificates on Windows Server 2012 Essentials?

    Question

  • So I recently upgraded my Windows Home Server 2011 to Windows Server Essentials 2012, although one significant difference in support I've noticed is the new requirement to use an externally signed certificate. For small business scenarios, are self-signed certificates a supported scenario?

    I was able to successfully create a self-signed cert using the IIS manager, although getting this cert to function for RDP access via the Remote Web Gateway has been extremely frustrating.  

    Is this a supported scenario or am I stretching the limits of this product?

    Friday, October 19, 2012 9:28 PM

All replies

  • Joe,

    Did you migrate your WHS server shares and client backups to the server once you installed WSE 2012?  If so/not what did you do?

    Stephen

    Monday, October 22, 2012 11:55 PM
  • Use the remotewebaccess.com vanity domain. Self-signed certs are not supported on Essentials.

    Tuesday, October 23, 2012 5:48 PM
  • Thanks for confirming Susan. Is this documented anywhere? I don't see any reference to remotewebaccess.com in the wizard. Previously, on WHS 2011, I used the homeserver.com domain. Can I assume what you are referring to provides the same functionality?

    Tuesday, October 23, 2012 8:57 PM
  • Yup, same scenario. You go through the domain setup wizard and let MS control the domain and sign in with a MS/Live ID. You then choose to do the domain on MS's servers. Let me see if it's documented anywhere.
    Tuesday, October 23, 2012 9:03 PM
  • Thanks Susan, I'm going to try the vanity URL tonight, although I'm a bit disappointed that this scenario isn't supported, as there doesn't seem to be a technical reason that it shouldn't work.

    On a side note.  I was able to get the self-signed cert working for the Remote Web Access IIS site.  The trick was that I had to create it using the SelfSSL.exe from the IIS 6.0 Toolkit.   

    I can now access my folders and browse content without an issue.   Still no luck getting the RD Gateway working correctly.   Receiving this error:


    "...no certificate was configured to use at the Remote Desktop Gateway server..."  

    The Best Practices Analyzer is also spitting errors regarding certs not being set up correctly for the Gateway server. Unfortunately the BPA is recommending that I fix this using the Remote Desktop Gateway Manager MMC. Installed the MMC, yet I am unable to connect to my server with it. "....Unrecognized settings..."

    Any way to load the cert on the RD Gateway server using PowerShell or another toolset?

    -Joe 

    Tuesday, October 23, 2012 10:41 PM
  • Using a self-signed cert wasn't supported in Home Server 2011 either, nor in SBS 2011 Essentials, nor is it good surfing advice to hand out self-signed certs that throw off browser warnings. Given that it too used RD Gateway... exactly how did you do this the last time?

    I apologize for being a bit rude here but given that I have a moral problem with telling someone to take a server/domain controller out of the boundaries of support, given that there is a Microsoft supported solution, given that you aren't without free options here, is there a reason you don't want to use the remotewebaccess.com way?

    Not to mention you are adding a deployment issue whereby you have to get the self signed cert installed all over the place.

    Tuesday, October 23, 2012 10:49 PM
  • http://technet.microsoft.com/en-us/library/jj635067.aspx

    That's the section on remotewebaccess.com

    Tuesday, October 23, 2012 10:50 PM
  • IMHO there is nothing wrong with using self-signed certs on Remote Desktop Gateway, in the RDG manager console there is a possibility to generate such certificate and bind it to RDG. The console could be installed from the features even on WS2012 Essentials.

    I would recommend using a semi self-signed cert, I mean a certificate created on the CA which is available on the server. There is a how-to on http://forum.wegotserved.com/index.php/topic/24772-windows-server-2012-essentials-w2012e-anywhere-access-with-own-homemade-certificate/

    Be aware that you will be able to connect to this server only from PCs where the CA root certificate is installed. The Connect App installs the root cert automatically while adding the PC to the server.

    I am using this setup, including the Windows Phone app, without any issue.

    Regards

    LH


    Saturday, November 24, 2012 3:40 PM
  • Thanks Susan, I'm going to try the vanity URL tonight, although I'm a bit disappointed that this scenario isn't supported, as there doesn't seem to be a technical reason that it shouldn't work.

    On a side note.  I was able to get the self-signed cert working for the Remote Web Access IIS site.  The trick was that I had to create it using the SelfSSL.exe from the IIS 6.0 Toolkit.   

    I can now access my folders and browse content without an issue.   Still no luck getting the RD Gateway working correctly.   Receiving this error:


    "...no certificate was configured to use at the Remote Desktop Gateway server..."  

    The Best Practices Analyzer is also spitting errors regarding certs not being set up correctly for the Gateway server. Unfortunately the BPA is recommending that I fix this using the Remote Desktop Gateway Manager MMC. Installed the MMC, yet I am unable to connect to my server with it. "....Unrecognized settings..."

    Any way to load the cert on the RD Gateway server using PowerShell or another toolset?

    -Joe 

    I am not sure, but it could be because the cert was created using the IIS console. I can imagine that such a certificate might have just the Server Authentication Key Usage.

    Looking at the properties of the original cert I would assume that both Client and Server Authentication Key usages are necessary.

    Did you try to create the cert with the RD gateway manager?

    regards

    LH

    PS: check also the event logs at Event Viewer/Applications and Services Logs/Microsoft/Windows/TerminalServices-Gateway/Operational; the logs are pretty verbose in the default state.

    PS2: you can use the WMI commands to read and configure the RDG certificate

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="CertificateThumbPrint"

    Saturday, November 24, 2012 3:54 PM
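    The following PowerShell script is an added example, not code from the thread: it applies LH's reasoning about the Server and Client Authentication EKUs to pick a certificate from the computer's Personal store, then reads and (only with -Apply) sets the same SSLCertificateSHA1Hash on Win32_TSGeneralSetting that LH's wmic commands use. It assumes it is run elevated on the server; the subject name in $Subject is a constructed placeholder to replace with your own server's name.

```powershell
# Added example (not from the original posts). Assumes an elevated PowerShell
# session on the WSE 2012 server. $Subject below is a constructed placeholder.
param(
    [string]$Subject = "CN=server.example.local",   # placeholder, replace with your own
    [switch]$Apply                                   # without -Apply nothing is changed
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Candidate certificates: matching subject in LocalMachine\My with a private key
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey }
if (-not $candidates) { throw "No certificate with a private key found for $Subject" }

# Keep only those carrying both EKUs (LH's reading of the original cert), newest first
$cert = $candidates | Where-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        ($ekus -contains $ServerAuthOid) -and ($ekus -contains $ClientAuthOid)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "Certificates for $Subject lack the Server/Client Authentication EKUs; reissue the certificate"
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired" }

# Same namespace and class as the wmic commands; the filter selects the RDP-Tcp listener
$wmiArgs = @{ Namespace = 'root\CIMV2\TerminalServices'; Class = 'Win32_TSGeneralSetting'
              Filter = "TerminalName='RDP-Tcp'" }
$ts = Get-WmiObject @wmiArgs

"Current SSLCertificateSHA1Hash : $($ts.SSLCertificateSHA1Hash)"
"Selected certificate thumbprint: $($cert.Thumbprint) (expires $($cert.NotAfter))"

if ($Apply) {
    # Thumbprint is the SHA-1 hash in uppercase hex, the format the property expects
    $ts.SSLCertificateSHA1Hash = $cert.Thumbprint
    $ts.Put() | Out-Null
    "Updated. Re-read value: $((Get-WmiObject @wmiArgs).SSLCertificateSHA1Hash)"
}
```

    Run it once without -Apply to see which certificate it would choose and what is currently bound, then with -Apply to make the change; the TerminalServices-Gateway Operational log LH mentions is the place to confirm the gateway picks it up.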
  • rerun the certificate and try it again.
    Saturday, November 24, 2012 5:42 PM
  • Hi Lubomir

    I have setup everything and it seems to work with the exception of the windows phone app. I have a Lumia 800 and I just keep getting "The specified server could not be reached. Confirm your server address and verify your network connectivity." It works perfectly when using the phone browser.

    Have you done anything special to get it working on the phone? Hope you can help.

    Best regards

    Steve

    Thursday, January 17, 2013 5:39 PM
  • Hi Steve,

    You need to install a CA root certificate onto the phone. You can install it by downloading it from the following site: http://DNSnameOfServer/certsrv/ . Choose the option to download the CA certificate chain; the other options don't work.

    Bad news is that it doesn't help on Windows Phone 8 :(

    regards

    Lubomir


    • Edited by Lubomir Hozak Thursday, January 17, 2013 7:23 PM
    Thursday, January 17, 2013 7:22 PM
  • Here's the solution that worked for me,

    On the WSE server, Open Microsoft Management Console and add the Certificates snap-in for the local computer.

    Open the personal container and open the <domain><servername>-CA certificate.

    Click Export to a file, choose to export the private key, choose .pfx and set a password.

    Follow the Anywhere Access configuration wizard from the WSE console, and import your .pfx file.

    Simples.

    PS, good for testing, not recommended for production.

    ---

    FYI All, after the wizard enables the site, you can then edit the bindings in IIS manager and install any certificate you want. :-)
    • Edited by Tom-_- Wednesday, June 12, 2013 10:43 AM
    Wednesday, June 12, 2013 10:23 AM