Error concerning intended use of SSL cert for RDP

    Question

  • I have a third-party SSL certificate installed in the personal certificate store on my server

    It lists 'Server Authentication' as one of the Intended Purposes of the certificate in cert store. If I view the properties in cert store on the server it lists the intended purposes as:
    1.3.6.1.4.1.6449.1.2.1.3.4
    1.3.6.1.4.1.311.10.3.3
    2.16.840.1.113730.4.1

    I selected this certificate to be used under Terminal Services Configuration and set the Security layer to SSL and Encryption Level to High

    However I keep getting an error on the RDP client when I connect that 'The certificate is not valid for this usage'

    If I click on View Certificate from this screen is says the certificate is intended for the following purposes:
    1.3.6.1.4.1.6449.1.2.1.3.4

    Any idea what is wrong?

    PS. I should probably mention that the cert I'm using is a Wildcard cert, but I don't see why that would make any difference
    Saturday, September 19, 2009 2:38 AM

Answers

All replies

  • Gareth0101

    My SSL certs are for Server Auth 1.3.6.1.5.5.7.3.1 (I have my own CA) and they work.
    Sorry, I know this is not a solution, but I would contact the CA and get them to help you.

    Or have you done this?  If so, then what did they say?

    Hope this helps,

    Kristin L. Griffin

    Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!) 
    Sunday, September 20, 2009 6:24 PM
    Moderator
  • Hi,

    The cert must have Server Authentication listed in the Enhanced Key Usage (EKU).  Server Authentication is 1.3.6.1.5.5.7.3.1 as Kristin already mentioned.  This has been the case since the TLS authentication feature was added to 2003 SP1 Terminal Services.  I think Server Authentication may be the most widely used EKU for public certificates since it is used for secure websites (SSL).  Please see these:

    Event ID 1054 — Terminal Services Authentication and Encryption

    http://technet.microsoft.com/en-us/library/cc775272(WS.10).aspx

    OID Repository: serverAuth

    http://www.oid-info.com/cgi-bin/display?oid=1.3.6.1.5.5.7.3.1&action=display

    I did some research so that I could point you to MS documents that mentioned 1.3.6.1.5.5.7.3.1 specifically (as related to RDP listener certificate), but most refer simply to Server Authentication, however, this blog post regarding RemoteApp Single Sign On does:

    Introducing Web Single Sign-On for RemoteApp and Desktop Connections

    http://blogs.msdn.com/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

    I have always used 1.3.6.1.5.5.7.3.1 on my TS certificates.  I use the IIS wizard to make my cert requests so that they are correct for TS/RDS usage.  You do not need IIS installed on your TS, you can use another machine to make the request/install the cert, then export/import it to your TS.

    Thanks.

    -TP

    Tuesday, September 22, 2009 8:13 AM
    Moderator
  • I contacted the certificate provider (Comodo) and they replied with the following:

    "The cause of the issue is the RDP for whatever reason can't validate a long certificate chain(1 root and 3 intermediates). So please send us the new CSR we will issue it in a shorter certificate chain(1 root and 1 intermediate)."

    I installed the re-issued single-root certificate and all is working now.
    Tuesday, September 22, 2009 6:14 PM
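    The two checks the thread ends up needing, as an added PowerShell example (not code from the thread or from any poster): it reads one certificate from the local machine personal store, reports whether its Enhanced Key Usage lists Server Authentication (1.3.6.1.5.5.7.3.1, as TP and Kristin describe), and then builds the chain the way Windows CryptoAPI would for a server-authentication use, printing how many certificates sit between the leaf and the trusted root. The thumbprint parameter is a placeholder you replace with your own certificate's thumbprint; nothing else is assumed beyond the built-in .NET X509 classes.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# Terminal Server / RDS host. Replace the placeholder thumbprint with your own.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder, not a real value
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU the RDP listener requires

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
}

# --- Check 1: Enhanced Key Usage -----------------------------------------
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

if (-not $ekuExt) {
    # No EKU extension at all: Windows treats the cert as unrestricted.
    Write-Output 'No EKU extension present (Windows treats this as valid for any purpose).'
} else {
    $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    Write-Output ('EKU OIDs present: ' + ($oids -join ', '))
    if ($oids -contains $ServerAuthOid) {
        Write-Output "OK: Server Authentication ($ServerAuthOid) is present."
    } else {
        Write-Output "PROBLEM: Server Authentication ($ServerAuthOid) is missing; the RDP listener will reject this certificate."
    }
}

# --- Check 2: chain build with the serverAuth application policy ---------
# Building with ApplicationPolicy set to serverAuth mirrors what a TLS/RDP
# client asks CryptoAPI to verify, so a failure here is the same failure the
# RDP client reports. Revocation checking is disabled so the script works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid($ServerAuthOid))) | Out-Null

$built = $chain.Build($cert)
Write-Output "Chain builds for server authentication: $built"
Write-Output ('Chain length (leaf + intermediates + root): ' + $chain.ChainElements.Count)

foreach ($element in $chain.ChainElements) {
    Write-Output ('  ' + $element.Certificate.Subject)
    foreach ($status in $element.ChainElementStatus) {
        # Any non-NoError status explains why the chain is untrusted on this host
        Write-Output ('    status: ' + $status.Status + ' ' + $status.StatusInformation)
    }
}
```

    A chain length of 3 means one intermediate (leaf, intermediate, root); a length of 5 is the "1 root and 3 intermediates" shape the CA describes in the reply above. The script looks only for 1.3.6.1.5.5.7.3.1; the OIDs the original poster saw in the certificate properties are not the serverAuth EKU (1.3.6.1.4.1.311.10.3.3 is the Microsoft Server Gated Cryptography EKU and 2.16.840.1.113730.4.1 is the Netscape equivalent), which is why the RDP client did not accept the certificate for that usage.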
  • I contacted the certificate provider (Comodo) and they replied with the following:

    "The cause of the issue is the RDP for whatever reason can't validate a long certificate chain(1 root and 3 intermediates). So please send us the new CSR we will issue it in a shorter certificate chain(1 root and 1 intermediate)."

    I installed the re-issued single-root certificate and all is working now.


    Garreth,
    Thanks for posting this.  I had a certificate from Comodo for PEAP that had 3 intermediates (and of course a root) as well, and it wasn't being validated by Windows clients.  I had them give me a new certificate with only one intermediate, and now the clients are validating the PEAP cert correctly.

    Not an RDP issue, but still an issue with Windows validating long certificate chains.

    Thanks for getting me on the right track!

    Todd

    Thursday, April 08, 2010 4:36 PM