Connection has been terminated because an unexpected server authentication certificate received from the remote computer

    Question

  • Hi all,

    I got the error "Connection has been terminated because an unexpected server authentication certificate received from the remote computer" when connecting to a Windows 2008 R2 RDS environment from a Vista client with the latest RDP version 6.1.7600.16722.

    The workaround is to go back to version 6.0...

    But is there a way to get it fixed in the latest version?

    • Moved by Bruce-Liu Thursday, November 24, 2011 4:19 PM (From:Security)
    Wednesday, November 23, 2011 1:01 PM

Answers

  • Hello sader82,

    CRL (Certificate Revocation List) is just a "list" of all revoked certificates of a Certification Authority. RDP Client 7.0 does a validation before starting the remote session to check if this certificate is revoked or not. I think this validation is not passing on your workstations. Thawte should have this CRL published to the internet, and their URL to get to this CRL is available in the "CRL Distribution Point" field on the Details tab when viewing a certificate (.cer).

    You have two options, an easy one (but not the most secure) and a difficult one:

    - Easy one:

    Disable this CRL validation in the registry by following these instructions (on client PCs):

    - Run regedit.exe

    - Find key:  HKLM\System\CurrentControlSet\Control\LSA\CredSSP

    - Add a DWORD key in the registry named: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

    - Value: 1 (hexadecimal)

    If this works you can deploy this registry change by GPO to all domain workstations.

    - Difficult:

    On one client PC:

    - run this command: certutil.exe -urlcache * delete

    - run this command: certutil -verify -urlfetch MyServer.cer   (replace MyServer.cer with your Thawte certificate name)

    This will do the same validation process as the RDP client, but you will be able to see where it is failing. It will try to reach an HTTP destination (URL); check if you have access to that destination using your browser.

    Your firewall might be blocking that URL, or there might be multiple other reasons for not passing the validation.

    So troubleshoot using that information.

    NOTE: I recommend you try the Easy solution first; if it works, then the problem is definitely caused by the CRL check. If not, then the difficult solution is not going to be useful either.

    Let me know how it goes.


    goDog
    Tuesday, November 29, 2011 10:21 PM
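The two steps in the answer above, as an added example (not from the thread and not Microsoft's code): a PowerShell script that shows the current state of the CredSSP registry value, then rebuilds the server certificate's chain with an online revocation check the way the RDP 7.0 client does, listing the per-element chain status and trying to download every CRL Distribution Point URL found in the chain. The certificate file path and the registry value name are the ones from the answer; the file path `C:\temp\MyServer.cer` is an assumption. Note that the registry value only makes CredSSP ignore a CRL that cannot be retrieved (status unknown); a certificate that is actually listed as revoked is still rejected, which is why it is the less secure of the two options.

```powershell
# Added example, not from the original thread.
# Reproduces the RDP 7.0 / CredSSP revocation check from PowerShell and shows
# the registry workaround beside it. $CertPath is an assumption (an exported
# copy of the RDS server's Thawte certificate).
param(
    [string]$CertPath = 'C:\temp\MyServer.cer'
)

# 1. The workaround value from the answer. 1 = use only locally cached CRLs and
#    ignore "revocation status unknown" errors. A certificate that is positively
#    listed as revoked is still rejected. Unset or 0 = full online check.
$credSsp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\CredSSP'
$valueName = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
$current   = (Get-ItemProperty -Path $credSsp -Name $valueName -ErrorAction SilentlyContinue).$valueName
"Current $valueName : $(if ($null -eq $current) { '<not set>' } else { $current })"

# Apply the workaround from an elevated shell (it is a DWORD *value* under the
# CredSSP key, not a subkey). Kept commented out so the strict check stays on.
#   New-ItemProperty -Path $credSsp -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
# Revert with:
#   Remove-ItemProperty -Path $credSsp -Name $valueName

# 2. Build the chain like the client does: online revocation check, root excluded.
#    This is the .NET equivalent of:  certutil -urlcache * delete ; certutil -verify -urlfetch $CertPath
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan 0,0,15

$ok = $chain.Build($cert)
"Chain build result for '$($cert.Subject)': $ok"
foreach ($status in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation are the statuses the registry
    # value suppresses; Revoked is not.
    "  {0,-26} {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# 3. Pull every CRL Distribution Point URL out of the chain and fetch it directly.
#    A proxy or firewall that blocks the CDP shows up here as a WebException
#    instead of the vague "unexpected server authentication certificate" error.
foreach ($element in $chain.ChainElements) {
    $cdp = $element.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { continue }
    # Format($true) renders the extension as text with "URL=http://..." entries
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(http[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        try {
            $bytes = (New-Object System.Net.WebClient).DownloadData($url)
            "  OK   $url ($($bytes.Length) bytes)"
        } catch {
            "  FAIL $url : $($_.Exception.Message)"
        }
    }
}
```

Run it on one affected client as the same user that launches mstsc, because a per-user proxy setting is often the difference between the browser reaching the CDP and CredSSP not reaching it. If the chain builds with no status and every CDP download succeeds, the CRL check is not the cause and the registry value will not help.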

All replies

  • If you are using Windows XP or Vista for your client, you should install RDC 7.0.

    Remote Desktop Connection 7.0

    http://support.microsoft.com/kb/969084/en-us


    Please also refer to this thread: http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/394e15eb-2aeb-4aea-aea4-d28c0b867db6

    Friday, November 25, 2011 9:31 AM
  • Hi Horizonsky,

    I installed RDC 7.0, but that did not solve the issue; it only works with the old version 6.0...

    I also read the thread:  http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/394e15eb-2aeb-4aea-aea4-d28c0b867db6

    But I do not get the CRL part. We use certificates from Thawte, and did not see any option to install a CRL.

    If I can get it to work with 7.0, I'll be very happy.

    Tuesday, November 29, 2011 1:41 PM
  • I'm encountering the same error on a Thin client running WES 2009 (XP SP3 & RDP 7.0). The RDP server is running Server 2012 with a Starfield Class 2 certificate. I have tried all of the solutions previously mentioned, but nothing seems to work. The root CA is installed, the intermediate CA is installed, the CRL is installed.

    Regarding your steps, I created the key, but to no effect.  For the difficult one, it seems to have completed successfully without errors.  Screen dump is below.

    Any assistance would be appreciated.

    C:\Documents and Settings\admin\Desktop>certutil -verify -urlfetch sf_intermediate.crt
    402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
    Issuer:
        OU=Starfield Class 2 Certification Authority
        O=Starfield Technologies, Inc.
        C=US
    Subject:
        SERIALNUMBER=10688435
        CN=Starfield Secure Certification Authority
        OU=http://certificates.starfieldtech.com/repository
        O=Starfield Technologies, Inc.
        L=Scottsdale
        S=Arizona
        C=US
    Cert Serial Number: 0201

    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 31 Days, 21 Hours, 13 Minutes, 27 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 31 Days, 21 Hours, 13 Minutes, 27 Seconds


    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
      Subject: SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http://certificates.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US
      Serial: 0201
      7e 18 74 a9 8f aa 5d 6d 2f 50 6a 89 20 ff 22 fb d1 66 52 d9
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (10)" Time: 0
        [0.0] http://certificates.starfieldtech.com/repository/sfroot.crl

      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      --------------------------------
        CRL 10:
        Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
        52 b3 6e b3 9d 24 15 76 70 12 e6 c3 91 55 53 77 ab 9c 33 73

    CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
      Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
      Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
      Serial: 00
      ad 7e 1c 28 b0 64 ef 8f 60 03 40 20 14 c3 d0 e3 37 0e b5 8a
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      1d 99 44 4c 30 f2 f2 79 3c 47 33 aa e3 02 59 ad f5 72 98 8b
    Full chain:
      52 1e bd 59 7e b6 44 7a eb a3 41 b3 4e 30 e1 7e 15 80 b7 df
    ------------------------------------
    Verified Issuance Policies: All
    Verified Application Policies: All
    Cert is a CA certificate
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

    Monday, May 13, 2013 8:44 PM
  • daedalus7 - Did you get your issue resolved? I am having difficulty with this as well on Thin clients with Embedded 2009 on them.

    Thanks,

    Brian

    Monday, June 24, 2013 10:59 PM