Win2012 R2 - Problem with certificate in RDS Farm

  • Question

  • Hello,

    I installed an RDS farm in Windows 2012 R2 with 1 server acting as RDS Broker and WebApp, and 3 RDS Hosts. When we access the webapp site using the alias rds.company.com there is no warning with the certificate (internal CA). When we access a desktop by clicking on the collection name, there is a first warning like this:

    And then one like this:

    How do I make these messages disappear? Why is it not trusting the certificate if it is trusting it for the web site?

    Thanks in advance

    Regards


    IT Support / Administrator

    Thursday, April 24, 2014 2:37 AM

Answers

    You can disable it client-side by running the following PowerShell command on your broker:

    Get-RDSessionCollection | Set-RDSessionCollectionConfiguration -CustomRdpProperty "authentication level:i:0"


    MCITP:SA:EA:EMA2010:VA2008R2

    Thursday, April 24, 2014 3:57 PM
  • Hi Sebastián.Graña,

    The first warning may be removed for your domain-joined PCs by configuring the following group policy setting and applying it to the domain PCs:

    Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Connection Client

    Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

    For the second warning I recommend you switch to using a certificate issued from a trusted public authority such as GoDaddy, Thawte, GeoTrust, VeriSign, etc.  This will allow both domain and non-domain PCs to connect without extra steps like configuring your internal PKI environment properly, adding certs to the local client PCs' trusted store, etc.

    -TP

    Friday, April 25, 2014 9:10 PM
  • Hi Sebastián,

    The first warning is invoked by the ActiveX in the WebSite. Although the ActiveX runs client-side, there's no way to turn it off as far as I know.

    Are the non-domain joined machines the same OS / SP / Patch level as the domain joined machines?


    There's a new blog in town: http://msfreaks.wordpress.com

    Thursday, April 24, 2014 1:02 PM

All replies

    Something I forgot to tell is that these two messages appear with computers that are not domain-joined. With domain-joined computers it is just the first message.

    Thanks

    Regards


    IT Support / Administrator

    Thursday, April 24, 2014 2:58 AM
  • Hi Sebastián,

    The first warning is normal. It just tells the user he's about to connect to a server and which resources are mapped through that connection.

    The second warning is on non-domain joined computers and you're using an internal CA for certificates in your deployment.

    To get rid of the second warning on non-domain joined computers you need to add the CA's certificate to the local certificate store.

    As for not getting the warning on the website itself: Not a clue. Are you using a browser with default settings? Have you tried accessing the website with different browsers and still no warning?


    There's a new blog in town: http://msfreaks.wordpress.com

    Thursday, April 24, 2014 7:22 AM
  • Hi Arjan,

    In the non domain joined computer I had already loaded the internal CA cert in the trusted root certification authorities container. In fact, the web site, which uses the same cert, does not give any warnings.

    About the first warning, is there no way to disable it? Anything on the client side? If I RDP directly to the server, this warning is not shown.

    Thanks

    Regards


    IT Support / Administrator

    Thursday, April 24, 2014 12:15 PM
  • Arjan,

    Ok, thanks. 

    I will collect the OS and SP version of the clients and let you know.

    Thanks

    Regards


    IT Support / Administrator

    Thursday, April 24, 2014 1:18 PM
  • Hi Razwer,

    It actually did the trick; from non-domain-joined computers I'm now not experiencing the second warning. The first one seems not possible to disable. So I think this closes my issue.

    Thank you all.

    Regards


    IT Support / Administrator

    Friday, April 25, 2014 6:21 AM
  • Hi Sebastián.Graña,

    The setting Razwer gave you disables server authentication, which in effect simply masks the problem you were seeing.  If you know that the connection between the client and your servers is secure and there is no chance of MITM attack, then it is okay to use it from a security perspective.  There are unique cases where disabling server authentication is acceptable, however, you have not provided enough information for me to judge whether or not yours is one of those cases.

    My recommendation would be for you to solve the certificate issue rather than disabling server auth.  One way would be to use a certificate from a trusted public authority rather than your internal CA.

    -TP

    Friday, April 25, 2014 8:59 PM
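    As an added example that is not part of the thread (and not TP's or Razwer's code), the following PowerShell puts both sides of this exchange next to each other: an audit of the session collections for the "authentication level:i:0" override Razwer suggested, a way to remove it again, and the two trust fixes TP describes, listing the broker's RDP publishing certificate as a trusted .rdp publisher on the client and adding the internal CA to the client's trusted root store. It assumes Windows Server 2012 R2 RDS with the RemoteDesktop module on the Connection Broker. Function names, the sample file path, and the registry value name behind the "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" policy (TrustedCertThumbprints under the Terminal Services policy key) are the example's own assumptions; confirm the value name against the ADMX on your system before relying on it.

```powershell
# Added example, not code from the thread. Assumes Windows Server 2012 R2 RDS
# with the RemoteDesktop module on the Connection Broker, and an elevated
# PowerShell on the client PC for the client-side functions.
# Function names and paths are the example's own.

# ---- Broker side ------------------------------------------------------------

# Report every session collection whose CustomRdpProperty contains the
# "authentication level:i:0" line. That line tells the RDP client to skip
# the warning on a failed server identity check, which hides certificate
# problems rather than fixing them.
function Get-RDServerAuthOverride {
    param([string]$ConnectionBroker = $env:COMPUTERNAME)
    Import-Module RemoteDesktop -ErrorAction Stop
    Get-RDSessionCollection -ConnectionBroker $ConnectionBroker | ForEach-Object {
        $cfg = Get-RDSessionCollectionConfiguration -CollectionName $_.CollectionName `
                   -ConnectionBroker $ConnectionBroker
        [pscustomobject]@{
            Collection    = $_.CollectionName
            ServerAuthOff = [bool]($cfg.CustomRdpProperty -match 'authentication level:i:0')
            CustomRdp     = $cfg.CustomRdpProperty
        }
    }
}

# Remove the override again, keeping any other custom RDP properties.
function Remove-RDServerAuthOverride {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [string]$ConnectionBroker = $env:COMPUTERNAME
    )
    Import-Module RemoteDesktop -ErrorAction Stop
    $cfg = Get-RDSessionCollectionConfiguration -CollectionName $CollectionName `
               -ConnectionBroker $ConnectionBroker
    # CustomRdpProperty is a newline-separated list of "name:type:value" lines.
    $kept = ($cfg.CustomRdpProperty -split "`r?`n") |
            Where-Object { $_ -and $_ -notmatch '^authentication level:i:' }
    Set-RDSessionCollectionConfiguration -CollectionName $CollectionName `
        -ConnectionBroker $ConnectionBroker -CustomRdpProperty ($kept -join "`n")
}

# Thumbprint of the certificate the broker signs published .rdp files with.
# This is the signer the "trusted .rdp publishers" policy must list.
function Get-RDPublishingThumbprint {
    param([string]$ConnectionBroker = $env:COMPUTERNAME)
    Import-Module RemoteDesktop -ErrorAction Stop
    (Get-RDCertificate -Role RDPublishing -ConnectionBroker $ConnectionBroker).Thumbprint
}

# ---- Client side (run elevated on the PC that shows the warnings) -----------

# Local-policy equivalent of "Specify SHA1 thumbprints of certificates
# representing trusted .rdp publishers". Assumption: the policy writes the
# REG_SZ value TrustedCertThumbprints (comma-separated, no spaces) under the
# Terminal Services policy key; verify against the ADMX on your system.
$TrustedPublisherKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Add-TrustedRdpPublisher {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Normalise: strip spaces/colons, upper-case, and insist on 40 hex digits.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) { throw "Not a SHA-1 thumbprint: $Thumbprint" }
    if (-not (Test-Path $TrustedPublisherKey)) {
        New-Item -Path $TrustedPublisherKey -Force | Out-Null
    }
    $existing = (Get-ItemProperty -Path $TrustedPublisherKey -Name TrustedCertThumbprints `
                    -ErrorAction SilentlyContinue).TrustedCertThumbprints
    $list = @($existing -split ',' | Where-Object { $_ })
    if ($list -notcontains $tp) { $list += $tp }
    Set-ItemProperty -Path $TrustedPublisherKey -Name TrustedCertThumbprints -Value ($list -join ',')
    $list
}

# Put the internal CA's root certificate into the machine trusted-root store so
# the RD Session Host certificate chains to something the client trusts.
function Add-InternalRootCA {
    param([Parameter(Mandatory)][string]$CerPath)   # e.g. C:\certs\company-root.cer (assumed path)
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
    # Read back from the store to confirm the import actually landed.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
}

# Typical flow:
#   on the broker:  Get-RDServerAuthOverride | Where-Object ServerAuthOff
#                   $tp = Get-RDPublishingThumbprint
#   on the client:  Add-TrustedRdpPublisher -Thumbprint $tp
#                   Add-InternalRootCA -CerPath C:\certs\company-root.cer
```

    The audit function is the check a defender wants before accepting the override: a collection with ServerAuthOff set to true will connect silently even when the host presents a certificate the client cannot validate, which is exactly the condition TP's MITM remark is about. The client-side functions are the manual equivalents of the domain GPO for PCs outside the domain; on domain-joined PCs the group policy setting is the better-managed route.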
  • Hello TP,

    I understand that this setting disables the auth, and for me and my environment this is ok.

    I don't think that purchasing a public CA cert will solve the problem. The internal cert I was using was from a CA that the non-domain-joined PC already trusts. The same cert was used for the web site and there was no error there.

    Regards


    IT Support / Administrator

    Saturday, April 26, 2014 5:56 PM
  • Hello TP,

    I will give this a try. It would be perfect if no warnings were shown to the clients.

    I saw that it is also possible to do it with local GPO, for the non-domain-joined ones.

    Thanks


    IT Support / Administrator

    Saturday, April 26, 2014 5:59 PM
  • Thanks TP, no more warnings.

    Best Regards


    IT Support / Administrator

    Saturday, April 26, 2014 6:06 PM
  • After weeks of testing this was the fix.

    Just to clarify the issues I was having: multiple collection farms, but two of them had some strange errors, ranging from "An authentication error has occurred (Code: 0x607)" when trying to log in, to the client popping up a warning that logging into the machine "insert local FQN of the RDSSH" had a name mismatch with the certificate issued to "insert real world FQN of collection farm RDS public cert".

    I.e. it appeared as though the client was trying to log into the local name of the RDS Host, not the FQN name of the farm.

    The main users of these two sites never complained about anything and it always worked for them, but I could not get any new users into this farm.

    The issues started after Windows updates some months back. I built a new farm and used that at the time, as I could not work out what changed.

    Just thought I would add this here for those who have the same issues; maybe this will help someone.

    Monday, June 15, 2015 12:06 AM