Remote Desktop Connection With Custom Certificate on Windows 8.1 fails

  • Question

  • I'm trying to establish a secured remote desktop connection without success.

    The setting
    There are some local PCs with Windows 8.1 Pro and Windows 7 Pro, no server edition. I've created a self-signed CA certificate with OpenSSL for Windows. I used this to sign custom certs for the local Windows PCs, which are installed at mmc -> certificate snap-in for local computer -> My Certificates -> Certificates. The networkdriver has the right to read the key. The SHA-1 fingerprints of the custom signed certs are registered at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp -> SSLCertificateSHA1Hash = sha-1 hash of the custom local cert. Additionally, the revocation list is restrained to the local list by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp -> UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1.

    The results
    The connection from Win 8.1 to Win 7 works. The connection info confirms that it is a verified connection. The connection to Windows 8.1 fails after entering the credentials with the error: No connection possible. Network Level Authentication is set, but other levels don't work either. The log (Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Admin) says "Remote Desktop Services has taken too long to load the user configuration from server" and "The Local Security Authority Cannot Be Contacted" (error 0x80090304).

    Additional information
    The connection via Linux (Remmina) works for Win 7 and Win 8.1, but I have no information about the encryption. It is the same with the Microsoft Remote Desktop Tool for Android.

    Maybe it is associated with different cert handling by Windows 8.1, but I couldn't find further information or a solution on the internet.

    Best regards

    abditus



    • Edited by abditus Saturday, June 7, 2014 7:31 PM
    Tuesday, June 3, 2014 11:19 AM

Answers

  • I solved the problem!

    The default OpenSSL certificate signature algorithm is md5RSA, but it doesn't work with Windows 8.1.

    At least sha1RSA is needed.

    By adding "default_md = sha1" to the openssl.cnf you create certs with sha1RSA and it works fine.

    Best regards

    abditus

    • Marked as answer by abditus Saturday, June 7, 2014 7:37 PM
    Saturday, June 7, 2014 7:37 PM
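
The check the answer points to, as an added example that is not part of the original thread: a shell script that reads the signature algorithm of each PEM certificate before it is installed and prints the SHA-1 thumbprint to compare with SSLCertificateSHA1Hash. It assumes a POSIX shell with openssl on the PATH on the machine where the certificates are issued; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit PEM certificates before they are
# bound to the RDP listener. Assumes openssl is on the PATH.

# Print the algorithm the issuer used to sign the certificate. OpenSSL shows
# md5WithRSAEncryption / sha1WithRSAEncryption where Windows shows
# md5RSA / sha1RSA.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeed unless the digest is the one the answer reports as rejected (MD5).
# MD2 and MD4 are older still and are treated the same way (assumption).
# An empty name means the certificate could not be read.
sigalg_ok() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ''|md2*|md4*|md5*) return 1 ;;
        *)                 return 0 ;;
    esac
}

# Print the SHA-1 thumbprint as bare hex, the form to compare with the
# SSLCertificateSHA1Hash registry value.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        cut -d= -f2 | tr -d ':'
}

# Report one certificate; returns 1 when it should be re-issued.
audit_cert() {
    alg=$(cert_sigalg "$1")
    if sigalg_ok "$alg"; then
        echo "OK   $1: $alg, thumbprint $(cert_thumbprint "$1")"
    else
        echo "WEAK $1: ${alg:-unreadable}; re-issue with default_md = sha1 or stronger"
        return 1
    fi
}

# Usage: sh audit-rdp-certs.sh host1.pem host2.pem
for f in "$@"; do audit_cert "$f"; done
```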