Certificate Error - SBS 2011

    Question

  •  I do IT support for a small business and they used to be able to remote in to their PCs from home. Now, there appears to be a certificate error.

    I get the following:

    "This computer can't connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server's certificate is not valid...".

    I've tried a number of things to try to fix it, but so far, no luck.  This worked a week ago.

    Thursday, December 15, 2011 8:56 PM

Answers

  • It might be wise to check what certificate is installed for the Remote Desktop Gateway (a.k.a. Terminal Services Gateway).

    To do this, try the following:

    • Log on to the SBS
    • Click "Start"
    • Click "Administrative Tools"
    • Click "Remote Desktop Services" (it's a folder, hence at the very top, not alphabetically in the middle)
    • Click "Remote Desktop Gateway Manager"
    • In the window that you get, at the very top-left it should list the name of your SBS machine. Right-click on this server name
    • Click "Properties"
    • Click "SSL Certificate"
    • On this page, check the following:
    1. "Issued to": this should be the FQDN (address) using which you can reach your SBS from the internet.
    2. "Issued by": this would normally be a public CA (such as Comodo, Thawte, GoDaddy, etc.), but if this is set wrong, I believe you'd get different errors than the one you are getting. You would likely just get a warning that you need to acknowledge. So, this is not likely the cause.
    3. "Expiration date": this is the most likely culprit. If your certificate is expired, then you would get errors about the certificate being invalid.

    If the wrong certificate is listed here, then you can select the right one using the "Import Certificate" button. This will list all eligible certificates present on the SBS machine.

    If there is something wrong with your certificate that can't be immediately fixed, such as renewing an expired certificate (although most 3rd party CAs can do this pretty much instantly using automated processes), then you can create a temporary self-signed certificate using the "Create and Import Certificate" button right above it (or choose an already-present self-signed certificate using "Import Certificate"). If you use a self-signed certificate, users will get warnings about the certificate but they should be able to log in, after acknowledging the warnings, I believe (I'm not 100% sure about this).

    Please let us know whether one of these suggestions helped, or -- if it didn't -- what information you have listed on this SSL Certificate tab.

    Frederik

    Thursday, December 15, 2011 11:04 PM
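
The three checks in the answer above ("Issued to", "Issued by", "Expiration date") can also be read from PowerShell on the server. This is an added example, not part of the original posts: it lists the server-authentication certificates in the computer's Personal store so they can be compared with what the SSL Certificate tab shows. `$ExpectedName` is a placeholder for the public FQDN.

```powershell
# Added example, not from the thread. Run in PowerShell on the SBS.
$ExpectedName = 'remote.example.com'   # placeholder: the FQDN users connect to
$ServerAuth   = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU OID
$now          = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Keep only certificates usable for TLS server authentication
    # (a certificate with no EKU extension is valid for all purposes).
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $ServerAuth) { return }

    # "Issued to": subject common name plus any subjectAltName entries.
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^[^=]+=', '' }
    # Certificate names are used as -like patterns so "*.example.com" matches;
    # this is looser than TLS wildcard rules and is only a diagnostic hint.
    $nameOk = @($names | Where-Object { $ExpectedName -like $_ }).Count -gt 0

    # Build the chain as this server sees it. Revocation checking is turned off
    # so the result reflects only trust and validity dates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Thumbprint  = $cert.Thumbprint
        IssuedTo    = $names -join '; '
        MatchesName = $nameOk
        IssuedBy    = $cert.GetNameInfo('SimpleName', $true)
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NotAfter    = $cert.NotAfter
        Expired     = ($cert.NotAfter -lt $now)
        ChainOk     = $chainOk
        ChainStatus = $status
    }
} | Select-Object Thumbprint, IssuedTo, MatchesName, IssuedBy, SelfSigned,
                  NotAfter, Expired, ChainOk, ChainStatus | Format-List
```

A `ChainStatus` of `NotTimeValid` points at the expiration date, while `UntrustedRoot` or `PartialChain` points at the issuer. The chain is evaluated against the server's own trust stores, so a home PC must also trust the issuing CA for the connection to succeed.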
  • Hi mcpurple,

    Thanks for posting here.

    Please also start from the introductions in the post below if you are running SBS 2008/2011 in this scenario:

    Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

    http://blogs.technet.com/b/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx

    Thanks.


    Tiger Li


    Monday, December 19, 2011 8:10 AM

All replies

  • I tried this and am still getting the same error.  I even tried creating a new one to no avail.  Now, I'm not sure where it stands and I'd like to start fresh.  I'm at a loss why this is happening--it used to work just fine. 

    Matt
    Thursday, December 22, 2011 7:51 PM

  • Matt
    Thursday, December 22, 2011 9:16 PM
  • Thursday, December 22, 2011 9:41 PM
  • I tried this as well, but it's still not working.

    Matt
    Tuesday, December 27, 2011 9:14 PM
  • Any other suggestions on this?  It's still not working.  Thanks.

     

    - Matt


    Matt
    Thursday, January 5, 2012 8:03 PM
  • Any updates for this?

    Matt
    Tuesday, January 24, 2012 8:23 PM
  • Still struggling with this one.  Any other suggestions?  Nothing has worked thus far. - Matt

    Matt

    Thursday, February 23, 2012 8:27 PM


  • Matt,

    If you have an SBS 2011 or SBS 2008 server, there are only 3 steps you need to follow to make this work properly. First, run the "connect to internet wizard". Next, run the "setup your internet address" wizard. Finally, run the Add a Trusted Certificate wizard. That is all you need to do. In SBS this allows everything to work properly, and utilize the same certificate for RWW, SharePoint, and OWA. Manipulating the certificate in another fashion often causes issues.

    Let me know if you have any questions on running these wizards.



    Jeremy

    Thursday, February 23, 2012 9:05 PM
  • Thank you.  I will give this a try.

    Matt

    Thursday, February 23, 2012 9:07 PM
  • Matt, did Jeremy's suggestions work out?

    Arturo

    Friday, October 26, 2012 3:18 PM