The server name on the certificate is incorrect

Question

  • I've just set up a 2012 R2 RDS deployment which consists of the following:

    RDGWY01 - Gateway and Web Access

    RDBroker01 - Connection Broker

    RDSH01 - Session Host

    I've published RemoteApp applications and I can launch them just fine internally and externally. However, I keep getting a certificate message after clicking the RemoteApp (or desktop) icon. After I click the icon to launch the RemoteApp, I'm prompted for my user ID and password, which tells me single sign-on isn't working. After putting in my credentials I get an error message asking to confirm the identity of the computer...

    Name Mismatch

    Requested remote computer - RDBRoker01.ad.092674.jdisonsite.com

    Name in the certificate from the remote computer - *.jdisonsite.com

    Certificate Errors - The server name on the certificate is incorrect.

    We have a wildcard cert from GoDaddy that we are using, and I've configured it in the deployment settings for all 4 areas (including SSO). I've also imported the wildcard SSL cert to the RDSH01 server in the computer's Personal store. I've seen posts about setting the published name if the domain is .local, but that doesn't help me much since my domain matches the cert.

    I was hoping to use the wildcard cert for the session host servers as well rather than setting up an internal CA, is that my only option?

    Thursday, October 15, 2015 2:23 PM

Answers

  • Hi,

    A wildcard certificate only works for hosts at a single level. For example, a wildcard cert of *.jdisonsite.com would be fine for broker.jdisonsite.com, gateway.jdisonsite.com, rdsh01.jdisonsite.com, but would not work for rdweb.subdomain.jdisonsite.com.

    In your case there are multiple potential ways to solve the issue you are seeing. One way would be to keep the existing certificate configuration, create DNS A records on the internal network pointing to the private IP addresses of the broker and RDWeb/RDG, and use the Set-RDPublishedName script to rename the published name to broker.jdisonsite.com. You would keep the external DNS entries the way they are now.

    Another way would be to get a new wildcard certificate for *.ad.092674.jdisonsite.com and use that for the RD Connection Broker - Enable Single Sign On purpose in Deployment Properties. You should be able to leave the other 3 certificate purposes as they are now. Since I'm guessing you are using rdgwy01.jdisonsite.com as the FQDN for your RD Gateway in Deployment Properties, you should make sure you have a DNS A record on your internal network pointing to the private IP address of your RDG.

    -TP

    • Marked as answer by TK4787 Thursday, October 15, 2015 5:39 PM
    Thursday, October 15, 2015 4:44 PM
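The single-label wildcard rule the answer describes, as an added checker that is not part of the thread or of any Microsoft tooling: it reports whether a requested RDP target name is covered by a certificate name, using the host names quoted above as sample input.

```python
# Added example (not from the thread): decide whether a requested host name
# is covered by a certificate name, applying the single-label wildcard rule
# that browsers and the RDP client use (RFC 6125 style). A '*' covers exactly
# one DNS label, only in the leftmost position, and never the parent domain.

def wildcard_matches(cert_name: str, requested: str) -> bool:
    """Return True if `requested` is covered by `cert_name`.

    cert_name is a plain FQDN or a wildcard such as '*.jdisonsite.com'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    cert = cert_name.strip().rstrip(".").lower()
    host = requested.strip().rstrip(".").lower()
    if not cert.startswith("*."):
        return cert == host                     # plain name: exact match only
    suffix = cert[1:]                           # e.g. '.jdisonsite.com'
    if "*" in suffix:                           # one wildcard, leftmost only
        return False
    if not host.endswith(suffix):
        return False
    covered = host[: -len(suffix)]              # what the '*' would stand for
    return covered != "" and "." not in covered  # exactly one non-empty label


def diagnose(cert_name: str, requested: str) -> str:
    """One-line explanation in the spirit of the client's 'Name Mismatch' box."""
    if wildcard_matches(cert_name, requested):
        return f"ok: {requested} is covered by {cert_name}"
    host = requested.strip().rstrip(".").lower()
    suffix = cert_name.strip().rstrip(".").lower()[1:]
    if cert_name.startswith("*.") and host.endswith(suffix):
        extra = host[: -len(suffix)]
        return (f"mismatch: '*' in {cert_name} covers one label, but "
                f"'{extra}' spans {extra.count('.') + 1} labels")
    return f"mismatch: {requested} is not under {cert_name}"


if __name__ == "__main__":
    # Sample names constructed from the thread above.
    cert = "*.jdisonsite.com"
    for host in ("RDBRoker01.ad.092674.jdisonsite.com",   # the failing case
                 "broker.jdisonsite.com",                 # suggested fix
                 "rdweb.subdomain.jdisonsite.com"):       # answer's counterexample
        print(diagnose(cert, host))
```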