RDS 2012 R2 RemoteApp certificate error: The certificate is not from a trusted certifying authority

    Question

  • Everything was working fine for the last few years or so until this past week, when we started to get this certificate error. Our setup is one gateway, one web, one broker and a 6-host collection (farm). We have an external certificate from GoDaddy for the gateway/broker/farm name. When we connect remotely, it takes the external certificate and everything is perfect, no error. When we connect internally, it goes to the broker first and is then redirected to one of the 6 hosts. The error occurs because the self-signed host certificate does not match the external certificate. Before, it matched the broker certificate even though it redirected to the host, so there was no certificate error. For some reason that changed, so broker.domain.com does not match host.domain.com. Any ideas? Thanks


    • Edited by my3cents Wednesday, May 16, 2018 7:22 PM
    Wednesday, May 16, 2018 5:30 PM

All replies

  • Do the session host names need to be included in the public certificate? I never needed that since RDS 2012 R2 and it's been working fine until now.
    Thursday, May 17, 2018 10:05 PM
  • Hi,

    When launching a connection internally, is the same technique used as externally?  For example, are they launching the connection via the RDWeb icon?

    -TP

    Thursday, May 17, 2018 10:36 PM
    Moderator
  • Correction: connecting externally and internally results in the same error, depending on the client. Not all clients connect and get this message, but more than 60 percent do. Externally, users connect via RDWeb and through the gateway. Internally, they connect via an RDP RemoteApp file that bypasses the gateway. I mean, it just started happening recently. Maybe Windows updates?
    Friday, May 18, 2018 1:18 PM
  • I ended up buying a wildcard cert and it still does not work. Still getting the cert error for each session host. Any help? Thanks
    Thursday, May 24, 2018 10:10 PM
  • Hi,

    1. Please manually download one of the .rdp files from RDWeb using a non-IE browser such as Chrome.  Using Notepad, open it up and verify that it has a line like the one below:

    use redirection server name:i:1

    2. For the clients that are getting the message, what precise operating system build are they running?  Please use winver.exe to check the operating system version and build.  For example: Windows 10 Pro Version 1803 Build 17134.48

    Please reply back with your findings.

    Thanks.

    -TP

    Thursday, May 24, 2018 11:08 PM
    Moderator
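The two checks in this reply can be rehearsed offline. The following is an added example, not code from the thread or from Microsoft: it parses a constructed RDWeb-style .rdp file, then matches a certificate's SAN names against the server name the client validates, including the single-label wildcard rule that decides whether a `*.domain.com` certificate covers both the broker and a session host. The host names and SAN lists are constructed, and the rule that the client validates the `full address` (broker) name when `use redirection server name:i:1` is set, and the session host name otherwise, is an assumption noted in the code.

```python
# Constructed sample .rdp content in RDWeb's key:type:value format (not a real file).
SAMPLE_RDP = """\
full address:s:broker.domain.com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Farm
remoteapplicationmode:i:1
"""

def parse_rdp(text):
    """Parse key:type:value lines into a dict; type 'i' values become ints."""
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, kind, value = line.split(":", 2)  # value may itself contain ':'
        settings[key] = int(value) if kind == "i" else value
    return settings

def hostname_matches(cert_name, fqdn):
    """Exact match, or a '*.example.com' wildcard covering exactly one left-most label."""
    cert_name, fqdn = cert_name.lower().rstrip("."), fqdn.lower().rstrip(".")
    if cert_name == fqdn:
        return True
    if cert_name.startswith("*."):
        labels = fqdn.split(".")
        # '*.domain.com' covers host.domain.com but not domain.com or a.b.domain.com
        return len(labels) >= 3 and ".".join(labels[1:]) == cert_name[2:]
    return False

def cert_covers(san_names, fqdn):
    """True if any SAN entry on the certificate matches the FQDN."""
    return any(hostname_matches(n, fqdn) for n in san_names)

def validated_name(settings, session_host):
    """Assumption: with 'use redirection server name:i:1' the client validates the
    broker name from 'full address'; otherwise it validates the session host name."""
    if settings.get("use redirection server name") == 1:
        return settings["full address"]
    return session_host

def check(rdp_text, san_names, session_host):
    """Return (name the client validates, whether the certificate covers it)."""
    name = validated_name(parse_rdp(rdp_text), session_host)
    return name, cert_covers(san_names, name)

if __name__ == "__main__":
    # Single-name broker certificate versus the wildcard certificate bought later.
    for san in (["broker.domain.com"], ["*.domain.com"]):
        print(san, check(SAMPLE_RDP, san, "host1.domain.com"))
```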
  • Yes, it does have "use redirection server name:i:1", and I don't think it's the Windows version that is causing it. For example, I have two Win 6.1 (build 7601) machines; one works and the other does not. I also have a Windows 10 1803 build 17134.48 and it also gets the cert error message. I mean, it used to work for a few years with no problem, but all of a sudden users are getting the cert error. Now that I got the wildcard cert, it still does not work. Very strange.

    Friday, May 25, 2018 2:21 PM
  • Hi,

    Okay, please verify that the DNS entries are still correct.  On the initial prompt (the one that pops up when you launch a RemoteApp or full desktop connection from RDWeb), the FQDN next to "Remote computer:" needs to point only to the broker's private IP address.

    If necessary, please perform a quick network capture using Wireshark/Netmon on one of the PCs having the issue and verify each server it connects to, in order to be certain that it is connecting to the broker first as expected.  To make it easier/quicker, it is better to do the capture on an internal PC so the gateway will not be involved.

    -TP

    Friday, May 25, 2018 2:50 PM
    Moderator
  • The DNS is correct. It's pointing to the broker only. The capture seems to be good too. It goes to the broker, then to the session host.
    Friday, May 25, 2018 4:18 PM