remote desktop service farm - certificate help.

  • Question

  • Hi all,

    Built a remote desktop service farm between two Windows 2008 R2 SP1 servers.

    When I use RDC to connect to the farm, I got the certificate error:

    -------------------------------------

    The identity of the remote computer cannot be verified. Do you want to connect anyway?

    The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.

    Name mismatch
    Requested remote computer is <computer name 1>
    Name in the certificate is <computer name 2>

    Certificate errors
    The server name on the certificate is incorrect
    The certificate is not from a trusted certifying authority.

    Do you want to connect despite these certificate errors?

    ------------------------

    Our users only use remote desktop connection to the remote desktop farm (no web access).  Do I need to purchase the trusted public certificate for the farm?  Is there a way to get rid of this warning?

    Thank you.

    Thursday, February 2, 2012 4:48 PM

Answers

  • Hi there,

    There are two issues here. 

    The first issue is with the name.  Are you connecting to a name that is different from the server name?  I'm guessing you're connecting to the farm name.  At that point, the server that you reach has a certificate with its own name on it, hence the mismatch.  You will need to generate a certificate with a name corresponding to the farm name (do you have Certificate Service Infrastructure?).  You will then need to modify the RDP-TCP settings (I think) to ensure that the server is using the new certificate (need to install the certificate first).

    The second issue is to do with the PCs not trusting the certificate.  Wherever you issue the certificate from for the farm name, you will need the certificate of the signing server installed to each client in the Trusted root certificate authorities container within the Certificates snap-in on each PC.

     

    Hope this helps


    MCTS, MCSE 2000/2003, MCSA 2000/2003, CNA
    • Marked as answer by SGryzbowski Friday, February 3, 2012 3:21 PM
    Thursday, February 2, 2012 6:50 PM

All replies

  • Hi Djames,

    I'm running our own CA, and I've already issued certs to the session providers, but when a remoteapp wants to connect using the farm name, the mismatch issue happens.

    My question is how to get my CA to issue a certificate based on my farm's DNS name, so I can import them to my session providers and fix the mismatch issue?

    Friday, June 15, 2012 5:45 AM
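
Added example, not part of the original thread: one way to carry out the steps from the marked answer on each session host, using certreq and the Win32_TSGeneralSetting WMI class. It assumes an enterprise CA that issues from the WebServer template; the farm name, host name and CA config string are placeholders.

```powershell
# Added example; run elevated on EACH RD Session Host in the farm.
# Assumed placeholders: farm name, host name, CA config string, template name.
$farm   = 'farm.example.com'
$hostFq = 'rdsh1.example.com'
$ca     = 'CA01.example.com\Example-Issuing-CA'

# Request file: subject is the farm name; the SAN lists the farm name and this
# host, so direct connections to the host still match. The key is generated on
# the host and marked non-exportable, so no private key is copied between servers.
$inf = @'
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=FARM_FQDN"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=FARM_FQDN&"
_continue_ = "dns=HOST_FQDN&"
[RequestAttributes]
CertificateTemplate = WebServer
'@
$inf.Replace('FARM_FQDN', $farm).Replace('HOST_FQDN', $hostFq) |
    Set-Content -Path .\rdfarm.inf -Encoding ASCII

certreq -new    .\rdfarm.inf .\rdfarm.req             # create key pair + request
certreq -submit -config $ca .\rdfarm.req .\rdfarm.cer # send to the internal CA
certreq -accept .\rdfarm.cer                          # install into LocalMachine\My

# Pick the newly installed certificate and bind it to the RDP-Tcp listener.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$farm" -and $_.HasPrivateKey } |
    Sort-Object NotAfter | Select-Object -Last 1
if (-not $cert) { throw "No certificate for $farm with a private key was installed." }

$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
```

Clients still need the issuing CA's root certificate in their trusted root store, as the answer notes, or the "not from a trusted certifying authority" warning will remain.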