RDS 2008R2 certificate mismatch

  • Question

  • Current environment:

    • 1x RD Connection Broker
    • 2x RD Session Hosts

    The farm is set up and working with DNS round-robin.

    The issue I'm having is that we're using "myserver.domainname.com" to connect to the farm. So when we try to connect we get a name mismatch on the certificate. I've tried issuing a web certificate with a SAN and storing it in the Computer/Personal certificate store but the RDP-Tcp Properties doesn't detect the certificate.

    I've spent many hours online reading many articles trying to work this out, but it's doing my head in. Any help would be appreciated.


    Cheers,

    Ryan.

    Tuesday, December 14, 2010 1:37 AM

Answers

  • Hi Ryan,

    A Web certificate is not supported on the RDS server; you should request a computer certificate for the RDS server.

     

    Certificates for RD Gateway must meet these requirements:

    • The name in the Subject line of the server certificate (certificate name, or CN) must match the FQDN, or the DNS name that the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.

    Note

    If you are using the SAN attributes of certificates, clients that connect to the RD Gateway server must be running Remote Desktop Connection (RDC) 6.1. (RDC 6.1 [6.0.6001] supports Remote Desktop Protocol 6.1.) RDC 6.1 is included with Windows Server 2008, Windows Vista SP1 and Windows XP SP3.

    • The certificate is a computer certificate.
    • The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
    • The certificate has a corresponding private key.
    • The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
    • A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE.

      For more information about these values, see Advanced Certificate Enrollment and Management (http://go.microsoft.com/fwlink/?LinkID=74577).
    • The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.


    Thanks.

    • Marked as answer by Alan Zhu Tuesday, December 21, 2010 2:47 AM
    Wednesday, December 15, 2010 6:26 AM
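Added here as a worked example (it is not from any of the posters and is not Microsoft's own tooling): a PowerShell script that walks the local computer's Personal store and checks every certificate against the requirements listed in the answer above, so a certificate the RDP-Tcp listener will not offer (like the web certificate in the question) fails with a stated reason instead of silently not appearing. The default client name `myserver.domainname.com` is the one from the question; the script file name `Test-RdsCert.ps1` is assumed. The "computer certificate" template requirement is not visible in the certificate itself and is not checked; the chain check reports trust as seen from the server, while the last bullet in the answer is about the client's Trusted Root store, so repeat that check on a client.

```powershell
# Added example, not from the thread: audit Cert:\LocalMachine\My against the
# RDS certificate requirements (name match, Server Authentication EKU, private
# key, validity, Key Usage bits, trusted chain). Run elevated on the RD host.
param(
    # Assumed: the DNS name clients type into the Remote Desktop client.
    [string]$ClientName = 'myserver.domainname.com'
)

function Test-NameMatch {
    param([string]$CertName, [string]$DnsName)
    # Exact (case-insensitive) match, or a single-label wildcard such as *.domainname.com
    if ($CertName -ieq $DnsName) { return $true }
    $dot = $DnsName.IndexOf('.')
    if ($CertName.StartsWith('*.') -and $dot -gt 0) {
        return ($CertName.Substring(2) -ieq $DnsName.Substring($dot + 1))
    }
    return $false
}

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the Subject CN plus every DNS entry of the Subject Alternative Name (2.5.29.17).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders the SAN as lines such as "DNS Name=myserver.domainname.com"
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names
}

function Test-RdsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ClientName
    )
    $problems = @()

    # 1. CN or a SAN entry must match the name clients connect with (wildcards allowed).
    $names = Get-CertDnsNames $Cert
    $matched = $false
    foreach ($n in $names) { if (Test-NameMatch $n $ClientName) { $matched = $true } }
    if (-not $matched) {
        $problems += "name mismatch: clients use '$ClientName', certificate names are: $($names -join ', ')"
    }

    # 2. Extended Key Usage (2.5.29.37) must include Server Authentication 1.3.6.1.5.5.7.3.1.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'EKU does not include Server Authentication (1.3.6.1.5.5.7.3.1)'
    }

    # 3. The private key must live in this store; importing only a .cer fails here.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key associated with the certificate' }

    # 4. Must be inside its validity window right now.
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "not currently valid (NotBefore $($Cert.NotBefore), NotAfter $($Cert.NotAfter))"
    }

    # 5. Key Usage (2.5.29.15) is optional, but if present one of these bits must be set.
    $ku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if ($ku) {
        $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, KeyAgreement, DataEncipherment'
        if (([int]($ku.KeyUsages -band $needed)) -eq 0) {
            $problems += "Key Usage present ($($ku.KeyUsages)) but none of KeyEncipherment/KeyAgreement/DataEncipherment is set"
        }
    }

    # 6. Chain must build to a trusted root. This is the server's view; clients need the
    #    issuing CA in their own Trusted Root Certification Authorities store as well.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root on this machine: $status"
    }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RdsCertificate -Cert $_ -ClientName $ClientName } |
    Format-List Thumbprint, Subject, Usable, Problems
```

Run it as `.\Test-RdsCert.ps1 -ClientName myserver.domainname.com` on each RD Session Host, using the exact name the clients enter. A certificate that reports `Usable : True` satisfies every checkable bullet above; one that reports `name mismatch` is exactly the situation in the dialog quoted later in the thread, where a certificate for `www.mydomain.com` is presented by hosts that clients reach under other names. Each host needs a certificate whose CN or SAN carries the name clients actually request (a wildcard for the domain, or a SAN listing all the hosts, also satisfies the check).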

All replies

  • Anyone?
    Tuesday, December 14, 2010 10:06 PM
  • I still don't understand.

    Here are three servers:
    gateway.mydomain.com
    connectionbroker.mydomain.com
    remotedesktop.mydomain.com

    The certificate is:
    www.mydomain.com

    This certificate is installed on all three servers. When the Remote App is connected to the Remote Desktop Server the following Server Certificate Error with the Yellow Header appears.

    Name mismatch
    Requested remote computer:
    remotedesktop.mydomain.com

    Name in the certificate from the remote computer:
    www.mydomain.com

    Certificate errors

    The server name on the certificate is incorrect.

    So if you have to install the same certificate onto the three servers, obviously, each server will have a different name. So I'm not understanding something.

    Sunday, February 6, 2011 12:30 AM