TS Gateway and wildcard cert

    Question

    I just installed a 2008 RC1 server in order to test Terminal Services Gateway. I imported my organization's wildcard digital certificate onto the server. But when I try to connect using a Windows XP Remote Desktop 6.0 client, I get the error saying "...server address requested and the certificate subject do not match".

    I believe I saw posts from a year ago saying there were issues using a wildcard cert, but was hoping that had been resolved with RC1. If not, this should work if I purchase a non-wildcard certificate, correct? It worked when I created a cert on the server itself, but I don't want to deal with giving the cert to users and having them import it onto their home Windows XP machines.

    Tuesday, January 29, 2008 6:52 PM

All replies

  • Hi!

     

    Can you please try connecting to the server with RDP client 6.1? This will help narrow down the problem.

     

    Thanks,

    Geanina

     

    Friday, February 1, 2008 5:50 PM
    Moderator
  • Hi Geanina

    I have the same problem in my lab (tsg = Server 2008 SP1, client = Vista SP1). My server works as Terminal Server Gateway and Outlook Web Access. I've created a *.domain.name certificate and tested it with OWA. The web access works fine (CA certificate is imported to the clients' trusted CAs) with every URL and doesn't show any certificate errors. When I try to connect to the TSG I get the "no connection possible, no certificate found" error. When I bind IIS to the (also self-signed) other (tsg.domain.name) certificate, it works fine. Any idea? Thanks, Markus

    Saturday, April 5, 2008 7:41 AM
  • Can you please answer the following questions to help us narrow down the problem?

    1. Do you try to connect to the TSG through the web access or through mstsc.exe?

    2. What is the name you are using for TS Gateway during the connection?

    3. What error exactly do you see?

     

    Thanks,

    Vikash

     

    Saturday, April 5, 2008 11:34 AM
    Moderator
  • Hello Vikash

    1) I use RDP

    2) tsg.anditworks.ch, the certificate is *.anditworks.ch and DNS is configured with the A record that points to the TSG server

    3) The connection could not be established, because there is no certificate configured on the terminal service gateway server

    When I use tsg.anditworks.ch/owa, I can successfully connect to my web access without a certificate warning in IE.

    The client trusts the root CA cert and the wildcard cert, so I assume I've imported them correctly.

     

    Kind regards,

    Markus

    Saturday, April 5, 2008 9:53 PM
  • How do you associate the wildcard certificate to TS Gateway.... through the IIS Manager snap-in? If yes, then try restarting the TS Gateway service after doing so. It should solve your problem.

     

    Thanks,

    Vikash

    Sunday, April 6, 2008 4:19 AM
    Moderator
  • Yeah, I've assigned the wildcard certificate through the IIS Manager snap-in. But your hint was part of the solution. I've checked the certificate within the Terminal Server Gateway snap-in. The self-signed certificate that was created by installing/enabling the TSG role was assigned there (don't know why - I had already changed it before). Assigning the wildcard certificate again solved my problem. Thank you.

     

    Regards,

    Markus

    Sunday, April 6, 2008 9:23 AM
  • Hi, could you please do a step by step of how you did all this?

    In the IIS snap-in I imported the wildcard SSL cert, and in bindings selected the host on 443 and then chose the cert *.somedomain.com.

    After that I went into the TSG snap-in and chose Properties, then chose "Select an existing cert....", then hit "Browse Certificates", chose *.somedomain.com and hit the Install button.... Now I still get the "...server address requested and the certificate subject do not match".

    Please help here.
    Wednesday, September 16, 2009 11:25 AM
  • Have you restarted gateway service after you selected the wild card certificate?

    Thanks, Vikash
    Wednesday, September 16, 2009 11:56 AM
    Moderator
  • Yes I have, even restarted the server :) Maybe it's the certificate. I made it using openssl and made a p12 cert from the Thawte .cer and .key files, then imported that into IIS?
    Thursday, September 17, 2009 9:12 PM
  • I am having the same issue, did you ever fix this??

    I have a wildcard cert from DigiCert. I apply it in IIS and then in the TS Gateway Manager. Restart the server and the cert is not applied anymore. Funny thing is, it was working for about a day after I installed the gateway.
    Thursday, September 24, 2009 8:05 PM
  • Hi,
    I presume you are using WS 08.
    Please make sure of the following - the IP address in the IIS server for the binding set is "All Unassigned" - http://support.microsoft.com/default.aspx/kb/959120 .
    If this still does not solve the problem, please tell us if you have any other bindings set on port 443 in the machine.

    Thanks,
    Kaustubh

    Friday, September 25, 2009 5:23 AM
  • Hi, yes, it was all in place. I got it working, for anyone else having problems.

    In the IIS snap-in under bindings and 443, when you select the cert, you need to apply the host name that you want to use. I just put in tsg, thinking Mikkysoft had done their homework :) but I had to put in the whole FQDN of the cert, tsg.mydomain.com. So it does not autofill this as IMA it should.

    Well, after that I had to change the published apps' .rdp files to read "gatewayhostname:s:tsg.mydomain.com". It was reading my old self-signed cert here, so that's why I got the error. Makes sense now...

    Hope this helps someone else in their struggles
    Friday, October 16, 2009 8:57 PM
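
The name check behind the "...server address requested and the certificate subject do not match" error, as an added example that is not part of the original thread: a simplified model of wildcard name matching (a `*` covers exactly one DNS label) applied to the `gatewayhostname` value of an .rdp file. The function names, the .rdp contents and the certificate name are constructed for illustration; this is not the RDP client's own validation code.

```python
# Added example: is the gateway name in an .rdp file covered by the names on
# the TS Gateway certificate? All sample data below is constructed.

def parse_rdp(text):
    """Parse .rdp 'name:type:value' lines into {name: value}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            settings[parts[0].lower()] = parts[2]
    return settings


def name_matches(hostname, cert_name):
    """Left-most-label wildcard match: '*' stands for exactly one DNS label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        # '*.mydomain.com' never covers 'tsg', 'mydomain.com' or 'a.b.mydomain.com'
        return False
    if pattern[0] == "*":
        return len(pattern) > 2 and host[0] != "" and host[1:] == pattern[1:]
    return host == pattern


def check_gateway(rdp_text, cert_names):
    """Return (gateway_name, ok) for the gatewayhostname setting."""
    host = parse_rdp(rdp_text).get("gatewayhostname", "")
    ok = bool(host) and any(name_matches(host, n) for n in cert_names)
    return host, ok


CERT_NAMES = ["*.mydomain.com"]  # constructed: subject of the wildcard cert

# Constructed .rdp files: one with the short name, one with the full FQDN.
RDP_SHORT = "full address:s:app01\ngatewayusagemethod:i:1\ngatewayhostname:s:tsg\n"
RDP_FQDN = ("full address:s:app01\ngatewayusagemethod:i:1\n"
            "gatewayhostname:s:tsg.mydomain.com\n")

if __name__ == "__main__":
    for label, rdp in (("short name", RDP_SHORT), ("FQDN", RDP_FQDN)):
        host, ok = check_gateway(rdp, CERT_NAMES)
        print(f"{label}: {host!r} -> {'match' if ok else 'MISMATCH'}")
```
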