RD Service using self-issued Certificate is untrusted by RD Web Access.

    Question

  • All RD Service roles are installed on the same Windows Server 2008 x64 box. Looking at 'RD Connection Manager':

    • 'Overview' = RD Broker is configured for RemoteApp is good

    • Status 'Properties' = all good

    • Status 'Virtual Desktops' = RD Virtual Host Server is added, RD Session Host is added, RD Gateway is automatic, RD Licensing is Specified, Digital Certificate is being issued and signed by the same server and is valid. I click 'Specify' for 'Digital Certificate' to get the 'Virtual Desktop Properties' window. On the 'Digital Signature' tab the box is checked and a valid certificate is selected. On the 'Licensing Settings' tab, the box is checked, mode is 'Per Device', and the server name is added to the list at the bottom.

    But when I'm on a client machine, I open the RD Web Access page and get the Certificate Error page. I can still open RD Web Access by clicking 'Continue to this website'. RD Web Access and RemoteApp work fine, but how do I get rid of this Certificate Error in IE8?

    The Server and client are on the same domain subnet.

    The certificate has been 'installed' on the client by clicking the 'Certificate Error', placed in 'Trusted Root Certificate Authorities', imported to 'Trusted Publishers', and added to 'Local Network' from 'Internet Options'.

    I need to fix this Certificate Error in order to send RemoteApp shortcuts to the client desktop. I'd prefer not to have users deal with Certificate Errors when accessing RemoteApps. Users will of course think something is wrong with their client and will place trouble tickets.

    Sunday, February 27, 2011 5:53 PM


All replies

  • Hi,

     

    If you see a warning that there is a problem with the certificate for this website, and a link that says Continue to this website (not recommended), it indicates that there is a problem with the SSL certificate. If your client and server are behind a firewall, you might choose to click the link to verify the connection; however, you should use a trusted certificate when deploying RD Web Access in a production environment.

     

    Internal RD Web Access components can rely on self-signed certificates because the certificates are not used for authentication. Authentication for most RD Web Access components is provided by Kerberos or NTLM. However, for external client access from the Internet into the network where RD Web Access is hosted, traditional certificate trust validation is required. It is a best practice to use a certificate issued by a public CA for trust validation. In fact, when certificate authentication is required, using a self-signed certificate is not a best practice and is strongly discouraged.

     

    We recommend that you deploy a certificate issued by a public CA whenever your users are accessing RD Web Access components that require authentication and encryption from outside your corporate firewall. For example, all the various clients that the RD Web Access server role supports, such as RemoteApp and VDI Access, should be secured with a certificate that is issued by a public CA.

     

    You can get a new SSL third party certificate. This message will go off on its own.

     

    More information:

    Configure the Remote Desktop Web Access Server to Allow Access from the Internet

    http://technet.microsoft.com/en-us/library/cc770330.aspx

     

    Connect to Remote Desktop Web Access

    http://technet.microsoft.com/en-us/library/cc731508.aspx

     


    Technology changes life……
    Tuesday, March 01, 2011 7:43 AM
    Moderator
  • "...Internal RD Web Access components can rely on self-signed certificates because the certificates are not used for authentication..."

    My RD server and client PC are internal on the same subnet. The server is issuing a self-signed certificate, but the client is still getting the 'Certificate Error' in IE. I have installed the certificate issued and am still getting the error.

    Thursday, March 03, 2011 4:34 AM
  • Hi,

    In general I recommend people use purchased certificates for RDS.  The exception to this is if there is an existing PKI infrastructure in place and the RDS servers will only be accessed by internal domain-joined PCs.

    Using a purchased certificate saves time and effort because the client devices will trust the cert automatically.  If all RDS roles will be on a single server and referred to using a single name then you may use a single-name certificate.  Single name certs are available for low cost ($11/year, a little less or more depending on duration) and only take minutes to purchase.  Multi-name UCC/SAN or wildcard certificates are available for $60/year (5-name UCC) or $99/year (wildcard).

    A wildcard or multi-name certificate is convenient because if you configure things right you can use the same cert for all RDS purposes, even if role services are located on separate servers.

    Yes, you can use self-signed certificates.  As you are already aware you need to manually make sure each machine trusts the certificate.  Depending on how you generated the self-signed cert it may expire in a matter of months, meaning you will have to manually import it into all of the PCs again.

    From your description it seems that you have everything working except for the RDWeb page.  If my understanding is incorrect please let me know.  I suggest you verify that the correct certificate is selected in the Default Web Site bindings.  Open IIS Manager, select Default Web Site in the left pane, click Bindings in the Actions pane, and then edit the binding for https.  The certificate you select needs to have a name that matches what users will enter into Internet Explorer, and it needs to be trusted by each client PC.

    Thanks.

    -TP

    Thursday, March 03, 2011 5:42 AM
    Moderator
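The check TP describes (right certificate in the Default Web Site https binding, name matching what users type, trusted by the client), as an added example script that is not part of the thread. Assumptions: users browse to https://rds2008r2.fox.com/rdweb (the thread's example name), the site listens on 0.0.0.0:443, and netsh prints English output; with -CerPath the same script verifies an exported .cer on a client PC instead.

```powershell
# Added example, not from the thread: checks that the cert in the Default Web Site https
# binding carries the name users type and chains to a trusted root. With -CerPath it checks
# an exported .cer instead, so the same script tests trust on a client PC. PowerShell 2.0
# compatible (no PKI module). Run elevated.
# ASSUMPTIONS: users browse to https://rds2008r2.fox.com/rdweb (the thread's example),
# the site listens on 0.0.0.0:443, and netsh prints English output.
param(
    [string]$ExpectedName = "rds2008r2.fox.com",
    [string]$CerPath
)
$X509NS = "System.Security.Cryptography.X509Certificates"

function Get-BoundCert {
    # The https binding lives in HTTP.SYS; netsh reports the bound certificate hash.
    $thumb = $null
    foreach ($line in (netsh http show sslcert ipport=0.0.0.0:443)) {
        if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $thumb = $Matches[1] }
    }
    if (-not $thumb) { throw "No certificate is bound to 0.0.0.0:443 (check the IIS https binding)" }
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $c) { throw "Bound thumbprint $thumb is not in LocalMachine\My" }
    return $c
}

function Get-CertDnsNames($c) {
    # Names a browser will accept: the Subject CN plus each DNS entry in the SAN extension.
    $names = @($c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) { $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }) }
    return $names
}

function Test-TrustChain($c) {
    # Build the chain as a client would, minus revocation lookups, so the verdict reflects
    # trust-store membership only (the thread's actual problem).
    $chain = New-Object "$X509NS.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($c)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Host ("  chain status: " + $_.StatusInformation.Trim()) } }
    return $ok
}

$cert = if ($CerPath) { New-Object "$X509NS.X509Certificate2" -ArgumentList $CerPath } else { Get-BoundCert }
$names = Get-CertDnsNames $cert
# -like lets a wildcard entry such as *.fox.com match; exact entries compare case-insensitively.
$nameOk = @($names | Where-Object { $ExpectedName -like $_ }).Count -gt 0
Write-Host ("Subject: {0}`nNames: {1}`nExpires: {2}" -f $cert.Subject, ($names -join ", "), $cert.NotAfter)
Write-Host ("Name matches '{0}': {1}" -f $ExpectedName, $nameOk)
Write-Host ("Chains to a trusted root on this machine: {0}" -f (Test-TrustChain $cert))
Write-Host ("Not expired: {0}" -f ($cert.NotAfter -gt (Get-Date)))
```

If the name line is false, IE will show the error no matter what is in the trust store; if the chain line is false on the client, the .cer has not reached that machine's Trusted Root store.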
  • Hi,

     

    This is because your self-signed certificate does not exist in the Trusted Root CA store on the RDS server and on the client PC.

     

    You can refer to the following steps:

    1. Type MMC in the Run box on the RDS server to open the Microsoft Management Console.

    2. Click File and select Add/Remove Snap-in, then select “Certificates” in the Available snap-ins area. Click Add and select “Computer account”. Click Next, select Local computer: (the computer this console is running on), then click Finish and OK.

    3. Expand the “Certificates” tree, then Personal, then Certificates; the certificates appear in the right pane. For example, if the RDS server is named Rds2008R2 and the domain name is fox.com, you will see a certificate named Rds2008R2.fox.com there.

    4. Right-click this certificate, select All Tasks -> Export, and export it as a *.cer file.

    5. Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks -> Import, and import the certificate there.

    6. Import this self-signed certificate into the client PC the same way.

     

    Then open IE on the client PC and type the full URL https://rds2008r2.fox.com/rdweb; the host name must match the certificate name. The error message will then go away on its own.

     


    Technology changes life……
    Thursday, March 03, 2011 5:50 AM
    Moderator
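The six MMC steps above, scripted as an added example that is not part of the thread: it exports the self-signed certificate from the computer's Personal store as a .cer and imports that file into Trusted Root Certification Authorities, first on the server and then (same function, copied .cer) on each client. Assumptions: the certificate's DNS name is rds2008r2.fox.com (the thread's example) and C:\Temp is writable; the script avoids the PKI module so it runs on Windows Server 2008 R2 / PowerShell 2.0.

```powershell
# Added example, not from the thread: scripts the six MMC steps above (export the
# self-signed cert from Personal, import it into Trusted Root) without the PKI module,
# so it runs on Windows Server 2008 R2 / PowerShell 2.0. Run elevated.
# ASSUMPTION: the certificate's DNS name is rds2008r2.fox.com (the thread's example).
param(
    [string]$DnsName = "rds2008r2.fox.com",
    [string]$CerPath = "C:\Temp\rds2008r2.cer"
)
$X509NS = "System.Security.Cryptography.X509Certificates"

# Steps 2-3: open Local Computer > Personal and pick the newest server cert for the name.
$my = New-Object "$X509NS.X509Store" -ArgumentList "My", "LocalMachine"
$my.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = @($my.Certificates | Where-Object {
    $_.HasPrivateKey -and
    $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -eq $DnsName
} | Sort-Object NotAfter -Descending)[0]
$my.Close()
if (-not $cert) { throw "No certificate for $DnsName with a private key in LocalMachine\My" }

# Step 4: export the public certificate only (DER .cer). X509ContentType::Cert never
# includes the private key, so the key stays on the server.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)
Write-Host ("Exported {0} (thumbprint {1}, expires {2}) to {3}" -f $DnsName, $cert.Thumbprint, $cert.NotAfter, $CerPath)

# Steps 5-6: import the .cer into Trusted Root Certification Authorities. Run this on the
# server, then copy the .cer to each client PC and run the same function there.
function Import-TrustedRoot([string]$Path) {
    $c = New-Object "$X509NS.X509Certificate2" -ArgumentList $Path
    # Only a self-signed certificate belongs in Root; a CA-issued one would need its issuer.
    if ($c.Subject -ne $c.Issuer) { throw "$Path is not self-signed; do not add it to Root" }
    $root = New-Object "$X509NS.X509Store" -ArgumentList "Root", "LocalMachine"
    $root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    if (-not $root.Certificates.Contains($c)) { $root.Add($c) }
    $root.Close()
    return $c.Thumbprint
}
Import-TrustedRoot $CerPath
```

For many domain-joined PCs, publishing the same .cer through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) replaces running step 6 on each machine; every machine that receives it will trust anything signed with that server's key, so limit the policy scope to the PCs that need RD Web Access.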
  • This worked perfectly. I was mis-typing the URL for web access. I was entering the entire URL rather than ending at /rdweb.
    Sunday, April 17, 2011 7:51 PM
  • Hi,

    Thank you for your feedback.


    Technology changes life……
    Monday, April 18, 2011 2:15 AM
    Moderator