All replies

  • Hi,

    In this case, I think you need to install and choose the same certificate in several places, including the RD Session Host server, RD Web Access, RD Gateway server, and RemoteApp Manager. I’d like to perform the following steps to check if the certificate is installed correctly.

    1. Start by importing the SSL certificate into the Computer Account. MMC (Add/Remove Snap-ins - Certificates - Computer Account). I imported the cert into the Personal and Remote Desktop stores.

    2. Import the SSL certificate into IIS. Run IIS Manager, select the ServerName (left side Connections), under the IIS section, open Server Certificates, import the SSL certificate here. Select the Web site (left side Connections), open Bindings (on the right side Actions) and associate/bind the wildcard cert with the appropriate https, host, port (443).

    3. TS RemoteApp Manager, Overview Section, Digital Signature Settings, Change, Digital Signature, Sign with a digital certificate checked, Change, select the SSL certificate.

    4. TS Gateway Manager, select ServerName, Properties, SSL Certificate tab, select an existing certificate for SSL encryption (recommended), Browse Certificates, select the SSL certificate.

    5. Remote Desktop Session Host Configuration, Connections area, select appropriate connection, Properties, General tab, Select, select the SSL certificate.

    On the other hand, please check whether this certificate is in the trusted root store on the Windows XP SP3 machine. Also, please set the Security layer and the Encryption level to Negotiate and Client compatible on the RD session host server.

    Hope this helps.

    Monday, December 6, 2010 7:53 AM
    Moderator
  • Deleted
    Monday, December 6, 2010 8:57 AM
  • Deleted
    Monday, December 6, 2010 9:52 AM
  • Deleted
    Monday, December 6, 2010 11:32 AM
  • Hi,

    According to the event ID 8, there is something wrong with the Automatic Root Certificates Update Configuration on the client machine. To resolve this issue, you must connect to the Internet or turn off the Update Root Certificates component. To turn off the Update Root Certificates component, follow these steps:

    1. In Control Panel, double-click Add/Remove Programs.

    2. Click Add/Remove Windows Components.

    3. Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.

    For more information:

    Event ID 8 is logged in the Application log

    http://support.microsoft.com/kb/317541

    Meanwhile, it’s fine to see the self-signed certificate store on the server side.

    Finally, could you find the rds.external.com on the XP client? Where is it stored?

    BTW, does this issue happen if you use the RDC client (MSTSC) to connect to this server? Please make sure you input the FQDN which can also be matched with the certificate on the client side.

    Thanks.

    Tuesday, December 7, 2010 2:23 AM
    Moderator
  • Deleted
    Tuesday, December 7, 2010 9:07 AM
  • Deleted
    Tuesday, December 7, 2010 10:33 AM
  • Deleted
    Wednesday, December 8, 2010 12:05 PM
  • Hi,

    Have you tried to upgrade your RDC client to 7.0? It’s available for XP and Vista.

    Description of the Remote Desktop Connection 7.0 client update for Remote Desktop Services (RDS) for Windows XP SP3, Windows Vista SP1, and Windows Vista SP2

    http://support.microsoft.com/kb/969084

    Thanks.

    Thursday, December 9, 2010 1:21 AM
    Moderator
  • We are also experiencing this issue in our environment.  We have a Server 2008R2 Terminal Services server, with XP SP3 clients connecting.  All of the computers that have RDP 7 (KB969084) are getting the certificate error mentioned in agvonline's original post.  Removing that update fixes the issue.  We have additionally performed the registry changes required for credssp, from kb 951608, but that doesn't seem to have any effect on this specific error.

    There definitely seems to be a bug in XP's RDP 7.

    Thursday, December 9, 2010 2:50 PM
  • Deleted
    Friday, December 10, 2010 12:04 PM
  • Hi all

    I am experiencing the same issue on my identically configured system too. I am also convinced it's a bug (or an incompatibility) between the XP SP3 RDP client (upgraded) and the Windows 2008 R2 RDP server, introduced by KB969084, which resolves one issue and creates another.

    Wednesday, December 15, 2010 9:06 AM
  • OP's mention of event ID 8 reminded me of this particular problem we had to work through.

    We had this problem with a similar setup for end users (who do not work for our company). At the same time I was able to connect fine from my home WinXP SP3 computer.

    Here is what I learned:

    • This end user's network only allowed outbound traffic via the proxy configured in IE.
    • The newer RDP clients validate the certificate handed down by the server. Part of the validation is to check that the certificate hasn't been revoked. Our cert was from GoDaddy. The end user's machine was trying to dial out to the GoDaddy CRL update URL to download the latest CRL. Their list expires every 24 hrs. So once a day if the user tried to connect it would try to dial out and fail. Once it got the CRL it would work for roughly 24 hours, after which it would fail again.
    • On a hunch that the RDP client would be using WinHttp to dial out instead of WinInet (which uses the proxy configured in IE), we manually forced WinHTTP to use the same proxy as IE using proxycfg.exe.
    • This fixed the problem we were seeing.

    Hope this helps.
    Friday, February 4, 2011 6:58 AM
  • Deleted
    Wednesday, February 9, 2011 11:25 AM
  • In our case we were seeing the same root cause manifest itself as 2 different error messages depending on the client OS.

    In case of WinXP we got the "unexpected server authentication certificate" error. On Vista and Windows 7 we got the 'a revocation check could not be performed' error. Configuring WinHttp to use the proxy fixed the problem in all cases.

    Out of curiosity ... Have you tried watching outbound traffic on the machine, using netmon or wireshark, to see if you are able to get some additional clues about what might be causing the error? In my case, that is how I found the problem (wireshark).

    Thursday, March 3, 2011 7:08 AM
  • Deleted
    Tuesday, March 8, 2011 1:11 PM
  • Hi,

    I was experiencing the exact same problem as Agvonline on about 5% of the XP workstations here (whereas for the other XP workstations everything worked fine).

    The problem goes away on these workstations if you uninstall KB969084, as Agvonline suggested.

    However, in our case, I found out that making sure the XP workstation is not capable of connecting using NLA (Network Level Authentication) is enough. Downgrading to RDP 6 will do that, but you can also just remove the registry keys needed for NLA on Windows XP.

    Key/value: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
    data (append): credssp.dll
    Key/value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
    data (append): tspkg

    I just undid the changes above by removing the appended values and rebooted. (To check that the XP client is not NLA capable, start mstsc, click the computer icon in the upper left corner and click 'About' on the menu. In the window that appears, check that it says: Network Level Authentication not supported.)

    Anyway, after that, it worked, even with RDP 7 (KB969084 installed).

    Too bad though, that I can't use NLA.

    Vincent


    (Oh: and you need the RDS hosts to allow connections without NLA. This can be configured in the "Remote Desktop Session Host Configuration" console. I believe "not requiring NLA" is the default but you should just check anyway.)
    Monday, August 29, 2011 10:39 AM
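A read-only way to audit the two registry values named in the post above, so you can see which XP clients currently have CredSSP (and therefore NLA) configured. This is an added example, not code from the thread; it assumes PowerShell 2.0 or later is installed on the client, and the function name `Get-CredSspState` is hypothetical.

```powershell
# Added example, not from the thread. Read-only: reports whether the two
# values named in the post currently list credssp.dll and tspkg.
function Get-CredSspState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control'

    # SecurityProviders is a single comma-separated string of SSP DLLs.
    $sp  = (Get-ItemProperty "$base\SecurityProviders").SecurityProviders
    # "Security Packages" is a multi-string value, returned as an array.
    $pkg = (Get-ItemProperty "$base\Lsa").'Security Packages'

    # Normalise both lists: trim, lower-case, drop empty entries.
    $providers = @($sp -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    $packages  = @($pkg | ForEach-Object { "$_".Trim().ToLower() } | Where-Object { $_ })

    $hasDll   = $providers -contains 'credssp.dll'
    $hasTspkg = $packages  -contains 'tspkg'

    New-Object PSObject -Property @{
        CredSspProvider = $hasDll                   # credssp.dll listed
        TsPkgPackage    = $hasTspkg                 # tspkg listed
        NlaConfigured   = ($hasDll -and $hasTspkg)  # both entries present
    }
}

Get-CredSspState | Format-List
```

`NlaConfigured` reflects the registry only; the About box in mstsc, as described in the post, shows what the client actually supports after the reboot.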
  • Deleted
    Friday, October 28, 2011 10:13 AM
  • I came across this old article whilst googling for the same error message.  Just in case anyone hadn't thought of this, go check the system time and date on the machine that is trying to connect to the server.  In my case today after a lot of head scratching, I checked the date and time on the machine having the problem and it was set as the wrong month. I set the month to be correct and the problem went away. This simple but easily missed tip I hope will stop people from trying all kinds of fixes and spending hours doing so!
    • Proposed as answer by Martin Summers Wednesday, July 25, 2012 1:53 PM
    Wednesday, July 25, 2012 1:53 PM
  • Hi,

    I also came across this post when troubleshooting (or Go-ogling) this error. I did all the changes in the post before I decided on something else to try. I came across the fact that the DNS settings on the machine were not right so I altered them and guess what?? It worked !!!! Me and a colleague were joking about this working when we noticed it and were even more surprised when it did. Well there you go, hope this helps someone else who was like me struggling and editing registry settings etc.

    Wednesday, June 19, 2013 9:37 PM
  • For those arriving here via search engine and frustrated: The instant fix that worked for me on XP SP3 with all credssp/NLA updates is to install the latest root certificate update for XP (rootsupd.exe). No reboot required, works immediately!
    • Proposed as answer by Andrew Austen Thursday, August 22, 2013 1:27 AM
    Thursday, August 22, 2013 1:26 AM
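Several replies in this thread trace the same certificate error to different causes: a CRL the client cannot download, a wrong client clock, and a missing root certificate. The script below is an added example, not code from the thread, that separates those cases by building the certificate chain on the affected client with online revocation checking. It assumes PowerShell 2.0 or later on the client and that the RD server certificate has been exported to a .cer file; the path and the function name `Get-RdpCertDiagnosis` are hypothetical, and the .NET chain check approximates, but is not, the RDP client's own validation.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical path to the
# RD server certificate exported as a .cer file and copied to the client.
param([string]$CertPath = 'C:\temp\rds-server.cer')

function Get-RdpCertDiagnosis {
    param([Parameter(Mandatory = $true)][string]$Path)

    $x509  = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$x509.X509Certificate2" $Path
    $chain = New-Object "$x509.X509Chain"

    # Request an online revocation check of the whole chain.
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    [void]$chain.Build($cert)

    # CRL distribution points (OID 2.5.29.31): URLs the client must reach.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { Write-Output ("CRL distribution points:`n" + $cdp.Format($true)) }

    Write-Output ("Valid from {0:u} to {1:u}; client clock is {2:u}" -f `
        $cert.NotBefore, $cert.NotAfter, (Get-Date))

    if ($chain.ChainStatus.Count -eq 0) {
        Write-Output 'Chain builds cleanly, including revocation.'
        return
    }

    # Map each chain error to the cause reported in the thread.
    foreach ($s in $chain.ChainStatus) {
        $hint = switch ($s.Status.ToString()) {
            'RevocationStatusUnknown' { 'CRL not retrievable: check outbound HTTP and the WinHTTP proxy.' }
            'OfflineRevocation'       { 'CRL not retrievable: check outbound HTTP and the WinHTTP proxy.' }
            'NotTimeValid'            { 'Check the client date and time, then the certificate expiry.' }
            'UntrustedRoot'           { 'Root is not in Trusted Root Certification Authorities.' }
            'PartialChain'            { 'An issuer certificate is missing on this client.' }
            'Revoked'                 { 'Certificate is revoked and must be replaced.' }
            default                   { 'See the status text.' }
        }
        Write-Output ("{0}: {1} -> {2}" -f $s.Status, $s.StatusInformation.Trim(), $hint)
    }
}

Get-RdpCertDiagnosis -Path $CertPath
```

Run it as the affected user on the affected client; a result that changes between runs roughly a day apart matches the expiring-CRL pattern described earlier in the thread.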