Remote Desktop Services Uses the Wrong Certificate

  • Question

  • I am running Remote Desktop Services Host on a single Windows Server 2008 R2 machine. We connect to the remote server via the Internet. I have installed an SSL certificate in IIS, which is recognized by all the Remote Services. I have set RemoteApp Manager, Gateway Manager and Services Manager to use that certificate. I have rebooted the server. When I try to connect via a Windows 7 desktop I get the message that "The Remote Desktop Gateway server address and the certificate subject do not match." It's not for the usual reason you might be thinking: the name on the certificate does match the public server name.

    When I choose to display the certificate on the Win7 machine at the time of the message, it displays a different cert that is installed to protect a particular ASP.NET commerce website that is also running on that server. That is clearly NOT the certificate that I have configured RDS to use. Why is RDS choosing to present the client with a certificate that I have not selected for RDS to utilize?

    Note1: The Website Certificate is bound to port 443 as the website uses SSL. I cannot remove that website certificate...they must both reside on the server.

    Note2: When I connect to the same RDS server with a Win XP machine using a Remote App RDP file, I don't run into that problem.

    Any ideas? Thanks in advance to all who answer.

    Friday, December 21, 2012 5:48 PM

Answers

  • Did you install RDWeb?  Also, could you provide some screenshots of the certificate that is presented when you connect?

    RDS only supports specific types of certificates, namely a code signing or server authentication certificate, with the latter being the most commonly used.  This UCC certificate sounds like a certificate that allows you to add up to 99 SANs, which is fine for RDS.  If you look at the Details tab of the certificate, what is the "Enhanced Key Usage"?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    • Marked as answer by John Kotuby Tuesday, January 15, 2013 8:39 PM
    Friday, December 28, 2012 2:44 PM

All replies

  • Have you imported the proper certificate on the GW?

    To install a certificate on the Remote Desktop Gateway server
    1. On the RD Gateway server, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

    2. In the Remote Desktop Gateway Manager console tree, right-click the local RD Gateway server, and then click Properties.

    3. In the Properties dialog box for the RD Gateway server, on the SSL Certificate tab, click Import a certificate into the RD Gateway <RD Gateway Server Name> Certificates (Local Computer)/Personal store, where <RD Gateway Server Name> is the name of the computer on which the RD Gateway server is running.

    4. Click Browse and Import Certificate.

    5. In the Open dialog box, click the certificate that you want to use, and then click Open.

    6. In the Enter Private Key Password dialog box, in the Private key password box, enter the password for the certificate, and then click OK.

    7. In the Certificate Import dialog box, click OK.

    8. Click OK to close the Properties dialog box for the RD Gateway server.

      If this is the first time that you have mapped the RD Gateway certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the RD Gateway Server Status area in Remote Desktop Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.

    Friday, December 21, 2012 7:21 PM
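The same procedure from an elevated PowerShell prompt on the 2008 R2 host, as an added example that is not code from this thread or from Microsoft's documentation. It imports the PFX into Certificates (Local Computer)\Personal, checks the things Don asks about later in the thread (private key present, Server Authentication EKU, subject or SAN covering the public FQDN) and only then assigns the thumbprint to the RD Gateway and the RDP-Tcp listener. The path, password and host name are placeholders. The `Win32_TSGatewayServerSettings.SetCertificate()` call is my assumption about the 2008 R2 TerminalServices WMI provider; confirm the method name with `Get-Member` before relying on it.

```powershell
# Added example, not code from the thread. Run elevated on the RD Gateway host.
# Placeholders: $PfxPath, $PfxPassword, $GatewayFqdn.
# Assumption: Win32_TSGatewayServerSettings exposes SetCertificate(<thumbprint>);
# verify with: Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGatewayServerSettings | Get-Member
param(
    [string]$PfxPath     = 'C:\certs\remote.net.pfx',   # placeholder
    [string]$PfxPassword = 'changeme',                  # placeholder
    [string]$GatewayFqdn = 'srv1.remote.net'            # placeholder: the name clients connect to
)
$ErrorActionPreference = 'Stop'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'    # Enhanced Key Usage "Server Authentication"
$TsNamespace   = 'root\cimv2\TerminalServices'

# Import the PFX into Certificates (Local Computer)\Personal with a machine-scoped,
# persisted private key, which is what the gateway service needs to read.
function Import-RdsCertificate([string]$Path, [string]$Password) {
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)          # no-op if the same thumbprint is already in the store
    $store.Close()
    return $cert
}

# Refuse a certificate RDS cannot use or clients will reject: no private key,
# expired, wrong EKU, or a subject/SAN that does not cover the public FQDN.
function Test-RdsCertificate($Cert, [string]$Fqdn) {
    $problems = @()
    if (-not $Cert.HasPrivateKey)       { $problems += 'no private key' }
    if ($Cert.NotAfter -lt (Get-Date))  { $problems += "expired $($Cert.NotAfter)" }

    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $problems += 'EKU lacks Server Authentication'
    }

    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if ($san) {
        # Format() renders e.g. "DNS Name=remote.net, DNS Name=srv1.remote.net"
        $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
    }
    $covered = $names | Where-Object { $Fqdn -like $_ }    # -like lets *.remote.net match
    if (-not $covered) { $problems += "neither CN nor SAN covers $Fqdn (names: $($names -join ', '))" }
    return $problems
}

# Bind the thumbprint to the RD Gateway (what the SSL Certificate tab does) and to
# the RDP-Tcp listener (what RD Session Host Configuration does).
function Set-RdsCertificate([string]$Thumbprint) {
    $gw = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGatewayServerSettings -Authentication PacketPrivacy
    $r  = $gw.SetCertificate($Thumbprint)           # assumed method name, see header comment
    if ($r.ReturnValue -ne 0) { throw "RD Gateway SetCertificate returned $($r.ReturnValue)" }

    $listener = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting `
                -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
}

$cert     = Import-RdsCertificate $PfxPath $PfxPassword
$problems = Test-RdsCertificate $cert $GatewayFqdn
if ($problems) { throw "Not assigning $($cert.Thumbprint): $($problems -join '; ')" }
Set-RdsCertificate $cert.Thumbprint
"Assigned {0} ({1}) to RD Gateway and RDP-Tcp" -f $cert.Thumbprint, $cert.Subject
```

The RemoteApp signing certificate is not covered here; it is set separately in RemoteApp Manager, as Don notes later in the thread. The name check deliberately tests the public FQDN, not the machine name, because that is the name the client compares against the certificate subject.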
  • Thanks for the reply,

    All the Remote Services (Remote Desktop Gateway server, Remote Desktop Session Host Configuration and RemoteApp Manager) indicate that they are configured to use the correct SSL certificate. There are no error indications on the server.

    There are several certificates resident on the server: one for an eCommerce website (from GoDaddy; we will call it SHOP.COM for the sake of discussion), one created by Plesk (call it PLESK.COM) and the correct one I wish to use (call it REMOTE.NET). At the time I first posted this question all remote services above ON THE SERVER displayed REMOTE.NET as the selected and correctly configured certificate. BUT when trying to run a RemoteApp from a Windows 7 client, the certificate displayed by the remote server was SHOP.COM.

    After following your instructions for the Import into the Gateway, which indicated success, the server is now stating to the Client that it is using the PLESK.COM certificate, even though all the Remote Services on the server show that it is using the correct one... REMOTE.NET.

    Very funny. It looks as if the Remote Server wants to advertise any certificate OTHER THAN THE ONE IT IS ACTUALLY CONFIGURED TO USE.

    Well it's time for Christmas break. Thanks to all and to all a Happy Holiday.

    Monday, December 24, 2012 2:49 PM
  •  I get the message that "The Remote Desktop Gateway server address and the certificate subject do not match."

    Does your RD Gateway SSL cert match the public DNS name? It needs an external DNS name which can be resolved publicly.

    For more information:
    Introduction to TS Gateway Certificates
    http://blogs.msdn.com/rds/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx
    Certificate requirements for TS Gateway
    http://technet.microsoft.com/en-us/library/cc754252(WS.10).aspx#BKMK_ObtainCertTSGateway
    Configure a Certificate for the Remote Desktop Gateway Server
    http://technet.microsoft.com/en-us/library/cc732329.aspx

    Regards,

    Clarence

    TechNet Subscriber Support


    Wednesday, December 26, 2012 5:41 AM
  • Thank you Clarence for the reply,

    The certificate I have applied to RD Gateway indeed has the same public FQDN as the server. The problem appears to be that when a client tries to connect via a Remote App a DIFFERENT CERTIFICATE ALTOGETHER is displayed to the client. I first get the message that the names do not match and when I click "View Certificate" I am shown a certificate that is used for a Website Domain that lives in IIS on that server...definitely not the certificate I successfully imported into the RD Gateway.

    I have read that others were told to remove all server certificates except the one for RDS. I cannot do that as the server is also a live Web Server with an eCommerce website that uses the "extra" certificate. The Website domain name is of course different than the Server domain name. Does RDS only function properly if it is installed on a dedicated RDS server with only 1 SSL Certificate installed?

    I wish I could upload screenshots to show that the server console indeed displays that the correct certificate has been imported and configured into all facets of RDS.

    I will keep banging away at the problem. I may have to shut down the eCommerce site for a day and lose $1000 income just to see if RDS behaves correctly with only 1 certificate on the server. That may not seem like much to you but it is a significant loss to me.

    Thanks for responding.

    Wednesday, December 26, 2012 3:23 PM
  • What certificate did you sign the RemoteApps with?  This is displayed in RemoteApp manager. 

    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Wednesday, December 26, 2012 7:03 PM
  • Hello Don,

    That is a very good question.

    I just double checked that myself. The RemoteApp signing certificate is the same server certificate that I have used in RD Gateway and RD Session Host configuration (REMOTE.NET). To make sure that something wasn't "stuck" I deleted the App and then recreated it and then a new Windows Installer file.

    The server is Windows Server 2008 R2 with all the latest patches and updates. The client is Win7 also up to date.

    I installed the MSI on my client machine and upon trying to connect to the remote app I am shown the PLESK.COM certificate as a mismatch (see a previous post about the certificates installed on the server).

    I then installed on a different Win7 machine and got a big surprise. The certificate displayed to this other client was SHOP.COM also a mismatch.

    So the same MSI installed on 2 different machines is displaying incorrect certificates but they are different mismatched certs for some reason.

    The certificate used to sign the RemoteApp is REMOTE.NET, but that one is not being displayed to either client machine. So the RDS server seems to display different certificates at random to the client machines. Except for the certificate I configured RDS with. I feel a headache coming on.

    Please note that we are not dealing with a LAN or local domain situation but an internet connection.

    Wednesday, December 26, 2012 8:58 PM
  • What are the exact steps that you follow to connect?  Are you logging on to RDWeb and then clicking on an icon to run a RemoteApp?  What happens if you logon to RDWeb and run the same app (you mentioned you use an .msi file to deploy)?  If you're running a RemoteApp, the certificate presented would be the certificate used to sign the RDP files (if used).  If you're just connecting directly to a Session Host server then the certificate would be the one configured on the RDP-TCP listener in Session Host configuration. 

    As for the subject name changing....I have no idea what is going on there, that is not something that Remote Desktop Services will do. 


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Wednesday, December 26, 2012 10:00 PM
  • I'm sorry if I didn't make myself clear. I am just learning to implement the RDS technologies on Windows Server 2008 R2 64-bit.

    Our small business is leasing a dedicated remote server. We wish to use the server as an IIS Server for ASP.NET applications as well as an Application Server to present our Visual Basic client-server desktop apps.

    There are several distinct SSL Certificates installed in IIS 7.5. Two of them are meant to protect website domains. They were purchased and installed separately and named to match the public website domain names. Neither of these was ever installed or imported into RDS Services.

    The 3rd one is a "Standard Multiple Domain (UCC) SSL Up to 5 Domains" from GoDaddy. It was purchased specifically for use with RDS Services.

    GoDaddy's explanation of UCC certs:

    "Unified Communications Certificates (UCC) are SSL Certificates that secure multiple domains and multiple hostnames within a domain. They allow you to secure a primary domain, and up to 99 additional Subject Alternative Names, in a single certificate. UC Certificates are ideal for Microsoft® Exchange Server 2007, Exchange Server 2010, and Microsoft Live® Communications Server."

    "UCC Certificates are compatible with shared hosting however, the site seal and certificate "Issued To" will only list the primary domain. Please note that any secondary hosting accounts will be listed in the certificate as well, so if you do not want sites to appear 'connected' to each other, you should not use this type of certificate."

    The primary name of that certificate is the top level domain name for the server such as REMOTE.NET (an accurate example for discussion). The first and only "secondary" name is SRV1.REMOTE.NET which is the Public domain name of the Session Host.

    "What are the exact steps that you follow to connect?"

    From within RemoteApp Manager I created a Windows Installer Package for the Remote App that we wish to run. I then copied it to my Windows 7 desktop and installed it. To connect I click on the program icon in the All Programs menu.

    It's not just "subject name changing" that we see. Even though I imported the UCC Certificate into RD Gateway and configured the RD Session Host and RemoteApps to use it (with no errors)... when we try to connect to the remote app we are not presented with it. Instead we are shown the before-mentioned Web Site certificates. Even though I have never associated them with RDS in any way shape or form.

    It makes no sense to me.

    Wednesday, December 26, 2012 11:07 PM
  • Hi,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.

    Regards,

    Clarence

    TechNet Subscriber Support


    Friday, December 28, 2012 8:15 AM
  • Thank you for looking into this.

    I can report some progress. I had not installed RDWeb...just discovered that this morning before I read your post.

    After installing RDWeb and enabling the remote app, I now see the correct certificate being displayed when connecting through RDweb website.

    You may view that certificate by navigating to https://srv1.dmedi.net/rdweb .

    However, that is NOT the certificate that is displayed when I try to connect with the installed menu pick from the Windows Installer version of the connection.

    I am thinking that the confusion between SSL certs may be that 3 were installed on SSL port 443 with "All Unassigned" IP addresses. There are some websites that share an IP address via Host Headers. Maybe those certificates are competing with the UCC Cert that is intended for RDS usage.

    We are closer to resolution. Thank you

    Friday, December 28, 2012 5:44 PM
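A way to test that hypothesis, as an added example that is not part of the original thread: on 2008 R2 both IIS and the RD Gateway hand TLS on port 443 to HTTP.SYS, whose binding table holds exactly one certificate per IP:port, so an IIS site bound to "All Unassigned":443 supplies the certificate for every address that has no more specific entry, whatever RD Gateway Manager shows. The script below parses `netsh http show sslcert`, flags any 443 binding whose hash is not the RDS certificate, and then opens a TLS connection to the gateway name to report which certificate is actually sent. The thumbprint and host name are placeholders (examples, not values from the thread).

```powershell
# Added example, not code from the thread: compare the certificate HTTP.SYS serves
# on TCP 443 with the certificate RDS is configured to use.
# Placeholders: $ExpectedThumbprint (the REMOTE.NET cert) and $GatewayFqdn.
param(
    [string]$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # placeholder
    [string]$GatewayFqdn        = 'srv1.remote.net',                            # placeholder
    [int]   $Port               = 443
)
$ErrorActionPreference = 'Stop'
$ExpectedThumbprint = $ExpectedThumbprint.ToUpper()

# Parse the "IP:port / Certificate Hash / Application ID" records printed by
# "netsh http show sslcert" (output format as on Windows Server 2008 R2).
function Get-HttpSysSslBindings {
    $bindings = @()
    $current  = $null
    foreach ($line in (& netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = New-Object PSObject -Property @{ IpPort = $Matches[1]; CertHash = ''; AppId = '' }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.CertHash = $Matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f\-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

# Open a TLS connection and return the certificate the server sends. Validation is
# switched off on purpose: the goal is to observe what is presented, not to trust it.
function Get-PresentedCertificate([string]$HostName, [int]$TcpPort) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    try {
        $trustAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# Map a thumbprint back to the Personal store so the report shows subjects, not hashes.
function Get-SubjectByThumbprint([string]$Thumbprint) {
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($c) { $c.Subject } else { '(not in LocalMachine\My)' }
}

"HTTP.SYS bindings on port {0}:" -f $Port
foreach ($b in (Get-HttpSysSslBindings | Where-Object { $_.IpPort -like "*:$Port" })) {
    $status = if ($b.CertHash -eq $ExpectedThumbprint) { 'OK      ' } else { 'MISMATCH' }
    "  {0} {1,-22} {2}  {3}  app={4}" -f $status, $b.IpPort, $b.CertHash, (Get-SubjectByThumbprint $b.CertHash), $b.AppId
}

$presented = Get-PresentedCertificate $GatewayFqdn $Port
""
"Certificate sent by {0}:{1}" -f $GatewayFqdn, $Port
"  subject    = {0}" -f $presented.Subject
"  thumbprint = {0}" -f $presented.Thumbprint
if ($presented.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning "Clients receive '$($presented.Subject)', not the RDS certificate $ExpectedThumbprint. Rebind $Port (netsh http delete/add sslcert) or give the other sites their own IP addresses."
}
```

Run the first part on the server and the connection test from an outside client; the subject it prints should match what the Win7 client shows under "View Certificate". HTTP.SYS on 2008 R2 selects the certificate by IP:port only and ignores the TLS server name indication, so the host name in the RDP file does not influence which certificate is sent. Keep the trust-all callback confined to this diagnostic; it must never appear in code that actually talks to the gateway.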
  • Nothing wrong with the certificate on that website, and that certificate clearly comes from the IIS server.  I can't go any further without logging on.

    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging


    Friday, December 28, 2012 6:39 PM
  • Thanks for your help. Installing RDWeb properly made things right.
    Tuesday, January 15, 2013 8:40 PM