Solved

RDP SSL with SAN on W2K8

Posted on 2009-04-29
Last Modified: 2013-11-21
I can't get SSL to work on the other names listed in the Subject Alternative Names when connecting to RDP using Remote Desktop Connection to a Windows Server 2008.

What I did:

1) Copied the "computer" certificate template and called it "computer with san", enabled SAN and enabled export of the private key.
2) Added this certificate to the domain CA.
3) Enabled SAN on the CA.
4) On the W2K8 Terminal Server, opened MMC, selected Certificates, selected Computer account, selected Local computer, right-clicked the Personal container, selected Request New Certificate, selected "computer with san", clicked "Configure settings", selected Common name and entered the server's actual FQDN, selected DNS in Alternative Name, entered the server's actual FQDN, entered the server's secondary FQDN (both FQDNs point to the same IP address), entered a friendly name and description, clicked Enroll.
5) The certificate gets installed in the correct location.  Checked that the subject name and san all displayed the correct information.
6) Applied the certificate to the RDP SSL via Terminal Server Configuration.
7) Logged off.
8) Logged on with the alternative name.  The error comes up as: "an authentication error has occurred (Code 0x80090303).  Remote computer: alt.domain.nam"

Note that the primary name still works; just not the alternative name.

NLA enabled, FIPS chosen, TLS 1.0 SSL selected.  Changing to lower security doesn't help.

Using Windows XP RDC client version 6.0.6001.18000
0
Question by:AshlandSG
20 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24272891
Aside from the SAN, this sounds pretty standard, and it sounds like you avoided the most common mistake of not entering the subject name into the SAN.

Here's the Microsoft prescribed process:
http://technet.microsoft.com/en-us/library/cc740173.aspx

About the only difference I see is that they ask you to go into Certificate Purposes view mode and issue the request from the Server Authentication container instead of the default store view and requesting from Personal under the computer account context.  It may be worth a shot since things sound pretty normal for what you did, but honestly I don't give it much weight.

More specific to what you are doing, here is another guide:
http://technet.microsoft.com/en-us/library/cc731264.aspx


Okay, onto something that might actually be useful...

Have you tried rebooting the server or restarting terminal services?

Did you have a test cert installed on this box that did not have the SAN, by chance?  You may need to clear the client's SSL state (internet options - content - clear ssl state) and maybe clean the proxy if present.


Is the remote client on a different domain than the TS?  Try testing from another box in the same domain, if possible.
http://technet.microsoft.com/en-us/library/cc731435.aspx
"If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer."
0
 

Author Comment

by:AshlandSG
ID: 24275385
Just tried the Certificate Purposes view and requested new certificates, after clearing out the old ones, which I always do.  Always restarted the server after applying the certificate to RDP.  Still no go on the alternative name.  No problems with the primary name.

All are on the same subnet and in the same domain.  Forget about TSG for now; I'm simply trying to resolve the direct-connection certificate issue first.  (When I use TSG, I get the same error on the alt name but it works on the primary name; yes, both names are in the RAP).

The CA is a Windows 2003 Enterprise Server Domain Controller, which is why it allowed me to create templates with SAN and exportable keys.  I can't upgrade the CA to a Windows Server 2008, yet, until I've had the chance to prove Windows 2008 is stable.

Doesn't Windows Server 2008 support use of machine certificate containing SAN?

Regards,

John
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24279823
SAN is just an attribute of the certificate - both 2003 and 2008 support that just fine, you just have to enable the ability to use it in the registry, which it sounds like you already did (usually using a certutil -setreg command to add the value).  If the CA supports it, it can add that to any kind of cert.  

The server that the cert is created for should support it for anything MS puts out and most 3rd party software as well.  MS developed a common middleware component MS-CryptoAPI (MS-CAPI, or commonly just CAPI even though there are others).  This makes it easier for hardware vendors to write to a common, well-known middleware from the lower levels of OSI, and the application developers enjoy the same convenience coming down from the higher levels of OSI - CAPI works as an abstraction layer, so almost everyone uses it since it is pretty stable, well documented, and much more convenient than writing custom code to work with every vendor on the planet.  Very few programs still write their own entire middleware layer instead of plugging into CAPI.

From my earlier link http://technet.microsoft.com/en-us/library/cc731264.aspx we see it documented that RDP does support SAN usage, but beyond the domain thing it does not sound like there should be a further issue.

What is the remote client using for its RDP software version?  If the client does not have the latest service pack, install that as RDP gets updated in pretty much every service pack.  For 2008, current hotfixes are installed?

You might try using a smaller subset of SAN attributes for testing - try just the FQDN and the hostname or one alias.  Leave IP addresses and everything else out for now - keep it simple for this and expand from there.  Not sure if you have a lot of names in there or how long they may be - I'm working under the assumption that there are just a few names of normal lengths - not hundreds of characters or extremely long names.  Regardless, reducing down to 2 names for testing might be worth it.
0
 

Author Comment

by:AshlandSG
ID: 24281222
In my first posting, I mentioned I am using Windows XP SP3 x32 RDC client version 6.0.6001.18000.

Windows Server 2008 Standard x32 has the latest updates Microsoft has given me via Windows Updates.

There are only two items in the SAN, one with the CN in FQDN and one with the alternative name.  Both are defined in DNS and both are 24 characters or less (xxxxxxxxxx.xxxxxxxxx.xxx).

I've tried these formats:

1)
CN = server1.test.com
san:dns=server1.test.com&dns=english.test.com

2)
CN = server1.test.com
san:dns=english.test.com&dns=server1.test.com

3)
CN = english.test.com
san:dns=server1.test.com&dns=english.test.com

4)
CN = english.test.com
san:dns=english.test.com&server1.test.com

Only 1 and 2 worked when I use server1.test.com to connect, not english.test.com.

I enabled SAN on the CA only, since I thought it was related to allowing the creation of certificates with SAN.  Do I also need to enable it on the terminal server, too, so that it can recognize and use the SAN attributes from the installed certificate?  Perhaps I should give that a shot.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24281788
No, you do not need to enable the SAN registry key on the clients - the key that is set is within the certificate services portion of the registry, which will not exist on boxes that are not CA, so will have no real bearing on anything by being set.

Aha - apparently there is yet an even newer version of the client!  And apparently that version is necessary...
http://blogs.msdn.com/rds/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx

Download XP RDP 6.1 client:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6e1ec93d-bdbd-4983-92f7-479e088570ad
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24281839
XP SP3 should have had RDP 6.1 by the look of it...  might want to double-check winver...  otherwise there may have been an issue with the SP install that didn't make it stop the overall progress?


0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24281888
Ack - stupid versioning system...  6.0.6001.18000 is the version for 6.1 that is specified in KB952155...  sorry...

http://support.microsoft.com/kb/952155
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24281944
On the Advanced tab you could enable "Warn me if authentication fails" - this might provide more detail into the issue, although given the circumstances I would assume a name mismatch warning.  Should allow you to connect anyways...

Let me dig around a little more...
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24281973
Do you have ISA running by chance?  Need ISA2006 SP1 to support SAN
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24282050
You aren't connecting using the /admin switch, are you?  They don't explicitly say it from what I've seen so far, but using that disables pretty much all of the new features of 6.1 over 6.0, so maybe that is one of them as well for the SAN?
0
 

Author Comment

by:AshlandSG
ID: 24282117
I am not using ISA.  Must I in order to support SAN?

I am not using the /admin switch though I did add monitor span:i:1 to the default.rdp so I can view RDC in spanned mode.

I don't think the content of default.rdp is going to be helpful but here goes nothing:
screen mode id:i:2
desktopwidth:i:1280
desktopheight:i:1024
session bpp:i:16
winposstr:s:0,1,1335,54,2358,781
compression:i:1
keyboardhook:i:2
displayconnectionbar:i:1
disable wallpaper:i:1
disable full window drag:i:1
allow desktop composition:i:0
allow font smoothing:i:0
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:xxxx.xxxx.xxxx
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:xxxx.xxxx.xxxx
gatewayusagemethod:i:0
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:0
span monitors:i:1

Of course I covered the addresses with x's.

Regards,

John
0
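As an added example that is not code from this thread or from Microsoft: the four CN/SAN layouts John listed and the default.rdp he pasted are both simple text formats, so the block below parses the `san:dns=...&dns=...` request attribute syntax and the `name:type:value` lines of an .rdp file, then applies RFC 6125-style name matching (SAN dNSName entries are consulted first; the CN is only a fallback when the certificate carries no SAN) to show which layouts cover which target name. The matching rule is the modern one and is an assumption about client behaviour, not a statement about what the 2009 XP client did; the sample .rdp text and the `.test.com` names are constructed, and rejecting a SAN entry without a `dns=` prefix (as in the thread's fourth layout) is this example's own choice.

```python
# Added example, not code from the thread or from Microsoft.  Sample inputs
# are constructed; the name-matching rule implemented is RFC 6125's, which is
# an assumption about the client, not documented behaviour of the XP 6.1 client.
from dataclasses import dataclass


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value' lines of an .rdp file into {name: (type, value)}.
    type is 'i' (integer) or 's' (string).  Only the first two colons separate
    fields, so a value such as 'host:3389' survives intact."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            raise ValueError(f"malformed .rdp line: {raw!r}")
        name, kind, value = parts
        if kind == "i" and not value.lstrip("-").isdigit():
            raise ValueError(f"non-integer value for {name}: {value!r}")
        settings[name.strip().lower()] = (kind, value)
    return settings


def parse_san_attribute(attr: str) -> tuple[str, ...]:
    """Turn 'san:dns=a&dns=b' into ('a', 'b').  An entry without a 'dns='
    prefix is rejected here (this example's choice, not a claim about the CA)."""
    if not attr.lower().startswith("san:"):
        raise ValueError("attribute must start with 'san:'")
    names = []
    for entry in attr[4:].split("&"):
        kind, sep, value = entry.partition("=")
        if not sep or kind.strip().lower() != "dns" or not value.strip():
            raise ValueError(f"unsupported SAN entry: {entry!r}")
        names.append(value.strip())
    return tuple(names)


@dataclass(frozen=True)
class CertNames:
    common_name: str
    san_dns: tuple[str, ...] = ()


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, plus a single leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".test.com"
        if not host.endswith(suffix):
            return False
        first_label = host[: -len(suffix)]
        return bool(first_label) and "." not in first_label
    return pattern == host


def hostname_matches(cert: CertNames, host: str) -> tuple[bool, str]:
    """RFC 6125 order: when any dNSName SAN exists, the CN is not consulted."""
    if cert.san_dns:
        for name in cert.san_dns:
            if _dns_match(name, host):
                return True, f"matched SAN dNSName {name}"
        return False, "no SAN dNSName matched; CN ignored because SAN is present"
    if _dns_match(cert.common_name, host):
        return True, "matched CN (certificate has no SAN)"
    return False, "CN does not match and certificate has no SAN"


def check_rdp_target(rdp_text: str, cert: CertNames) -> dict:
    """Take the target host from 'full address' and report the name check
    together with how the client is configured to react to a failed check."""
    settings = parse_rdp(rdp_text)
    host, _, _port = settings["full address"][1].partition(":")
    ok, reason = hostname_matches(cert, host)
    # 'authentication level': 0 = connect without warning, 1 = do not connect,
    # 2 = warn but allow (the file pasted in the thread uses 2).
    level = int(settings.get("authentication level", ("i", "2"))[1])
    return {"host": host, "matches": ok, "reason": reason, "authentication level": level}


# Constructed sample: a subset of the pasted default.rdp, with the x'd-out
# address replaced by the thread's own example alternative name.
SAMPLE_RDP = """\
screen mode id:i:2
winposstr:s:0,1,1335,54,2358,781
full address:s:english.test.com
authentication level:i:2
negotiate security layer:i:1
span monitors:i:1
"""

# The four CN/SAN layouts from the thread, expressed with the attribute syntax.
LAYOUTS = {
    1: CertNames("server1.test.com", parse_san_attribute("san:dns=server1.test.com&dns=english.test.com")),
    2: CertNames("server1.test.com", parse_san_attribute("san:dns=english.test.com&dns=server1.test.com")),
    3: CertNames("english.test.com", parse_san_attribute("san:dns=server1.test.com&dns=english.test.com")),
    4: CertNames("english.test.com", parse_san_attribute("san:dns=english.test.com&dns=server1.test.com")),
}


def coverage(host: str) -> dict[int, bool]:
    """Which of the four layouts cover `host` for a SAN-aware client."""
    return {n: hostname_matches(c, host)[0] for n, c in LAYOUTS.items()}
```

Running `coverage("english.test.com")` and `coverage("server1.test.com")` reports every layout as covering both names, which is the point: on a client that honours the SAN, all four certificates are fine, and a name-mismatch theory cannot explain a failure that only affects the second name; `check_rdp_target(SAMPLE_RDP, LAYOUTS[1])` additionally shows the `authentication level` of 2 that corresponds to the "warn me" setting discussed in the thread.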
 

Author Comment

by:AshlandSG
ID: 24282149
Oh, and it's already set to warn me.  The error is what I described in the first post, item #8.  Not exactly helpful.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24282378
Not seeing much else yet for direct connect, but for RDP gateway - I'm not seeing a requirement for ISA to be there, but I'm seeing stuff about if you have ISA it needs to be 2006 SP1.

Here are the instructions for installing the cert for the gateway manager:
To import a certificate to be used by the RD Gateway server
Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

In the RD Gateway Manager console tree, right-click the local RD Gateway server, and then click Properties.

On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.

In the Install Certificate dialog box, click the certificate that you want to use, and then click Install.

Click OK to close the Properties dialog box for the RD Gateway Manager server.

If this is the first time that you have mapped the RD Gateway Manager certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the RD Gateway Server Status area in RD Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.
0
 
LVL 31

Accepted Solution

by:Paranormastic (earned 2000 total points)
ID: 24282410
Found something that says that this hotfix might help, and the problem description in the posting matched pretty well to your situation - sounds like more of a connection issue than a cert related issue.
http://support.microsoft.com/kb/953760
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24282424
Make sure to read the article for that hotfix - note that a restart is required and there are post-installation things that may need to be done for enabling CredSSP.

Hotfix updates kerberos.dll only - guess that's where the issue is deep down if this does it.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24282455
Also sounds like Vista/2008 boxes shouldn't have this issue, if you happen to have any of those.  Hotfix backs up that statement in the posting from the MS guy - applies to XP SP3.
0
 

Author Comment

by:AshlandSG
ID: 24282457
I do have an SSL certificate mapped on the TSG.  However, the problem is passed from the TS destination to the TSG gateway with the same error response, the very same error as the direct connection.  So, I believe I need to get the direct connection error resolved before I can even use the TSG one.

I completely agree that the problem may be with Kerberos and that KB953760 may indeed be the solution I need.  I already enabled CredSSP or otherwise wouldn't have been able to get in due to NLA.

Going to give that KB solution a try!
0
 

Author Comment

by:AshlandSG
ID: 24282822
Yahoo!  The two downloadable hotfixes resolved my problem.  I didn't even need to modify the CredSSP Group Policy settings.  I don't even have the registry key below, so it must be using the defaults, which is good enough for me:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation

I tried with the primary name, alternative name, and both directly and through TSG.  All works!

Good job on finding this KB and thank you very much!  I hope the moderators stick this in somewhere, because I am pretty sure this is a very obscure issue, and I rate myself as an expert!

Regards,

John Babbitt
Systems Administrator
Ashland Support Group
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24282938
Glad it all worked out!  Had me wondering what was up there for a bit - helped make a slow Friday go along a little better:)
EE normally archives posts that are not deleted by the user (or sometimes by mod if abandoned).  Shows up nicely in google searches too usually within a few hours, and EE gets enough traffic that they tend to be near the top of the search results.  As it gets viewed more by other EE users it goes up in preference as you would expect.  I added a few tags to help searches out too.
0
 

Author Comment

by:AshlandSG
ID: 24282966
Again, thank you very much, including adding additional tags.  I really think this post is worthwhile.  While SP4 for Windows XP is not yet available, when it does come out this is no longer going to be an issue, as these hotfixes are going to be included in SP4, says the KB.
0

Question has a verified solution.