RDP SSL with SAN on W2K8
Posted on 2009-04-29
I can't get SSL to work on the other names listed in the Subject Alternative Name when connecting to RDP with Remote Desktop Connection to a Windows Server 2008 machine.
What I did:
1) Copied the "computer" certificate template, called it "computer with san", enabled SAN and enabled exporting the private key.
2) Added this certificate template to the domain CA.
3) Enabled SAN on the CA.
4) On the W2K8 Terminal Server, opened mmc, selected Certificates, selected Computer account, selected Local computer, right-clicked the Personal container, selected Request New Certificate, selected "computer with san", clicked "configure settings", selected Common name and entered the server's actual FQDN, selected DNS under Alternative Name, entered the server's actual FQDN and the server's secondary FQDN (both FQDNs point to the same IP address), entered a friendly name and description, and clicked Enroll.
5) The certificate was installed in the correct location. Checked that the subject name and SAN all displayed the correct information.
6) Applied the certificate to RDP SSL via Terminal Server Configuration.
7) Logged off.
8) Logged on with the alternative name. The error comes up as: "An authentication error has occurred (Code 0x80090303). Remote computer: alt.domain.nam"
Note that the primary name still works; just not the alternative name.
NLA enabled, FIPS chosen, TLS 1.0 SSL selected. Changing to a lower security level doesn't help.
Using the Windows XP RDC client, version 6.0.6001.18000.
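Before looking at the client, it is worth confirming on the server which certificate the RDP-Tcp listener is actually bound to after step 6, and whether that certificate's CN and SAN really cover every name clients connect with. The following PowerShell script is an added example, not part of the original post. It reads the thumbprint that Terminal Server Configuration stores on the RDP-Tcp listener (the SSLCertificateSHA1Hash property of Win32_TSGeneralSetting, assumed to be present on this server), finds that certificate in the machine's Personal store, extracts the DNS names from the subject and the SAN extension, and reports for each name whether it resolves and whether the certificate covers it. The two hostnames in $NamesToCheck are placeholders for the primary and secondary FQDN; run it in an elevated PowerShell prompt on the terminal server.

```powershell
# Added example (not from the original post): check which certificate RDP-Tcp
# is bound to and whether its CN/SAN covers the names clients use.
# Placeholder names; replace with the server's primary and secondary FQDN.
$NamesToCheck = @("server.domain.nam", "alt.domain.nam")

function Get-RdpListenerCertificate {
    # SSLCertificateSHA1Hash holds the thumbprint of the certificate selected
    # for the RDP-Tcp listener in Terminal Server Configuration.
    $setting = Get-WmiObject -Namespace "root\cimv2\TerminalServices" `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $setting) { throw "RDP-Tcp listener not found via WMI." }

    $hash = $setting.SSLCertificateSHA1Hash
    if (-not $hash -or $hash -match '^0+$') {
        Write-Warning "No explicit certificate is bound to RDP-Tcp; the listener is using its default self-signed certificate."
        return $null
    }

    # Enrollment through the Certificates MMC (computer account) puts the
    # certificate in LocalMachine\My; the bound thumbprint must be found there.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hash.ToUpper() }
    if (-not $cert) { throw "Thumbprint $hash is bound to RDP-Tcp but not present in LocalMachine\My." }
    return $cert
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()

    # Subject common name
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }

    # Subject Alternative Name extension (OID 2.5.29.17). Format($true)
    # renders each entry on its own line as "DNS Name=host".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names | Sort-Object -Unique
}

function Test-RdpNameCoverage {
    param([string[]]$Names)
    $cert = Get-RdpListenerCertificate
    if (-not $cert) { return }

    $covered = Get-CertificateDnsNames -Cert $cert
    Write-Host ("RDP-Tcp certificate: {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
    Write-Host ("Names in CN/SAN:     {0}" -f ($covered -join ", "))
    Write-Host ("Valid until:         {0}" -f $cert.NotAfter)

    foreach ($n in $Names) {
        # The post says both names point to the same IP; show what DNS returns.
        try {
            $ips = ([System.Net.Dns]::GetHostAddresses($n) |
                ForEach-Object { $_.IPAddressToString }) -join ","
        } catch { $ips = "unresolvable" }

        # -contains is case-insensitive, which matches DNS name semantics.
        $ok = $covered -contains $n
        "{0,-30} resolves to {1,-20} covered by certificate: {2}" -f $n, $ips, $ok
    }
}

Test-RdpNameCoverage -Names $NamesToCheck
```

If the second name shows "covered by certificate: False", the listener is not bound to the SAN certificate that step 5 verified in the MMC (for example an older certificate is still selected); if it shows True for both names, the certificate itself is not what distinguishes the working name from the failing one.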