Server 2008 R2/Windows 7 Remote Desktop certificate error

I've looked all over for a solution to this issue, but have yet to find one that works.

I've installed a fresh copy of Server 2008 R2 and enabled Remote Desktop. I connect to the server (by name or IP address) from a Windows 7 remote desktop client and get the attached error dialog.

I can certainly click "Don't ask me again" and get rid of it, but I'd rather fix the issue. If I click on "View Certificate" and then "Install Certificate", and place the certificate in the "Trusted Root Certificate Authorities," the error doesn't go away.

The server is not running AD Certificate Services. The certificate seems to be on a 6-month expiration cycle, which the server itself must regenerate on its own. I certainly didn't do anything to create it.

I can only assume I'm installing the wrong certificate, but I have no idea where the right certificate is. I've tried exporting the Remote Desktop/Certificates data from the MMC/Certificates snap-in, but I get the same results.

Any ideas?

Get a 3rd party trusted cert and install it on your server through the Remote Desktop Manager. You can issue a new one from your own CA as well, but your CA root cert needs to be trusted already. Of course you need to make sure that you're connecting using the FQDN of the server which needs to match the common name of the issued cert.
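As an added example (not code from the thread), this is the scripted equivalent of picking a CA-issued certificate for the listener in Remote Desktop Session Host Configuration on Server 2008 R2. It assumes the server's FQDN is test2k8.example.local (placeholder), that the certificate and its private key are already in the machine Personal store (LocalMachine\My), and that it runs from an elevated prompt. It checks the two things the answer above calls out before binding: the name in the certificate matches the FQDN clients will type, and the issuing CA's root is already trusted, otherwise the chain will not build on the server and will not build on the clients either.

```powershell
# Added example, not part of the original thread. Binds a CA-issued certificate to the
# RDP-Tcp listener by thumbprint. Placeholder FQDN; change to the server's real name.
$fqdn = 'test2k8.example.local'
$certNs = 'System.Security.Cryptography.X509Certificates'

# 1. Newest certificate in LocalMachine\My whose DNS name matches the FQDN and that has a
#    private key. The listener runs as NETWORK SERVICE, which needs Read on that key.
$my = New-Object -TypeName "$certNs.X509Store" -ArgumentList 'My', 'LocalMachine'
$my.Open('ReadOnly')
$cert = $my.Certificates |
    Where-Object {
        $_.HasPrivateKey -and (
            $_.Subject -match "CN=$([regex]::Escape($fqdn))(,|$)" -or   # CN in the subject
            $_.GetNameInfo('DnsName', $false) -ieq $fqdn                 # or SAN dNSName
        )
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$my.Close()
if (-not $cert) { throw "No certificate with a private key for $fqdn in LocalMachine\My" }

# 2. The server must be able to build the chain itself. If the issuing root is not in
#    LocalMachine\Root here, clients will show the same warning the question describes.
$chain = New-Object -TypeName "$certNs.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; turn on once CRLs are reachable
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not build for $($cert.Thumbprint): $why"
}

# 3. Bind by SHA-1 thumbprint (uppercase hex, no spaces) through the TerminalServices WMI class.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Read it back: this is the certificate the client will be shown on the next connection.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
if ($ts.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw 'RDP-Tcp still uses the previous certificate' }
Write-Host "RDP-Tcp now presents $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
```

The name check matters because the client compares the name it was given (what you typed in mstsc) against the certificate; a certificate that chains fine but was issued to the short host name still warns when you connect by FQDN, and vice versa.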
It is not an error. This is a warning letting you know that the certificate has not been accepted by a registered/trusted CA.

You can get someone like Verisign to issue a certificate so this will not come up. If you are going to have customers logging onto the server to do payments or something like this then you would want to get one issued. If it is only you using the server or people in the company it may not be very important that you have a trusted certificate.

I do not think you want to pay to get a certificate issued for a test server.

Cláudio Rodrigues (Founder and CEO) commented:
The problem here is the Thumbprints. You need to open the certificate and look at its properties. In one place you will see its Thumbprints. You must then create a registry key on your machine with that 'signature' or use a policy to do that.
I did that last week manually on a couple machines and it does get rid of the message.

This is the key if you want to create it manually (what does work and fixes the problem):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]

Cláudio Rodrigues
Citrix CTP
Cláudio Rodrigues (Founder and CEO) commented:
Oh, now also looking at the cert, the other key thing is to make sure the CA root certificate is installed. When you get a certificate from a major CA like Entrust, Verisign, etc. this usually is part of the OS (as MS installs that) but still needs to be updated every once in a while (updated through Windows Update). If the certificate was issued internally or by a not that well known company, you need to get the Root CA certificate loaded. Once you do that, all certificates signed by that authority will be trusted.

Cláudio Rodrigues
Citrix CTP
Chief_Architect (Author) commented:
This server will only be connected to from a local area network, so paying for a trusted certificate from a CA really isn't what I want to do. I also have neither installed nor configured a local CA. If this is a requirement to make this work I'd like to hear that, but it seems unreasonably complicated to clear up a RD connection error message. I am connecting to the FQDN machine name as the issued certificate states (Test2k8).

Unlike the linked-to solution on EE, if I import the certificate it *doesn't* work.

I added the Registry key for "Terminal Services" (my fresh Windows 7 install didn't have it), and added a binary data field with the thumbprint of the certificate but got the same error. As for getting the root CA (from the 2008 Server) how is this done? Where is the root certificate authority stored? How do I export it, so that I can import it into trusted roots on my local client?
Cláudio Rodrigues (Founder and CEO) commented:
The thing is in this case you are using the self signed certificate I think. Windows Server has a CA authority that you can install (free, part of the OS) and then issue certificates to the correct names.
I would assume in this particular case you would have to go into the Certificates MMC on the TS and try to locate the CA Root certificate for the self signed certificates. I guess this would be listed on the certificate itself (who issued it) if you open it for viewing.
Of course if you install the CA then you simply distribute the CA root cert. :-)

Cláudio Rodrigues
Citrix CTP
Chief_Architect (Author) commented:
Cláudio : Do you know where I can find that certificate? In the Certificates MMC snap-in the only certificate I have with the Test2k8 name is under Remote Desktop\Certificates, and is the same cert that I've tried installing on the client side that doesn't do anything.

The certificate says it was issued by "Test2k8," which is also all that appears in the Certificate path. I've attached images of the certificate to show this information.
You need to install the certificate in the trusted root certificates.
The steps in the link show you how to do it with IE8 but from the view certificate step it is all the same.
You have already got the certificate on your screen. You just need to install it.
Cláudio Rodrigues (Founder and CEO) commented:
Hutnor is correct. Now you need to install it on the trusted root.

Cláudio Rodrigues
Citrix CTP
Alex Appleton (Business Technology Analyst) commented:
In all honesty you should add a CA role to a local server and have it sign certificates for your network, you can distribute the CA's certificate via GPO and basically wouldn't have to worry about this.

Try this on the computer that is attempting to connect:
run mmc.exe
File-Add/Remove Snap-In
Add the Certificates snap in for the local computer account
Expand the tree and look for 'Trusted Root Certification Authorities'
Click on Certificates and browse the list on the right pane, look for your Test2k8 certificate here.

If it doesn't appear in this list, export the certificate from Test2k8 and then import it via this mmc console.  I find importing this way sometimes gets it right where the other method fails to.
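The same export/import procedure in PowerShell, as an added example that is not part of the thread. It assumes the server is named Test2k8, that the exported file is copied to C:\Temp\Test2k8-rdp.cer on the client, and that both halves run from an elevated prompt, since LocalMachine\Root is not writable otherwise. Two checks are added that the GUI route skips: the client refuses to import the file unless its thumbprint matches the one read on the server, and it confirms the certificate's CN is the name you connect with. The self-signed listener certificate is regenerated when it expires (the question notes a six-month lifetime), so this has to be repeated after each renewal; the thumbprint check is what catches a changed certificate instead of silently trusting a new one.

```powershell
# Added example, not part of the original thread. Export the self-signed RDP listener
# certificate on the server, verify it on the client, then trust it machine-wide.
$certNs = 'System.Security.Cryptography.X509Certificates'

function Export-RdpListenerCert {
    # Run on the server. Writes the public half of the CN=<ServerName> certificate from the
    # Remote Desktop store to a DER file and returns its thumbprint for the client-side check.
    param([string]$ServerName, [string]$OutFile)
    $store = New-Object -TypeName "$certNs.X509Store" -ArgumentList 'Remote Desktop', 'LocalMachine'
    $store.Open('ReadOnly')
    $cert = $store.Certificates | Where-Object { $_.Subject -eq "CN=$ServerName" } | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No CN=$ServerName certificate in the Remote Desktop store" }
    # X509ContentType.Cert = certificate only; the private key never leaves the server.
    [System.IO.File]::WriteAllBytes($OutFile, $cert.Export('Cert'))
    Write-Host "Exported $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
    return $cert.Thumbprint
}

function Add-TrustedRdpCert {
    # Run on the client. Imports only if the thumbprint matches what the server reported and
    # the CN matches the name used to connect, into the computer's (not the user's) Root store.
    param([string]$CerFile, [string]$ServerName, [string]$ExpectedThumbprint)
    $cer = New-Object -TypeName "$certNs.X509Certificate2" -ArgumentList $CerFile
    # The certificate dialog shows the thumbprint with spaces; normalise before comparing.
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($cer.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cer.Thumbprint), expected $expected. Not importing."
    }
    if ($cer.Subject -ne "CN=$ServerName") {
        throw "Certificate is for $($cer.Subject), but you connect to $ServerName; the warning would stay."
    }
    $root = New-Object -TypeName "$certNs.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $root.Open('ReadWrite')
    if (-not $root.Certificates.Contains($cer)) { $root.Add($cer) }
    $root.Close()
    # Read back from the store the RDP client actually consults (computer account).
    $root.Open('ReadOnly')
    $present = $root.Certificates.Find('FindByThumbprint', $cer.Thumbprint, $false).Count -gt 0
    $root.Close()
    if (-not $present) { throw 'Certificate did not land in LocalMachine\Root' }
    Write-Host "Trusted $($cer.Subject) ($($cer.Thumbprint)) until $($cer.NotAfter)"
}

# On the server:
#   $tp = Export-RdpListenerCert -ServerName 'Test2k8' -OutFile 'C:\Temp\Test2k8-rdp.cer'
# Copy the .cer and the thumbprint to the client, then there:
#   Add-TrustedRdpCert -CerFile 'C:\Temp\Test2k8-rdp.cer' -ServerName 'Test2k8' -ExpectedThumbprint $tp
```

Trusting a single self-signed machine certificate as a root this way is fine for one LAN test box; once there are several servers, the CA role plus GPO distribution described at the top of this answer is the route that does not need repeating per machine and per renewal.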

Chief_Architect (Author) commented:
I ran the mmc and added the Certificates snap-in on the machine from which I was trying to connect, specified that it was for the entire computer and not my local user (perhaps this was what made the difference?), and added the exported certificate to the Trusted Root Certification Authorities, and now I no longer receive the warning message. Thank you!