bwander asked:
SBS 2011 RDS not using 3rd party cert

I have a new SBS 2011 Std. installation with a new standard goDaddy SSL cert.  I installed the intermediate cert and used the wizard to install the server cert.

When users connect to remote.server.com/remote, the goDaddy cert is in use.
When users try to connect to a computer inside RWA, they receive a certificate warning. Viewing the cert shows the local cert is in use.

How do I get the goDaddy cert connected to RDS?
Tags: Microsoft Server OS, SSL / HTTPS, Microsoft Legacy OS, Security, SBS

Shreedhar Ette:

- Open TS Gateway Manager from Administrative Tools --- Terminal Services

- Select Properties on the Server Object, and choose the Proper SSL Certificate tab from within properties.
ASKER CERTIFIED SOLUTION by Jeffrey Kane - TechSoEasy (solution text not shown on this page)
bwander (Asker):
TechSoEasy - I followed the instructions from Sean previously.

I followed the MS KB article instructions to install the RD Gateway Manager and successfully imported the cert there.  I've restarted all the RD services, but I still get presented with the old cert when connecting?

TechSoEasy:

I keep reading around that people don't use UCC certificates and they don't have any issues with regular ones... but the fact is that I always use a UCC certificate which will include the server's local host name, so I don't ever really see the type of problem you are having.

My suggestion is that you use a UCC certificate.  When you run the Trusted Certificate wizard on the SBS it will create the request for remote.domain.com
So when you paste the CSR in GoDaddy's request form you will see that it adds "domain.com". You should then add the following Subject Alternative Names:

servername.domain.local
autodiscover.domain.com
mail.domain.com  (this is optional -- but we like to use a different host name for MX records)

Because the cert will include a local domain name you generally have to call GoDaddy support to get the processing pushed through.  But they are always helpful in doing this.

Also, you can most likely ask them to exchange the certificate you just bought for a UCC one instead, so you won't be wasting what you've already paid.

Jeff
TechSoEasy

bwander (Asker):

I have a UCC/SAN cert, my sub alt names are

remote.domain.com
servername.domain.com
servername.domain.local
autodiscover.domain.com

Let me clarify my problem.

I connect to remote.domain.com/remote - no cert warnings
Log in, choose a PC to remote into
Provide credentials

This is when I receive a cert warning. If I view the cert, it shows the self-signed from the server - not the goDaddy cert.

TechSoEasy:

That sounds to me like you still don't have the certificates installed correctly.

Did you install the Intermediate Certificate Bundle in IIS BEFORE running the Trusted Certificate Wizard?

Jeff
TechSoEasy
bwander (Asker):

No.

You do realize that is one of the steps listed in Sean's instructions, right?
bwander (Asker):
Yes.  I had followed another guide prior to Sean's instructions, without installing the intermediate first, but after finding Sean's I thought because you go through the wizard again it might still work.

Is there anything I can do now?

TechSoEasy:

Remove and reinstall the certificate exactly as explained in Sean's article.

You can easily rekey it at GoDaddy.  (http://community.godaddy.com/help/4976)

Jeff
TechSoEasy
bwander (Asker):
Can I just use the SBS Console wizard to install a new one, or do I have to actually remove the old first?
bwander (Asker):
Removed the cert, rekeyed per goDaddy instructions.

Installed new cert per Sean's instructions, intermediate was already installed, but imported again anyway.

Followed MS KB to install for RD Gateway

BUT I'm still receiving a cert warning when choosing to connect to a PC from the RWW. It's still set to use the self-signed.

Do you have TMG or ISA? If yes, then check the certificate installed on the RDS rule; it might be the self-signed one.
bwander (Asker):
No Forefront and no ISA.

TechSoEasy:

Then I would suggest that perhaps you didn't have your certificate issued correctly?

Take a look at these articles which are relevant for SBS 2011 as well:

Common Remote Web Workplace (RWW) Connect to a Computer Issues in SBS 2008
http://blogs.technet.com/b/sbs/archive/2009/06/19/common-remote-web-workplace-rww-connect-to-a-computer-issues-in-sbs-2008.aspx

Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
http://blogs.technet.com/b/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx

Jeff
TechSoEasy
bwander (Asker):
I've read both of those previously and the second one doesn't apply.

I don't think it's a problem with the certificate at all.  Otherwise why would OWA, and RWW work fine?  

Although I'm setting RDS with the correct cert, it's just not using it.  Is there somewhere else I can check it....in IIS maybe?

I haven't rebooted the server yet either....

TechSoEasy:

Sorry, you're right about the second one... I copied those links from my notebook regarding these issues.

Definitely reboot.

Also, there is one section you should take careful note of: "8. TS Gateway Service known issues"

Make sure the settings are correct on the RPC virtual directory.

Jeff
TechSoEasy

bwander (Asker):

Would I do that in IIS Manager (6 or 7)? I'm not sure exactly where to find that.

TechSoEasy:

Definitely in IIS7 --- IIS6 is only included in SBS 2008 for an FTP server.

Jeff
TechSoEasy
bwander (Asker):
And then where, I'm completely unfamiliar with IIS 7....

TechSoEasy:

In IIS7 Manager, expand SERVER (DOMAIN\Username) > Sites > SBS Web Applications > and click on Rpc

Then click on "SSL Settings" in the Features panel

You will see the settings as pictured below.

Jeff
TechSoEasy

[Attached image: sslsettings.jpg]
bwander (Asker):
I found RPC under Server > Sites > Default Web Site > RPC ( I don't have SBS Web Apps)

Clicking on the SSL Settings feature I see the same settings as you have specified.

I also see SSLwithCert.  Clicking on SSL Settings feature I see:
Require SSL - checked
Client certificates - Require

TechSoEasy:

Sorry, the SBS Web Apps was for 2008...

Switch Client Certificates to "Ignore"

Then restart IIS (command prompt "iisreset")

Jeff
TechSoEasy
bwander (Asker):
Nope, it still shows the cert warning with the local cert when connecting to a PC from RWW.

I think I'm out of ideas then... sorry.
bwander (Asker):
Thank you very much for all your efforts. I was ready to give up long before you were. So how do I get other "Geniuses" to comment?

TechSoEasy:

You would click the "Request Attention" button in the body of the original question. I've done that for you though, so a moderator will send out a request to Experts in this zone.

Jeff
TechSoEasy
bwander (Asker):
OK, thanks again.

bwander (Asker):

Ok, new info!

It turns out I was previously only trying to connect to the server, which was presenting the local cert and thus the warning.

I tried to connect to a workstation and I did not receive a cert warning.

So the question remains, why do I continue to receive one for the server?
debuggerau:

Is autodiscover set to ignore also?
bwander (Asker):
Forgive me but I'm not sure what you are talking about?

autodiscover.domain.com is part of the cert.

TechSoEasy:

I believe what he's saying is to make sure that the Autodiscover Application (below Default Web Site in IIS Manager) has the same settings as I suggested for RPC.

Jeff
TechSoEasy
bwander (Asker):
They are the same: Require SSL is checked and Client Certificates is set to Ignore.

a1computer1:

I too have the same problem, and I followed the GoDaddy import of the SSL cert.
I also enabled the TS Gateway Manager, then installed the certificate.

So I can log into http://mail.affrdputerservices.com
and get redirected to https://mail.affrdputerservices.com/remote

I enter user name and password and enter Remote Web Anywhere of SBS 2011,
then select connect to computer,
select connect to the server,
get a certificate from GoDaddy for mail.affordputerservices.com,
next get a Windows security dialog box to connect to the Remote Desktop Gateway,
enter user name and password again, then receive a certificate warning that the certificate is wrong.
However, the certificate is for server.ipelec.local and is a self-signed certificate.
I see that this certificate expires in 6 months from a fresh server install. I have worked on and off on this
for 6 months on my server to fix this. I even see there is an Experts Exchange question which has not been answered.

**********Contact info deleted by TechSoEasy***********
bwander (Asker):

a1 - Can you confirm you don't get a warning when choosing a workstation to connect to, but do receive a cert warning when choosing the server?
a1computer1:

Oops, I meant I receive a certificate with the eots server name
mail.affordputerservices.local

New info: if I do this internally it works.
So if I go to http://mail.affordputerservices.com from my PC
I get routed to https://mail.affordputerservices.com/remote,
I then select to connect to the server eots,
I then get an SSL cert from GoDaddy,
then a security log-in screen (name, password),
and then I am in.

**********Contact info deleted by TechSoEasy***********

The difference is I do not get a self-issued cert after the security log-in screen.

a1computer1:

I have only two workstations in my small business and they are configured to connect to an SBS 2003 machine.
I wanted to get this fixed first as I saw that the cert expires in 6 months, so this is the only machine I can connect to at this time.
This install was from the Action Pack but it took the keys for a retail SBS license. I initially thought that it was because this was an Action Pack install that the cert was good only for 6 months; however, on a brand new install with OEM media this same error happens on a production server and will time out in 6 months.

I really can't believe that there is not a better answer for this as 2011 has been out for 6 months now.

I take it you never got an answer. Can you connect to your server internally through the web http://servername.remte
then connect to computer, and select server and have it work without prompting about a local self-issued cert?

dale
bwander (Asker):
I haven't tried. Since this is for a client, it's not really an issue for them, since they don't connect to the server. I just want to fix it for my own benefit and to know what is wrong. Also, it still works after clicking through the cert warning.

BTW, The expiration is not an issue.  You just renew it in SBS console, as needed.
a1computer1:
The other business that has this SBS installed only connects to the server so they can use QuickBooks. The users will not connect to their PCs on the weekend as they are laptops and they will take them with them.

So I have two installations that give the same error as you when I connect to a server.

Do you think the answer is getting a cert that will support both mail.affordputerservices.com
and affordputer.local?

Do they make such a cert, and if all SBS installs use .local, why have I not seen more people with this problem?

a1computer1:
Dear EE Zone Advisor,
Actually I have the same error (receive self-signed certificate with .local) and was wondering if it occurs when he connects to his server, which he says he has not tried.

Secondly, I did supply new info in that I do not have the problem when connecting to the web site internally,

so this may be an external issue, which would be new info.

Third, I guess I should not have included personal info (name, address, phone number). I just have nothing to hide and have even included the web server links so that people can see the errors for themselves. I will not include my contact info again, but I do not see how including the specific web links can cause a problem; instead they provide more info to solve it.

I have had this same problem for 6 months now and have been searching off and on for a solution, and

in desperation to solve my problem I have joined Experts Exchange now with a 1 year membership for 100 dollars a year. Having spent this much I guess I jumped right in to see if this user knew anything new and if I could contribute something. I do not have any external clients hooked up to my test machine, so I can't check to see if I get the same error connecting to a client; I just know I get the same error connecting to a server.

Having not read any info but trying to jump start this, I did state that I would hire someone if needed. No, I did not know that is possible somehow.

So I guess I am willing to hire you if you have a solution.
Sincerely, Dale

PS: if you want to call me I guess you know how to look up the info and are welcome to and encouraged to.
Let's all work together to help resolve this 1 1/2 month old question and make both of us happy and probably many more.
Dale, new user

TechSoEasy:

FYI, I did come across this article today:

http://blog.bruteforcetech.com/index.php/archives/748

Haven't really looked into whether or not it will help, but thought I'd pass it along.

Jeff
TechSoEasy
a1computer1:
I have almost the answer.

Open mmc from the Run line.

Add Certificates.

Then navigate to Remote Desktop \ Certificates.

Full path: Console1\Certificates (Local Computer)\Remote Desktop\Certificates.
You will notice that the 6 month, self-signed server cert with .local is stored there.

I will attempt to delete it tomorrow on my test server and verify it is not needed.

If it is needed (not able to connect to the server after removal), why not import the 3rd party cert from GoDaddy that was purchased earlier and already imported into Intermediate and through the wizard?

Dale Bush
a1computer1:

I tried deleting that cert after backing it up, and I tried importing the GoDaddy cert. Wow,

did that break things. Leave it as the stupid 6 month .local CA self-signed cert.
After removal I had all kinds of problems.

web.config complained in the remote section and I was not able to get an initial log-in page.
I even tried importing the GoDaddy SSL one;
still problems remained with SSL web page errors.
Then I reimported the cert that I deleted, then found the new cert it created also showed up, so there were 2 self-issued 6 month certs in the Remote Desktop folder, with different start and end dates.

I am going to have to start the reimporting of the SSL key from scratch and rekey the server from GoDaddy.

So either the GoDaddy intermediate cert has problems with the .local and a different key is needed, or maybe just buy a top level one.

I am placing a call to GoDaddy tonight, Sun 7/10/11, and looking at Thawte.
There has to be an answer somewhere.
This question needs more points awarded; maybe that would help.
bwander (Asker):
On a completely different server, I followed Sean's article (see above) and it works correctly. I do not get a cert warning when choosing to connect to a desktop, nor do I get a warning when choosing to connect to the server.

I have not tried to compare the two servers settings, in the areas we have been working in, but will try to identify any differences and post what I find.

TechSoEasy:

Have you taken a look at the installed certificates to see if perhaps there is an extra? Did you run the Connect to the Internet Wizard more than once on the first server? (Changing anything at all?)

Jeff
TechSoEasy

TechSoEasy:

The idea of importing your trusted certificate into the Remote Desktop \ Certificates store may be a good idea.

What I found is that even if you delete the self-signed cert from there, then import the trusted cert... the self-signed will be returned after you run the "Fix My Network" wizard...

HOWEVER... this did stop the warning when connecting to machines from outside the network.

So I'd suggest that you give this a try...

Steps to follow:

1. Delete the self-signed .crt file from Remote Desktop \ Certificates Store
2. Import the Trusted (GoDaddy) certificate into that store (so you now have that cert installed in both personal and remote desktop stores)
3. Run the Fix-My-Network wizard found in the SBS Console > Network > Connectivity tab

Let me know if that works.

Jeff
TechSoEasy
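A diagnostic script for the situation in this thread, added here as an example (it is not code from the thread, from Microsoft or from GoDaddy): it reads the thumbprint the RDP listener is bound to through the Win32_TSGeneralSetting WMI class, looks that certificate up in the Remote Desktop and Personal stores, finds the third-party certificate by the external name you pass (remote.domain.com is a placeholder), warns when the bound certificate is self-signed or when the trusted one lacks a .local SAN, and with -Apply binds the trusted certificate to the listener. It assumes PowerShell 2.0 on SBS 2011 / Server 2008 R2, an elevated prompt, and a listener named RDP-Tcp.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 2.0 prompt
# on SBS 2011 / Server 2008 R2 and the default 'RDP-Tcp' listener name.
param(
    [string]$ExternalName = 'remote.domain.com',   # placeholder: your RWW host name
    [switch]$Apply                                  # bind the trusted cert to the listener
)

function Get-SanList($cert) {
    # Decode the Subject Alternative Name extension (OID 2.5.29.17) to readable text
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) { $ext.Format($false) } else { '(no SAN extension)' }
}

# 1. Which certificate is the RDP listener bound to right now? The listener uses
#    the thumbprint in SSLCertificateSHA1Hash, not simply "whatever is in the store".
$tsSetting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if (-not $tsSetting) { Write-Warning 'RDP-Tcp listener not found'; return }
$boundThumb = $tsSetting.SSLCertificateSHA1Hash
$bound = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $boundThumb } | Select-Object -First 1
Write-Host "Listener-bound thumbprint : $boundThumb"
if ($bound) {
    Write-Host "  Subject : $($bound.Subject)"
    Write-Host "  Issuer  : $($bound.Issuer)"
    Write-Host "  Expires : $($bound.NotAfter)"
    Write-Host "  SAN     : $(Get-SanList $bound)"
    if ($bound.Subject -eq $bound.Issuer) {
        Write-Warning 'Bound cert is self-signed (the auto-generated .local cert).'
    }
}

# 2. Find the trusted third-party cert in the Personal store by the external name
$trusted = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey -and $_.Subject -ne $_.Issuer -and
                   (Get-SanList $_) -match [regex]::Escape($ExternalName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $trusted) { Write-Warning "No third-party cert for $ExternalName in LocalMachine\My"; return }
Write-Host "Trusted cert thumbprint   : $($trusted.Thumbprint)"
Write-Host "  SAN     : $(Get-SanList $trusted)"
# The thread's point: to present this cert without a warning for the server itself,
# its SAN list needs servername.domain.local as well as the external names.
if ((Get-SanList $trusted) -notmatch '\.local') {
    Write-Warning 'Trusted cert has no .local SAN; connections to the server by that name will still warn.'
}

# 3. Optionally bind the trusted cert to the listener. The listener's service account
#    (NETWORK SERVICE) must have read access to the private key for this to take effect.
if ($Apply -and $boundThumb -ne $trusted.Thumbprint) {
    Set-WmiInstance -Path $tsSetting.__PATH `
        -Arguments @{ SSLCertificateSHA1Hash = $trusted.Thumbprint } | Out-Null
    Write-Host "Bound $($trusted.Thumbprint) to RDP-Tcp."
}
```

Run it without -Apply first on the server that warns and on the one that does not; a different bound thumbprint or a missing .local SAN is the difference to look for.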
bwander (Asker):
I haven't had a chance to compare the two servers, nor to try TechSoEasy's last suggestion. Following Sean's article to the letter is the best suggestion for avoiding this problem in the first place.