marrj
Terminal Server 2008 WildCard Certificate Error
I have a basic Windows 2008 terminal server that I have installed my wildcard Comodo certificate on to try to rid my users of the annoying certificate error when they connect via the RDP client. Unfortunately, it is not working. The certificate in the error message has definitely changed from the self-generated one to the *.domain.com cert that I installed, but Windows is still throwing a fit because it does not match the hostname that the users must enter to access the host. Do wildcards work in TS 2008? I don't have TS Gateway or Web App set up, just a plain jane 2008 Terminal Server.
ASKER
The users are entering an alias of the server name created by an alias in DNS so that they don't have to remember the hostname.
That won't work. If you don't want to throw any kind of SSL error, they have to use the full URL.
Coralon
I am thinking of two possibilities:
a) I think it may be more of a need for a Subject Alternative Name (SAN) in the certificate.
E.g. SAN attributes take the following form: san:dns=dns.name[&dns=dns.name]
Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both of these names must be included in the SAN attributes. The resulting attribute string appears as follows: san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
@ http://support.microsoft.com/kb/931351
@ http://www.bunkerhollow.com/blogs/matt/archive/2009/01/28/install-amp-configure-ts-web-access-for-external-use.aspx
b) I also saw another forum thread that may have a related DNS alias issue:
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/001981f5-62a5-4234-9a09-2b442e7bbccf
RDC 6.1 or above is also needed on the client.
And for a certificate to be used for RDP it must have Server Authentication (1.3.6.1.5.5.7.3.1).
http://serverfault.com/questions/201451/install-certificate-in-rdp-tcp-properties
Event ID 1054 — Terminal Services Authentication and Encryption
http://technet.microsoft.com/en-us/library/cc775272%28WS.10%29.aspx
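An added example, not part of the original thread: a small Python model of the two checks discussed above, namely whether the name the user types matches a DNS name in the certificate (a wildcard covers exactly one left-most label, and a DNS alias does not change the name being compared) and whether the Server Authentication OID is present. The host names `ts01` and `remote.corp.domain.com` and the function names are hypothetical; the two-label minimum after `*` is an assumed, commonly applied client policy.

```python
# Added illustration; names below are constructed, not taken from a real server.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # Server Authentication, as cited in the thread


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the name the user typed."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so label counts must agree.
        # This is why a short alias or a deeper sub-domain fails.
        return False
    if p[0] == "*":
        # Assumed policy: reject overly broad patterns such as "*.com",
        # and accept "*" only as the complete left-most label.
        if len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def rdp_cert_problems(typed_name, dns_names, eku_oids):
    """Return the reasons a client would warn, or [] if both checks pass."""
    problems = []
    if not any(name_matches(n, typed_name) for n in dns_names):
        problems.append("name mismatch")
    if SERVER_AUTH_OID not in eku_oids:
        problems.append("missing Server Authentication EKU")
    return problems


def demo():
    """Run the checks over constructed cases and return the results."""
    wildcard = ["*.domain.com"]
    san_list = ["corpdc1.fabrikam.com", "ldap.fabrikam.com"]  # SAN example from the thread
    eku = {SERVER_AUTH_OID}
    return {
        "ts01.domain.com": rdp_cert_problems("ts01.domain.com", wildcard, eku),
        "ts01": rdp_cert_problems("ts01", wildcard, eku),
        "remote.corp.domain.com": rdp_cert_problems("remote.corp.domain.com", wildcard, eku),
        "ldap.fabrikam.com": rdp_cert_problems("ldap.fabrikam.com", san_list, eku),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```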