Solved

Help with remote desktop certificate on cloud server 2008 R2

Posted on 2013-02-03
Last Modified: 2015-06-23
Recently my organization moved to a cloud server and everyone connects via remote desktop. I wasn't the one who set up the server and the person who did is gone so I can't just ask them. We don't use the server for any web services, thus we have no FQDN for it.

Just over the last few days, when users go in via remote desktop they get the warning that the computer cannot be authenticated due to problems with the certificate. It says the certificate is not from a trusted authority and if, from there, I choose to view the certificate, it tells me that "This CA root certificate is not trusted. To enable trust install this certificate in the Trusted Root Certification Authorities store". The valid from and to dates are current (the from date started a couple days ago, when people started getting this warning) and the from and to issuer are the same and appear to be the name of the server.
But if I ignore the warning and go on the server I don't know what to do. I tried to do what they say and install this certificate in the Trusted Root (i.e. mmc -> add snap-in blah blah) but when it gets to the point of actually adding it to the root I can't find the certificate. I tried searching the whole server for a certificate with that name or something similar and it can't find it. Where the heck is it if it's already there and waiting to be put in the trusted root?
Then I tried buying a certificate but that didn't work either because the issuer rejects the CSR I create because we don't have a FQDN. Then they ask me to get a FQDN. If that's all required, how was it working for 3 months?
I know this cannot be that difficult but have searched for days online and can't find a solution that applies to this particular issue of apparently having (I guess) a self-signed certificate for Remote Desktop.
Question by:mignonnedavis
9 Comments
 
LVL 4

Expert Comment

by:Thomas WERNHER
ID: 38848537
Hi,

My guess would be that the certificate was self-signed.
If I understand you right, you added the certificate in the trusted root of the server when it's your clients who are receiving the warning.
Thus, I would recommend pushing the certificate through a GPO into the trusted root store of your clients...

One other question:
If your server is in the cloud (I understand what you called cloud as hosted somewhere in the web...) and you don't have an FQDN, it's simply impossible for you to join it, unless you have a GNZ or WINS which points to an IP (or FQDN)...
In the old school days, guys (and we're cleaning that up at work actually) were working with the host and hosts files on the client computers...

Have you checked those few places?

Thanks for your update.

Cheers.
T
 

Author Comment

by:mignonnedavis
ID: 38848608
I understand your first point - that I can install the certificate on the clients' computers.  I tried, it doesn't work. I get the same message the next time I try, even though the client computer tells me it did install it successfully in the root store.
The other things you say I don't understand.  "If you don't have an FQDN, it's simply impossible for you to join it"  I'm not sure what it is.  Do you mean it's impossible to get an SSL certificate?
Finally, I'm not sure what I'm looking for on the host files of the client computer.  What would be there?  I'm looking for the certificate on the server, I'm not sure what I'm looking for on the client computer.
I am totally lost.  How was this working up to 2 days ago?  Wouldn't the fact that it was working for 3 months mean it's possible to do?  If there is a current self-signed certificate on the server, why can't I use it?
 
LVL 4

Expert Comment

by:Thomas WERNHER
ID: 38848644
Hi,

Don't worry, we're gonna sort that out...

So, just for an example, na.dx.french.be is an FQDN (fully qualified domain name);
www is the computer name.

If you just enter www to join a host on the web, it won't work.
But if you enter www.na.dx.french.be you'll join the host named www in the na.dx.french.be domain name. (www.na.dx.french.be is the FQDN of the www server.)

So, from here, what address do you enter to join your host in the cloud via RDP?

Cheers.

T
 

Author Comment

by:mignonnedavis
ID: 38848661
We specify an IP address.  I would rather not post it here.  Can I get it to you some other way?

 
LVL 4

Expert Comment

by:Thomas WERNHER
ID: 38848695
Sure,

you can send it to my mailbox: tom_w777 <at> Hotmail <dot> com
btw, could you post screenshots (pass them through Paint to strip the confidential data) of the error msg?

cheers
T
 

Author Comment

by:mignonnedavis
ID: 38848812
OK, I attached the file and emailed you
 
LVL 4

Accepted Solution

by:
Thomas WERNHER earned 500 total points
ID: 38860630
Hi,

Sorry for the late answer. A lot of work these days :)

Think I found it.
I set up a little lab with a single RDP host and a self-signed certificate, and despite adding it to the trusted stores (users & computers) and a lot of other cert stores it kept showing me the warning.

Poking around, I found a useful option:
Mstsc Warnings
So, I chose "don't warn me" and it's now OK...

Cheers.
T
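
The question asks where on the server the certificate shown in the warning actually lives. One way to locate and export it, as an added example that is not from the thread; the output path `C:\Temp\rdp-listener.cer` is an assumption, and the script is meant for an elevated PowerShell prompt on the RDP server:

```powershell
# Added example. $outFile is an assumed path; change it as needed.
$outFile = 'C:\Temp\rdp-listener.cer'

# 1. Ask the RDP-Tcp listener which certificate it presents (SHA-1 thumbprint).
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash
if (-not $thumb) { throw 'No certificate is bound to the RDP-Tcp listener.' }

# 2. Find that thumbprint. Auto-generated self-signed listener certificates
#    sit in the "Remote Desktop" store, not in Personal (My) or Trusted Root,
#    which is why browsing the usual stores does not turn them up.
$cert = $null
foreach ($store in 'Remote Desktop', 'My') {
    $path = "Cert:\LocalMachine\$store"
    if (-not (Test-Path $path)) { continue }
    $cert = Get-ChildItem $path | Where-Object { $_.Thumbprint -eq $thumb }
    if ($cert) { "Found in store: $store"; break }
}
if (-not $cert) { throw "Certificate $thumb not found in the local machine stores." }

# 3. Print the details a client sees, so the thumbprint in the mstsc warning
#    can be compared with the server's own value before it is trusted.
"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Self-signed : $($cert.Subject -eq $cert.Issuer)"
"Valid       : $($cert.NotBefore) to $($cert.NotAfter)"
"Thumbprint  : $($cert.Thumbprint)"

# 4. Export the public certificate only (DER, no private key).
$dir = Split-Path $outFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$der = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($outFile, $der)
"Exported to : $outFile"

# 5. On each client, from an elevated prompt, after copying the file over:
#      certutil -addstore Root rdp-listener.cer
#    The name typed into mstsc must also match the certificate subject;
#    connecting by IP address still produces a name-mismatch warning.
```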
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40845607
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.