  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 46

Help with remote desktop certificate on cloud server 2008 R2

Recently my organization moved to a cloud server and everyone connects via Remote Desktop. I wasn't the one who set up the server, and the person who did is gone, so I can't just ask them. We don't use the server for any web services, thus we have no FQDN for it.

Just over the last few days, when users go in via Remote Desktop they get the warning that the computer cannot be authenticated due to problems with the certificate. It says the certificate is not from a trusted authority and, if I choose to view the certificate from there, it tells me "This CA root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store". The valid-from and valid-to dates are current (the from date started a couple of days ago, when people started getting this warning), and the "issued to" and "issued by" names are the same and appear to be the name of the server.
But if I ignore the warning and go on the server, I don't know what to do. I tried to do what they say and install this certificate in the Trusted Root (i.e. MMC -> Add Snap-in, etc.), but when it gets to the point of actually adding it to the root I can't find the certificate. I tried searching the whole server for a certificate with that name or something similar and it can't find it. Where the heck is it if it's already there and waiting to be put in the trusted root?
Then I tried buying a certificate, but that didn't work either because the issuer rejects the CSR I create because we don't have an FQDN. Then they ask me to get an FQDN. If that's all that's required, how was it working for 3 months?
I know this cannot be that difficult, but I have searched for days online and can't find a solution that applies to this particular issue of apparently having (I guess) a self-signed certificate for Remote Desktop.
Asked by mignonnedavis
1 Solution
 
Thomas WERNHER (Configuration Manager) commented:
Hi,

My guess would be that the certificate was self-signed.
If I understand you right, you added the certificate in the trusted root of the server when it's your clients who are receiving the warning.
Thus, I would recommend pushing the certificate through a GPO into the trusted root store of your clients...

One other question:
If your server is in the cloud (I understand what you called cloud as hosted somewhere on the web...) and you don't have an FQDN, it's simply impossible for you to join it, unless you have a GNZ or WINS which points to an IP (or FQDN)...
In the old school days, guys (and we're cleaning that up at work actually) were working with the host and hosts files on the client computers...

Have you checked those few places?

Thanks for your update.

Cheers.
T
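The answer above recommends distributing the self-signed certificate to the clients' trusted root stores, and the question asks where on the server that certificate even is. The PowerShell below is an added example, not code from this thread or from either participant: it reads the thumbprint the RDP listener is configured to present, finds the matching certificate in the server's "Remote Desktop" certificate store (which is where the auto-generated self-signed certificate lives, not in "Personal"), exports its public half as a .cer file, and on a client checks whether that exact thumbprint is already in Trusted Root before importing it. It assumes the default `RDP-Tcp` listener, an elevated session, and a placeholder export path; the helper function names are mine.

```powershell
# Added example (not from the thread). Assumes the default 'RDP-Tcp' listener,
# an elevated PowerShell session, and placeholder paths.

function Get-RdpListenerCertificate {
    # Run on the server: returns the X509Certificate2 the RDP listener presents.
    param([string]$ListenerName = 'RDP-Tcp')

    # The listener configuration stores only the SHA-1 thumbprint of its certificate.
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='$ListenerName'"
    if (-not $listener) { throw "No RDP listener named $ListenerName" }
    $thumb = $listener.SSLCertificateSHA1Hash

    # The auto-generated self-signed certificate is kept in the machine's
    # 'Remote Desktop' store, so a search of the 'Personal' store misses it.
    $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "Listener thumbprint $thumb not found in the Remote Desktop store" }
    return $cert
}

function Export-PublicCertificate {
    # Write only the public half (DER .cer, no private key) for distribution to clients.
    param(
        [Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Path
    )
    $der = $Certificate.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($Path, $der)
    return $Path
}

function Test-RdpCertificateTrusted {
    # Run on a client: is a certificate with this thumbprint in the machine Trusted Root store?
    param([string]$Thumbprint)
    $match = Get-ChildItem 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$match
}

# --- Server side ---
$cert = Get-RdpListenerCertificate
"Listener certificate: $($cert.Subject) issued by $($cert.Issuer)"
"Thumbprint: $($cert.Thumbprint)"
"Valid from $($cert.NotBefore) to $($cert.NotAfter)"
$cerFile = Export-PublicCertificate -Certificate $cert -Path 'C:\temp\rdp-host.cer'  # placeholder path

# --- Client side (after copying the .cer file over) ---
# The thumbprint shown in the client's warning dialog must equal the server's
# listener thumbprint above; if it differs, a different host is answering on
# that address and trusting whatever is presented is the wrong fix.
if (-not (Test-RdpCertificateTrusted -Thumbprint $cert.Thumbprint)) {
    # certutil ships with Windows; -addstore Root imports into the machine-wide
    # Trusted Root store. A GPO pushing the same .cer does this at scale.
    certutil -addstore Root $cerFile
}
```

Two things worth checking before rolling the .cer out: the thumbprint in the client's warning dialog should match the listener thumbprint read on the server, and the "issued to" name on the certificate is the server's computer name, so clients that connect by IP address (as described later in the thread) will still get a name-mismatch warning from mstsc even after the issuer is trusted, because the name typed into the client is compared against the certificate's subject.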
 
mignonnedavis (Author) commented:
I understand your first point - that I can install the certificate on the clients' computers. I tried, it doesn't work. I get the same message the next time I try, even though the client computer tells me it did install it successfully in the root store.
The other things you say I don't understand.  "If you don't have an FQDN, it's simply impossible for you to join it"  I'm not sure what it is.  Do you mean it's impossible to get an SSL certificate?
Finally, I'm not sure what I'm looking for on the host files of the client computer.  What would be there?  I'm looking for the certificate on the server, I'm not sure what I'm looking for on the client computer.
I am totally lost.  How was this working up to 2 days ago?  Wouldn't the fact that it was working for 3 months mean it's possible to do?  If there is a current self-signed certificate on the server, why can't I use it?
 
Thomas WERNHER (Configuration Manager) commented:
Hi,

Don't worry, we're gonna sort that out...

So, just for an example, na.dx.french.be is an FQDN (fully qualified domain name)
www is the computer name

If you just enter www to join a host on the web, it won't work.
But if you enter www.na.dx.french.be you'll join the host named www in the na.dx.french.be domain name. (www.na.dx.french.be is the FQDN of the www server.)

So, from here, what address do you enter to join your host in the cloud via RDP?

Cheers.

T
mignonnedavis (Author) commented:
We specify an IP address.  I would rather not post it here.  Can I get it to you some other way?
 
Thomas WERNHER (Configuration Manager) commented:
Sure,

you can send it to my mailbox: tom_w777 <at> Hotmail <dot> com
BTW, could you post screenshots (pass them through Paint to strip the confidential data) of the error message?

cheers
T
 
mignonnedavis (Author) commented:
OK, I attached the file and emailed you.
 
Thomas WERNHER (Configuration Manager) commented:
Hi,

Sorry for the late answer. A lot of work these days :)

I think I found it.
I set up a little lab with a single RDP host and a self-signed certificate, and despite adding it to the trusted stores (users & computers) and a lot of other cert stores it kept showing me the warning.

Poking around, I found a useful option:
Mstsc Warnings
So, I chose "don't warn me" and it's now OK...

Cheers.
T
 
Seth Simmons (Sr. Systems Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.