maxtexgr (United States of America) asked:
Terminal Server Farm .Local Domain Name Certificates

We have a Windows Server 2008 R Standard TS cluster setup using a farm name of tsfarm.domain.local FQDN with three members, e.g. tsmember1.domain.local.

When RDP 7.1 clients connect to tsfarm.domain.local and are redirected to a member, they get the certificate error:

"The name presented on the server's certificate (tsmember1.domain.local) does not match the server name provided (tsfarm.domain.local)"

I see these ways of getting around this:
- Create a local CA and from it create a cert for the farm members under .local and apply.  Add a root trust for the CA to anything outside of the domain like thin clients.  Downside of this would be the work involved and
- Purchase a .local SSL intranet cert from InstantSSL and apply to ts members.  Assuming these will not expire after Nov 1, 2015.  The cost for all 6 of our TS members would be $2009 which is too much.  Not sure if a SSL intranet wildcard cert is available to purchase.
- Change the entire domain to .com instead of .local.

Are there any better solutions here?  Is it possible to have the TS members present the SSL cert of tsmember1.domain.com and be accepted?  Could a CNAME in the local DNS server of tsmember1.domain.com pointing to tsmember1.domain.local help after the .com cert is applied?

Thank you
Tony J (United Kingdom) replied:

A SAN certificate would help - you could add all the .local addresses in.

If you already have an internal PKI/CA with AD you can edit the web server or server authentication templates to put the alternative names in.

Having said that, .local addresses are soon to be deprecated in certificates.

Or there's a workaround here: https://www.experts-exchange.com/questions/27238034/Create-certificate-for-2008-Terminal-Server-farm-name.html
Do you have both internal and external clients who access the TS Farm, or do only internal clients access it?
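The SAN approach above, worked through as an added example (this is not code from the thread or from either participant): on each farm member, request one certificate from the internal AD CS CA whose SAN carries both the member's own FQDN and the farm name from the question (tsfarm.domain.local), check the issued certificate really contains those names, and bind it to the RDP-Tcp listener. The CA config string `CA01.domain.local\Domain-CA` and the template name `TSFarmWebServer` are assumptions; the template is assumed to be a copy of Web Server with "Supply in the request" selected on its Subject Name tab and the RDS computer accounts granted Enroll. Run it in an elevated PowerShell session on the member itself.

```powershell
# Added example, not from the original thread. Requests a SAN certificate for
# this RD Session Host member (member FQDN + farm name) from an internal AD CS
# CA with certreq.exe and binds it to the RDP-Tcp listener.
#
# Assumptions (not on the page):
#   $CaConfig  - "<CA host>\<CA common name>" of the internal enterprise CA
#   $Template  - a Web Server clone with "Supply in the request" on the Subject
#                Name tab, so the SAN extension in the CSR is honoured.
#                Do NOT enable the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag
#                as a shortcut: it lets any enrollee request arbitrary names.

$FarmName   = 'tsfarm.domain.local'
$MemberName = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$CaConfig   = 'CA01.domain.local\Domain-CA'   # assumption
$Template   = 'TSFarmWebServer'               # assumption
$Work       = Join-Path $env:TEMP 'rds-san'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Every name a client might type or be redirected with goes into the SAN.
# The subject CN alone is not enough; clients match against the SAN.
$SanNames = @($MemberName, $FarmName)
$SanLines = ($SanNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# certreq INF; the [Extensions] block is the documented way to put a SAN
# (OID 2.5.29.17) into a certreq-generated request.
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$MemberName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = SHA256

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
$SanLines
"@

$InfPath = Join-Path $Work 'request.inf'
$ReqPath = Join-Path $Work 'request.req'
$CerPath = Join-Path $Work 'issued.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Create key pair + CSR in the machine store, submit to the CA, and install the
# issued certificate against the pending request.
& certreq.exe -new -f -q $InfPath $ReqPath
& certreq.exe -submit -f -q -config $CaConfig $ReqPath $CerPath
& certreq.exe -accept -f -q $CerPath

# Pick the newest cert with a private key for this host and verify the SAN
# before touching the listener; a cert missing the farm name reproduces the
# exact "name presented ... does not match" error from the question.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq "CN=$MemberName" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw "No issued certificate for CN=$MemberName found in LocalMachine\My" }

$SanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$Present = [regex]::Matches($SanExt.Format($false), 'DNS Name=([^,\s]+)') |
    ForEach-Object { $_.Groups[1].Value }
$Missing = $SanNames | Where-Object { $Present -notcontains $_ }
if ($Missing) { throw "Issued certificate is missing SAN entries: $($Missing -join ', ')" }

# Bind the certificate to the RDP-Tcp listener. This is the same setting the
# RD Session Host Configuration GUI writes; new connections use it immediately.
$WmiArgs = @{ Namespace = 'root\cimv2\TerminalServices'; Authentication = 'PacketPrivacy' }
$Listener = Get-WmiObject @WmiArgs -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $Listener.__PATH -Authentication PacketPrivacy `
    -Arguments @{ SSLCertificateSHA1Hash = $Cert.Thumbprint } | Out-Null

$Bound = (Get-WmiObject @WmiArgs -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($Bound -ne $Cert.Thumbprint) { throw "RDP-Tcp listener still bound to $Bound" }
Write-Host "RDP-Tcp now presents $($Cert.Thumbprint) with SAN: $($Present -join ', ')"
```

Two things to check after running it: the TermService account (NETWORK SERVICE) needs read access to the new private key, which the RD Session Host Configuration GUI grants automatically but certreq does not; if the listener logs a TerminalServices-RemoteConnectionManager error about the certificate, fix the key ACL. And this only solves the name-mismatch half of the problem: external clients that do not trust the internal CA will still see a chain error, so for them the issuing root has to be distributed, or a publicly trusted certificate used for names they can validate.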
maxtexgr (asker) replied:
Both internal and external.
Do the external clients experience the same certificate issues as the internal clients?
Yes, the certificate error comes from the farm member; it says the root CA is not trusted, as it's a locally signed certificate.
Any idea if we can have the TS member present the certificate of tsmember1.domain.com and be accepted even though its FQDN is tsmember1.domain.local?  It would be very helpful if we could do that.  Perhaps split DNS and a CNAME could help?
ASKER CERTIFIED SOLUTION by DrDave242 (United States of America)

This solution is only available to members of Experts Exchange.
This worked, thank you for your suggestion.