Solved

W2k8 R2 RDP-TCP Settings  - Can not assign SelfSigned certificate

Posted on 2013-11-27
Last Modified: 2013-12-19
Hello Experts,

I am going mad here :(

I have created a self-signed server authentication certificate for my Terminal Server farm named “TSF-Office.domain.local”. The certificate is valid, but I cannot assign it to the RDP-TCP settings in Remote Desktop Session Host Configuration.

I open the RDP-TCP properties, then go to Certificate, which currently shows “Auto generated”.
Then I click “Select” to assign my certificate, but instead of showing a list of my certificates there is a popup message telling me “There are no installed certificates on this Remote Desktop Session Host”.
But the certificates are listed under “Personal\Certificates” in the Certificates snap-in. What am I missing?
Question by: Phoenixfeuer

4 Comments

Expert Comment by: VirastaR
Hi,

The certificate is installed into the computer's “Personal” certificate store, correct?

If you open the certificate, does it have a private key in it?

Private Key
If you have a private key and it is still not working,

then check this (similar issue):
Remote Desktop Services - How to generate and select a certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/46888694-c85a-4c48-bd90-c5fd0c3d7fc8/remote-desktop-services-how-to-generate-and-select-a-certificate

Additional reference:
Securing Remote Desktop Services in Windows Server 2008 R2
http://www.windowsecurity.com/articles-tutorials/misc_network_security/Securing-Remote-Desktop-Services-Windows-Server-2008-R2.html

Hope that helps :)
Author Comment by: Phoenixfeuer
Hi VirastaR.
Thanks for this. I am getting closer. There was no private key in this server authentication certificate.
The problem is that I want to certify a Terminal Server farm. Let's name it
TS-Farm.contose.com
In this farm I have two Terminal Servers, w2k8-tsrv01 and w2k8tsrv02. When I connect to the farm I always get the error message that the certificate is wrong, because I want to connect to TS-Farm.contose.com but the server I physically reach is w2k8-tsrv01 or w2k8tsrv02,
so the warning is right.

Can you help me with this?
Accepted Solution by: VirastaR (earned 300 total points)
Hi,

Glad to hear that you got closer to the issue.

OK, going by your example:

Terminal Server farm - TS-Farm.contose.com (Common Name)
Two Terminal Servers: w2k8-tsrv01.contose.com and w2k8tsrv02.contose.com

In your case you are getting a warning when you try to connect because the Certificate Authority is trying to authenticate your login based on your common name; however, it does not match the FQDN of the server you are trying to log in to, either in the common name or anywhere else. So, to overcome this scenario in the case of multiple-server authentication using a single certificate, we need something called a SAN certificate (Subject Alternative Name).

Apply a SAN certificate to your scenario:
Terminal Server farm - TS-Farm.contose.com (Common Name)
                                       w2k8-tsrv01.contose.com (Subject Alternative Name 1)
                                       w2k8tsrv02.contose.com  (Subject Alternative Name 2)

So, in the above case, what will happen is that when the common name lookup fails it looks into the Subject Alternative Name, and if the FQDN matches then it will validate against it, even though the Common Name does not match ;)

How to generate a certificate with subject alternative names (SAN)
http://blogs.technet.com/b/isablog/archive/2011/10/09/how-to-generate-a-certificate-with-subject-alternative-names-san.aspx

Hope that helps :)
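Added example (not part of the thread, and not VirastaR's or the asker's code): the two checks raised above, private key present and the SAN covering both the farm name and the individual hosts, can be run from PowerShell on the session host instead of clicking through the dialog, and the certificate can be bound to the RDP-Tcp listener the same way. The script assumes the SAN certificate has already been imported with its private key into the computer's Personal store (Cert:\LocalMachine\My), and the farm and host names are the hypothetical ones from the thread. It sticks to the Cert: drive and Get-WmiObject because Windows Server 2008 R2 ships PowerShell 2.0. Two caveats worth knowing: a validator that finds a SAN extension generally matches only against the SAN, so put the farm name in the SAN as well as the CN; and a self-signed certificate will still produce a warning on clients that do not trust it, just a different one (untrusted issuer instead of name mismatch), unless it is installed in the clients' Trusted Root store.

```powershell
# Added example (not from the original thread). Assumptions: the SAN
# certificate has already been imported WITH its private key into the
# computer's Personal store (Cert:\LocalMachine\My) on this session host,
# and the farm/host names below are the hypothetical ones from the thread.
# Run in an elevated PowerShell on each RD Session Host in the farm.
$FarmName = 'TS-Farm.contose.com'
$Hosts    = @('w2k8-tsrv01.contose.com', 'w2k8tsrv02.contose.com')
$Required = @($FarmName) + $Hosts
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

# 1. Candidate certificate: issued to the farm name, has a private key,
#    carries the Server Authentication EKU, and is currently valid.
#    (Any one of these missing is enough for "Select" to list nothing.)
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "CN=$FarmName*" -and
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
        ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    })
} | Select-Object -First 1

if (-not $cert) {
    throw "No valid server-authentication certificate with a private key for CN=$FarmName in LocalMachine\My"
}

# 2. Subject Alternative Name (OID 2.5.29.17): every name a client may type
#    or be redirected to must appear as a DNS entry.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no SAN extension' }
$sanText  = $sanExt.Format($false)   # "DNS Name=TS-Farm.contose.com, DNS Name=w2k8-tsrv01.contose.com, ..."
$sanNames = [regex]::Matches($sanText, 'DNS Name=([^,]+)') | ForEach-Object { $_.Groups[1].Value.Trim() }
$missing  = $Required | Where-Object { $sanNames -notcontains $_ }
if ($missing) { throw "SAN is missing: $($missing -join ', ')" }

# 3. Bind the certificate to the RDP-Tcp listener. This is the same setting
#    the RD Session Host Configuration dialog writes (SSLCertificateSHA1Hash).
$wmiArgs  = @{ Namespace = 'root\cimv2\TerminalServices'; Class = 'Win32_TSGeneralSetting'; Filter = "TerminalName='RDP-Tcp'" }
$listener = Get-WmiObject @wmiArgs
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Read the listener back and confirm the thumbprint took effect.
$listener = Get-WmiObject @wmiArgs
if ($listener.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw 'RDP-Tcp listener still does not report the new thumbprint'
}
"RDP-Tcp now presents $($cert.Subject) (thumbprint $($cert.Thumbprint); SAN: $($sanNames -join ', '))"
```

Each throw corresponds to one of the failure modes in the thread: the first is the “There are no installed certificates” popup (no usable certificate with a private key), the second and third are the name-mismatch warning (no SAN, or a SAN that omits a host name). Run it on every session host in the farm, since each listener is configured independently.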
Author Closing Comment by: Phoenixfeuer
Thanks for your help, and sorry for my late reply.