Solved

W2k8 R2 RDP-TCP Settings - Cannot assign self-signed certificate

Posted on 2013-11-27
Last Modified: 2013-12-19
Hello Experts,

I am getting mad here :(

I have created a self-signed, server-authenticated certificate for my terminal server farm named
“TSF-Office.domain.local”. The certificate is valid, but I cannot assign it to the RDP-TCP settings in Remote Desktop Session Host Configuration.

I choose the RDP-TCP properties, then I go to the certificate, which is named “auto generated” at the moment.
Then I choose “Select” to assign my certificate, but instead of showing a list of my certificates there is a popup message telling me “There are no installed Certificates on this remotedesktop Sessionhost”.
But the certificates are listed under “Personal\Certificates” in the Certificates snap-in. What am I missing?
Question by:Phoenixfeuer

Expert Comment

by:VirastaR
ID: 39680500
Hi,

The certificate is installed into the computer’s “Personal” certificate store, correct?

If you access the certificate, does it have a private key in it?

Private Key
If you have a private key and it is still not working,

then check this (similar issue):
Remote Desktop Services - How to generate and select a certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/46888694-c85a-4c48-bd90-c5fd0c3d7fc8/remote-desktop-services-how-to-generate-and-select-a-certificate

Additional Reference:
Securing Remote Desktop Services in Windows Server 2008 R2
http://www.windowsecurity.com/articles-tutorials/misc_network_security/Securing-Remote-Desktop-Services-Windows-Server-2008-R2.html

Hope that helps :)

Author Comment

by:Phoenixfeuer
ID: 39680794
Hi Virastar.
Thanks for this. I am getting closer. There was no private key in this server authentication certificate.
The problem is I want to certify a terminal server farm. Let's name it
TS-Farm.contose.com
In this farm I have two terminal servers, w2k8-tsrv01 and w2k8tsrv02. When I connect to the farm I always get the error message that the certificate is wrong, because I want to connect to TS-Farm.contose.com but the server I physically reach is w2k8-tsrv01 or w2k8tsrv02,
so the warning is right.

Can you help me with this?

Accepted Solution

by:
VirastaR earned 300 total points
ID: 39683257
Hi,

Glad to hear that you got close to the issue.

OK, going by your example:

TerminalServerFarm - TS-Farm.contose.com (Common Name)
Two Terminal Servers : w2k8-tsrv01.contose.com or w2k8tsrv02.contose.com

In your case you are getting a warning sign when you try to connect because the Certificate Authority is trying to authenticate your login based on your common name; however, it does not match the FQDN of the server you are trying to log in to, in the common name or anywhere else. So, to overcome this scenario in the case of multiple-server authentication using a single certificate, we need to have something called a SAN certificate (Subject Alternate Name).

Apply a SAN certificate to your scenario:
TerminalServerFarm - TS-Farm.contose.com (Common Name)
                     w2k8-tsrv01.contose.com (Subject Alternative Name1)
                     w2k8tsrv02.contose.com (Subject Alternative Name2)

So, in the above case, what will happen is that when a common name lookup fails it looks into the Subject Alternative Name, and if the FQDN matches then it will validate against it, even though the Common Name does not match ;)

How to generate a certificate with subject alternative names (SAN)
http://blogs.technet.com/b/isablog/archive/2011/10/09/how-to-generate-a-certificate-with-subject-alternative-names-san.aspx

Hope that helps :)

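A check for the two conditions this thread turns on, a private key on the certificate and names covering the farm and each host, as an added PowerShell example that is not part of any post above. The names are the thread's example names, and following the accepted answer the subject CN is counted alongside the SAN entries (an assumption of this example); matching is exact, so wildcard entries are not expanded.

```powershell
# Added example. The names are the example names used in this thread.
$requiredNames = 'TS-Farm.contose.com',
                 'w2k8-tsrv01.contose.com',
                 'w2k8tsrv02.contose.com'
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Get-SanValue($cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $ext) { return }
    # Format($true) prints one "label=value" entry per line. The label
    # ("DNS Name") is localized, so only the text after '=' is used.
    $ext.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

function Test-ServerAuth($cert) {
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }   # no EKU extension: not restricted by purpose
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}

# Computer account "Personal" store, the store asked about in the first reply.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    # Names the certificate vouches for: subject CN plus every SAN entry.
    # Assumption: CN is counted, as the accepted answer describes.
    $names   = @($_.GetNameInfo('SimpleName', $false)) + @(Get-SanValue $_)
    $missing = @($requiredNames | Where-Object { $names -notcontains $_ })
    New-Object PSObject -Property @{
        Subject       = $_.Subject
        HasPrivateKey = $_.HasPrivateKey
        ServerAuth    = (Test-ServerAuth $_)
        MissingNames  = ($missing -join ', ')
    }
} | Select-Object Subject, HasPrivateKey, ServerAuth, MissingNames |
    Format-List
```

A certificate that reports `HasPrivateKey : False` matches the condition the asker found, and a non-empty `MissingNames` lists the farm or host names a client would not find on it.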
Author Closing Comment

by:Phoenixfeuer
ID: 39729252
Thanks for your help and sorry for my late reply.