Solved

W2k8 R2 RDP-TCP Settings - Cannot assign self-signed certificate

Posted on 2013-11-27
Last Modified: 2013-12-19
Hello Experts,

I am getting mad here :(

I have created a self-signed, server-authenticated certificate for my terminal server farm named “TSF-Office.domain.local”. The certificate is valid, but I cannot assign it to the RDP-TCP settings in Remote Desktop Session Host Configuration.

I choose the RDP-TCP properties, then I go to the certificate, which is named “auto generated” at the moment.
Then I choose “Select” to assign my certificate, but instead of showing a list of my certificates there is a popup message telling me “There are no installed Certificates on this remotedesktop Sessionhost”.
But the certificates are listed under “Personal\Certificates” in the Certificates snap-in. What am I missing?
Question by:Phoenixfeuer
LVL 9

Expert Comment

by:VirastaR
ID: 39680500
Hi,

The certificate is installed into the computer’s “Personal” certificate store, correct?

If you access the certificate, does it have a private key in it?

Private Key
If you have a private key and it is still not working, then check this (similar issue):
Remote Desktop Services - How to generate and select a certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/46888694-c85a-4c48-bd90-c5fd0c3d7fc8/remote-desktop-services-how-to-generate-and-select-a-certificate

Additional Reference:
Securing Remote Desktop Services in Windows Server 2008 R2
http://www.windowsecurity.com/articles-tutorials/misc_network_security/Securing-Remote-Desktop-Services-Windows-Server-2008-R2.html

Hope that helps :)

Author Comment

by:Phoenixfeuer
ID: 39680794
Hi Virastar.
Thanks for this. I am getting closer. There was no private key in this server authentication certificate.
The problem is I want to certify a terminal server farm. Let's name it
TS-Farm.contose.com
In this farm I have two terminal servers, w2k8-tsrv01 and w2k8tsrv02. When I connect to the farm I always get the error message that the certificate is wrong, because I want to connect to TS-Farm.contose.com but the server I physically reach is w2k8-tsrv01 or w2k8tsrv02,
so the warning is right.

Can you help me with this?
LVL 9

Accepted Solution

by:
VirastaR earned 300 total points
ID: 39683257
Hi,

Glad to hear that you got close to the issue.

OK, going by your example:

TerminalServerFarm - TS-Farm.contose.com (Common Name)
Two Terminal Servers : w2k8-tsrv01.contose.com or w2k8tsrv02.contose.com

In your case you are getting a warning sign when you try to connect because the Certificate Authority is trying to authenticate your login based on your common name; however, it does not match the FQDN of the server you are trying to log in to, on the common name or anywhere else. So to overcome this scenario, in the case of multiple-server authentication using a single certificate, we need to have something called a SAN certificate (Subject Alternate Name).

Apply SAN Certificate to your scenario:
TerminalServerFarm - TS-Farm.contose.com (Common Name)
                                       w2k8-tsrv01.contose.com (Subject Alternative Name1)
                                       w2k8tsrv02.contose.com  (Subject Alternative Name2)

So, in the above case, what will happen is that when a common name lookup fails it looks into the Subject Alternative Name, and if the FQDN matches then it will validate against it, even though the Common Name does not match ;)

How to generate a certificate with subject alternative names (SAN)
http://blogs.technet.com/b/isablog/archive/2011/10/09/how-to-generate-a-certificate-with-subject-alternative-names-san.aspx

Hope that helps :)
0
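The checks discussed in this thread (certificate in the computer's Personal store, private key present, farm and host names covered by the CN or SAN entries) can be run in one pass. The following PowerShell is an added example, not part of the original posts; the host names are the ones used in the thread, and the `DNS` label prefix in the formatted SAN text is an assumption because Windows localizes it.

```powershell
# Added example; host names are the ones used in this thread.
$requiredNames = 'TS-Farm.contose.com', 'w2k8-tsrv01.contose.com', 'w2k8tsrv02.contose.com'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-NameMatch([string]$Name, [string[]]$Presented) {
    # Exact match, or a single-label wildcard such as *.contose.com
    foreach ($p in $Presented) {
        if ($p -eq $Name) { return $true }
        if ($p.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.')) -eq $p.Substring(1)) { return $true }
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Names the certificate presents: subject CN plus any SAN DNS entries.
    $presented = @($cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Select-Object -First 1
    if ($san) {
        # Format($true) prints one entry per line, e.g. "DNS Name=host.example".
        # Assumption: the label starts with "DNS" (the text is localized by Windows).
        $presented += @($san.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^DNS' } |
            ForEach-Object { ($_ -replace '^[^=]+=', '').Trim() })
    }
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # No EKU extension means the certificate is not restricted to specific purposes.
    $serverAuth = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0)
    $missing = @($requiredNames | Where-Object { -not (Test-NameMatch $_ $presented) })
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $serverAuth
        Expires       = $cert.NotAfter
        MissingNames  = $missing -join ', '
    }
} | Format-List Subject, Thumbprint, HasPrivateKey, ServerAuthEku, Expires, MissingNames
```

A certificate that reports `HasPrivateKey : False` matches the situation the asker found, and a non-empty `MissingNames` lists the farm or host names that would still trigger the name-mismatch warning.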
 

Author Closing Comment

by:Phoenixfeuer
ID: 39729252
Thanks for your help and sorry for my late reply