Solved

Windows 2012 R2 remote desktop gateway - "The identity of the remote computer cannot be verified.  Do you want to connect anyway?"

Posted on 2014-01-28
Medium Priority
8,137 Views
Last Modified: 2014-02-03
Hi,

We have an environment with Remote Desktop configured.
The servers are:

Windows server 2012 R2 - RD Web connection broker (Publishing)/RD Web/RD Gateway
Windows server 2012 R2 x 2 - RD Session hosts

The servers are configured and we can log on to the session hosts externally, both from RDWeb published remote desktop/remote app and using the remote desktop/remote app application in Windows, manually configured.

But we have one problem when we log on: every time we try to log on to a remote app or remote desktop session we get a certificate error for each RD Session host we have, saying "The identity of the remote computer cannot be verified.  Do you want to connect anyway?"

We have assigned a certificate to RD Gateway and through deployment settings for RD Web, RD Gateway and RD Connection broker (publishing).
The certificate was bought at GoDaddy.

The domain used internally is not the same as the external one; I'm guessing that's the reason for the error, but hopefully it is possible to resolve this problem.

Thanks!

Brg
Thomas B
0
Question by:thbor83
8 Comments
 
LVL 40

Expert Comment

by:Philip Elder
ID: 39815776
Workaround is to check the "Don't Bug Me Again" setting on the certificate warning since it is hung on the _local_ certificate generated by the RDS servers.

Make sure the GoDaddy cross_intermediate and intermediate certificates are installed on the RD Gateway server into the Intermediate Certificate Authorities container (Computer).

Philip
0
 

Author Comment

by:thbor83
ID: 39815874
Hello Philip, thanks for your suggestions.

Have added the intermediate and cross_intermediate certificates to the RD Gateway server, but this didn't help anything.

We checked the "Don't bug me again" setting, but the certificate error pops up again the next time I log on.

Brg,
Thomas B
0
 
LVL 40

Expert Comment

by:Philip Elder
ID: 39815913
Under Deployment Properties make sure the GoDaddy certificate is only hooked into your RDWeb and RD Gateway setup.

Do not hook the GoDaddy certificate into the server itself as this will take away the option to turn off the cert nag. If that is what happened then change the certificate back to the server's self-issued certificate.

Philip
0

 

Author Comment

by:thbor83
ID: 39818346
Thanks Philip for your suggestion, I have tried this without any luck.

Starting to think I have to configure everything on the same external domain with a wildcard certificate.

Or is there another configuration I should try? Or another setup that is better than the one I suggested now?
0
 
LVL 40

Expert Comment

by:Philip Elder
ID: 39819619
We have quite a few RD Gateway with RDWeb and RemoteApp along with RDS going with GoDaddy certificates with no issue.

RDS Certificates
That's the setup that allows users to click away the certificate nag.

Philip
0
 

Author Comment

by:thbor83
ID: 39820142
Thanks Philip,

I changed the settings for the certificate in the deployment properties but for me that didn't help.

So I changed the setup so that everything is on the same external domain external.com and bought a wildcard certificate.

When I now open an app from RDWeb it doesn't ask for the internal certificate, but if I open the app from the RemoteApp application in Windows 7 it asks for the certificate (but I can click away the certificate nag).

The same goes for "connect to remote computer" from RDWeb: I get a certificate warning.
I have tried to figure out how I can change the certificate for remote desktop so that it chooses the wildcard certificate instead of the local certificate.

Has anyone done this in RDS 2012 before? When checking online everyone is talking about RDS 2008 but since everything has been changed that doesn't work for me.
0
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 2000 total points
ID: 39820949
You need to issue a command to change the RDP-tcp listener on the RDS Session Host servers to use the certificate you have (the wildcard one). That should fix it.

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="YOUR_CERT_THUMBPRINT"

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
0
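The same change in PowerShell, with checks on the certificate before it is bound so that clients can verify the session host instead of clicking through the warning. This is an added example, not part of the original answer; the thumbprint and the host name `rdsh01.external.com` are placeholders, and the helper `Test-NameCoversHost` is hypothetical.

```powershell
# Added example, not from the original thread. Run elevated on each RD Session Host.
# Placeholders (assumptions): your certificate thumbprint and the FQDN clients connect to.
$Thumbprint = 'YOUR_CERT_THUMBPRINT'
$HostFqdn   = 'rdsh01.external.com'

# Hypothetical helper: a wildcard name covers exactly one left-most label.
function Test-NameCoversHost([string]$CertName, [string]$HostName) {
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                     # e.g. ".external.com"
        if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
            return ($label.Length -gt 0 -and -not $label.Contains('.'))
        }
    }
    return $false
}

# The listener can only use a certificate from the computer's Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period.'
}

# Require the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate is not valid for Server Authentication.'
}

# The name clients connect to must be covered, or the warning will remain.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not ($names | Where-Object { Test-NameCoversHost $_ $HostFqdn })) {
    throw "Certificate names ($($names -join ', ')) do not cover $HostFqdn."
}

# Bind the certificate to the RDP-Tcp listener, then read the setting back.
$ns       = 'root\CIMV2\TerminalServices'
$filter   = "TerminalName='RDP-Tcp'"
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter $filter
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null

$bound = (Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter $filter).SSLCertificateSHA1Hash
if ($bound -ne $Thumbprint) { throw "Listener still presents $bound." }
"RDP-Tcp listener now presents $bound"
```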
 

Author Comment

by:thbor83
ID: 39829238
Hi Cláudio,

Thanks for your reply :)
That resolved my issue. But it seems that it might have opened a new one.

When a user logs on to RemoteApp they get a message saying that it can't find \\tsclient\c\
(It's an ini file used by the program that this string is located in.)

This behaviour seems to mostly be in IE and not with RemoteApp in Windows or Chrome. And it doesn't happen all the time.
If you receive the error message you can then just connect again to the application and you don't get any error.

Have any of you seen this problem before?
0
