SBS 2011 Remote Web Access Certificate Problems

Hello,

We have a Windows SBS 2011 server with Remote Web Access enabled. However, when a user tries to remote into their machine, they are prompted with this message:

"This computer can't verify the identity of the RD Gateway "mail.domain.com". It's not safe to connect to servers that can't be identified. Contact your network administrator for assistance."

When you view the certificate, there is no option to install it. Upon doing research I found a way that users can actually download and install the certificate themselves by following these directions:
http://blogs.technet.com/b/sbs/archive/2011/04/19/how-to-obtain-the-certificate-distribution-package-in-sbs-2011-standard-through-remote-web-access.aspx - But that is a lot of work for an end user, especially a non-tech-savvy user.

Is there a way for me to install this certificate on the server itself so that users aren't required to go download the certificate to their computers locally? This article is the only one that I found in regards to my question but it doesn't seem clear: http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

Any input would be appreciated.

Thanks!
Asked by: bsidfw

becraig Commented:
Is this a self-signed certificate or one issued by a trusted provider?
0
bsidfw (Author) Commented:
Self-signed.
0
becraig Commented:
OK, so unless your users are all domain users, this will persist unless the users individually install your certificate into the trusted root store.

Is this a domain-based scenario?
If so we can use a GPO to push out the certificate and eliminate the problem.
0


bsidfw (Author) Commented:
They are all domain users, but they are accessing their domain machines remotely from their own personal laptops and computers, which are not domain machines from home... So they will need to install the certificate locally on their personal machines?
0
becraig Commented:
If you want them to be able to trust the certificate they will have to.

You can simply create a batch file with the public key portion of the cert and distribute to all users to install.
0
bsidfw (Author) Commented:
That basically accomplishes the same thing as this, right?
http://blogs.technet.com/b/sbs/archive/2011/04/19/how-to-obtain-the-certificate-distribution-package-in-sbs-2011-standard-through-remote-web-access.aspx

I just wasn't sure if there was a way to get third-party, non-domain computers to trust the certificate for their server automatically without requiring the user to install the certificate themselves. I will probably just send that link out to the users if that is the case.

Thank you for your help.
0
David Atkin (Technical Director) Commented:
The easiest thing for you to do here is email them the Certificate Distribution Package for them to install. It can be found here on the server:
\\SERVERNAME\Public\Downloads

Email the Install Certificate Package.zip to them and get them to run the InstallCertificate Application which will install the cert for them.

If it is a big network I would think about purchasing and implementing a third-party trusted certificate. Doing so will mean that the remote users won't have to install a cert.

There isn't a way for you to install the self certificate without the users' input. Unless you want to remote onto the machines yourself and install it for them.
0
becraig Commented:
Yup, that will accomplish the same thing as suggested.

The overall issue is the local computer certificate store has already been told which certificates to trust, so in order to trust your certificate they will have to install to the local store.

Happy to help
0
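
An install script of the kind becraig suggests for the non-domain home machines, written here as an added example that is not part of the original thread or of the SBS certificate package. The file name and the thumbprint value are placeholders: the administrator reads the real thumbprint off the server and gives it to users separately from the certificate file, so the script refuses to trust anything else.

```powershell
# Added example: install the server's exported certificate (.cer, public part only)
# into the Trusted Root store, but only if it is the certificate the admin expects.
# $CertPath and $ExpectedThumbprint are placeholders, not values from the thread.
param(
    [string]$CertPath           = '.\rwa-root.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-SERVER>',
    [ValidateSet('CurrentUser','LocalMachine')]
    [string]$StoreLocation      = 'CurrentUser'   # LocalMachine needs an elevated prompt
)
$ErrorActionPreference = 'Stop'

$fullPath = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# Normalise the expected value: strip spaces/colons copied from the certificate dialog.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($expected.Length -ne 40) {
    throw 'Set -ExpectedThumbprint to the 40-hex-digit SHA-1 thumbprint shown on the server.'
}

# Refuse to add a root of trust that is not exactly the expected certificate.
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file contains $($cert.Thumbprint). Not installing."
}

# Only the public certificate should ever be distributed to clients.
if ($cert.HasPrivateKey) {
    throw 'This file carries a private key. Distribute a .cer export instead.'
}

# An expired certificate would still fail validation after being installed.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', $StoreLocation
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
        $store.Add($cert)
        Write-Host "Installed $($cert.Subject) into $StoreLocation\Root."
    } else {
        Write-Host "$($cert.Subject) is already trusted in $StoreLocation\Root."
    }
} finally {
    $store.Close()
}
```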

Question has a verified solution.
