Solved

Auto-created self-signed SSL for Remote Desktop Gateway?

Posted on 2014-10-07
Last Modified: 2014-10-24
I have a RD Gateway that has been secured using a GoDaddy SSL Cert.  The cert expired recently so I thought I'd try a self-signed cert instead of renewing the GoDaddy Cert through the reseller we're no longer doing business with.  When the self-signed cert kept giving errors on the client side, I opted to revoke the GoDaddy and purchase a new one to secure the RD Gateway.  I have the cert installed, I see it in the RD Gateway Manager as the active cert and in the Certificates under Remote Desktop (also imported as Trusted Root Cert Auth).  When I attempt to connect via Remote Desktop Connection, I receive an error that the name doesn't match the subject of the cert.  When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject.  If I delete that cert, it is automatically created when I attempt to connect via RDC.

Has anyone seen this?  My Google-fu is failing me...
Question by:rpmahony
13 Comments

Expert Comment

by:VB ITS
Did you restart the Remote Desktop Gateway service after applying the new SSL certificate? Do you perhaps have a firewall (TMG, ISA, etc) where you need to publish the new certificate to?

Author Comment

by:rpmahony
I've restarted the RD Gateway Service a couple times, once via the wizard and once manually.  I've also restarted the server since applying the cert.  Only firewall is our Cisco ASA so my internal test should negate that issue if it were an issue.  FWIW, I don't remember having to install the original cert anywhere but the RD Gateway server (which is the sole RD target btw).  It's just strange that the self-issued cert appears even after I delete it, leaving only the GoDaddy in the Certificates - Remote Desktop container.  After the server restart, I see the new GoDaddy cert info when I look at the RD Gateway server properties.  Crazy stuff...

Expert Comment

by:VB ITS
I've seen strange things happen with SSL certs and RD Gateway. It's generally best to delete certificates from the Computer store that have conflicting friendly names - did you try this? Export the certificate (including the private key) to the Desktop or wherever you want as a backup, then delete them from the store. Let me know how this goes.

EDIT: probably best you export and delete all the certs that you don't need, leaving just the new cert in the certificate store.

Author Comment

by:rpmahony
Yep.  I've deleted the 'computername.domain.local' cert from every place I could find in the Certificates mmc plug-in and it still pops up in the RD container.  As soon as I attempt to connect via RDC, it reappears in the RD container.  I'll try once more during lunch - remove the cert, restart the gateway service and try again.  I think I tried this on Friday but can't be certain.

Author Comment

by:rpmahony
No dice.  Removed self-signed cert, restarted gateway services, attempted to login and it reappeared.  Removed self-signed cert, restarted SERVER, attempted to login and it reappeared again.  I'm stumped.

Expert Comment

by:VB ITS
Did you re-assign the trusted third-party SSL certificate when you removed the self-signed certificate? Just had a re-read of your original question, can you clarify what you mean when you say 'Certificates under Remote Desktop'?
"When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject."
Is this in the RDS Host Configuration console, RD Gateway Manager, or somewhere else?

Author Comment

by:rpmahony
After I deleted the self-signed cert, I verified that the attached is still showing up in the RD Gateway Manager.  "Certificates under Remote Desktop" = Opened MMC, added the Certificates add-in and viewed my local computer certificates.  Under the Remote Desktop - Certificates 'folder' there are two certs listed: one issued by and issued to server.internal.local and one issued by GoDaddy and issued to host.external.com.

I delete the server.internal.local cert from that container, re-import the GoDaddy cert using the RD Gateway Manager and restart the services (either from the confirmation message or manually) and attempt to login again.  RDC gives me a "can't verify computer" message because the name doesn't match the cert.  When I look at RD Gateway Manager, it still shows the correct cert from GoDaddy but the Certificates add-in shows the newly-created self-signed cert once again.

Grr…
[attached screenshot: Screen-Shot-2014-10-09-at-10.08.32-AM.pn]

Expert Comment

by:VB ITS
Can you please post a screenshot of the certificate error you're getting? I just need to verify whether the certificate name mismatch error you are seeing is for the RD Gateway or for the actual machine you're trying to RDP into.

Author Comment

by:rpmahony
Here you go.  In the Windows error, I masked the computer name, but it's showing the internal dns name.  I'm using the public dns name, which is on the GoDaddy SSL.  When I click to view the cert, it's showing the self signed cert.
[attached screenshot: Screen-Shot-2014-10-09-at-10.40.56-PM.pn]
[attached screenshot: Screen-Shot-2014-10-09-at-10.42.16-PM.pn]

Expert Comment

by:VB ITS
OK, I think I understand what the issue is now. It sounds like your RD Gateway is actually working perfectly fine with the new certificate.

These certificate mismatch errors are coming from the machine that you are trying to connect to. Before we do anything else, can you please confirm if you're using the RD Gateway to connect to just one machine inside your network or do you intend to use it to allow multiple users to log into multiple machines?

Author Comment

by:rpmahony
Currently, and for the foreseeable future, we have one dedicated terminal server.  That same server is performing the RD Gateway role as well.  I originally secured the machine using a GoDaddy cert when I built the server, so the setup was working until I attempted to replace the expired GoDaddy cert with a self-signed.  It just seems like the self-signed cert is "stuck".

Accepted Solution

by:VB ITS (earned 500 total points)
Sorry rpmahony, forgot to follow up on this one. The certificate mismatch warnings you are seeing are actually unrelated to the RD Gateway service.

The warning that you're seeing is to do with the certificate used to sign remote desktop connections. The auto-generated certificate is actually set in the following area:
Go to Administrative Tools > Remote Desktop Services > Remote Desktop Services Host Configuration > right click on RDP-Tcp > Properties
[attached screenshot: RDP-Tcp-Properties.PNG]
You can try and import the third party certificate you used for your RD Gateway to the local Computer store on the Terminal Server, then assign it using the Select button from my screenshot. I'm just not sure how well this will work when you are logging in via the RD Gateway.

You can actually safely ignore the message as well, you'll still be able to connect to the Terminal Server.
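The accepted answer above points at the RDP-Tcp listener's certificate, which is a different setting from the RD Gateway certificate. The script below is an added example (it is not from the thread or from Microsoft) that does the same job from PowerShell on a Windows Server 2008 R2 RD Session Host: it reads the thumbprint the RDP-Tcp listener currently presents, lists the auto-generated certificate in the 'Remote Desktop' store, picks a certificate from the computer's Personal store whose name matches what clients type into Remote Desktop Connection, and, only with -Apply, binds it to the listener through the Win32_TSGeneralSetting WMI class (the scripted equivalent of the Select button in RDP-Tcp Properties). The name 'host.external.com' is a placeholder; substitute your own public FQDN. Run it from an elevated PowerShell session on the session host.

```powershell
# Added example, not code from the original thread. Assumes Windows Server 2008 R2
# with RD Session Host (and RD Gateway) on one machine, run from an elevated prompt.
# $PublicName is a placeholder for the DNS name users type into Remote Desktop Connection.
param(
    [string]$PublicName = 'host.external.com',   # assumed placeholder; set to your real FQDN
    [switch]$Apply                                # without -Apply the script only reports
)

$tsNamespace = 'root\cimv2\terminalservices'

# Return the subject CN plus any SAN DNS names of a certificate. Format($false) on the
# SAN extension yields "DNS Name=a, DNS Name=b" on English-locale systems.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    return $names
}

# True if the certificate has no EKU extension (usable for any purpose) or lists
# Server Authentication (1.3.6.1.5.5.7.3.1), which the RDP listener requires.
function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $true }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}

# 1. Which certificate is the RDP-Tcp listener presenting right now?
$listener = Get-WmiObject -Namespace $tsNamespace -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
"RDP-Tcp listener thumbprint: $($listener.SSLCertificateSHA1Hash)"

# The self-signed certificate in the 'Remote Desktop' store is the listener's fallback.
# It is re-created whenever no other certificate is bound to the listener, which is
# why deleting it from the store has no lasting effect.
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
    ForEach-Object { "  Remote Desktop store: $($_.Thumbprint) $($_.Subject) (expires $($_.NotAfter))" }

# 2. Pick a suitable certificate from the Personal store: private key present, not
#    expired, Server Authentication EKU, and a name matching what clients connect to.
$candidate = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (Test-ServerAuthEku $_) -and
        ((Get-CertDnsNames $_) -contains $PublicName)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $candidate) {
    Write-Warning "No certificate in Cert:\LocalMachine\My has a private key and matches '$PublicName'."
    return
}
"Matching certificate: $($candidate.Thumbprint) $($candidate.Subject)"

# 3. Bind it to the listener. This is what the Select button in RDP-Tcp Properties does.
if ($Apply) {
    Set-WmiInstance -Path $listener.__PATH `
                    -Arguments @{ SSLCertificateSHA1Hash = $candidate.Thumbprint } | Out-Null
    $check = Get-WmiObject -Namespace $tsNamespace -Class Win32_TSGeneralSetting `
                           -Filter "TerminalName='RDP-Tcp'"
    if ($check.SSLCertificateSHA1Hash -eq $candidate.Thumbprint) {
        "Listener now uses $($check.SSLCertificateSHA1Hash); new connections pick it up without a restart."
    } else {
        Write-Warning "Assignment did not take; confirm the prompt is elevated and re-run with -Apply."
    }
} else {
    "Re-run with -Apply to bind this certificate to RDP-Tcp."
}
```

Two caveats worth checking before relying on this. First, the GUI grants the listener's service account read access to the private key when you pick a certificate there; after a WMI assignment, open the certificate in the Certificates MMC (Local Computer > Personal), choose Manage Private Keys, and make sure NETWORK SERVICE has Read, otherwise Schannel will log an error and clients will fall back to the warning you saw. Second, the name check in step 2 matches the name the client connects to, so if users reach the session host through the gateway by its internal name (server.internal.local in the thread), the certificate must carry that name as well, either as the CN or as a SAN entry; a public CA will not issue a certificate for a .local name, which is the reason the answer says the warning can be accepted and the connection still succeeds.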

Author Closing Comment

by:rpmahony
Bingo!  I wonder why I couldn't find this in any of my googling and searching of MS TIDs and Articles…

Thanks for the assist.