rpmahony asked:

Auto-created self-signed SSL for Remote Desktop Gateway?

I have a RD Gateway that has been secured using a GoDaddy SSL Cert.  The cert expired recently so I thought I'd try a self-signed cert instead of renewing the GoDaddy Cert through the reseller we're no longer doing business with.  When the self-signed cert kept giving errors on the client side, I opted to revoke the GoDaddy and purchase a new one to secure the RD Gateway.  I have the cert installed, I see it in the RD Gateway Manager as the active cert and in the Certificates under Remote Desktop (also imported as Trusted Root Cert Auth).  When I attempt to connect via Remote Desktop Connection, I receive an error that the name doesn't match the subject of the cert.  When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject.  If I delete that cert, it is automatically created when I attempt to connect via RDC.

Has anyone seen this?  My Google-fu is failing me...
VB ITS:

Did you restart the Remote Desktop Gateway service after applying the new SSL certificate? Do you perhaps have a firewall (TMG, ISA, etc) where you need to publish the new certificate to?
rpmahony (asker):

I've restarted the RD Gateway Service a couple times, once via the wizard and once manually.  I've also restarted the server since applying the cert.  Only firewall is our Cisco ASA so my internal test should negate that issue if it were an issue.  FWIW, I don't remember having to install the original cert anywhere but the RD Gateway server (which is the sole RD target btw).  It's just strange that the self-issued cert appears even after I delete it, leaving only the GoDaddy in the Certificates - Remote Desktop container.  After the server restart, I see the new GoDaddy cert info when I look at the RD Gateway server properties.  Crazy stuff...
I've seen strange things happen with SSL certs and RD Gateway. It's generally best to delete certificates from the Computer store that have conflicting friendly names - did you try this? Export the certificate (including the private key) to the Desktop or wherever you want as a backup, then delete them from the store. Let me know how this goes.

EDIT: probably best you export and delete all the certs that you don't need, leaving just the new cert in the certificate store.
Yep.  I've deleted the 'computername.domain.local' cert from every place I could find in the Certificates mmc plug-in and it still pops up in the RD container.  As soon as I attempt to connect via RDC, it reappears in the RD container.  I'll try once more during lunch - remove the cert, restart the gateway service and try again.  I think I tried this on Friday but can't be certain.
No dice.  Removed self-signed cert, restarted gateway services, attempted to login and it reappeared.  Removed self-signed cert, restarted SERVER, attempted to login and it reappeared again.  I'm stumped.
Did you re-assign the trusted third-party SSL certificate when you removed the self-signed certificate? Just had a re-read of your original question, can you clarify what you mean when you say 'Certificates under Remote Desktop'?
"When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject."
Is this in the RDS Host Configuration console, RD Gateway Manager, or somewhere else?
After I deleted the self-signed cert, I verified that the attached is still showing up in the RD Gateway Manager.  "Certificates under Remote Desktop" = Opened MMC, added the Certificates add-in and viewed my local computer certificates.  Under the Remote Desktop - Certificates 'folder' there are two certs listed: one issued by and issued to server.internal.local and one issued by GoDaddy and issued to host.external.com.

I delete the server.internal.local cert from that container, re-import the GoDaddy cert using the RD Gateway Manager and restart the services (either from the confirmation message or manually) and attempt to login again.  RDC gives me a "can't verify computer" message because the name doesn't match the cert.  When I look at RD Gateway Manager, it still shows the correct cert from GoDaddy but the Certificates add-in shows the newly-created self-signed cert once again.

Grr…
[screenshot attached: Screen-Shot-2014-10-09-at-10.08.32-AM]
Can you please post a screenshot of the certificate error you're getting? I just need to verify whether the certificate name mismatch error you are seeing is for the RD Gateway or for the actual machine you're trying to RDP into.
Here you go.  In the Windows error, I masked the computer name, but it's showing the internal dns name.  I'm using the public dns name, which is on the GoDaddy SSL.  When I click to view the cert, it's showing the self signed cert.
[two screenshots attached: Screen-Shot-2014-10-09-at-10.40.56-PM, Screen-Shot-2014-10-09-at-10.42.16-PM]
OK, I think I understand what the issue is now. It sounds like your RD Gateway certificate is actually working perfectly fine with the new certificate.

These certificate mismatch errors are coming from the machine that you are trying to connect to. Before we do anything else, can you please confirm if you're using the RD Gateway to connect to just one machine inside your network or do you intend to use it to allow multiple users to log into multiple machines?
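One way to confirm the point above on the server itself, as an added PowerShell example that is not from this thread or its accepted solution: it reads which certificate the RDP listener on the session host presents (the one RDC's name-mismatch warning refers to) and, if that is the auto-generated self-signed certificate, points the listener at the third-party one. It assumes the listener is the default RDP-tcp, that the GoDaddy certificate for host.external.com (the name used in the thread) sits with its private key in the LocalMachine Personal store, and that the script runs elevated.

```powershell
# Added example (not the thread's own solution). Assumes: listener 'RDP-tcp',
# third-party cert with private key in Cert:\LocalMachine\My, run as administrator.
param(
    [string]$ExpectedSubject = 'host.external.com'   # public DNS name on the GoDaddy cert
)

$ns = 'root\cimv2\terminalservices'

# 1. Which certificate does the RDP listener (RD Session Host) present? This is
#    separate from the certificate assigned in RD Gateway Manager.
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-tcp'"
$listenerThumb = $listener.SSLCertificateSHA1Hash

# The auto-created self-signed cert lives in the 'Remote Desktop' store, so look in both.
$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop')
$listenerCert = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $listenerThumb } | Select-Object -First 1

Write-Host "RDP listener thumbprint: $listenerThumb"
if ($listenerCert) {
    Write-Host "  Subject: $($listenerCert.Subject)"
    Write-Host "  Issuer : $($listenerCert.Issuer)"
    if ($listenerCert.Subject -eq $listenerCert.Issuer) {
        Write-Warning 'Listener uses a self-signed certificate; this is what RDC shows in the mismatch error.'
    }
} else {
    Write-Warning 'Listener thumbprint not found in any store; Windows will fall back to a self-signed cert.'
}

# 2. Find the trusted third-party certificate by subject (newest one with a private key).
$target = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "*CN=$ExpectedSubject*" -and $_.HasPrivateKey } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $target) { throw "No certificate with a private key for CN=$ExpectedSubject in LocalMachine\My" }

# 3. Point the listener at it. NETWORK SERVICE must be able to read the private key,
#    otherwise the listener silently falls back to the self-signed certificate again.
if ($listenerThumb -ne $target.Thumbprint) {
    Set-WmiInstance -Path $listener.__PATH `
                    -Argument @{ SSLCertificateSHA1Hash = $target.Thumbprint } | Out-Null
    Write-Host "RDP listener now set to $($target.Thumbprint) ($($target.Subject))"
} else {
    Write-Host 'RDP listener already uses the third-party certificate.'
}
```

Re-run the first part after a reconnect: if the thumbprint has reverted, the private key ACL is the usual reason.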
Currently, and for the foreseeable future, we have one dedicated terminal server.  That same server is performing the RD Gateway role as well.  I originally secured the machine using a GoDaddy cert when I built the server, so the setup was working until I attempted to replace the expired GoDaddy cert with a self-signed.  It just seems like the self-signed cert is "stuck".
ASKER CERTIFIED SOLUTION by VB ITS

This solution is only available to members of Experts Exchange.
Bingo!  I wonder why I couldn't find this in any of my googling and searching of MS TIDs and Articles…

Thanks for the assist.