Solved

Auto-created self-signed SSL for Remote Desktop Gateway?

Posted on 2014-10-07
13
922 Views
Last Modified: 2014-10-24
I have a RD Gateway that has been secured using a GoDaddy SSL Cert.  The cert expired recently so I thought I'd try a self-signed cert instead of renewing the GoDaddy Cert through the reseller we're no longer doing business with.  When the self-signed cert kept giving errors on the client side, I opted to revoke the GoDaddy and purchase a new one to secure the RD Gateway.  I have the cert installed, I see it in the RD Gateway Manager as the active cert and in the Certificates under Remote Desktop (also imported as Trusted Root Cert Auth).  When I attempt to connect via Remote Desktop Connection, I receive an error that the name doesn't match the subject of the cert.  When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject.  If I delete that cert, it is automatically created when I attempt to connect via RDC.

Has anyone seen this?  My Google-fu is failing me...
0
Question by:rpmahony
13 Comments
 
LVL 24

Expert Comment

by:VB ITS
ID: 40366287
Did you restart the Remote Desktop Gateway service after applying the new SSL certificate? Do you perhaps have a firewall (TMG, ISA, etc) where you need to publish the new certificate to?
0
 

Author Comment

by:rpmahony
ID: 40366339
I've restarted the RD Gateway Service a couple times, once via the wizard and once manually.  I've also restarted the server since applying the cert.  Only firewall is our Cisco ASA so my internal test should negate that issue if it were an issue.  FWIW, I don't remember having to install the original cert anywhere but the RD Gateway server (which is the sole RD target btw).  It's just strange that the self-issued cert appears even after I delete it, leaving only the GoDaddy in the Certificates - Remote Desktop container.  After the server restart, I see the new GoDaddy cert info when I look at the RD Gateway server properties.  Crazy stuff...
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40366360
I've seen strange things happen with SSL certs and RD Gateway. It's generally best to delete certificates from the Computer store that have conflicting friendly names - did you try this? Export the certificate (including the private key) to the Desktop or wherever you want as a backup, then delete them from the store. Let me know how this goes.

EDIT: probably best you export and delete all the certs that you don't need, leaving just the new cert in the certificate store.
0

Author Comment

by:rpmahony
ID: 40366381
Yep.  I've deleted the 'computername.domain.local' cert from every place I could find in the Certificates mmc plug-in and it still pops up in the RD container.  As soon as I attempt to connect via RDC, it reappears in the RD container.  I'll try once more during lunch - remove the cert, restart the gateway service and try again.  I think I tried this on Friday but can't be certain.
0
 

Author Comment

by:rpmahony
ID: 40367347
No dice.  Removed self-signed cert, restarted gateway services, attempted to login and it reappeared.  Removed self-signed cert, restarted SERVER, attempted to login and it reappeared again.  I'm stumped.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40369589
Did you re-assign the trusted third-party SSL certificate when you removed the self-signed certificate? Just had a re-read of your original question; can you clarify what you mean when you say 'Certificates under Remote Desktop'?
"When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject."
Is this in the RDS Host Configuration console, RD Gateway Manager, or somewhere else?
0
 

Author Comment

by:rpmahony
ID: 40370908
After I deleted the self-signed cert, I verified that the attached is still showing up in the RD Gateway Manager.  "Certificates under Remote Desktop" = Opened MMC, added the Certificates add-in and viewed my local computer certificates.  Under the Remote Desktop - Certificates 'folder' there are two certs listed: one issued by and issued to server.internal.local and one issued by GoDaddy and issued to host.external.com.

I delete the server.internal.local cert from that container, re-import the GoDaddy cert using the RD Gateway Manager and restart the services (either from the confirmation message or manually) and attempt to login again.  RDC gives me a "can't verify computer" message because the name doesn't match the cert.  When I look at RD Gateway Manager, it still shows the correct cert from GoDaddy but the Certificates add-in shows the newly-created self-signed cert once again.

Grr…
[Attached screenshot: Screen-Shot-2014-10-09-at-10.08.32-AM.pn]
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40372203
Can you please post a screenshot of the certificate error you're getting? I just need to verify whether the certificate name mismatch error you are seeing is for the RD Gateway or for the actual machine you're trying to RDP into.
0
 

Author Comment

by:rpmahony
ID: 40372224
Here you go.  In the Windows error, I masked the computer name, but it's showing the internal DNS name.  I'm using the public DNS name, which is on the GoDaddy SSL.  When I click to view the cert, it's showing the self-signed cert.
[Attached screenshot: Screen-Shot-2014-10-09-at-10.40.56-PM.pn]
[Attached screenshot: Screen-Shot-2014-10-09-at-10.42.16-PM.pn]
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40372265
OK, I think I understand what the issue is now. It sounds like your RD Gateway is actually working perfectly fine with the new certificate.

These certificate mismatch errors are coming from the machine that you are trying to connect to. Before we do anything else, can you please confirm if you're using the RD Gateway to connect to just one machine inside your network or do you intend to use it to allow multiple users to log into multiple machines?
0
 

Author Comment

by:rpmahony
ID: 40372968
Currently, and for the foreseeable future, we have one dedicated terminal server.  That same server is performing the RD Gateway role as well.  I originally secured the machine using a GoDaddy cert when I built the server, so the setup was working until I attempted to replace the expired GoDaddy cert with a self-signed.  It just seems like the self-signed cert is "stuck".
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40400829
Sorry rpmahony, forgot to follow up on this one. The certificate mismatch warnings you are seeing are actually unrelated to the RD Gateway service.

The warning that you're seeing is to do with the certificate used to sign remote desktop connections. The auto-generated certificate is actually set in the following area:
Go to Administrative Tools > Remote Desktop Services > Remote Desktop Services Host Configuration > right-click on RDP-Tcp > Properties
[Attached screenshot: RDP-Tcp-Properties.PNG]
You can try and import the third-party certificate you used for your RD Gateway to the local Computer store on the Terminal Server, then assign it using the Select button from my screenshot. I'm just not sure how well this will work when you are logging in via the RD Gateway.

You can actually safely ignore the message as well; you'll still be able to connect to the Terminal Server.
0
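Added example, not code from the thread: a PowerShell check for the RDP listener certificate the accepted solution points at, with the same binding the Select button performs. It assumes a Windows Server 2008 R2 era RD Session Host exposing the Win32_TSGeneralSetting WMI class, and that the trusted certificate's subject is CN=host.external.com (the public name from the thread); adjust that value to match your own certificate.

```powershell
# Added example (not from the thread). Run elevated on the RD Session Host.
# Shows which certificate the RDP-Tcp listener presents, lists the auto-generated
# cert in the 'Remote Desktop' store beside the trusted cert in the Personal store,
# and binds the trusted cert to the listener if it is not already bound.

$ListenerName   = 'RDP-Tcp'
$TrustedSubject = 'CN=host.external.com'   # assumption: subject on the GoDaddy cert

# 1. Which certificate does the RDP listener currently present to clients?
$listener = Get-WmiObject -Namespace 'root\cimv2\terminalservices' `
    -Class 'Win32_TSGeneralSetting' -Filter "TerminalName='$ListenerName'"
$currentHash = $listener.SSLCertificateSHA1Hash
Write-Host "Listener $ListenerName presents thumbprint: $currentHash"

# 2. The self-signed cert the thread keeps seeing lives in the 'Remote Desktop'
#    store; the gateway's third-party cert lives in Personal (My). Show both.
Write-Host "Certificates in LocalMachine\Remote Desktop:"
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

$trusted = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq $TrustedSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $trusted) {
    throw "No certificate with subject '$TrustedSubject' and a private key in LocalMachine\My"
}

# 3. Bind the trusted cert to the listener (same effect as RDS Host Configuration >
#    RDP-Tcp > Properties > Select). Its subject must match the name clients type,
#    otherwise the name-mismatch warning remains.
if ($currentHash -eq $trusted.Thumbprint) {
    Write-Host 'Listener already uses the trusted certificate; nothing to do.'
} else {
    Set-WmiInstance -Path $listener.__PATH `
        -Argument @{ SSLCertificateSHA1Hash = $trusted.Thumbprint } | Out-Null
    Write-Host "Bound $($trusted.Thumbprint) to $ListenerName; reconnect with RDC to verify."
}
```

The listener runs as NETWORK SERVICE, so that account needs read access to the certificate's private key; without it the listener silently falls back to the self-signed certificate and the warning comes back.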
 

Author Closing Comment

by:rpmahony
ID: 40402087
Bingo!  I wonder why I couldn't find this in any of my googling and searching of MS TIDs and Articles…

Thanks for the assist.
0