Solved

Auto-created self-signed SSL for Remote Desktop Gateway?

Posted on 2014-10-07
Last Modified: 2014-10-24
I have a RD Gateway that has been secured using a GoDaddy SSL Cert.  The cert expired recently so I thought I'd try a self-signed cert instead of renewing the GoDaddy Cert through the reseller we're no longer doing business with.  When the self-signed cert kept giving errors on the client side, I opted to revoke the GoDaddy and purchase a new one to secure the RD Gateway.  I have the cert installed, I see it in the RD Gateway Manager as the active cert and in the Certificates under Remote Desktop (also imported as Trusted Root Cert Auth).  When I attempt to connect via Remote Desktop Connection, I receive an error that the name doesn't match the subject of the cert.  When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject.  If I delete that cert, it is automatically created when I attempt to connect via RDC.

Has anyone seen this?  My Google-fu is failing me...
Question by:rpmahony
13 Comments
 
LVL 24

Expert Comment

by:VB ITS
ID: 40366287
Did you restart the Remote Desktop Gateway service after applying the new SSL certificate? Do you perhaps have a firewall (TMG, ISA, etc) where you need to publish the new certificate to?
 

Author Comment

by:rpmahony
ID: 40366339
I've restarted the RD Gateway Service a couple times, once via the wizard and once manually.  I've also restarted the server since applying the cert.  Only firewall is our Cisco ASA so my internal test should negate that issue if it were an issue.  FWIW, I don't remember having to install the original cert anywhere but the RD Gateway server (which is the sole RD target btw).  It's just strange that the self-issued cert appears even after I delete it, leaving only the GoDaddy in the Certificates - Remote Desktop container.  After the server restart, I see the new GoDaddy cert info when I look at the RD Gateway server properties.  Crazy stuff...
 
LVL 24

Expert Comment

by:VB ITS
ID: 40366360
I've seen strange things happen with SSL certs and RD Gateway. It's generally best to delete certificates from the Computer store that have conflicting friendly names - did you try this? Export the certificate (including the private key) to the Desktop or wherever you want as a backup, then delete them from the store. Let me know how this goes.

EDIT: probably best you export and delete all the certs that you don't need, leaving just the new cert in the certificate store.

Author Comment

by:rpmahony
ID: 40366381
Yep.  I've deleted the 'computername.domain.local' cert from every place I could find in the Certificates mmc plug-in and it still pops up in the RD container.  As soon as I attempt to connect via RDC, it reappears in the RD container.  I'll try once more during lunch - remove the cert, restart the gateway service and try again.  I think I tried this on Friday but can't be certain.
 

Author Comment

by:rpmahony
ID: 40367347
No dice.  Removed self-signed cert, restarted gateway services, attempted to login and it reappeared.  Removed self-signed cert, restarted SERVER, attempted to login and it reappeared again.  I'm stumped.
 
LVL 24

Expert Comment

by:VB ITS
ID: 40369589
Did you re-assign the trusted third-party SSL certificate when you removed the self-signed certificate? Just had a re-read of your original question, can you clarify what you mean when you say 'Certificates under Remote Desktop'?
When I look at Certificates under Remote Desktop, I see two certs: the GoDaddy and a self-signed with the servername as the subject.
Is this in the RDS Host Configuration console, RD Gateway Manager, or somewhere else?
 

Author Comment

by:rpmahony
ID: 40370908
After I deleted the self-signed cert, I verified that the attached is still showing up in the RD Gateway Manager.  "Certificates under Remote Desktop" = Opened MMC, added the Certificates add-in and viewed my local computer certificates.  Under the Remote Desktop - Certificates 'folder' there are two certs listed: one issued by and issued to server.internal.local and one issued by GoDaddy and issued to host.external.com.

I delete the server.internal.local cert from that container, re-import the GoDaddy cert using the RD Gateway Manager and restart the services (either from the confirmation message or manually) and attempt to login again.  RDC gives me a "can't verify computer" message because the name doesn't match the cert.  When I look at RD Gateway Manager, it still shows the correct cert from GoDaddy but the Certificates add-in shows the newly-created self-signed cert once again.

Grr…
[Attachment: Screen-Shot-2014-10-09-at-10.08.32-AM.pn]
 
LVL 24

Expert Comment

by:VB ITS
ID: 40372203
Can you please post a screenshot of the certificate error you're getting? I just need to verify whether the certificate name mismatch error you are seeing is for the RD Gateway or for the actual machine you're trying to RDP into.
 

Author Comment

by:rpmahony
ID: 40372224
Here you go.  In the Windows error, I masked the computer name, but it's showing the internal dns name.  I'm using the public dns name, which is on the GoDaddy SSL.  When I click to view the cert, it's showing the self signed cert.
[Attachment: Screen-Shot-2014-10-09-at-10.40.56-PM.pn]
[Attachment: Screen-Shot-2014-10-09-at-10.42.16-PM.pn]
 
LVL 24

Expert Comment

by:VB ITS
ID: 40372265
OK, I think I understand what the issue is now. It sounds like your RD Gateway is actually working perfectly fine with the new certificate.

These certificate mismatch errors are coming from the machine that you are trying to connect to. Before we do anything else, can you please confirm if you're using the RD Gateway to connect to just one machine inside your network or do you intend to use it to allow multiple users to log into multiple machines?
 

Author Comment

by:rpmahony
ID: 40372968
Currently, and for the foreseeable future, we have one dedicated terminal server.  That same server is performing the RD Gateway role as well.  I originally secured the machine using a GoDaddy cert when I built the server, so the setup was working until I attempted to replace the expired GoDaddy cert with a self-signed.  It just seems like the self-signed cert is "stuck".
 
LVL 24

Accepted Solution

by:VB ITS (earned 500 total points)
ID: 40400829
Sorry rpmahony, forgot to follow up on this one. The certificate mismatch warnings you are seeing are actually unrelated to the RD Gateway service.

The warning that you're seeing is to do with the certificate used to sign remote desktop connections. The auto-generated certificate is actually set in the following area:
Go to Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration > right-click on RDP-Tcp > Properties
[Attachment: RDP-Tcp-Properties.PNG]
You can try and import the third party certificate you used for your RD Gateway to the local Computer store on the Terminal Server, then assign it using the Select button from my screenshot. I'm just not sure how well this will work when you are logging in via the RD Gateway.

You can actually safely ignore the message as well, you'll still be able to connect to the Terminal Server.
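
Editor's note, added example (not code from the thread or from either participant): the accepted answer's point is that two different certificates are in play. The RD Gateway certificate is what the client sees on the HTTPS leg to the gateway; the certificate bound to the RDP-Tcp listener on the Session Host is what it sees on the inner RDP leg, and it is the listener that keeps regenerating the self-signed CN=<hostname> certificate in the "Remote Desktop" store whenever it has no other certificate to use, which is why deleting it never helped. The script below does from PowerShell what the RDP-Tcp Properties dialog does with its Select button, and then connects to the listener the way an RDP client does to confirm which certificate is actually presented. The names host.external.com and server.internal.local are taken from the thread and are assumptions; the script is written for the Server 2008 R2-era cmdlets the thread implies (Get-WmiObject rather than Get-CimInstance) and must run elevated on the Session Host.

```powershell
# Added example, not from the thread. Assumed names: host.external.com is the
# public name on the GoDaddy certificate, server.internal.local the subject
# of the auto-generated listener certificate.
$PublicName  = 'host.external.com'
$TsNamespace = 'root\cimv2\TerminalServices'

# 1. The "Remote Desktop" store: the listener regenerates a self-signed
#    CN=<hostname> certificate here whenever no usable certificate is bound.
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
    Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

# 2. Which certificate (by SHA-1 thumbprint) the RDP-Tcp listener is bound to.
$listener = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
"Listener bound to: $($listener.SSLCertificateSHA1Hash)"

# 3. The third-party certificate must sit in LocalMachine\My with its private
#    key; take the newest unexpired one whose subject or SAN carries the public name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.Subject -like "CN=$PublicName*" -or
                    $_.DnsNameList.Unicode -contains $PublicName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate with a private key for $PublicName in LocalMachine\My" }

# 4. Bind it (same effect as the Select button on the RDP-Tcp Properties General
#    tab) and re-read the setting to confirm the change stuck.
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
$after = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "Listener is still bound to $($after.SSLCertificateSHA1Hash)"
}
"Listener now bound to $($cert.Subject) [$($cert.Thumbprint)]"

# 5. See the certificate exactly as an RDP client does. RDP starts TLS only after
#    an X.224 Connection Request carrying RDP_NEG_REQ (MS-RDPBCGR), so a plain TLS
#    probe of port 3389 gets nothing; this sends that request first.
function Read-Exactly([System.IO.Stream]$Stream, [int]$Count) {
    $buf = New-Object byte[] $Count; $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw 'Connection closed during X.224 negotiation' }
        $got += $n
    }
    return $buf
}
function Get-RdpListenerCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 3389)
    $tcp = New-Object Net.Sockets.TcpClient($ComputerName, $Port)
    $net = $tcp.GetStream()
    # TPKT header | X.224 CR (LI=14, CR, dst-ref, src-ref, class 0) | RDP_NEG_REQ
    # (type 1, flags 0, length 8, requestedProtocols = 1 = PROTOCOL_SSL)
    $req = [byte[]](0x03,0x00,0x00,0x13, 0x0E,0xE0,0x00,0x00,0x00,0x00,0x00,
                    0x01,0x00,0x08,0x00, 0x01,0x00,0x00,0x00)
    $net.Write($req, 0, $req.Length)
    $hdr  = Read-Exactly $net 4                     # TPKT: version, reserved, length (big-endian)
    $body = Read-Exactly $net ((($hdr[2] -shl 8) -bor $hdr[3]) - 4)
    # body[0..6] = X.224 Connection Confirm; body[7] = RDP_NEG type (2 = response, 3 = failure)
    if ($body.Length -lt 15 -or $body[7] -ne 0x02) {
        $code = if ($body.Length -ge 15) { [BitConverter]::ToUInt32($body, 11) } else { 'n/a' }
        throw "Server did not agree to TLS (RDP_NEG type $($body[7]), failureCode $code)"
    }
    # Accept whatever certificate is offered: the point is to inspect it, not to trust it.
    $ssl = New-Object Net.Security.SslStream($net, $false,
        ({ $true } -as [Net.Security.RemoteCertificateValidationCallback]))
    $ssl.AuthenticateAsClient($ComputerName)
    $seen = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $tcp.Close()
    return $seen
}

$seen = Get-RdpListenerCertificate -ComputerName $PublicName
"Client sees: $($seen.Subject), issued by $($seen.Issuer), SANs: $($seen.DnsNameList.Unicode -join ', ')"
if ($seen.Thumbprint -ne $cert.Thumbprint) { Write-Warning 'Listener still presents a different certificate' }
```

Two things to check if step 5 still shows the self-signed certificate after step 4: the listener runs as NETWORK SERVICE, so that account needs read access to the certificate's private key (the dialog grants it; a certificate imported by other means may not have it), and the Remote Desktop Services service may need a restart before the new binding is used. Run step 5 from inside the network against the Session Host itself; from outside, the public name lands on the gateway's HTTPS listener, not on port 3389. The mismatch warning itself only goes away when the name typed into the client matches the subject or a SAN of the certificate the listener presents, which is why the public name has to be on the listener certificate as well as on the gateway certificate.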
 

Author Closing Comment

by:rpmahony
ID: 40402087
Bingo!  I wonder why I couldn't find this in any of my googling and searching of MS TIDs and Articles…

Thanks for the assist.