Solved

Remote Desktop Gateway connection intermittent with certificate error

Posted on 2014-12-16
2,291 Views
Last Modified: 2014-12-27
When attempting to remote desktop into an RDS gateway server, we are receiving the following error:

"Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked. Contact your network administrator for assistance."

The server is Windows Server 2008 R2, and we are positive the SSL certificate is valid. RDWeb is working fine and can be used to remote desktop other computers on the network without issue.

We have already tried reinstalling the RDS role and had the certificate reissued. We have been seeing this issue connecting from Windows 7, Server 2008, and from the Microsoft Remote Desktop app from iTunes. Oddly enough, if you keep trying, the connection will eventually succeed after a random number of times. On some systems, the connection succeeds nearly 100% of the time.
Question by:brainsurf1
9 Comments

Expert Comment

by:VB ITS
ID: 40502743
On the RD Gateway server, open Administrative Tools > Remote Desktop Services > launch the Remote Desktop Gateway Manager > right click on your server name in the left pane > Properties > click on the SSL Certificate tab > verify that the correct certificate is showing underneath "The following certificate is installed on <SERVER NAME>".

If it's showing the old certificate that has expired, click "Select an existing certificate from the RD Gateway SERVER Certificates (Local Computer)/Personal store" > then click on the Import Certificate button > select your recently renewed certificate > OK > RD Gateway Manager should now show the correct certificate. Test the RD Gateway again.
(Attachment: RD-Gateway-SSL-Certificate.png)
If you still don't see the new SSL certificate, restart the Remote Desktop Gateway service (NB: this may kick out everyone currently logged in via RD Gateway).

Let me know how you go.

Author Comment

by:brainsurf1
ID: 40502782
We have already imported a valid SSL certificate into the RDS gateway MMC. This certificate was recently purchased and doesn't expire for several years.

Expert Comment

by:VB ITS
ID: 40502792
What happens when you open the Certificates MMC for the Local Computer/Personal store and double click on the new SSL certificate? Does it show up as valid?

Author Comment

by:brainsurf1
ID: 40502818
The certificate does show up as valid.

(Attachments: Certificate MMC, Certificate MMC 2)

Expert Comment

by:VB ITS
ID: 40502833
I'm assuming you deleted the old expired certificate from the store as well once it was replaced? Sorry, have to cross off the standard stuff first.

Do you see any warnings/errors in the logs when you attempt to connect remotely via RD Gateway?

Assisted Solution

by:v_2abhis2
v_2abhis2 earned 500 total points
ID: 40503768
Hi,

Could you please check the certificate revocation list for Rapid SSL; you will find the URL on the Details tab under the field CRL Distribution Points.

Browse to the URL, download the CRL file and open the Revocation List tab, then check the serial number of the certificate issued to you and make sure it's not on the CRL published by Rapid SSL.

Rapid SSL might have revoked your certificate because the certificate issued to you may be SHA-1 and they might have upgraded to SHA-2 (SHA-256) or a higher security algorithm.

As Google (Chrome) started displaying errors on the padlock icon for any website using SHA-1 SSL certificates from November, everyone is upgrading their infrastructure to SHA-2.

Review the attachment for an example.

Thanks
Abhishek
(Attachment: CRL.PNG)

Author Comment

by:brainsurf1
ID: 40504808
Thanks everyone for your responses. Abhishek, I downloaded the certificate revocation list from the URL provided in the details for the certificate. However, I was unable to find the serial number for our certificate in the revocation list.

One complication to this is that we have actually just reissued our RDS gateway certificates to use SHA-256 after they were previously all SHA-1. The certs were working fine until recently, but we have deleted the old certs from the server (issue persists).

Accepted Solution

by:brainsurf1
ID: 40513729
I believe I have resolved the issue: previously, we were using an SSL certificate with 4096-bit key length and SHA-256. I reissued the certificates using 2048-bit key length and SHA-256. We are no longer seeing this issue. I am guessing some clients had issues reading the larger bit length, although I am no expert in this field.

Author Closing Comment

by:brainsurf1
ID: 40519503
The server was not improperly configured. Our clients likely had issues with a larger bit length in the SSL certificate.
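The two checks this thread turned on, as an added example that is not part of the original posts: Abhishek's procedure (take the CRL URL from the certificate's CRL Distribution Points field, download the CRL, and look for your serial number in it) and the parameters the accepted solution ended up changing (RSA key size and signature algorithm). The code is mine, written in Go with only the standard library so it runs offline; it builds a constructed, throwaway PKI (a made-up test CA, a gateway certificate for the invented name rdgateway.example.com, and a CRL at the invented URL http://crl.example.com/example-ca.crl) instead of fetching anything from Rapid SSL. Against a real gateway you would export the certificate and its issuing CA certificate from the Certificates MMC, download the CRL from the real Distribution Point URL, and pass those to IsRevoked.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertFacts is what this thread ended up needing from the gateway certificate:
// serial (to look up in the CRL), CRL URLs, RSA key size and signature algorithm.
type CertFacts struct {
	Serial       string   // upper-case hex, as the Certificates MMC shows it
	KeyBits      int      // 0 if the key is not RSA
	SigAlgorithm string   // e.g. "SHA256-RSA"
	CRLURLs      []string // from the CRL Distribution Points extension
}

// Inspect reads those facts from a parsed certificate.
func Inspect(cert *x509.Certificate) CertFacts {
	f := CertFacts{Serial: fmt.Sprintf("%X", cert.SerialNumber), CRLURLs: cert.CRLDistributionPoints}
	f.SigAlgorithm = cert.SignatureAlgorithm.String()
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		f.KeyBits = pub.N.BitLen()
	}
	return f
}

// IsRevoked parses a DER CRL, insists it was signed by issuer and is not past its
// NextUpdate, then looks for cert's serial. Serials are compared as integers, so
// a leading "00" or different hex case in the MMC display cannot cause a miss.
func IsRevoked(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is stale, NextUpdate was %s", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Fixture builds a constructed, throwaway PKI so the example runs offline: a test
// CA, a gateway cert with an RSA key of leafKeyBits signed with SHA-256, and a CRL
// from that CA revoking it when revokeLeaf is true. Names, serial and URL are made up.
func Fixture(leafKeyBits int, revokeLeaf bool) (leaf, ca *x509.Certificate, crlDER []byte) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err = x509.ParseCertificate(caDER) // parsed CA carries the SubjectKeyId the CRL needs
	must(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, leafKeyBits)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1234ABCD), Subject: pkix.Name{CommonName: "rdgateway.example.com"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		CRLDistributionPoints: []string{"http://crl.example.com/example-ca.crl"},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err = x509.ParseCertificate(leafDER)
	must(err)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: nb, NextUpdate: na}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: nb}}
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	must(err)
	return leaf, ca, crlDER
}

func main() {
	leaf, ca, crlDER := Fixture(2048, false)
	revoked, err := IsRevoked(leaf, ca, crlDER)
	fmt.Printf("%+v revoked=%v err=%v\n", Inspect(leaf), revoked, err)
}
```

Two points worth keeping in mind when doing this by hand: verify the CRL's signature against the issuing CA before trusting a "not listed" result (an unsigned or stale CRL proves nothing), and compare serials as numbers rather than as the hex string the MMC displays. A clean CRL only rules out revocation; what the thread actually changed, the key length, is the KeyBits value Inspect reports, and it would never show up in a CRL.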