Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.
Remote Desktop Gateway connection intermittent with certificate error
When attempting to remote desktop into an RDS gateway server, we are receiving the following error:
"Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked. Contact your network administrator for assistance."
The server is Windows Server 2008 R2, and we are positive the SSL certificate is valid. RDWeb is working fine and can be used to remote desktop other computers on the network without issue.
We have already tried reinstalling the RDS role and had the certificate reissued. We have been seeing this issue connecting from Windows 7, Server 2008, and from the Microsoft Remote Desktop app from iTunes. Oddly enough, if you keep trying, the connection will eventually succeed after a random number of times. On some systems, the connection succeeds nearly 100% of the time.
"Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked. Contact your network administrator for assistance."
The server is Windows Server 2008 R2, and we are positive the SSL certificate is valid. RDWeb is working fine and can be used to remote desktop other computers on the network without issue.
We have already tried reinstalling the RDS role and had the certificate reissued. We have been seeing this issue connecting from Windows 7, Server 2008, and from the Microsoft Remote Desktop app from iTunes. Oddly enough, if you keep trying, the connection will eventually succeed after a random number of times. On some systems, the connection succeeds nearly 100% of the time.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
We have already imported a valid SSL certificate into the RDS gateway MMC. This certificate was recently purchased and doesn't expire for several years.
What happens when you open the Certificates MMC for the Local Computer/Personal store and double click on the new SSL certificate? Does it show up as valid?
I'm assuming you deleted the old expired certificate from the store as well once it was replaced? Sorry, have to cross off the standard stuff first.
Do you see any warnings/errors in the logs when you attempt to connect remotely via RD Gateway?
Do you see any warnings/errors in the logs when you attempt to connect remotely via RD Gateway?
Hi,
Could you please check the certificate revocation list for Rapid SSL, you will find the URL on the details tab under the field CRL Distribution points.
Browse the url, download the CRL file and open the certificate revocation list tab, now check the Serial Number of the certificate issued to you and make sure its not there on the CRL list published by Rapid SSL
As Rapid SSL might have revoked your certificate because the certificate issued to you may be SHA-1 and they might have upgraded to SHA-2 (SHA-256) or higher security algorithm.
As Google (Chrome) started displaying errors on the padlock icon for any website using SHA-1 SSL certificates from November, so everyone is upgrading their infrastructure to SHA-2
Review the attachment for example
Thanks
Abhishek
CRL.PNG
Could you please check the certificate revocation list for Rapid SSL, you will find the URL on the details tab under the field CRL Distribution points.
Browse the url, download the CRL file and open the certificate revocation list tab, now check the Serial Number of the certificate issued to you and make sure its not there on the CRL list published by Rapid SSL
As Rapid SSL might have revoked your certificate because the certificate issued to you may be SHA-1 and they might have upgraded to SHA-2 (SHA-256) or higher security algorithm.
As Google (Chrome) started displaying errors on the padlock icon for any website using SHA-1 SSL certificates from November, so everyone is upgrading their infrastructure to SHA-2
Review the attachment for example
Thanks
Abhishek
CRL.PNG
Thanks everyone for your responses. Abhishek, I downloaded the certificate revocation list from the URL provided in the details for the certificate. However, I was unable to find the serial number for our certificate in the revocation list.
One complication to this is that we have actually just reissued our RDS gateway certificates to use SHA-256 after they were previously all SHA-1. The certs were working fine until recently, but we have deleted the old certs from the server (issue persists).
One complication to this is that we have actually just reissued our RDS gateway certificates to use SHA-256 after they were previously all SHA-1. The certs were working fine until recently, but we have deleted the old certs from the server (issue persists).
I believe I have resolved the issue: Previously, we were using an SSL certificate with 4096 bit length and SHA 256. I reissued the certificates using 2048 bit length and SHA 256. We are no longer seeing this issue. I am guessing some clients had issues reading the larger bit length, although I am no expert in this field.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
The server was not improperly configured. Our clients likely had issues with a larger bit length in the SSL certificate.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MCSE Microsoft Certified Systems Engineer - Identity … 440 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
If it's showing the old certificate that has expired, click Select an existing certificate from the RD Gateway SERVER Certificates (Local Computer)/Personal store > then click on the Import Certificate button > select your recently renewed certificate > OK > RD Gateway Manager show now show the correct certificate. Test the RD Gateway again.
If you still don't see the new SSL certificate, restart the Remote Desktop Gateway service (NB: this may kick out everyone currently logged in via RD Gateway).
Let me know how you go.