Remote Desktop Services (RDS) - Certificate not trusted

I have a new group of 2012 R2 servers. I have installed remote desktop services on them and configured a collection. The collection name is "farm1", and I have configured the round robin style DNS enteries for "farm1" to point to each IP of the terminal servers. So for each server, there is a "farm1" host record with the name "farm1" that points to the IP address of the terminal server.

Everything is working, except when anyone tries to connect, they get the dreaded error message: " The remote computer could not be authenticated due to problems with it's security cert"
Cert errors: " The certificate is not from a trusted certifying authority"

I have installed Active Directory Certificate Services, and created my Enterprise root CA. This is where I need the help.

Can someone please provide me exact steps on duplicating a template in the Cert manager of my CA, publish the cert to be available to install on the servers. Then, the steps to install it to the servers. I have not ever had a need to deploy AD CS before, and I have very limited knowledge in the subject. Please provide very detailed steps and it would be much appreciated. I do not wish to just " Don't ask me again".

How do I get the proper certificate from my own internal CA, to prevent this popup?

I have 4 terminal servers. They are named TS1 TS2 TS3 and TS4. They are load-balanced, so when someone RDP to the collection name" Farm1 ", they will get load-balanced to one of the TS servers.

Thanks in advance.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


You don't necessarily need an AD CA for this.
You can use GPOs to put those Terminalserver certificates into the trusted root authority container at the clients and the message is gone. Shown here:
For this specific issue all you need to do is to publish the root certificate you need the clients to trust using GPO.

Will any of the clients accessing your farm be doing so from outside your domain environment ?

Steps on publishing your root certificate:
To add certificates to the Trusted Root Certification Authorities store for a domain

    Click Start, point to Administrative Tools, and then click Group Policy Management.

    In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

    Right-click the Default Domain Policy GPO, and then click Edit.

    In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

   Right-click the Trusted Root Certification Authorities store.

   Click Import and follow the steps in the Certificate Import Wizard to import the certificates.

Reprinted from:
85PCAuthor Commented:
McKnife - Where do I pull the certificates from in order to deply via GPO into that store?

becraig -  Users may access the farm from an outside network, but they will use the RDP Gateway and that gateway will have an external domain name, and an external Certificate provided.

That being said, becraig , Can you tell me how to get the certificate I need on my local CA? What kind of template do I need to use, and what settings?

Are the steps you provided, steps on importing a 3rd party certificate? Since the 3rd party companies such as COMODO and VERISIGN, are no longer supporting .local certs, I need to be able to generate a cert with my local CA in my domain. I have a dedicated server for this.

Can you please explain how I would create that Cert on my CA for my Terminal servers to install, or that I could push out with a GPO?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

At the TS you can export it right through the rd management - just choose to view it and you will be able to export it. Also right at the warning message your screenshot is showing a button "view certificate", there also you can view and export it.
85PCAuthor Commented:
McKnife - I am sorry, but I am new to this entire process with AD CS. Can you please provide some exact detailed steps? Are you talking about issuing self signed certs? Also, under view certificate, there is only an option to install the certificate to the local machine or user. No export option.

I would like to do this via a my domain CA if possible, - becraig can you provide some detailed steps on doing that? It looks like you provided steps to import the certificate, but where/how do I get that certificate? I can't use a 3rd party trusted provider. Need to use my CA.

Thanks guys. Really appreciate the quick responses.
Click "view certificate", then move to the "details" tab and there you see the button "copy to file" and name it servername.cer -  There you have your certificate which you can now deploy using my first link's instructions.
85PCAuthor Commented:
McKnife - I think you are on to something and I appreciate the help. The problem is. The users connect to


So now, I added those certs to the trusted root like you said, but I get a mismatch error:

I am attaching a screen shot.
Mike TLeading EngineerCommented:

I did this the other day for a new NAS which had the same problem. The solution is to import a certificate into the Trusted Root Certificates Authority store (container).

On a client machine:
start the mmc.
Control M to get the add-remove snap-ins window
click certificates and click Add
select computer account
select local computer and click OK

Now the MMC will show the certs store for the machine.
Expand the certificates root and select the Trusted root and then right-click on it.
Local machine cert storeOn the pop-up menu you will see All Tasks with one task - Import.

Where did I get the cert? From the personal store of the server. Follow the same steps as above but look in the Personal store and you can Export the cert. I chose DER X.509, (.CER) which was a guess on my part. Note this was my home lab machine.

As the others say above you just need to export the cert.

Also for management it would be better to use a GPO to manage this but I think it's handy to know how to fix it manually first to understand what needs to go where before you start automating it all.

85PCAuthor Commented:

Please see my post above yours. I have exported the certs from the servers, the issue now, is that it doesn't say it's an untrusted certificate, it says its a mismatch name. It says that I am connecting to Farm1, but the actual server is TS1.

You have to remember that I am using the for a Remote Desktop Services deployment, 2012 R2, so I have a collection named Farm1.

So when users connect to Farm1, they are load balanced between 4 servers.

Can you please look at the screenshot and let me know what you think?
Mike TLeading EngineerCommented:

I think you have to use the FQDN name. You have set up your DNS to recognise farm1 (which goes to any of the four physical machines). I am guessing RDP resolves everything to the actual server names, which suggests you have to export 4 certificates and add them all to "Trusted". The key bit is getting the correct cert with the server name.

If you click "view cert" in the screenshot, what do you get?

85PCAuthor Commented:
I have 4 entries in DNS for Farm1.  Each entry is an Ip address of the 4 terminal servers in the farm. So an IP address for TS1, that points to farm1 host name, then TS2 , TS3 etc.

When I export the certificate for all 4 terminal servers, and then add it to the trusted root cert authority, That is when I get the mismatch name error. It says I am connecting to Farm1.domain.local, but the cert shows TS1.domain.local, If you click view certificate there, it just shows the cert of the TS server.

Does this make sense? Someone has had to have fixed this before..
85PC, I am sorry, I never Setup a farm to date, so I have nothing for you right now, but I am sure that manuals exist, even by Microsoft (howtos for TS farm Setup), that cover this very problem. ->search for the Phrase farm.domain.local , that will lead you to the paragrah that describes it. Maybe also read

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
From the links that McKnife posted it souns like you need to import the farm cert in to all of your RDS host if i am reading things correctly...

"If you set up an RD Session Host server farm, make sure to install the exact same certificate on all RD Session Host servers in the farm, and in any other farms you deploy. That way Web single sign-on (SSO) will work across all farm members and across all farms."
85PCAuthor Commented:
@compdigit44 -

It appears that in that article, they are using a public domain. such as, we cannot do this, we are using  a .local domain.

So how do I generate the certificate for my farm1.domain.local?  I have tried to generate a certificate from one of the RDSH, by going to MMC > Certs > Local computer.

Then I use the computer template, change the subject name to common name, input farm1.domain.local, but it still shows as the name of the server on the cert and all throughout the details of the certificate. I tried putting that cert in all the personal stores of the RDSH servers, but nothing,

I have googled this for days, so I am sure Google does have the answer...but I can't find it...

Does anyone else have thoughts?
I advised to take the first article and search for the Domain ending in .local and there you have it - they are talking a bout a local Domain. You only Need to find out how to issue a certificate for your farm (that then all TS' would implement).
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.