Remote Desktop Services (RDS) - Certificate not trusted
I have a new group of 2012 R2 servers. I have installed remote desktop services on them and configured a collection. The collection name is "farm1", and I have configured the round robin style DNS enteries for "farm1" to point to each IP of the terminal servers. So for each server, there is a "farm1" host record with the name "farm1" that points to the IP address of the terminal server.
Everything is working, except when anyone tries to connect, they get the dreaded error message: " The remote computer could not be authenticated due to problems with it's security cert"
Cert errors: " The certificate is not from a trusted certifying authority"
I have installed Active Directory Certificate Services, and created my Enterprise root CA. This is where I need the help.
Can someone please provide me exact steps on duplicating a template in the Cert manager of my CA, publish the cert to be available to install on the servers. Then, the steps to install it to the servers. I have not ever had a need to deploy AD CS before, and I have very limited knowledge in the subject. Please provide very detailed steps and it would be much appreciated. I do not wish to just " Don't ask me again".
How do I get the proper certificate from my own internal CA, to prevent this popup?
I have 4 terminal servers. They are named TS1 TS2 TS3 and TS4. They are load-balanced, so when someone RDP to the collection name" Farm1 ", they will get load-balanced to one of the TS servers.
Thanks in advance.
Cert-issue.JPG
Everything is working, except when anyone tries to connect, they get the dreaded error message: " The remote computer could not be authenticated due to problems with it's security cert"
Cert errors: " The certificate is not from a trusted certifying authority"
I have installed Active Directory Certificate Services, and created my Enterprise root CA. This is where I need the help.
Can someone please provide me exact steps on duplicating a template in the Cert manager of my CA, publish the cert to be available to install on the servers. Then, the steps to install it to the servers. I have not ever had a need to deploy AD CS before, and I have very limited knowledge in the subject. Please provide very detailed steps and it would be much appreciated. I do not wish to just " Don't ask me again".
How do I get the proper certificate from my own internal CA, to prevent this popup?
I have 4 terminal servers. They are named TS1 TS2 TS3 and TS4. They are load-balanced, so when someone RDP to the collection name" Farm1 ", they will get load-balanced to one of the TS servers.
Thanks in advance.
Cert-issue.JPG
For this specific issue all you need to do is to publish the root certificate you need the clients to trust using GPO.
Will any of the clients accessing your farm be doing so from outside your domain environment ?
Steps on publishing your root certificate:
To add certificates to the Trusted Root Certification Authorities store for a domain
Click Start, point to Administrative Tools, and then click Group Policy Management.
In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
Right-click the Default Domain Policy GPO, and then click Edit.
In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
Reprinted from:
http://technet.microsoft.com/en-us/library/cc772491.aspx
Will any of the clients accessing your farm be doing so from outside your domain environment ?
Steps on publishing your root certificate:
To add certificates to the Trusted Root Certification Authorities store for a domain
Click Start, point to Administrative Tools, and then click Group Policy Management.
In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
Right-click the Default Domain Policy GPO, and then click Edit.
In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
Right-click the Trusted Root Certification Authorities store.
Click Import and follow the steps in the Certificate Import Wizard to import the certificates.
Reprinted from:
http://technet.microsoft.com/en-us/library/cc772491.aspx
ASKER
McKnife - Where do I pull the certificates from in order to deply via GPO into that store?
becraig - Users may access the farm from an outside network, but they will use the RDP Gateway and that gateway will have an external domain name, and an external Certificate provided.
That being said, becraig , Can you tell me how to get the certificate I need on my local CA? What kind of template do I need to use, and what settings?
Are the steps you provided, steps on importing a 3rd party certificate? Since the 3rd party companies such as COMODO and VERISIGN, are no longer supporting .local certs, I need to be able to generate a cert with my local CA in my domain. I have a dedicated server for this.
Can you please explain how I would create that Cert on my CA for my Terminal servers to install, or that I could push out with a GPO?
becraig - Users may access the farm from an outside network, but they will use the RDP Gateway and that gateway will have an external domain name, and an external Certificate provided.
That being said, becraig , Can you tell me how to get the certificate I need on my local CA? What kind of template do I need to use, and what settings?
Are the steps you provided, steps on importing a 3rd party certificate? Since the 3rd party companies such as COMODO and VERISIGN, are no longer supporting .local certs, I need to be able to generate a cert with my local CA in my domain. I have a dedicated server for this.
Can you please explain how I would create that Cert on my CA for my Terminal servers to install, or that I could push out with a GPO?
At the TS you can export it right through the rd management - just choose to view it and you will be able to export it. Also right at the warning message your screenshot is showing a button "view certificate", there also you can view and export it.
ASKER
McKnife - I am sorry, but I am new to this entire process with AD CS. Can you please provide some exact detailed steps? Are you talking about issuing self signed certs? Also, under view certificate, there is only an option to install the certificate to the local machine or user. No export option.
I would like to do this via a my domain CA if possible, - becraig can you provide some detailed steps on doing that? It looks like you provided steps to import the certificate, but where/how do I get that certificate? I can't use a 3rd party trusted provider. Need to use my CA.
Thanks guys. Really appreciate the quick responses.
I would like to do this via a my domain CA if possible, - becraig can you provide some detailed steps on doing that? It looks like you provided steps to import the certificate, but where/how do I get that certificate? I can't use a 3rd party trusted provider. Need to use my CA.
Thanks guys. Really appreciate the quick responses.
Click "view certificate", then move to the "details" tab and there you see the button "copy to file" and name it servername.cer - There you have your certificate which you can now deploy using my first link's instructions.
ASKER
McKnife - I think you are on to something and I appreciate the help. The problem is. The users connect to
farm1.domain.local
So now, I added those certs to the trusted root like you said, but I get a mismatch error:
I am attaching a screen shot.
Mismatch-server.JPG
farm1.domain.local
So now, I added those certs to the trusted root like you said, but I get a mismatch error:
I am attaching a screen shot.
Mismatch-server.JPG
Hi,
I did this the other day for a new NAS which had the same problem. The solution is to import a certificate into the Trusted Root Certificates Authority store (container).
On a client machine:
start the mmc.
Control M to get the add-remove snap-ins window
click certificates and click Add
select computer account
select local computer and click OK
Now the MMC will show the certs store for the machine.
Expand the certificates root and select the Trusted root and then right-click on it.
On the pop-up menu you will see All Tasks with one task - Import.
Where did I get the cert? From the personal store of the server. Follow the same steps as above but look in the Personal store and you can Export the cert. I chose DER X.509, (.CER) which was a guess on my part. Note this was my home lab machine.
As the others say above you just need to export the cert.
Also for management it would be better to use a GPO to manage this but I think it's handy to know how to fix it manually first to understand what needs to go where before you start automating it all.
Mike
I did this the other day for a new NAS which had the same problem. The solution is to import a certificate into the Trusted Root Certificates Authority store (container).
On a client machine:
start the mmc.
Control M to get the add-remove snap-ins window
click certificates and click Add
select computer account
select local computer and click OK
Now the MMC will show the certs store for the machine.
Expand the certificates root and select the Trusted root and then right-click on it.
On the pop-up menu you will see All Tasks with one task - Import.Where did I get the cert? From the personal store of the server. Follow the same steps as above but look in the Personal store and you can Export the cert. I chose DER X.509, (.CER) which was a guess on my part. Note this was my home lab machine.
As the others say above you just need to export the cert.
Also for management it would be better to use a GPO to manage this but I think it's handy to know how to fix it manually first to understand what needs to go where before you start automating it all.
Mike
ASKER
Mike,
Please see my post above yours. I have exported the certs from the servers, the issue now, is that it doesn't say it's an untrusted certificate, it says its a mismatch name. It says that I am connecting to Farm1, but the actual server is TS1.
You have to remember that I am using the for a Remote Desktop Services deployment, 2012 R2, so I have a collection named Farm1.
So when users connect to Farm1, they are load balanced between 4 servers.
Can you please look at the screenshot and let me know what you think?
Please see my post above yours. I have exported the certs from the servers, the issue now, is that it doesn't say it's an untrusted certificate, it says its a mismatch name. It says that I am connecting to Farm1, but the actual server is TS1.
You have to remember that I am using the for a Remote Desktop Services deployment, 2012 R2, so I have a collection named Farm1.
So when users connect to Farm1, they are load balanced between 4 servers.
Can you please look at the screenshot and let me know what you think?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I have 4 entries in DNS for Farm1. Each entry is an Ip address of the 4 terminal servers in the farm. So an IP address for TS1, that points to farm1 host name, then TS2 , TS3 etc.
When I export the certificate for all 4 terminal servers, and then add it to the trusted root cert authority, That is when I get the mismatch name error. It says I am connecting to Farm1.domain.local, but the cert shows TS1.domain.local, If you click view certificate there, it just shows the cert of the TS server.
Does this make sense? Someone has had to have fixed this before..
When I export the certificate for all 4 terminal servers, and then add it to the trusted root cert authority, That is when I get the mismatch name error. It says I am connecting to Farm1.domain.local, but the cert shows TS1.domain.local, If you click view certificate there, it just shows the cert of the TS server.
Does this make sense? Someone has had to have fixed this before..
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
From the links that McKnife posted it souns like you need to import the farm cert in to all of your RDS host if i am reading things correctly...
"If you set up an RD Session Host server farm, make sure to install the exact same certificate on all RD Session Host servers in the farm, and in any other farms you deploy. That way Web single sign-on (SSO) will work across all farm members and across all farms."
"If you set up an RD Session Host server farm, make sure to install the exact same certificate on all RD Session Host servers in the farm, and in any other farms you deploy. That way Web single sign-on (SSO) will work across all farm members and across all farms."
ASKER
@compdigit44 -
It appears that in that article, they are using a public domain. such as remote.domain.com, we cannot do this, we are using a .local domain.
So how do I generate the certificate for my farm1.domain.local? I have tried to generate a certificate from one of the RDSH, by going to MMC > Certs > Local computer.
Then I use the computer template, change the subject name to common name, input farm1.domain.local, but it still shows as the name of the server on the cert and all throughout the details of the certificate. I tried putting that cert in all the personal stores of the RDSH servers, but nothing,
I have googled this for days, so I am sure Google does have the answer...but I can't find it...
Does anyone else have thoughts?
It appears that in that article, they are using a public domain. such as remote.domain.com, we cannot do this, we are using a .local domain.
So how do I generate the certificate for my farm1.domain.local? I have tried to generate a certificate from one of the RDSH, by going to MMC > Certs > Local computer.
Then I use the computer template, change the subject name to common name, input farm1.domain.local, but it still shows as the name of the server on the cert and all throughout the details of the certificate. I tried putting that cert in all the personal stores of the RDSH servers, but nothing,
I have googled this for days, so I am sure Google does have the answer...but I can't find it...
Does anyone else have thoughts?
I advised to take the first article and search for the Domain ending in .local and there you have it - they are talking a bout a local Domain. You only Need to find out how to issue a certificate for your farm (that then all TS' would implement).
You don't necessarily need an AD CA for this.
You can use GPOs to put those Terminalserver certificates into the trusted root authority container at the clients and the message is gone. Shown here: http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx