Solved

Remote Desktop Services (RDS) - Certificate not trusted

Posted on 2014-12-23
Last Modified: 2014-12-29
I have a new group of 2012 R2 servers. I have installed remote desktop services on them and configured a collection. The collection name is "farm1", and I have configured the round robin style DNS entries for "farm1" to point to each IP of the terminal servers. So for each server, there is a "farm1" host record with the name "farm1" that points to the IP address of the terminal server.

Everything is working, except when anyone tries to connect, they get the dreaded error message: "The remote computer could not be authenticated due to problems with its security cert"
Cert errors: " The certificate is not from a trusted certifying authority"

I have installed Active Directory Certificate Services, and created my Enterprise root CA. This is where I need the help.

Can someone please provide me exact steps on duplicating a template in the Cert manager of my CA, publish the cert to be available to install on the servers. Then, the steps to install it to the servers. I have not ever had a need to deploy AD CS before, and I have very limited knowledge in the subject. Please provide very detailed steps and it would be much appreciated. I do not wish to just "Don't ask me again".

How do I get the proper certificate from my own internal CA, to prevent this popup?

I have 4 terminal servers. They are named TS1, TS2, TS3 and TS4. They are load-balanced, so when someone RDPs to the collection name "Farm1", they will get load-balanced to one of the TS servers.

Thanks in advance.
Cert-issue.JPG
Question by:85PC
 
Expert Comment

by:McKnife
ID: 40515735
Hi.

You don't necessarily need an AD CA for this.
You can use GPOs to put those Terminal Server certificates into the trusted root authority container at the clients and the message is gone. Shown here: http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx

Expert Comment

by:becraig
ID: 40515736
For this specific issue all you need to do is to publish the root certificate you need the clients to trust using GPO.

Will any of the clients accessing your farm be doing so from outside your domain environment ?

Steps on publishing your root certificate:
To add certificates to the Trusted Root Certification Authorities store for a domain

    Click Start, point to Administrative Tools, and then click Group Policy Management.

    In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

    Right-click the Default Domain Policy GPO, and then click Edit.

    In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

   Right-click the Trusted Root Certification Authorities store.

   Click Import and follow the steps in the Certificate Import Wizard to import the certificates.


Reprinted from:
http://technet.microsoft.com/en-us/library/cc772491.aspx

Author Comment

by:85PC
ID: 40515751
McKnife - Where do I pull the certificates from in order to deploy via GPO into that store?



becraig -  Users may access the farm from an outside network, but they will use the RDP Gateway and that gateway will have an external domain name, and an external Certificate provided.

That being said, becraig , Can you tell me how to get the certificate I need on my local CA? What kind of template do I need to use, and what settings?

Are the steps you provided, steps on importing a 3rd party certificate? Since the 3rd party companies such as COMODO and VERISIGN, are no longer supporting .local certs, I need to be able to generate a cert with my local CA in my domain. I have a dedicated server for this.

Can you please explain how I would create that Cert on my CA for my Terminal servers to install, or that I could push out with a GPO?

Expert Comment

by:McKnife
ID: 40515759
At the TS you can export it right through the RD management - just choose to view it and you will be able to export it. Also right at the warning message your screenshot is showing a button "View certificate"; there also you can view and export it.

Author Comment

by:85PC
ID: 40515858
McKnife - I am sorry, but I am new to this entire process with AD CS. Can you please provide some exact detailed steps? Are you talking about issuing self signed certs? Also, under view certificate, there is only an option to install the certificate to the local machine or user. No export option.



I would like to do this via a my domain CA if possible, - becraig can you provide some detailed steps on doing that? It looks like you provided steps to import the certificate, but where/how do I get that certificate? I can't use a 3rd party trusted provider. Need to use my CA.

Thanks guys. Really appreciate the quick responses.

Expert Comment

by:McKnife
ID: 40515887
Click "view certificate", then move to the "details" tab and there you see the button "copy to file" and name it servername.cer -  There you have your certificate which you can now deploy using my first link's instructions.

Author Comment

by:85PC
ID: 40516554
McKnife - I think you are on to something and I appreciate the help. The problem is, the users connect to

farm1.domain.local

So now, I added those certs to the trusted root like you said, but I get a mismatch error:

I am attaching a screen shot.
Mismatch-server.JPG

Expert Comment

by:Mike T
ID: 40516819
Hi,

I did this the other day for a new NAS which had the same problem. The solution is to import a certificate into the Trusted Root Certificates Authority store (container).

On a client machine:
start the mmc.
Control M to get the add-remove snap-ins window
click certificates and click Add
select computer account
select local computer and click OK

Now the MMC will show the certs store for the machine.
Expand the certificates root and select the Trusted root and then right-click on it.
On the pop-up menu you will see All Tasks with one task - Import.

Where did I get the cert? From the personal store of the server. Follow the same steps as above but look in the Personal store and you can Export the cert. I chose DER X.509, (.CER) which was a guess on my part. Note this was my home lab machine.

As the others say above you just need to export the cert.

Also for management it would be better to use a GPO to manage this but I think it's handy to know how to fix it manually first to understand what needs to go where before you start automating it all.

Mike
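
The export-and-trust procedure that McKnife ("Copy to File") and Mike T (MMC import into Trusted Root) describe, condensed into PowerShell, with the two checks an RDP client performs bolted on the end. This is an added example and not code from the thread or from Microsoft's articles. It assumes it is run as an administrator on TS1, that the RDP-Tcp listener still uses its auto-generated self-signed certificate, and that WinRM is enabled on a hypothetical domain-joined client named client1.domain.local. The last step reproduces the name-mismatch result 85PC reports above: once the host certificate is in Trusted Root the chain validates, but the name in it is still ts1.domain.local, not the farm name users connect to.

```powershell
# Added example (not from the thread). Run as administrator on a session host (TS1).
# Assumptions: 'client1.domain.local' is a hypothetical domain-joined client with WinRM
# enabled; the RDP-Tcp listener still uses its auto-generated self-signed certificate.
$server   = 'ts1.domain.local'
$client   = 'client1.domain.local'        # hypothetical
$farmName = 'farm1.domain.local'          # the name users actually type
$cerPath  = Join-Path $env:TEMP "$server.cer"

# 1. Find the certificate the RDP listener really presents. Read its thumbprint from the
#    listener settings instead of guessing the store: on 2012 R2 the self-signed one lives
#    in the "Remote Desktop" store, not in Personal.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                          -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$cert = Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $listener.SSLCertificateSHA1Hash } |
        Select-Object -First 1
if (-not $cert) { throw "Listener certificate $($listener.SSLCertificateSHA1Hash) not found" }

# 2. Export the public part only, DER-encoded (.cer): the same file the certificate viewer's
#    "Copy to File..." produces. The private key stays on the server; a client only needs the .cer.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
"$server presents Subject=$($cert.Subject) SAN=$san"

# 3. On the client: import into Trusted Root Certification Authorities (the MMC steps above),
#    then run the two checks an RDP client performs: is the chain trusted, and does a name in
#    the certificate match the name that was connected to.
$der = [IO.File]::ReadAllBytes($cerPath)   # pass bytes, so the remote session needs no share access
Invoke-Command -ComputerName $client -ArgumentList $der, $server, $farmName -ScriptBlock {
    param([byte[]]$Der, [string]$Server, [string]$Farm)
    $tmp = Join-Path $env:TEMP 'rds-host.cer'
    [IO.File]::WriteAllBytes($tmp, $Der)
    $c = Import-Certificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\Root
    Remove-Item $tmp
    [pscustomobject]@{
        Client        = $env:COMPUTERNAME
        ChainTrusted  = $c.Verify()
        NameMatchHost = Test-Certificate -Cert $c -Policy SSL -DNSName $Server -ErrorAction SilentlyContinue
        NameMatchFarm = Test-Certificate -Cert $c -Policy SSL -DNSName $Farm   -ErrorAction SilentlyContinue
    }
}
```

ChainTrusted True together with NameMatchFarm False is the second screenshot: trusting the per-host certificates removes the "not from a trusted certifying authority" error but cannot remove the name mismatch, because the certificate itself has to carry farm1.domain.local. To push the same .cer to all domain clients instead of one, import it into a GPO under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities (becraig's steps), or publish it with `certutil -dspublish -f ts1.domain.local.cer RootCA`, which places it in AD's Certification Authorities container from where domain members pull it into the same store. One caveat before doing either: a certificate in Trusted Root is a trust anchor for that client, and a self-signed RDP listener certificate was never meant to be one; its private key sits on the session host with none of the protections a CA key gets, which is one more reason the thread ends up at the Enterprise CA.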

Author Comment

by:85PC
ID: 40516840
Mike,

Please see my post above yours. I have exported the certs from the servers; the issue now is that it doesn't say it's an untrusted certificate, it says it's a name mismatch. It says that I am connecting to Farm1, but the actual server is TS1.

You have to remember that I am using this for a Remote Desktop Services deployment, 2012 R2, so I have a collection named Farm1.

So when users connect to Farm1, they are load balanced between 4 servers.

Can you please look at the screenshot and let me know what you think?

Assisted Solution

by:Mike T
Mike T earned 250 total points
ID: 40516958
Hi,

I think you have to use the FQDN name. You have set up your DNS to recognise farm1 (which goes to any of the four physical machines). I am guessing RDP resolves everything to the actual server names, which suggests you have to export 4 certificates and add them all to "Trusted". The key bit is getting the correct cert with the server name.

If you click "view cert" in the screenshot, what do you get?

Mike

Author Comment

by:85PC
ID: 40516970
I have 4 entries in DNS for Farm1. Each entry is an IP address of the 4 terminal servers in the farm. So an IP address for TS1, that points to the farm1 host name, then TS2, TS3 etc.

When I export the certificate for all 4 terminal servers, and then add it to the trusted root cert authority, that is when I get the mismatch name error. It says I am connecting to Farm1.domain.local, but the cert shows TS1.domain.local. If you click view certificate there, it just shows the cert of the TS server.

Does this make sense? Someone has had to have fixed this before..

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 40516971
85PC, I am sorry, I never set up a farm to date, so I have nothing for you right now, but I am sure that manuals exist, even by Microsoft (how-tos for TS farm setup), that cover this very problem. http://technet.microsoft.com/en-us/magazine/hh987041.aspx -> search for the phrase farm.domain.local, that will lead you to the paragraph that describes it. Maybe also read http://thewolfblog.com/2014/02/08/deploying-a-2012-2012r2-remote-desktop-services-farm/

Expert Comment

by:compdigit44
ID: 40517907
From the links that McKnife posted it sounds like you need to import the farm cert into all of your RDS hosts, if I am reading things correctly...


"If you set up an RD Session Host server farm, make sure to install the exact same certificate on all RD Session Host servers in the farm, and in any other farms you deploy. That way Web single sign-on (SSO) will work across all farm members and across all farms."

Author Comment

by:85PC
ID: 40517924
@compdigit44 -

It appears that in that article, they are using a public domain. such as remote.domain.com, we cannot do this, we are using  a .local domain.

So how do I generate the certificate for my farm1.domain.local?  I have tried to generate a certificate from one of the RDSH, by going to MMC > Certs > Local computer.

Then I use the computer template, change the subject name to common name, input farm1.domain.local, but it still shows as the name of the server on the cert and all throughout the details of the certificate. I tried putting that cert in all the personal stores of the RDSH servers, but nothing.

I have googled this for days, so I am sure Google does have the answer...but I can't find it...

Does anyone else have thoughts?

Expert Comment

by:McKnife
ID: 40518336
I advised to take the first article and search for the domain ending in .local and there you have it - they are talking about a local domain. You only need to find out how to issue a certificate for your farm (that then all TSs would implement).
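
The step McKnife is pointing at, and the one compdigit44's quote requires: issue one certificate for the farm name and install that same certificate on every session host. What follows is an added PowerShell example, not code from the thread or from the linked articles. It assumes a hypothetical template named RDSFarmServer on the Enterprise CA, duplicated from Computer with the Subject Name tab set to "Supply in the request" (the stock Computer template builds the subject from the AD computer object, which is why 85PC's attempt above still shows the server name), Server Authentication in its EKU, "Allow private key to be exported" ticked, and Enroll permission for the session hosts; that the template uses the default CSP provider (the key-ACL step relies on it); and that WinRM is enabled on all four hosts. Run it once on TS1 as a domain administrator.

```powershell
# Added example (not from the thread). Run once on TS1 as a domain admin.
# Hypothetical: the template name. Host and farm names are the ones from the question.
$farmFqdn  = 'farm1.domain.local'
$hostNames = 'ts1','ts2','ts3','ts4' | ForEach-Object { "$_.domain.local" }
$template  = 'RDSFarmServer'            # duplicated from Computer, subject "Supply in the request"
$pfxPath   = Join-Path $env:TEMP 'farm1.pfx'
$pfxPwd    = Read-Host -AsSecureString 'PFX password'

# 1. One request, one certificate: CN = farm name, SAN = farm name plus every host name.
#    The RDP client compares the name it connected to (farm1.domain.local) with the SAN/CN,
#    so the farm name is mandatory; the host names keep direct connections to ts1..ts4 clean too.
$req = Get-Certificate -Template $template -SubjectName "CN=$farmFqdn" `
                       -DnsName (@($farmFqdn) + $hostNames) -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') {
    throw "Enrollment not issued (status: $($req.Status)); check template permissions and subject settings"
}
$farmCert = $req.Certificate

# 2. Export with the private key: every host in the farm must present the SAME certificate.
Export-PfxCertificate -Cert $farmCert -FilePath $pfxPath -Password $pfxPwd | Out-Null
$pfxBytes = [IO.File]::ReadAllBytes($pfxPath)   # pass bytes: the remote session needs no share access

# 3. On every host: import, let the RDP service (NETWORK SERVICE) read the private key,
#    bind the certificate to the RDP-Tcp listener, and verify it against the farm name.
$results = foreach ($h in $hostNames) {
    Invoke-Command -ComputerName $h -ArgumentList $pfxBytes, $pfxPwd, $farmFqdn -ScriptBlock {
        param([byte[]]$Pfx, [securestring]$Pwd, [string]$Farm)
        $tmp = Join-Path $env:TEMP 'farm.pfx'
        [IO.File]::WriteAllBytes($tmp, $Pfx)
        $c = Import-PfxCertificate -FilePath $tmp -Password $Pwd -CertStoreLocation Cert:\LocalMachine\My
        Remove-Item $tmp

        # Private-key ACL: TermService runs as NETWORK SERVICE and must be able to read the key,
        # otherwise Schannel cannot use it (assumes a CSP key container under MachineKeys).
        $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' +
                   $c.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)
        icacls $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null

        # Bind to the listener; this replaces the self-signed certificate for new connections.
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
        $ts.SSLCertificateSHA1Hash = $c.Thumbprint
        $ts.Put() | Out-Null

        [pscustomobject]@{
            Host         = $env:COMPUTERNAME
            Thumbprint   = $ts.SSLCertificateSHA1Hash
            ValidForFarm = Test-Certificate -Cert $c -Policy SSL -DNSName $Farm -ErrorAction SilentlyContinue
        }
    }
}
$results | Format-Table -AutoSize
Remove-Item $pfxPath    # every host has the key now; do not leave the PFX in %TEMP%
```

All four rows should show the same thumbprint and ValidForFarm True; because the issuing CA is the domain's Enterprise CA, domain-joined clients already trust its root and the first error disappears without any per-host certificate in Trusted Root. The Connection Broker, Web Access and Gateway roles carry their own certificates, set through Set-RDCertificate with -Role RDRedirector, RDPublishing, RDWebAccess or RDGateway; the external gateway name stays on the public certificate, as 85PC describes above.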