Remote Desktop Services (RDS) - Certificate not trusted

Posted on 2014-12-23
Medium Priority
Last Modified: 2014-12-29
I have a new group of 2012 R2 servers. I have installed remote desktop services on them and configured a collection. The collection name is "farm1", and I have configured the round robin style DNS enteries for "farm1" to point to each IP of the terminal servers. So for each server, there is a "farm1" host record with the name "farm1" that points to the IP address of the terminal server.

Everything is working, except when anyone tries to connect, they get the dreaded error message: " The remote computer could not be authenticated due to problems with it's security cert"
Cert errors: " The certificate is not from a trusted certifying authority"

I have installed Active Directory Certificate Services, and created my Enterprise root CA. This is where I need the help.

Can someone please provide me exact steps on duplicating a template in the Cert manager of my CA, publish the cert to be available to install on the servers. Then, the steps to install it to the servers. I have not ever had a need to deploy AD CS before, and I have very limited knowledge in the subject. Please provide very detailed steps and it would be much appreciated. I do not wish to just " Don't ask me again".

How do I get the proper certificate from my own internal CA, to prevent this popup?

I have 4 terminal servers. They are named TS1 TS2 TS3 and TS4. They are load-balanced, so when someone RDP to the collection name" Farm1 ", they will get load-balanced to one of the TS servers.

Thanks in advance.
Question by:85PC
  • 6
  • 5
  • 2
  • +2
LVL 58

Expert Comment

ID: 40515735

You don't necessarily need an AD CA for this.
You can use GPOs to put those Terminalserver certificates into the trusted root authority container at the clients and the message is gone. Shown here: http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx
LVL 29

Expert Comment

ID: 40515736
For this specific issue all you need to do is to publish the root certificate you need the clients to trust using GPO.

Will any of the clients accessing your farm be doing so from outside your domain environment ?

Steps on publishing your root certificate:
To add certificates to the Trusted Root Certification Authorities store for a domain

    Click Start, point to Administrative Tools, and then click Group Policy Management.

    In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

    Right-click the Default Domain Policy GPO, and then click Edit.

    In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

   Right-click the Trusted Root Certification Authorities store.

   Click Import and follow the steps in the Certificate Import Wizard to import the certificates.

Reprinted from:

Author Comment

ID: 40515751
McKnife - Where do I pull the certificates from in order to deply via GPO into that store?

becraig -  Users may access the farm from an outside network, but they will use the RDP Gateway and that gateway will have an external domain name, and an external Certificate provided.

That being said, becraig , Can you tell me how to get the certificate I need on my local CA? What kind of template do I need to use, and what settings?

Are the steps you provided, steps on importing a 3rd party certificate? Since the 3rd party companies such as COMODO and VERISIGN, are no longer supporting .local certs, I need to be able to generate a cert with my local CA in my domain. I have a dedicated server for this.

Can you please explain how I would create that Cert on my CA for my Terminal servers to install, or that I could push out with a GPO?
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

LVL 58

Expert Comment

ID: 40515759
At the TS you can export it right through the rd management - just choose to view it and you will be able to export it. Also right at the warning message your screenshot is showing a button "view certificate", there also you can view and export it.

Author Comment

ID: 40515858
McKnife - I am sorry, but I am new to this entire process with AD CS. Can you please provide some exact detailed steps? Are you talking about issuing self signed certs? Also, under view certificate, there is only an option to install the certificate to the local machine or user. No export option.

I would like to do this via a my domain CA if possible, - becraig can you provide some detailed steps on doing that? It looks like you provided steps to import the certificate, but where/how do I get that certificate? I can't use a 3rd party trusted provider. Need to use my CA.

Thanks guys. Really appreciate the quick responses.
LVL 58

Expert Comment

ID: 40515887
Click "view certificate", then move to the "details" tab and there you see the button "copy to file" and name it servername.cer -  There you have your certificate which you can now deploy using my first link's instructions.

Author Comment

ID: 40516554
McKnife - I think you are on to something and I appreciate the help. The problem is. The users connect to


So now, I added those certs to the trusted root like you said, but I get a mismatch error:

I am attaching a screen shot.
LVL 19

Expert Comment

by:Mike T
ID: 40516819

I did this the other day for a new NAS which had the same problem. The solution is to import a certificate into the Trusted Root Certificates Authority store (container).

On a client machine:
start the mmc.
Control M to get the add-remove snap-ins window
click certificates and click Add
select computer account
select local computer and click OK

Now the MMC will show the certs store for the machine.
Expand the certificates root and select the Trusted root and then right-click on it.
Local machine cert storeOn the pop-up menu you will see All Tasks with one task - Import.

Where did I get the cert? From the personal store of the server. Follow the same steps as above but look in the Personal store and you can Export the cert. I chose DER X.509, (.CER) which was a guess on my part. Note this was my home lab machine.

As the others say above you just need to export the cert.

Also for management it would be better to use a GPO to manage this but I think it's handy to know how to fix it manually first to understand what needs to go where before you start automating it all.


Author Comment

ID: 40516840

Please see my post above yours. I have exported the certs from the servers, the issue now, is that it doesn't say it's an untrusted certificate, it says its a mismatch name. It says that I am connecting to Farm1, but the actual server is TS1.

You have to remember that I am using the for a Remote Desktop Services deployment, 2012 R2, so I have a collection named Farm1.

So when users connect to Farm1, they are load balanced between 4 servers.

Can you please look at the screenshot and let me know what you think?
LVL 19

Assisted Solution

by:Mike T
Mike T earned 1000 total points
ID: 40516958

I think you have to use the FQDN name. You have set up your DNS to recognise farm1 (which goes to any of the four physical machines). I am guessing RDP resolves everything to the actual server names, which suggests you have to export 4 certificates and add them all to "Trusted". The key bit is getting the correct cert with the server name.

If you click "view cert" in the screenshot, what do you get?


Author Comment

ID: 40516970
I have 4 entries in DNS for Farm1.  Each entry is an Ip address of the 4 terminal servers in the farm. So an IP address for TS1, that points to farm1 host name, then TS2 , TS3 etc.

When I export the certificate for all 4 terminal servers, and then add it to the trusted root cert authority, That is when I get the mismatch name error. It says I am connecting to Farm1.domain.local, but the cert shows TS1.domain.local, If you click view certificate there, it just shows the cert of the TS server.

Does this make sense? Someone has had to have fixed this before..
LVL 58

Accepted Solution

McKnife earned 1000 total points
ID: 40516971
85PC, I am sorry, I never Setup a farm to date, so I have nothing for you right now, but I am sure that manuals exist, even by Microsoft (howtos for TS farm Setup), that cover this very problem. http://technet.microsoft.com/en-us/magazine/hh987041.aspx ->search for the Phrase farm.domain.local , that will lead you to the paragrah that describes it. Maybe also read http://thewolfblog.com/2014/02/08/deploying-a-2012-2012r2-remote-desktop-services-farm/
LVL 20

Expert Comment

ID: 40517907
From the links that McKnife posted it souns like you need to import the farm cert in to all of your RDS host if i am reading things correctly...

"If you set up an RD Session Host server farm, make sure to install the exact same certificate on all RD Session Host servers in the farm, and in any other farms you deploy. That way Web single sign-on (SSO) will work across all farm members and across all farms."

Author Comment

ID: 40517924
@compdigit44 -

It appears that in that article, they are using a public domain. such as remote.domain.com, we cannot do this, we are using  a .local domain.

So how do I generate the certificate for my farm1.domain.local?  I have tried to generate a certificate from one of the RDSH, by going to MMC > Certs > Local computer.

Then I use the computer template, change the subject name to common name, input farm1.domain.local, but it still shows as the name of the server on the cert and all throughout the details of the certificate. I tried putting that cert in all the personal stores of the RDSH servers, but nothing,

I have googled this for days, so I am sure Google does have the answer...but I can't find it...

Does anyone else have thoughts?
LVL 58

Expert Comment

ID: 40518336
I advised to take the first article and search for the Domain ending in .local and there you have it - they are talking a bout a local Domain. You only Need to find out how to issue a certificate for your farm (that then all TS' would implement).

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Feeling responsible for an unfortunate ransomware infection on my parent's network, persistence paid off as I was able to decrypt a strain of ransomware that was not previously (or at least publicly) cracked. I hope this helps others out there affec…
In computing, Vulnerability assessment and penetration testing are used to assess systems in light of the organization's security posture, but they have different purposes.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question