Solved

2008 RDS Security certificate name mismatch

Posted on 2015-01-26
6
Medium Priority
176 Views
Last Modified: 2015-02-06
Hi guys,

I have a Windows 2008 RDS server farm with one session broker and two session hosts. When attempting to connect to the farm name (which is in DNS as a round-robin setup), I get the attached certificate error. It doesn't matter if I install the certificate or trust it; I am still unable to connect without getting popups for both session hosts. Any help you can offer would be greatly appreciated. Thanks!

-Roy
0
Comment
Question by:roycbene
6 Comments
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40570826
There is no attachment.
0
 
LVL 3

Author Comment

by:roycbene
ID: 40570849
Not sure why that didn't attach. Here you are.
cert-error.JPG
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40571113
This error is displayed because, by default, RDS uses self-signed certificates, and they are not issued by a trusted root certificate server. To get over this issue, you have two choices: purchase SSL certificates from a vendor such as Verisign, or, if you have your own certificate server, generate a certificate on your root CA. With AD, you can install your own Root CA. Below is a link stating how you could do this:

http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html
0
 
LVL 3

Author Comment

by:roycbene
ID: 40571201
Ok. I have a GoDaddy certificate that I installed with the farm name as one of the Subject Alternative Names. My farm is set up like this:

- Session Broker (RDS02)
- Two session hosts (RDS03 and RDS04)
- Round-robin in DNS, where an A record for the farm name points to each session host IP.

Questions:

1. Do I need to install the certificate on the Session Broker AND the two session hosts? If so, in what store?
2. Do I need RDS03 and RDS04 as Subject Alternative Names in the certificate? Or will the farm name be sufficient?

Thanks!

-Roy
0
 
LVL 25

Accepted Solution

by:
Mohammed Khawaja earned 1000 total points
ID: 40572715
You need one certificate, which should be a SAN certificate and contain the FQDN for the gateway as well as the FQDN for each RDS server.
0
 
LVL 3

Author Comment

by:roycbene
ID: 40573241
Ok,

So I've rekeyed my public cert 'mail.mydomain.com'. The SANs in the cert have the farm name as well as all the individual servers. I assigned the cert and intermediates (all in the pfx file) to the server. I put the primary in the personal store and the intermediates, obviously, in the intermediate store (on each server). However, when users go to connect, they still get a name mismatch error. Why is this? Is having all the names in the SANs not enough?

-Roy
0
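The thread converges on two separate conditions for the mismatch error to go away: the certificate must carry the farm name and every session host FQDN as SAN entries (the accepted answer), and each session host's RDP-Tcp listener must actually be configured to present that certificate. On Server 2008 / 2008 R2, placing a certificate in the LocalMachine\My store does not change what the listener presents; the listener keeps its auto-generated self-signed certificate until a thumbprint is assigned to it (via Remote Desktop Session Host Configuration or WMI). The following PowerShell audit script is an added example, not code from the thread or from Microsoft; it is meant to be run elevated on each session host. The four FQDNs in `$ExpectedNames` are placeholders standing in for the farm name and the RDS02/RDS03/RDS04 hosts from the question, and the script assumes an English-locale SAN rendering ("DNS Name=...") and does not evaluate wildcard SAN entries.

```powershell
# Added example (not from the original thread): report which certificate the
# RDP-Tcp listener presents and whether its SAN list covers every name a client
# can be pointed at (farm name, plus each host the broker may redirect to).
# Placeholder FQDNs; replace with the real farm name and host names.
$ExpectedNames = @(
    'rdsfarm.mydomain.com',   # farm name (round-robin A records)
    'rds02.mydomain.com',     # session broker
    'rds03.mydomain.com',     # session host
    'rds04.mydomain.com'      # session host
)

# Return the DNS names listed in a certificate's SAN extension (OID 2.5.29.17).
function Get-CertSanNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($false) renders e.g. "DNS Name=a.example.com, DNS Name=b.example.com"
    $ext.Format($false) -split ',\s*' |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() } |
        Where-Object { $_ -ne '' }
}

# Names from $ExpectedNames that a certificate does NOT cover (case-insensitive).
function Get-MissingNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = @(Get-CertSanNames $Cert)
    $ExpectedNames | Where-Object { $san -notcontains $_ }
}

# 1. Which thumbprint is the RDP-Tcp listener actually configured with?
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) { throw 'RDP-Tcp listener not found (is this a session host?)' }
$boundHash = $listener.SSLCertificateSHA1Hash
Write-Host "RDP-Tcp listener thumbprint: $boundHash"

# 2. Is that thumbprint one of the certificates installed in LocalMachine\My?
$bound = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $boundHash }
if (-not $bound) {
    Write-Warning 'Listener thumbprint is not in LocalMachine\My; the listener is most likely still presenting the auto-generated self-signed certificate.'
} else {
    Write-Host "Listener certificate subject: $($bound.Subject)"
    $missing = @(Get-MissingNames $bound)
    if ($missing.Count -gt 0) {
        Write-Warning ("Bound certificate lacks SAN entries for: " + ($missing -join ', '))
    } else {
        Write-Host 'Bound certificate covers all expected names.'
    }
}

# 3. Find an installed certificate that does cover every name, and show how to bind it.
$candidate = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { @(Get-MissingNames $_).Count -eq 0 -and $_.HasPrivateKey } |
    Select-Object -First 1
if ($candidate -and $candidate.Thumbprint -ne $boundHash) {
    Write-Host "Certificate $($candidate.Thumbprint) covers all names but is not bound to the listener."
    Write-Host 'To bind it, run elevated on this host:'
    Write-Host "  wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=`"$($candidate.Thumbprint)`""
} elseif (-not $candidate) {
    Write-Warning 'No certificate with a private key in LocalMachine\My covers every expected name; the SAN list itself needs fixing.'
}
```

The script deliberately separates the two checks: step 2 tells you whether the listener is using the certificate you installed at all, and step 3 tells you whether any installed certificate would satisfy the names the client will see. If the listener still reports a thumbprint that is not in LocalMachine\My, the SAN contents are irrelevant until the binding is corrected; if it reports the public certificate but names are missing, the certificate must be reissued. The `Win32_TSGeneralSetting` class and its `SSLCertificateSHA1Hash` property are the same WMI surface the Session Host Configuration snap-in writes to, so the binding change can be made from the script (`$listener.SSLCertificateSHA1Hash = $thumb; $listener.Put()`) instead of via wmic if preferred.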
