Solved

2008 RDS Security certificate name mismatch

Posted on 2015-01-26
6
137 Views
Last Modified: 2015-02-06
Hi guys,

I have a Windows 2008 RDS server farm with one session broker and two session hosts. When attempting to connect to the farm name (which is in DNS as a round robin setup), I get the attached certificate error. It doesn't matter if I install the certificate or trust it, I still am unable to connect without getting popups for both session hosts. Any help you can offer would be greatly appreciated. Thanks!

-Roy
0
Comment
Question by:roycbene
  • 3
  • 3
6 Comments
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40570826
There is no attachment.
0
 
LVL 3

Author Comment

by:roycbene
ID: 40570849
Not sure why that didn't attach. Here you are.
cert-error.JPG
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40571113
This error is displayed as by default RDS using self signed certificates and they are not part of a trusted root certificate server.  To get over this issue, you have two choices:  purchased SSL certificates from a vendor such as Verisign or if you have your own certificate server, generate a certificate on your root CA.  With AD, you can install your own Root CA.  Below is a link stating how you could do this:

http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 3

Author Comment

by:roycbene
ID: 40571201
Ok. I have a GoDaddy certificate that I installed with the farm name as one of the Subject Alternative names. My farm is set up like this

-Session Broker (RDS02)
-Two session hosts (RDS03 and RDS04)
-Round Robin in DNS where A record for Farm name is set on each session host IP.

Questions:

1. Do I need to install the certificate on the Session broker AND The two session hosts? If so, what store?
2. Do I need RDS03 and RDS04 as Subject Alternative Names in the certificate? Or will the farm name be sufficient.

Thanks!

-Roy
0
 
LVL 25

Accepted Solution

by:
Mohammed Khawaja earned 500 total points
ID: 40572715
You need one certificate which should be SAN and contain the FQDN for the gateway as well as the fqdn for each RDS server.
0
 
LVL 3

Author Comment

by:roycbene
ID: 40573241
Ok,

So I've rekeyed my public cert 'mail.mydomain.com'. The SANs in the cert have the farm name, as well as all individual servers. I assigned the cert and intermediates (all in the pfx file) to the server. I put the primary in the personal store and the intermediates, obviously, in the intermediate store (on each server). However, when users go to connect, they still get a name mismatch error. Why is this? Is having all the names in the SANs not enough?

-Roy
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question