Solved

2008 RDS Security certificate name mismatch

Posted on 2015-01-26
6
127 Views
Last Modified: 2015-02-06
Hi guys,

I have a Windows 2008 RDS server farm with one session broker and two session hosts. When attempting to connect to the farm name (which is in DNS as a round robin setup), I get the attached certificate error. It doesn't matter if I install the certificate or trust it, I still am unable to connect without getting popups for both session hosts. Any help you can offer would be greatly appreciated. Thanks!

-Roy
0
Comment
Question by:roycbene
  • 3
  • 3
6 Comments
 
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40570826
There is no attachment.
0
 
LVL 3

Author Comment

by:roycbene
ID: 40570849
Not sure why that didn't attach. Here you are.
cert-error.JPG
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40571113
This error is displayed as by default RDS using self signed certificates and they are not part of a trusted root certificate server.  To get over this issue, you have two choices:  purchased SSL certificates from a vendor such as Verisign or if you have your own certificate server, generate a certificate on your root CA.  With AD, you can install your own Root CA.  Below is a link stating how you could do this:

http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 3

Author Comment

by:roycbene
ID: 40571201
Ok. I have a GoDaddy certificate that I installed with the farm name as one of the Subject Alternative names. My farm is set up like this

-Session Broker (RDS02)
-Two session hosts (RDS03 and RDS04)
-Round Robin in DNS where A record for Farm name is set on each session host IP.

Questions:

1. Do I need to install the certificate on the Session broker AND The two session hosts? If so, what store?
2. Do I need RDS03 and RDS04 as Subject Alternative Names in the certificate? Or will the farm name be sufficient.

Thanks!

-Roy
0
 
LVL 24

Accepted Solution

by:
Mohammed Khawaja earned 500 total points
ID: 40572715
You need one certificate which should be SAN and contain the FQDN for the gateway as well as the fqdn for each RDS server.
0
 
LVL 3

Author Comment

by:roycbene
ID: 40573241
Ok,

So I've rekeyed my public cert 'mail.mydomain.com'. The SANs in the cert have the farm name, as well as all individual servers. I assigned the cert and intermediates (all in the pfx file) to the server. I put the primary in the personal store and the intermediates, obviously, in the intermediate store (on each server). However, when users go to connect, they still get a name mismatch error. Why is this? Is having all the names in the SANs not enough?

-Roy
0

Featured Post

Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

Join & Write a Comment

Remote Desktop Connections allow you to control remote host machines via the magic of the Internet and RDP (Remote Desktop Protocol). For the purposes of this article we will assume you are connecting from your home PC or laptop to a remote offic…
Like many organizations, your foray into cloud computing may have started with an ancillary or security service, like email spam and virus protection. For some, the first or second step into the cloud was moving email off-premise. For others, a clou…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now