Remote Desktop Services weird cert issue

Bravo 7555
Bravo 7555 used Ask the Experts™
on
We built a new remote desktop services server just recently. We are very happy with it except for one strange issue. When one of our domain joined laptops launches the login page from either IE or Chrome, a certificate windows pops up asking to use one of our sub-ca certs to login. If I say yes, it gives me a login failure and an IIS screen pops up. If I say no, the cert screen goes away and continues to the correct login page. Its almost as if the site initially once to use the cert for authentication when it should not. Any ideas?

Built on Server 2016
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
if you enable certificate based logon to RDS server your Client present you all possible certificates at the PC.
Now you should select the correct cert for logon.
But you should see certificates with private key from the client only .
So you should not see the "sub-ca certs" at the client.

Author

Commented:
I have the  following settings enabled:

Under security layer I selected Negotiate - I can also select RDP Security Layer or SSL (TLS 1.0)

Under encryption level I have selected Client Compatible. I can also select Low, High, FIPS Compliant.

See screenshot attached.
secrdp.docx
"security layer - Negotiate" lets you use username/password or certificate if available ... i think
So the certificates stored at your PC are presented first.
Check the certificate store "own certificates"  for user and machine. there should not exist an sub-ca certificate.
Only user-certificates or certs for the local host you should see here.
Found the issue, it was a setting in IIS. Client certificates was set to accept on IIS instead of ignore. Set it to ignore and the prompt went away.

Thank you for your input.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial