Unexpected RDS certificate presented to end users

Alexandre Takacs
I am having an issue with our Win2012R2 RDS setup where the RD Gateway seems to present an outdated (and since renewed) cert to the end users:
[screenshot: cert old]
The surprising thing is that the deployment itself seems OK:
[screenshot: deploy]
Not sure what I am missing (have also checked that all my IIS certs are up to date on those machines, even if it really seems to be the RDS Gateway cert that is not current).

Any idea?
Coralon (Senior Citrix Engineer)

Commented:
Did you select the renewed cert in the RDS console? IIS is not sufficient; the deployment needs to know about it.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v%3Dws.11)

From the docs..

  1. On the Connection Broker, open the Server Manager. Click Remote Desktop Services in the left navigation pane.
  2. Click Tasks > Edit Deployment Properties.
  3. In the Configure the deployment window, click Certificates.
  4. Click Select existing certificates, and then browse to the location where you saved the certificate you created previously. Look for the file with the .pfx extension.
  5. Import the certificate.
  6. You can use a single certificate for all the roles if your clients are internal to the domain only, by generating a wildcard certificate (*.CONTOSO.local) and binding it to all roles.
  7. Note that, even if you have multiple servers in the deployment, Server Manager will import the certificate to all servers, place the certificate in the trusted root for each server, and then bind the certificate to the respective roles.

Coralon
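The same re-binding step, done from PowerShell instead of the Server Manager wizard, as an added example that is not part of Coralon's answer or the linked Microsoft docs. It uses the RemoteDesktop module's Set-RDCertificate and Get-RDCertificate cmdlets, which are what Server Manager calls under the hood. The Connection Broker and Gateway hostnames and the PFX path are placeholders (assumptions); replace them with your own.

```powershell
# Added example: bind the renewed certificate to the RD Gateway (and the other TLS-facing roles)
# from the Connection Broker, then confirm what the deployment believes is bound.
# Hostnames and paths below are assumptions, not values from the thread.
Import-Module RemoteDesktop

$broker  = 'rdcb01.contoso.local'        # assumed Connection Broker FQDN
$gateway = 'rdgw01.contoso.local'        # assumed RD Gateway host
$pfxPath = 'C:\certs\rdgw-renewed.pfx'   # assumed path to the renewed cert, exported with its private key
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# Replacing the cert in the machine store alone is not enough: the deployment has to be told
# to use it. Bind the same PFX to every role that terminates TLS, as Server Manager does.
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPass `
                      -ConnectionBroker $broker -Force
}

# What the deployment now has bound per role. Level should read Trusted and ExpiresOn
# should be the renewed certificate's date, not the old one.
Get-RDCertificate -ConnectionBroker $broker |
    Select-Object Role, Subject, Thumbprint, ExpiresOn, Level |
    Format-Table -AutoSize

# Cross-check on the gateway host itself: the HTTPS binding HTTP.sys holds on 443 should
# carry the thumbprint of the renewed certificate, not the expired one.
Invoke-Command -ComputerName $gateway -ScriptBlock {
    netsh http show sslcert ipport=0.0.0.0:443
}
```

If Get-RDCertificate already shows the new thumbprint and expiry for the RDGateway role (as the poster's deployment screenshot suggests), the deployment is not the problem and the next place to look is the chain the client builds, which the following comments cover.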
In addition to Coralon's comment...

It looks like the client where you get the error message cannot resolve the intermediate certificate.
The client usually tries to resolve the certification path for the certificate that is bound to your web service.
If the client has not stored the certificate chain in the local store, it usually tries to resolve the certificate over the internet.
If the client does not have access to the internet, the (valid) certificate chain has to be stored on the local machine.

The message shows that the second certificate (intermediate) is outdated; therefore the installed certificate fails.
So check whether you can find the intermediate certificate on the client(s) and replace it with the version that is valid for the certificate you use for the web service.

Author

Commented:
>  from the docs

Isn't that what I have in my screenshot?

> So check if you can find the intermediate certificate on the client(s)

Will check, but do you say that the locally installed cert will "take over" the one presented from the server?
No, each certificate has a certificate chain. You see all of them in your picture...
Your certificate is issued by Comodo RSA Domain (Intermediate), and this certificate is issued by the Comodo RSA Certificate Authority (Root). You can see that the Intermediate certificate is invalid, which has to be fixed.
The certificate itself looks like it expired on the 8th of June. This is what Coralon said.
The source of all certificates is usually the Microsoft certificate store, but they have to be bound to the service, so replacing the cert is mostly not enough; there are usually additional configuration steps to tell the application which certificate to use.
I guess Coralon described the steps for RD Services.

Possibly, once the correct certificate is delivered to the client, the intermediate issue may be fixed too.


Also keep in mind that there may be a firewall in front of the gateway, meaning the client may connect first to a firewall which has its own certificate. This is especially the case if the firewall terminates the SSL tunnel and creates a new one to the gateway service. So it may be important to find out who is really presenting this certificate.

Also keep in mind that the gateway service is just something like a proxy; you may check all bound certificates for all the RD Services.

A tracert may help to find out whether there are devices involved between the client and the gateway service.
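A client-side check covering both points above (who is really presenting the certificate, and whether the client's own store is supplying a stale intermediate), as an added example that is not part of the expert's comments. It opens a TLS session to the gateway, records the leaf the far end actually sends, builds the chain the way Windows on this client builds it, and then lists every certificate in the local CA stores with the same Subject as each chain element, so an old and a new copy of the same intermediate show up side by side. The gateway hostname is an assumption; the diagnostic callback accepts any certificate so that it can be inspected, which is fine for a one-off check but must not be reused in production code.

```powershell
# Added example: see what the gateway presents on the wire versus what this client builds locally.
# The hostname is an assumption; replace it with your RD Gateway FQDN.
$gatewayHost = 'rdgw.contoso.com'
$port        = 443

# 1. Connect and record the validation verdict this client reaches. A firewall or proxy that
#    terminates TLS in front of the gateway shows up here as a leaf with a different Subject
#    or thumbprint than the one bound on the gateway.
$tcp = New-Object System.Net.Sockets.TcpClient($gatewayHost, $port)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        Write-Host "Validation result on this client: $errors"
        return $true   # diagnostic only: accept so the handshake completes and we can inspect
    })
$ssl.AuthenticateAsClient($gatewayHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Leaf presented by ${gatewayHost}: $($leaf.Subject)"
"  thumbprint $($leaf.Thumbprint), valid until $($leaf.NotAfter.ToString('yyyy-MM-dd'))"

# 2. Build the chain exactly as Windows does on this machine, local CA/Root stores included.
#    If the server-sent intermediate and a locally stored one share a Subject, the local copy
#    can be chosen, which is how an expired intermediate ends up in the path.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain structure only; revocation is a separate question
$built = $chain.Build($leaf)
"Chain builds cleanly on this client: $built"
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    '  {0}  {1}  expires {2:yyyy-MM-dd}  status: {3}' -f `
        $el.Certificate.Thumbprint, $el.Certificate.Subject, $el.Certificate.NotAfter, $status
}

# 3. For each intermediate/root in that chain, list every local store entry with the same Subject.
#    Two thumbprints for one Subject means an old copy is sitting next to the new one; the
#    line marked USED IN CHAIN is the one this client actually picked.
$stores = 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
foreach ($el in ($chain.ChainElements | Select-Object -Skip 1)) {
    "Local copies of: $($el.Certificate.Subject)"
    foreach ($storePath in $stores) {
        Get-ChildItem $storePath | Where-Object { $_.Subject -eq $el.Certificate.Subject } | ForEach-Object {
            $inUse = if ($_.Thumbprint -eq $el.Certificate.Thumbprint) { 'USED IN CHAIN' } else { 'not used' }
            '  {0}  {1}  expires {2:yyyy-MM-dd}  ({3})' -f $storePath, $_.Thumbprint, $_.NotAfter, $inUse
        }
    }
}
```

When the leaf in step 1 is the renewed gateway certificate but step 3 shows an expired intermediate marked USED IN CHAIN, the fix is on the client: remove the stale intermediate from the store that holds it (or import the current one), which matches the poster's eventual finding below. When the leaf in step 1 is not the gateway's certificate at all, something in the path (a firewall or proxy terminating TLS) is presenting its own, and tracert or Test-NetConnection -TraceRoute will show what sits between the client and the gateway.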

Author

Commented:
thanks for your input.

Actually there was a locally installed cert that was "taking over" from the one presented by the server. THAT was my issue...
