It seems that when RDS tries to access the company file, QB validates the digital signature certificate with its issuer to check whether the certificate has been revoked. The RD Session Host server and the client computer must be correctly configured for TLS to provide enhanced security. It can be 2008 R2 RDS, or 2012 / 2012 R2 RDS. But perhaps it’s not a domain-joined client…in that case get the appropriate certificate(s) installed on your local machine to have a valid chain of trust to eliminate that possibility. As soon as this policy is propagated to the respective domain computers (or forced via gpupdate.exe), every machine the GPO is scoped to that allows Remote Desktop Connections will use it to authenticate RDP connections. Kerberos plays a huge role in server authentication, so feel free to take advantage of it. After updating my Windows 10 to the Creators Update (1703), it's not possible to connect to a server over RDP through a Remote Desktop Gateway (RDG). This article describes the methods to configure listener certificates on a Windows Server 2012-based or Windows Server 2012 R2-based server that is not part of a Remote Desktop Services (RDS) deployment. It was working perfectly fine until the RDP gateway certificate expired back in December. Now that you have created your certificates and understand their contents, you need to configure the Remote Desktop Server roles to use those certificates. Please help! You will need the thumbprint of the certificate you wish RDP to use, and the cert itself must exist in the machine’s Personal store with the appropriate EKU. I am outside the office now and am accessing the server remotely. But if the end users are constantly being prompted, then it sounds like those users don't trust the chain that wildcard certificate came from. The certificate for RDWeb needs to contain the FQDN or the URL, based on the name the users connect to.
Here’s an example: In my lab, a custom certificate with the Remote Desktop Authentication EKU was installed via autoenrollment. And in case you’re wondering, yes…that’s a supported solution. First published on TechNet on Dec 18, 2017. On which server(s) are your Web Access roles installed? Microsoft has made the needed certificate store parts available but has developed no way to utilize them with Microsoft PKI, auto-enrollment, or GPOs (outside of the Computer certificate store, short of running scripts and using registry keys). I don’t know how many users are out there that believe that this method is correct. If I'm reading this correctly, you have a wildcard certificate installed on servers people are trying to RDP to. I'm very tempted to go off on PKI hardening / best practices right now, but that is not on topic. There's no problem when connecting via RD Web Access. No idea where to go here especially since it is only on random computers. When I start the app I get: name mismatch, request remote computer:srv1.internal.domain.nl, name in certificate from remote computer: *.external.domain.nl Again, we use certificates to maximize security pertaining to Remote Desktop Connections and RDS. So, RDP asks you to make sure you want to connect since it can't verify that this is really the machine you want to connect to. Microsoft should be enabling the use of the certificate store for the service via GPO. ADCS - https://gallery.technet.microsoft.com/Windows-Server-2016-Active-165e88d1, RDS Farm - https://gallery.technet.microsoft.com/Windows-Server-2016-Remote-ffc383fe. Read the following sections, or pick which one applies for your situation: I’m going to begin this by saying that I’m only including this scenario because I’ve come across it in the past. This set the Certificate Level as "trusted" with a status as "ok" for all four role services.
Regarding point (A), there appears to be no way to automate a certificate install to that node in the Computer certificate store. I updated group policy on a member server, and tested it. I realize this is perhaps geared more toward Terminal Services, but for Windows systems, I would assert this is not, technically, the proper setup. However, this is a problem because we have terminal clients connecting (so they act more like a Windows PC using MSTSC.EXE). We also use a wildcard cert for our environment (Win 2016 Server RDS). And given that, often customers are typing in domain admin credentials…which means you could have just given an attacker using a Man-in-the-Middle (MITM) attack the keys to the kingdom. (This is very easily done in environments that don’t use secure DNS, btw…) Take a quick second to smack yourself for doing this, and make a mental note to establish RDP sessions using machine names going forward…go on, I’ll wait. Note: even if you have multiple servers in the deployment, Server Manager will import the certificate to all servers, place the certificate in the trusted root for each server, and then bind the certificate to the respective roles. This is the underlying authentication that takes place on a domain without the requirement of certificates. How do I fix this? "Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked." Although technically achievable, using self-signed certificates is normally NOT a good thing, as it can lead to a never-ending scenario of having to deploy self-signed certs throughout a domain. Should the server automatically renew the certificate once it enters the renewal period specified on the template? Granted, current versions of the Remote Desktop Client combined with TLS make those types of attacks much more difficult, but there are still risks to be wary of.
However, what should be done is making sure the remote computers are properly authorized in the first place. Well, for one thing, using sniffing tools attackers can capture every single keystroke you type into an RDP session, including login credentials. It kind of bothers me that I get a certificate warning when I RDP into my non-domain-bound offline root CA. I very much appreciate this post, and the details and examples are very helpful. But when they connect in via the internet, they are getting prompted. Import the remote machine’s certificate into a new GPO at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. Click Remote Desktop Services in the left navigation pane. Windows - "Your computer can't connect to the Remote Desktop Gateway server." Why not, you ask? In regards to the renewal-during-reboot scenario, this would happen if you have a cert lifetime that's extremely short (more likely your case) or have a renewal period that spans the GPO refresh cycle. So how do we remedy that? Thank you for taking the time to read through all this information. Connecting To Your Server Using Remote Desktop Protocol (RDP): "Your computer can't connect to the remote computer because the Remote Desktop Gateway Server's certificate has expired or has been revoked." The obvious problem is that it's saying we're logging into "ext-gwname.domain.com" and "int-shname.domain.com". I can now no longer connect to the servers behind that gateway. Hello everyone! Auto-enrollment certainly is not supported. Our internal domain name suffix is .com, so for example, our AD forest is "acme.com".
Remote Desktop listener certificate configurations. Scenario 3: Remote Desktop Services Roles have been deployed, you have ADCS PKI, and you’re experien... https://technet.microsoft.com/en-us/library/ff458357.aspx. If I did, please feel free to ask! We have a GW, CB, and 3 SH servers. If you want to use a certificate other than the default self-signed certificate that RDP creates, you must configure the RDP listener to use the custom certificate…just installing the cert isn’t enough. Internal CA with a certificate based on the Remote Desktop Authentication EKU (1.3.6.1.4.1.311.54.1.2). I can get to https://rdweb.external.domain.nl and see all RDS RDWeb apps without certificate warnings. Manual = no built-in automation, hence why I also mentioned scripting via PowerShell. SAN entries are used, not the CN of the certificate. I always recommend configuring certificate templates to use specific security groups. I have applied this wildcard certificate to the Deployment Properties of our RDS farm on all four role services: RD Connection Broker: enable SSO, RD Connection Broker: Publishing, RD Web Access, and RD Gateway. Of course, as soon as I tried to connect using the correct machine name, it connected right up as expected. Choose the option that fits your business needs...what does your security team say? A fellow colleague of mine, Jacob Lavender (PFE), wrote a great article on how to remove self-signed RDP certificates…so if you’re wanting the details on how you can accomplish this, check out this link! See! Contact your network administrator for assistance." I've been unable to correct this setting as well. It talks about the proper SAN names to include for external and internal naming for the 2012 / 2012 R2 RDS server roles.
"This computer can't connect to the remote computer because the Terminal Services Gateway server's certificate is expired or revoked." When I click OK and try to connect again immediately, I can connect. The option you want to set is “Server Authentication certificate template.” Simply type in the name of your custom certificate template, and close the policy to save it. Remote Desktop Services relies on having a valid certificate being used by all the services on all servers, or on having a self-signed certificate that is pushed to all workstations that will be used so the connection is trusted. Let’s be clear on one thing: the warning messages / pop-ups that end users see connecting via RDP are a GOOD THING. Jacob has also written a couple of awesome guides that will come in handy when avoiding this scenario. The following information is from this TechNet article: “In Windows 2008 and Windows 2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, then to the connection broker, and finally to the server that hosts your session.” Neither can Kerberos, for that matter. PRO TIP: For most scenarios where the client is not domain-joined but is connecting via RDP to a machine that IS domain-joined, you should probably be using an RD Gateway…since in those scenarios the client is coming in externally anyway. The roles themselves handle all that. I assume your Session Hosts, since you stated the web access is presenting the self-signed cert for the Session Hosts rather than your wildcard. Begin with this article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn... Keep in mind how RDS works.
Now, when I visit our deployment from an external host (https://rdp.acme.com/rdweb) and RDP to one of my host collections, I still receive a certificate error from the broker: it shows that "broker.acme.com" is still using a self-signed certificate. In this instance, all users and machines can be configured to automatically enroll for a certificate, provided a published template’s permissions are set correctly. The first thing to check if warnings are occurring is (yep, you guessed it)…are users connecting to the right name? DO use an internal PKI and/or GPOs. Okay, this scenario is a little like the previous one, except for a few things. If you’ve come across this in your environment, don’t fret…as it’s a good security practice to have secure RDP sessions. I see it's been a few months. Not sure what you mean by manual process; I have a "few" RDS deployments fully automated with LetsEncrypt certificates. The Enhanced Key Usage extension has a value of either “Server Authentication” or “Remote Desktop Authentication” (1.3.6.1.4.1.311.54.1.2).
The subject name of the certificate needs to match the name the client connects to, and the certificate must be in the computer’s Personal store (which is different from the user’s store) with the Remote Desktop Authentication EKU, whether you use ADCS or another PKI solution. RD Session Host sessions use native RDP encryption level settings, so the security layer and encryption level are configured separately from the certificate. When configuring a new certificate template, you create it as a duplicate of an existing template. RemoteApp connections can also use Kerberos to authenticate. Non-domain Windows clients need the issuing CA in their local Trusted Root store so the chain validates. Editing the registry to prevent the warning prompts from occurring is possible, but as noted above, those warnings are there for a reason. A client error stating that the remote computer requires Network Level Authentication is a separate issue from the certificate warnings.