RDS 2012 - Certificate Mismatch

I am getting the most annoying error with my RDS 2012 setup:
certificate mismatch and double password prompts when trying to connect to my RDS setup.
I have tried all that's out there and have got no positive results.
All roles are identical on 2 servers. The RDCB is in HA mode.
I keep getting the certificate mismatch error.
Already have a public or external SAN certificate assigned to all roles.
Ran the PowerShell and WMI query to ensure the correct URL is used when connected to the gateway, but I still get the double prompt when launching the RemoteApps.
I even tried the approach of cleaning IE's history and data to get the RDPSHplugin, and it's not helped in my case.
All servers run 2012.
I need some urgent assistance, please and thank you.
I have also checked and rebooted the RDS environment multiple times.
All certs show valid. The mismatch also goes to another cert in my environment which is utilized by OWA.
Please help me.

I downloaded the script to C:\ and tried running it - no luck
PS C:\> .\Set-RDPublishedName.ps1 "remote.domain.com"
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. Do you want to run C:\Set-RDPublishedName.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
iwmi : Privilege not held.
At C:\Set-RDPublishedName.ps1:9 char:11
+ $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
    + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod
I also tried it from the other HA RDCB server.
PS C:\> .\Set-RDPublishedName.ps1 "remote.domain.com"
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm
computer. Do you want to run C:\Set-RDPublishedName.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
Set-RDClientAccessName : A valid fully qualified domain name (FQDN) for the server was not specified.
At C:\Set-RDPublishedName.ps1:22 char:1
+ Set-RDClientAccessName -ConnectionBroker $ConnectionBroker -ClientAccessName $Cl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-RDClientAccessName
I also tried it this way:
PS C:\Users\administrator.TBCL\Downloads> .\Set-RDPublishedName.ps1
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. Do you want to run C:\Users\administrator.TBCL\Downloads\Set-RDPublishedName.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
cmdlet Set-RDPublishedName.ps1 at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
ClientAccessName: remote.domain.com
iwmi : Invalid namespace
At C:\Users\administrator.TBCL\Downloads\Set-RDPublishedName.ps1:9 char:11
+ $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
    + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod

Similar Messages

  • RDS 2012 - Certificates

    Hi all,
    This is my setup :
    RDS 2012 R2
    Two connection brokers setup in HA:  FQDN = RDCB.Internaldomain.com
    Two Web Access servers for internal users set up with DNS Round Robin so I can have a basic HA: FQDN = InternalWA.internaldomain.com
    Two Gateway servers in HA: FQDN: RemoteGW.InternalDomain.com
    Both Gateway servers have RD Web Access installed (and use DNS Round Robin to have a basic HA): FQDN RemoteWA.ExternalDomain.com
    My company will not approve having a trusted wildcard certificate. So, in the “Edit Deployment Wizard”, I was thinking of deploying one public (and trusted) SAN certificate containing all the above FQDNs to all the Role Services (RD Connection Broker – Single Signon, RD Connection Broker - Publishing, RD Web Access and RD Gateway).
    Will this be ok or do I need to add other FQDNs to the certificate (for example the FQDN of all the Session Host servers)?
    Best regards,
    Jesmat.

    Hello,
    In your FQDN did you forget to add a "." as: RDCB.Internaldomain.com
    and RemoteWA.ExternalDomain.com
    are 2 different domain names.
    The SAN option I think will not be liable here, except if you use self-signed for your internal connection and the SAN for the external one.
    Refer to: http://en.wikipedia.org/wiki/Wildcard_certificate
    But I cannot confirm that the SAN certificate will be allowed on the gateways.
    Hope it helps 
    Fred

  • RDS 2012 Certificates help

    Hi all,
    I am currently implementing a RDS 2012 infrastructure.
    1-2 RDS Host servers
    1 server which contains the gateway and web access role (sits in the DMZ network)
    1 licensing server
    So I have 4 RDS servers in total.
    I have an internal and an external domain, so for example:
    test.com (external domain - public facing)
    internal.com (internal domain - LAN users)
    1-2 RDS Host servers - INTERNAL
    1 Licensing server - INTERNAL
    1 Gateway and Web Access server - PUBLIC
    Would purchasing a public SAN certificate work for my environment and applying to all four servers?
    If not, what would work?
    Thanks

    Hi,
    Thank you for posting in Windows Server Forum.
    You can use a single SAN certificate to achieve your goal as it can serve for all servers. Apart from that, there are some basic requirements for an RDS certificate.
    Basic requirements for Remote Desktop certificates:
    1. The certificate is installed into computer’s “Personal” certificate store. 
    2. The certificate has a corresponding private key. 
    3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well. 
    More information.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • RDS 2012 - Certificate error when using RemoteApp

    Have set up the RD Gateway to use port 40001 for the https transport. Internally everything works good. Can log in to RD Web externally fine, but when trying to launch a RemoteApp it starts then returns a certificate error. The certificate it is showing is for the exchange server which of course is on port 443. This is a single IP environment. From what I see happening, it is defaulting back to 443 even though it has been told to use 40001. Obviously the site connects and secures using the 40001 port, but the RemoteApps still want to fall back to 443. Is this a flaw or am I missing something? I thought the whole reason of selecting another port was to use that other port.
    Thanks

    This power script worked like a charm for me.
    Luckily this is just a lab setup, but I was racking my brains for a couple of days until I found this.
    Same situation, port 443 is used for email server and needed to use an alternate SSL port.
    Changing the port on the server side for the RD Web Access URL was a breeze, but changing the port for the RemoteApp collection was not as easy to figure out until I found this post.
    In my situation, like I read before, when you try to run one of the apps in the collection, it will invoke the certificate that our mail server uses since it tries to use port 443 which is assigned to the mail server.
    Running the script immediately fixed the problem by using the alternate port specified in the script.
    Hopefully this will help tons of folks in this same situation.
    PS: If I had a bunch of public IPs to work with, I would not have to use alternate ports.

  • Certificate setup RDS 2012 R2

    Hi,
    I have set up an RDS 2012 R2 deployment for internal use. I plan to add a gateway server cluster for external access later (RDGW). That cluster will be placed in DMZ and use a public wildcard cert. It will connect external users to the farm. Internal or Direct Access (DA) users will use the Web Access servers to connect internally in the corp. LAN.
    For now, I have the following setup. Web Access role on 2 servers with DNS RR (RDWA). 2 clustered Connection Broker servers (RDCB), two Session Hosts (RDSH) and one licensing server. So a total of 7 servers (+ 2 RDGW servers in DMZ that are not set up yet).
    So, the issue is: I need to set up certificates. We have a CA in an AD top domain (our site is a sub.domain.com). We do not have access to that CA and need to order certs. from our corp. HQ. OK, but what do I ask for? I need 3 DER encoded binary X.509 certs. That's the info I have. How can I create a cert. request? See pictures below.
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    Thank you for your posting in Windows Server Forum.
    Can you exactly let us know which certificate you want for your network (Self-signed or SSL)?
    As per my suggestion you can use wildcard or SAN certificate for your network which can be used for external network also. 
    If you want Self-signed certificate for internal use, you can create the certificate from Deployment properties of RDS page or IIS Manager as per below path.
    IIS Manager>Server Certificate>Create Self-Signed Certificate>Export the certificate on specified location then select the certificate in RDS installation process.
    But see that, the certificate is installed into computer’s “Personal” certificate store with its corresponding private key & it’s added under trusted root certificate authority.
    Please check below articles for detail.
    1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    2. Configuring RDS 2012 Certificates and SSO
    3. Minimum Certificate Requirements for Typical RDS implementation
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • RDS VDI Certificate Mismatch

    Hi,
    I have a 2012 R2 RDS farm deployed and users are able to log onto the personal desktops successfully. However, when the user launches the VDI from RDWEB, they receive a certificate mismatch. The certificate being presented is self signed from the VDI.
    Is this normal behaviour for the VDI connection? Or am I missing something here?

    Hi,
    When running App\VDI from RD Web we have to use the trusted certificate for a proper connection. If you are receiving a certificate mismatch error then there are certain reasons for it to occur. When publishing RDS externally, you will see a certificate mismatch as the internal server FQDNs/IP addresses will show externally during the connection process to RemoteApps or RemoteDesktops.
    There are certain solutions to resolve this issue.
    • Can create a new DNS zone, .COM to allow split-brain DNS (so that internal clients can resolve external names internally)
    • Create a relevant DNS entry to point to the RDS environment’s internal IP address
    • Create a relevant DNS entry in external DNS to point to the firewall which is publishing RDS’s external IP address
    • Use the following script to change the FQDN of the RDP files provided by RD Web Access / RemoteApp and Desktop connection feed
       https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    You can also refer beneath article for information.
    Configuring RDS 2012 Certificates and SSO
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • RDS 2012 R2 RemoteApp Server Name Mismatch

    Hi All,
    I wonder if someone can scratch my head on this.
    Brand new RDS 2012 R2 deployment.
    RDS01 with Connection Broker and Session Host Roles installed
    RDS02 with Web Access and Gateway roles installed
    one ssl certificate with one domain remote.mycompany.com 
    the certificate have been imported to all the servers via the Edit Deployment
    the local domain is mycompany.local
    The problem that I am having is that when I launch a RemoteApp after logging in to remote.mycompany.com externally, I get a certificate mismatch, because it is contacting the local name of the Session Host server RDS01.
    What I tried so far.
    Used the Set-PublishName (http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80) without success
    Try to configure RDS01 certificate via (http://ryanmangansitblog.wordpress.com/2013/03/10/configuring-rds-2012-certificates-and-sso/)
    Check Any resources ( http://social.technet.microsoft.com/Forums/en-US/d1b0ebe4-9e53-47ff-8c75-43fd91ff538a/windows-2012-rds-certificate-mismatch?forum=winserverTS)
    Could anybody out there shed some knowledge on how to rectify the mismatch name warning?
    Thanks
    Elton

    Hi -TP,
    Answering your queries.
    1_the Set-RDPublishedName was successful, restarted the servers, refreshed the RDWeb page externally, tried to connect unsuccessfully.
    2_I am using externally windows 8 and internally 7 fully updated
    3_it had the green successful message.
    After, set-rdpublishedname command, I get an error when trying to connect saying, RemoteApp Disconnected.
    Error:
    Remote desktop cant connect to the computer "remote.mycompany.com"
    1)Your user account is not listed in the RD Gateway Permission ( not true, it was set for domain users and my test user is under that group)
    2)you might have specified the remote computer in netbios format or ip
    Do you reckon i am having this problem because the RDS01 with Connection Broker and Session Host Roles installed?
    Cheers
    Elton

  • Server 2012R2 - RDS Farm Certificate Mismatch on Session Hosts

    Hi Guys,
    I've another RDS2012R2 issue. Internal and external domains do not match. External: domain.com.au; Internal: domain.com.net.
    I'm getting certificate mismatch errors when connecting to the Farm/RemoteApps.
    I have performed the following fixes:
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment (http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80). This resolved the original issue where I was getting a certificate mismatch error externally for the FQDN of the server.
    Updated the RDP-Tcp certificate used on the Session Host Servers. This was to resolve an issue where using mstsc to RDP to the farm externally (via gateway) would give a Certificate is not trusted error on the RDSH side.
    Now whenever RDWeb is used to launch a RemoteApp or the farm, I get a certificate mismatch error as the RDSH server is called RDS1-TCC.domain.com.net and the certificate is for remote.domain.com.au.
    I rolled back the last change so that RemoteApps and the Farm would work successfully internally without certificate issues. How do I go about resolving the certificate errors?
    For extra background details see my original thread. It was marked as answered when only 1 out of 2 issues was resolved. http://social.technet.microsoft.com/Forums/windowsserver/en-US/b664ddaf-6c11-49e2-8a69-0df3b8ef13a1/server-2012r2-rds-farm-with-xp-and-windows-vista-clients?forum=winserverTS
    Cheers,
    Ben

    Hi Ben,
    Thank you for posting in Windows Server Forum.
    In your case, I can suggest you to check that the certificate must match the FQDN of the server. If you are creating SSL certificate then it must be signed by trusted authority and also the certificate must be stored under “local computer/personal store“.
    Also you can buy the certificate from 3rd party which is wild card certificate and only 1 certificate can be used for your network. Please check below links for more information regarding certificate issue.
    1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    2. Configuring RDS 2012 Certificates and SSO
    3. Windows 2012 RDS Certificate mismatch
    Hope it helps!
    Thanks,
    Dharmesh

  • RDS 2012 - unable to connect to SH via webgateway

    Dear all,
    we have setup a RDS 2012 system following this article;
    rds8-standard-3-node-remoteapp-deployment-on-windows-server-2012
    It all went OK as far as I could see but I'm running into the following problem.
    If I use MSTSC to connect through the gateway directly things work, I get the desired SH desktop without a problem. (e.g. connect to SH001.domain.local using the web URL for the gateway/webserver).
    If I go to the external website and try to set up a connection it goes into some kind of loop. It first gives me a security warning stating it wants to connect to the connection broker, then I get a certificate error from the connection broker, which is correct in this case, I choose to ignore the certificate warning and continue anyway. RDP then continues; Securing external connection, checking bandwidth, starting the external connection. And there it hangs, it doesn't go any further and tries to connect forever.
    The external address of the gateway is xxx.xxxx.nl and internally it is xxx.xxxx.local, not sure if this could be related. I noticed an article with a PowerShell script that would change the .local into .nl
    Strange thing, it worked before. I even went as far as trashing all 3 machines, removing the roles and removing them from the domain to run the install again on fresh machines with new DNS names. Still no luck.
    Not sure on how to troubleshoot this any further. Event logs on the GW and CB show nothing special, no errors. One thing that I do notice is a recurring WMI 5605 ID - The root\cimv2\RDMS namespace is marked with the requiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.
    Thanks for any thoughts on this.
    Best regards,
    Louis

    Hi,
    Can you confirm everything works internally and your problems occur when trying to access resources externally?
    Firstly check the certificates and ensure you have configured self signed or trusted.
    Try turning off certificate authentication for testing only - this will answer your authentication level question.
    Have a look at the following post:
    http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
    It does sound like you are experiencing issues with the internal and external naming of the gateway. There are a few ways round this. TP has written a script which will assist with the change.
    http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80/file/103829/2/Set-RDPublishedName.ps1 If you have questions around the use of this, reply in this post.
    Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

  • RDS 2012 R2 best design possible with wildcard certificate

    Hi!
    I am looking for some guidance for my RDS 2012 R2 design flaw. 
    What I would like to achieve?
    *I would like my users either internal or external to be able to connect to RDWeb via one single webaddress ( remote.mydomain.com)
    What I have in place?
    1x Broker
    1x WebAccess
    1x Gateway (also license server)
    1x SessionHost
    1x Wildcard Certificate
    my internal domain is mydomain.local and external is mydomain.com
    I have tried ( http://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/) without success.
    Any guidance here will be very helpful.
    cheers
    Elton

    Hi Elton
    I have a similar configuration working with 2012 R2. However, my config is slightly different, namely:
    2 x RDSH servers
    1 x all other roles (web, gateway etc).
    However, I am using a valid single URL cert on the gateway/web server, which is accessible using remote.domain.com. I did NOT replace the cert on the RDSH servers (using WMI), because you end up with 0x607 authentication errors if the certificate is not fully valid - correct name, trusted, and revocation information available. If you have purchased a commercial wildcard cert, this should work.
    I did some testing and concluded the following, may be of interest:
    If you are just using the farm for internal connections, you can use an internal CA, and create self signed certs for the gateway, and the RDSH servers. You could use individual certificates for the servers, wildcard or SAN certificates. Then you will have no errors when connecting from internal clients. This will not work from external clients however, even if you trust your root or issuing CA manually on the external client, because the revocation information will not be available to clients outside the domain or network, and you will get 0x607 authentication errors.
    If you are connecting from outside your network, you have 3 options:
    • Use self signed certs created during the role installation, don't change any RDP certs on RDSH servers. Then manually place the gateway certificate in trusted root authorities on the external client.
    • Purchase commercial certificates for the gateway, and optionally all of the RDSH servers. This will avoid any warnings. You could either use separate certs, wildcard or SAN. If you replace the certificates on the RDSH servers, they must be valid and match the names.
    • Purchase just one certificate for the external URL for accessing the gateway, leaving the default self-signed certificates on the RDSH servers. This will mean that there is no warning when connecting to RDWeb, but there may be warnings when the connection establishes. I use this option with one free StartSSL certificate.
    To summarise, you can use either commercial or self signed for the RDWeb page. However, if you replace the certificate on the RDSH servers, this MUST be valid commercial for external clients to be able to connect. Otherwise just leave it as self signed.
    In my case, I can use remote.domain.com from either outside or inside the network. So, I configure the deployment to use the external URL, and that URL works from inside too. This is because it resolves to the external address, so requests go out to the firewall and then back in again. This way you do not have to worry about the internal connections not using a matching URL as on the certs. Or, create an internal DNS record, so that remote.domain.com points to your internal address of the RDWeb server. This should work as well.

  • 2012 RDS + Gateway Certificate and .local domains

    Can someone verify this is the correct process to stop all certificate errors. 
    RDS 2012 R2 deployment that is the following. 
    1 server with broker web and gateway roles installed. 
    3 session hosts. 
    Domain is a .local
    I want to stop all certificate errors. I have a certificate for the gateway/broker/web server gateway.xxx.com 
    I have had a look at the Change published FQDN for Server 2012 or 2012 R2 RDS Deployment script
    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    Do I just need to run this script on the gateway/broker/web server and will this stop the mismatch errors from the session hosts?
    Thanks

    Does SSO not work on less than this as I have some XP clients and 8.1 is not available for them?

    Hi,
    To support older clients you need to have the wildcard certificate set on the RDP-Tcp listener on all RDSH servers. To do this you must import the certificate and its private key into the Local Computer\Personal store on each RDSH server, and then use WMI to set the certificate. The below command should be run on each RDSH in an elevated command prompt after you have imported the certificate and its private key:
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"
    Substitute your certificate's thumbprint for the one shown above.
    Please note that you will not get the best experience with clients that are not at least RDP 8.0 capable, many features will not be available, and you may run into certain issues. For XP you will want to install the RDP 7.0 client and make the registry changes on each client to enable CredSSP.
    Thanks.
    -TP
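
An added example (not part of the thread and not the Set-RDPublishedName script): a pre-flight check to run on an RDSH server before assigning a thumbprint to the RDP-Tcp listener as in the reply above. It tests the certificate against the requirements quoted earlier on this page (Personal store, private key, Enhanced Key Usage) and checks that its DNS names cover the names clients connect to. The function names and the host name `rdsh01.example.local` are assumptions, and `DnsNameList` needs PowerShell 3.0 or later.

```powershell
# Added example: function names and sample host names are assumptions.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication

# Compare one certificate DNS name (possibly a wildcard) with one host name.
function Test-DnsNameMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant().TrimEnd('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    if ($p.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label.
        $suffix = $p.Substring(1)                      # e.g. ".example.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($p -eq $h)
}

# Check a certificate in Local Computer\Personal against the RDS requirements.
function Test-RdsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string[]]$ExpectedName
    )
    # Drop spaces and any non-hex characters picked up when copying the value.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $thumb; Found = $false; Ready = $false }
    }

    # EKU: acceptable when absent, otherwise it must list one of the two OIDs.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    $ekuOk = $true
    if ($ekuExt) {
        $oids  = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $ekuOk = ($oids -contains $ServerAuthOid) -or ($oids -contains $RdpAuthOid)
    }

    # Every name a client connects to must be covered by a certificate name.
    $certNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $unmatched = @($ExpectedName | Where-Object {
        $name = $_
        -not ($certNames | Where-Object { Test-DnsNameMatch -Pattern $_ -HostName $name })
    })

    $now     = Get-Date
    $inDates = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
    [pscustomobject]@{
        Thumbprint     = $thumb
        Found          = $true
        HasPrivateKey  = $cert.HasPrivateKey
        EkuOk          = $ekuOk
        InValidity     = $inDates
        CertNames      = $certNames
        UnmatchedNames = $unmatched
        Ready          = $cert.HasPrivateKey -and $ekuOk -and $inDates -and ($unmatched.Count -eq 0)
    }
}

# Read the thumbprint currently bound to the RDP-Tcp listener (same WMI class
# and property that the wmic command above writes).
function Get-RdpListenerThumbprint {
    (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
}

# Constructed demo (runs without any certificate): compare a wildcard name
# with an external name, a session host's .local FQDN and a two-label name.
foreach ($h in 'RDS.example.com', 'rdsh01.example.local', 'a.b.example.com') {
    '{0,-22} covered by *.example.com: {1}' -f $h, (Test-DnsNameMatch '*.example.com' $h)
}

# On an RDSH server, with your own thumbprint and the names clients use:
#   Test-RdsCertificate -Thumbprint '<thumbprint>' -ExpectedName 'rdsh01.example.local'
#   Get-RdpListenerThumbprint
```

A non-empty `UnmatchedNames` means clients connecting by those names will see a name mismatch once the certificate is bound to the listener.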

  • RDS 2012 R2 - RemoteApp - Certificate Mismatch

    Hi!
    We have a newly built RDS 2012 R2 setup.
    It consists of the following:
    1 x Server with the Gateway and the Web Access role
    2 x Servers running a Connection Broker HA cluster
    3 x Servers running as Session Hosts
    The internal domain name is example.local
    We have purchased a wildcard certificate for the entire setup. (called *.example.com)
    An external DNS record - RDS.example.com - has been created and it NAT to the Gateway and Web Access server.
    We have used the script from
    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 to publish the FQDN. The name we have published is Broker.example.com. We have created a split-brain DNS internally so that the clients can resolve external names internally.
    Whenever we try to launch a RemoteApp externally we get the dreaded "Name mismatch" (and it takes about 30 seconds before we get the prompt):
    Any ideas how to solve this issue?

    Hi TP.
    Thank you for your advice.
    I've updated the Windows 7 client to RDP 8.1 and it did the trick! Thank you.
    But we have several external users - and we don't have any chance of controlling if they are running RDP 8.1. I tried to import the wildcard certificate to all RDSH servers - using the script in this link: https://social.technet.microsoft.com/Forums/windowsserver/en-US/475fb55f-e394-45d9-a6bd-a37e2a5fe86c/rds-2012-session-host-certificate-assignment?forum=winserverTS
    However - that is when I see the "Name mismatch" warning when launching a RemoteApp (as mentioned in my original post). I suppose this is because the certificate is valid only for *.example.com - and not for *.example.local?
    Is there any solution to this?

  • How do you configure a farm name in RDS 2012?

    I understand Remote Desktop Services has undergone some drastic changes.
    How do you configure a farm name in RDS 2012? Or is the concept around farm name changed in another concept?
    Although I have imported a certificate on the RDCH with the farm name I want to use, when I click on a RemoteApp on the RD Web Access portal, it does not connect to the right farm name.
    Boudewijn Plomp, BPMi Infrastructure & Security

    You don't. You create a collection. A client connects to the Connection Broker and then is redirected to the collection it is connecting to. The collection name is embedded in the connection file that the client downloads from RDWeb or the RDWeb feed.
    A collection is basically at least one RDSH server (for session based desktops) or one virtual machine (virtual machine based desktops). 
    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

  • RDS 2012 (An Authentication error has occurred 0x607) - WINDOWS 8 ONLY

    Hi - please help. I've read many posts relating to this error, but none have fixed my issue.
    We have an RDS 2012 setup.  2 Servers.  Both session hosts.  only 1 is the broker.  Cert from official CA.
    My authentication is set to ONLY allow devices with Network Level Authority.  I don't want to remove this.
    Windows XP and Windows 7 can connect both internally, and externally via the RDWeb address perfectly fine, but all Win8 machines get the error "An authentication error has occurred. Code 0x607".
    Can anyone please advise why?
    Many thanks

    Hi,
    I have seen other similar cases got resolved by setting the encryption level to low and security layer to Negotiate.
    Here is a thread below:
    An authentication error has occured (Code: 0x607)
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/94780a11-23ba-4a3c-b11a-734007c2d2fd/an-authentication-error-has-occured-code-0x607?forum=winserverTS
    If it is not an option for you, I suggest you check whether the SSL certificate used by RDWeb access is trusted by the Windows 8 clients. There should be a corresponding root CA certificate installed in the Trusted Certification Authorities store.
    Best Regards,
    Amy

  • 2 Separate RDS 2012 R2 Deployments in Same Domain ?

    We have a current RDS 2012 R2 deployment. We are changing hosting vendors and want to completely redo the entire deployment (rather than try to migrated the VMs). What is the best way to go about this?
    We do want to continue to use the GPO and user files will be migrated. How can we have the prod and dev RDS environments coexisting on the same domain? 
    Just to clarify, we do not want to use any of the existing infrastructure because it is all going to go away. Thank you!

    Hi,
    Thank you for posting in Windows Server Forum.
    I think that is a good way to start the new environment without any mixing up. Yes, everything can be set up under the same domain. For a common domain environment, you can buy one single wildcard certificate with the domain name which can be used for all roles. As in a domain-joined environment, we can have both RDS servers use the same RD Gateway. For this we need to enter the same FQDN of the working RDG into the Deployment properties of the second deployment.
    There are several other points which need to be checked; you can refer to the following articles for in-depth understanding and configuration.
    1. Step by Step Windows 2012 R2 Remote Desktop Services – Part 2
    2. How To Work with RD Gateway in Windows Server 2012
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
