RDS VDI Certificate Mismatch

Hi,
I have a 2012 R2 RDS farm deployed and users are able to log onto the personal desktops successfully. However, when the user launches the VDI from RD Web, they receive a certificate mismatch. The certificate being presented is self-signed from the VDI.
Is this normal behaviour for the VDI connection? Or am I missing something here?

Hi,
When running RemoteApp/VDI from RD Web, we have to use a trusted certificate for a proper connection. If you are receiving a certificate mismatch error, there are certain reasons it can occur. When publishing RDS externally, you will see a certificate mismatch because the internal server FQDNs/IP addresses will show externally during the connection process to RemoteApps or Remote Desktops.
There are certain solutions to resolve this issue.
• Create a new DNS zone for the external .COM name to allow split-brain DNS (so that internal clients can resolve external names internally)
• Create a relevant DNS entry to point to the RDS environment's internal IP address
• Create a relevant DNS entry in external DNS to point to the firewall which is publishing RDS's external IP address
• Use the following script to change the FQDN of the RDP files provided by RD Web Access / RemoteApp and Desktop Connection feed
   https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
You can also refer to the article beneath for more information.
Configuring RDS 2012 Certificates and SSO
Hope it helps!
Thanks.
Dharmesh Solanki
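The procedure in the answer above, carried through as an added example (this is not code from the thread or from the gallery script it links, although step 1 writes the same WMI property that script does). It assumes a broker named rdcb01.corp.local, a public name remote.example.com that is on the public certificate, and session hosts rdsh01/rdsh02.corp.local reachable over WinRM; all of those names are placeholders. Run it in an elevated PowerShell on the connection broker: the root\CIMV2\rdms namespace only exists on a broker (elsewhere you get "Invalid namespace") and writing to it needs elevation (otherwise "Privilege not held").

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from Set-RDPublishedName.ps1.
# 1. Sets the name RD Web Access writes into RDP files for a 2012/2012 R2
#    deployment and, for an HA broker, the client access name.
# 2. Checks that the published name resolves internally (split-brain DNS).
# 3. Checks which certificate each session host's RDP-Tcp listener presents
#    and whether its CN/SAN names cover the host's own FQDN and the public name.
param(
    [string]$ConnectionBroker = 'rdcb01.corp.local',    # assumption
    [string]$ClientAccessName = 'remote.example.com',    # assumption: name on the public cert
    [string[]]$SessionHosts   = @('rdsh01.corp.local', 'rdsh02.corp.local')  # assumption
)
Import-Module RemoteDesktop -ErrorAction Stop

# Does one of the certificate's DNS names cover $HostName? A wildcard matches
# exactly one label: *.example.com covers a.example.com, not a.b.example.com.
function Test-NameCovered([string[]]$CertNames, [string]$HostName) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName -like $n -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

# --- 1. Published name ("full address" in the RDP files the feed hands out) ---
$wmi = @{ Namespace = 'root\CIMV2\rdms'; Class = 'Win32_RDMSDeploymentSettings'
          ComputerName = $ConnectionBroker; Authentication = 'PacketPrivacy'; ErrorAction = 'Stop' }
$null = Invoke-WmiMethod @wmi -Name SetStringProperty -ArgumentList @('DeploymentRedirectorServer', $ClientAccessName)
$published = (Get-WmiObject @wmi).GetStringProperty('DeploymentRedirectorServer').Value
"Published name is now: $published"

# Set-RDClientAccessName applies only to a highly available broker set.
if (Get-RDConnectionBrokerHighAvailability -ConnectionBroker $ConnectionBroker -ErrorAction SilentlyContinue) {
    Set-RDClientAccessName -ConnectionBroker $ConnectionBroker -ClientAccessName $ClientAccessName
}

# --- 2. Split-brain DNS: inside the network the public name must resolve to the
#        internal address of the broker/gateway, not to the firewall's public IP ---
$inside = (Resolve-DnsName -Name $ClientAccessName -Type A -ErrorAction Stop).IPAddress
"$ClientAccessName resolves internally to: $($inside -join ', ')"

# --- 3. Session host listener certificates --------------------------------------
# The client validates the RDSH certificate against the name the broker redirects
# it to (the host's FQDN), so a cert carrying only the public name still fails.
foreach ($rdsh in $SessionHosts) {
    # root\CIMV2\TerminalServices refuses anything below packet privacy
    $listener = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ComputerName $rdsh -Authentication PacketPrivacy -ErrorAction Stop
    $thumb = $listener.SSLCertificateSHA1Hash
    $info = Invoke-Command -ComputerName $rdsh -ArgumentList $thumb -ScriptBlock {
        param($t)
        # The default self-signed cert lives in "Remote Desktop", a CA-issued one in My
        $c = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
             Where-Object { $_.Thumbprint -eq $t } | Select-Object -First 1
        if (-not $c) { return $null }
        $names = @($c.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not $names -and $c.Subject -match 'CN=([^,]+)') { $names = @($Matches[1].Trim()) }
        [pscustomobject]@{ Subject = $c.Subject; SelfSigned = ($c.Subject -eq $c.Issuer)
                           NotAfter = $c.NotAfter; Names = $names }
    }
    if (-not $info) { Write-Warning "$rdsh : no certificate with thumbprint $thumb found"; continue }
    [pscustomobject]@{
        SessionHost     = $rdsh
        Thumbprint      = $thumb
        SelfSigned      = $info.SelfSigned
        Expires         = $info.NotAfter
        CertNames       = ($info.Names -join ', ')
        CoversOwnFqdn   = Test-NameCovered $info.Names $rdsh
        CoversPublished = Test-NameCovered $info.Names $ClientAccessName
    }
}
```

A host reporting CoversOwnFqdn False is the one that will raise the "Name mismatch" dialog after the broker redirects to it; SelfSigned True gives the untrusted-issuer warning even when the name matches. Run the DNS check again after changing zones, and clear the DNS cache on the broker, gateway and client before retesting.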

Similar Messages

  • Certificate Mismatch RDS Session Host

    I've been banging my head against this for the last few days. I have a server 2012 remote desktop setup as follows:
    1 Gateway Server
    1 RD Web Access Server
    1 Session Broker, which is also a session host
    1 Additional Session host
    I'm using RemoteApp to publish applications rather than desktops. I've got a wildcard certificate for the external domain, which works fine for the gateway and web access server. The problem comes with the session hosts, which are giving me a certificate mismatch error because connections are made to the internal name (which is a .local address), which obviously does not match the external certificate.
    I have a DNS zone for the external name setup on this domain, so that machines can be resolved by internal or external names.
    I've made some progress by following the steps here - http://serverfault.com/questions/524092/rds-rdweb-and-remoteapp-how-to-use-public-certificate-for-launching-apps-on-s, and things now work fine if I only have the session host that is also the broker enabled. Once I add the second session host, any requests that go to that get the certificate error. Connections to the first session host still work fine.
    Does anyone know a way to have requests be made to the external name of the session host?

    Hi,
    1. After making the DNS change, did you flush the DNS cache on the RD Gateway server?  Or even better restart the whole server?
    2. Do you have DNS round robin for any of the other servers in your deployment?  You should not.  Additionally, do you have any NLB or other hardware/software load balancing solution in place?
    3. To make sure I have the facts correct, please let me know if the following items are correct:
    a. You are launching a RemoteApp from within RD Web Access using IE running on a Windows 8 PC
    b. When you launch a RemoteApp, the prompt has the following on it (for Calculator in this example):
    Publisher: *.domain.com
    Type: RemoteApp program
    Path: calc
    Name: Calculator
    Remote computer: rdbroker.domain.com
    Gateway server: gateway.domain.com
    c. After clicking Connect it goes through several status messages and then you get a Certificate error saying essentially:
    Name mismatch
         Requested remote computer:
         rd02.domain.local
         Name in the certificate from the remote computer:
         *.domain.com
    Certificate errors
      The following errors were encountered while validating the remote
      computer's certificate:
         The server name on the certificate is incorrect.
    d. In Deployment Properties, RD Gateway tab, Bypass RD Gateway server for local addresses is
    unchecked.
    4. Do you have multiple configured network cards in each server, or just a single NIC that has an ip address?
    5. Have you modified the default firewall configuration of your servers?  In other words, can I assume they are on the same subnet and are able to communicate with each other in the default domain configuration, or have changes been made and/or is there a third-party firewall software or device in place that could be affecting things?  I ask because normally the broker will authenticate the destination server using Kerberos and if something interferes with this you can get unexpected errors.
    I believe you are close to solving this now.
    Thanks.
    -TP

  • RDS 2012 - Certificate Mismatch

    I am getting the most annoying error with my RDS 2012 Setup.
    certificate mismatch and double password prompts when trying to connect to my RDS setup.
    I have tried all that's out there and have got no positive results.
    All roles are identical on 2 servers. The RDCB is in HA mode.
    I keep getting the certificate mismatch error.
    Already have a public or external SAN certificate assigned to all roles.
    Ran the PowerShell and WMI query to ensure the correct URL is used when connected to the gateway, but I still get the double prompt when launching the RemoteApps.
    I even tried the approach of cleaning IE's history and data to get the RDP ShellPlugin, and it's not helped in my case.
    All servers run 2012.
    I need some urgent assistance, please and thank you.
    I have also checked and rebooted the RDS environment multiple times.
    All certs show valid. The mismatch also goes to another cert in my environment which is utilized by OWA.
    Please help me.

    I downloaded the script to C:\ and tried running it - no luck
    PS C:\> .\Set-RDPublishedName.ps1 "remote.domain.com"
    Security warning
    Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
    computer. Do you want to run C:\Set-RDPublishedName.ps1?
    [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
    iwmi : Privilege not held.
    At C:\Set-RDPublishedName.ps1:9 char:11
    + $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
        + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod
    I also tried it from the other HA RDCB server.
    PS C:\> .\Set-RDPublishedName.ps1 "remote.domain.com"
    Security warning
    Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm
    computer. Do you want to run C:\Set-RDPublishedName.ps1?
    [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
    Set-RDClientAccessName : A valid fully qualified domain name (FQDN) for the server was not specified.
    At C:\Set-RDPublishedName.ps1:22 char:1
    + Set-RDClientAccessName -ConnectionBroker $ConnectionBroker -ClientAccessName $Cl ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-RDClientAccessName
    I also tried it this way:
    PS C:\Users\administrator.TBCL\Downloads> .\Set-RDPublishedName.ps1
    Security warning
    Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
    computer. Do you want to run C:\Users\administrator.TBCL\Downloads\Set-RDPublishedName.ps1?
    [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
    cmdlet Set-RDPublishedName.ps1 at command pipeline position 1
    Supply values for the following parameters:
    (Type !? for Help.)
    ClientAccessName: remote.domain.com
    iwmi : Invalid namespace
    At C:\Users\administrator.TBCL\Downloads\Set-RDPublishedName.ps1:9 char:11
    + $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
        + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod

  • Server 2012 R2 - RDS Farm Certificate Mismatch on Session Hosts

    Hi Guys,
    I've another RDS 2012 R2 issue. Internal and external domains do not match. External: domain.com.au; Internal: domain.com.net.
    I'm getting certificate mismatch errors when connecting to the Farm/RemoteApps.
    I have performed the following fixes:
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment (http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80). This resolved the original issue where I was getting a certificate mismatch error externally for the FQDN of the server.
    Updated the RDP-Tcp certificate used on the Session Host servers. This was to resolve an issue where using mstsc to RDP to the farm externally (via gateway) would give a "Certificate is not trusted" error on the RDSH side.
    Now whenever RDWeb is used to launch a RemoteApp or the farm, I get a certificate mismatch error as the RDSH server is called RDS1-TCC.domain.com.net and the certificate is for remote.domain.com.au.
    I rolled back the last change so that RemoteApps and the Farm would work successfully internally without certificate issues. How do I go about resolving the certificate errors?
    For extra background details see my original thread. It was marked as answered when only 1 out of 2 issues was resolved. http://social.technet.microsoft.com/Forums/windowsserver/en-US/b664ddaf-6c11-49e2-8a69-0df3b8ef13a1/server-2012r2-rds-farm-with-xp-and-windows-vista-clients?forum=winserverTS
    Cheers,
    Ben

    Hi Ben,
    Thank you for posting in Windows Server Forum.
    In your case, I suggest you check that the certificate matches the FQDN of the server. If you are creating an SSL certificate, it must be signed by a trusted authority, and the certificate must be stored under "Local Computer\Personal".
    You can also buy a wildcard certificate from a third party, so that only one certificate is needed for your network. Please check the links below for more information regarding the certificate issue.
    1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    2. Configuring RDS 2012 Certificates and SSO
    3. Windows 2012 RDS Certificate mismatch
    Hope it helps!
    Thanks,
    Dharmesh
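The "Updated the RDP-Tcp certificate used on the Session Host Servers" step from Ben's post, as an added example (not Ben's or the forum's code), with the check that the post's own result suggests: the certificate is chosen by the name clients are redirected to, which is the session host's own FQDN, because binding a certificate for remote.domain.com.au to a host that the broker calls RDS1-TCC.domain.com.net only moves the mismatch. It assumes the certificate is already imported into LocalMachine\My with its private key, and that the host's AD DNS name is what the broker hands out; run it elevated on each session host.

```powershell
#Requires -RunAsAdministrator
# Added example, not Ben's or the forum's code. Binds a CA-issued certificate from
# LocalMachine\My to the RDP-Tcp listener, grants the listener's service account
# read access to the private key, and reads back what the listener now presents.
param(
    # Assumption: the name the broker hands to clients is this host's AD DNS name.
    [string]$ExpectedName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# Newest valid cert with a private key whose CN/SAN names include $ExpectedName
# (exact match only; a wildcard for the internal domain would also satisfy clients
# but is deliberately not auto-selected here).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   (@($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $ExpectedName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate in LocalMachine\My with a private key covers $ExpectedName; issue one for that name (e.g. from the internal CA) rather than binding the external certificate"
}

# TermService runs as NETWORK SERVICE and must be able to read the key file or it
# cannot use the certificate. CAPI keys live under MachineKeys; for a CNG key
# $cert.PrivateKey is $null and the ACL is set in certlm.msc (Manage Private Keys).
if ($cert.PrivateKey) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $acl = Get-Acl -Path $keyFile
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
} else {
    Write-Warning 'CNG-backed key: grant NETWORK SERVICE read access via Manage Private Keys'
}

# Bind by SHA-1 thumbprint, then read back from the listener itself.
$listener = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
$null = Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
$bound = (Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
[pscustomobject]@{
    SessionHost = $ExpectedName
    Thumbprint  = $bound
    Subject     = $cert.Subject
    Names       = (@($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', ')
    Bound       = ($bound -eq $cert.Thumbprint)
}
```

No restart of the listener is needed; the next connection negotiates TLS with the newly bound certificate. If Bound comes back True but clients still see the self-signed certificate, the private key permission is the usual cause.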

  • Certificate mismatch for internal RDSH

    I'm sure this question has been asked/addressed over a dozen times. I do apologize in advance for the repeat.
    I have RDS set up on a 2008 R2 box with a single certificate for the RDG. When users connect, they obviously get a mismatched certificate warning upon connecting to the internal RDSH server (RDSH.domain.local).
    Besides using an internal CA, what other options do I have? I guess I can technically use a wildcard certificate and use split DNS, but that's currently not an option.
    Thanks

    Hi,
    As you have installed the RDS roles on a single server, you can use a single certificate for all RDS server roles. You also need to open TCP port 443 and UDP port 3391 pointing to the RD Gateway server. You can change the published FQDN of the server; for that you also need to create a DNS A record on the network that points to the server's IP address. You can change the FQDN with the command mentioned in the link below.
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
    Also check that you have correctly set the RD RAP and RD CAP policies under RD Gateway Manager. You can also select "Allow users to connect to any resource" under the Network Resource tab in RD Gateway Manager. (Quoted from the thread below, answered by TP.)
    More information:
    Windows 2012 RDS Certificate mismatch
    Hope it helps!
    Thanks,
    Dharmesh

  • 2012 RDS + VDI users unable to connect

    environment:  2 2012 Hosts, connection broker + rdweb (same vm), no gateway, all 2012 OS.  Standard deployment on the 2 hosts.
    I have a 2012 RDS installation of personal VDI.  Users connect to the RDWeb server and launch their assigned VDI from there.  Users are experiencing random connection issues when connecting to their VDI via the RDWeb portal.  Here are some events in the logs:
    Event 8964 Remote Desktop Virtualization Host failed to process the orchestration request because virtual desktop [VM7REMSBUCJ] is busy processing cleanup from previous logoff event.
    Event 8467 Remote Desktop Virtualization Host failed to get redirection authentication information from the virtual machine [VM7REMSBUCJ] .
    The events above correspond with remote users attempting to log in in the morning to a VDI with a state of shutdown.

    This isn't the best forum for 2012 Server or RDS.  This is specific to Virtual Server 2005.
    Try reposting in Server 2012, or an RDS/VDI forum like one of these:
    https://social.technet.microsoft.com/Forums/windowsserver/en-us/home?category=windowsserver

  • SSL Certificate Mismatch with AnyConnect client

    Hello,
    We are having a problem with the AnyConnect client when connecting to our VPN.  We are running the following:
    AnyConnect v2.4.0202
    (2 each) ASA v8.2(1) -- active/standby failover
    AnyConnect Essentials Licensing
    NOTE:  We are not using certificates for authentication.
    Primary clients:  Windows XP and Windows 7
    Problem
    We have purchased an Entrust certificate for our ASA failover cluster called "vpn.company.com" and it is attached to the outside interface on the ASA.
    Steps to Reproduce
    Install the AnyConnect (AC) client via https://vpn.company.com/.  Connection occurs here without issue.
    Once the AC client is installed and we try to use it in stand-alone mode (i.e., w/o hitting the ASA w/ a browser), a certificate mismatch occurs, and AC brings up the Windows/IE Security Alert dialog (see attachment CertError.jpg).
    The user must press Yes to bypass the mismatch.
    PROBLEM:  On Windows 7, the user must have administrative privileges and run the AC client as administrator -- otherwise, they get a dialog saying "Unable to establish VPN" (see attachment Unable.jpg).
    The issue is we have a valid certificate that should be used for the connection.  However, when looking at the connections made by the AC client with Fiddler, it would appear that the AC client is trying to connect directly to the ASA's IP address, and not the name.  This is a nuisance for XP users, and a show-stopper for Win7 users as they do not have admin privileges.
    I have not been able to find any documentation on Cisco.com relating to this issue.  In short, how do I get the AC client to use "vpn.company.com" so there is no cert mismatch?
    Thanks,
    -Matt

    Tim,
    I will read through the article more thoroughly; I've already been through parts of it -- won't hurt to go through again.  I did initially have the IP address in my XML file, and immediately removed it when I noticed that it was using the IP address in the Fiddler dump.  It hasn't had any effect unfortunately -- even with uninstalling and re-installing the AC client locally.
    The only other article/post I've come across on Cisco's site that comes close is here:
    Cisco Support Community: ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
    which seems to suggest that I will need a UCC certificate (which seems ridiculous) to do some of what I need to do.  However the issue with that post is that it still wouldn't fix the issue where the AC client is using the IP address.
    I will let you know if I find any smoking guns in the doco link you sent.  Any other thoughts appreciated.  I can't believe Cisco made the setup of the AC client this convoluted.
    Thanks!
    -Matt

  • Using USB Devices in RDS VDI with Windows 8.1 Scenario

    We are currently in an upgrade scenario from our old Windows XP / Citrix XenDesktop farm to a new VDI installation. The new installation is a Windows Server 2012 R2 Remote Desktop Services collection using Remote Desktop Virtualization Hosts on 2012 R2 too.
    The VD clients are Windows 8.1 ENT and the user endpoints are HP thin clients with Windows Embedded 8.1 Industry Enterprise.
    The user connects to his virtual desktop via 8.1 Embedded (RDP 8.1).
    We want all new USB drives to map natively in the RDP session (RemoteFX USB redirect) so USB sticks or CD/DVD drives are controlled by the VD client OS.
    We understand that there are so-called "high level devices" which RDP is using per default. We also know that there is a GPO that redirects all "other supported USB devices". That works well for e.g. webcams, but we want to override the "high level devices" policy and simply map e.g. a USB stick natively to the RDP destination.
    Currently the drive is mapped as a "high level USB device" and the USB key has no drive letter, can't be formatted or used in other RemoteApp sessions initiated on the VD client OS.
    The systems we are using:
    Windows 8.1 Enterprise - VD client on Hyper-V 2012 R2 FO cluster
    Windows 8.1 Embedded Industry Enterprise as thin client OS
    Windows Server 2012 R2 as middleware (RDS VDI collection, Web Access)
    Thank you in Advance
    Chris

    Hi Chris,
    Thank you for posting in Windows Server Forum.
    The USB devices that you would like to use in the remote session must be plugged in before starting Remote Desktop Connection; devices plugged in during the session will not be redirected.
    Have you tried to reconfigure the USB device?
    Please try to remove that device and reconfigure it with the following command, and check whether the issue gets resolved.
    Set-RDVirtualDesktopCollectionConfiguration –CollectionName YourCollectionName –CustomRdpProperty "usbdevicestoredirect:s:{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    where {6bdd1fc6-810f-11d0-bec7-08002be2092f} is the system-defined device setup class GUID.
    More information.
    1) RemoteFX USB Redirection in Windows Server 2012 and Windows 8
    2) Introducing Microsoft RemoteFX USB Redirection: Part 3
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
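The command in the answer above, wrapped as an added example (not part of the original answer) that preserves whatever custom RDP properties the collection already carries: -CustomRdpProperty replaces the whole property string, so running the bare command drops any other lines that were set earlier. The collection name 'VDI-Pool' is a placeholder, the read-back relies on the Get- cmdlet's -CustomRdpProperty switch, and it runs on the connection broker with the RemoteDesktop module.

```powershell
# Added example, not from the original answer. Merges usbdevicestoredirect into the
# collection's existing custom RDP properties instead of overwriting them.
param(
    [string]$CollectionName = 'VDI-Pool',                               # assumption
    # Setup class GUID for USB devices, as given in the answer above; further class
    # GUIDs or device instance IDs can be added to the list.
    [string[]]$DeviceIds    = @('{6bdd1fc6-810f-11d0-bec7-08002be2092f}')
)
Import-Module RemoteDesktop -ErrorAction Stop

# Custom RDP properties are newline-separated "name:type:value" lines, the same
# syntax as an .rdp file; usbdevicestoredirect takes a ';'-separated list.
function Merge-RdpProperty([string]$Existing, [string]$Name, [string[]]$Values) {
    $lines   = @($Existing -split "`r?`n" | Where-Object { $_.Trim() })
    $current = @()
    $ours    = $lines | Where-Object { $_ -like "${Name}:s:*" } | Select-Object -First 1
    if ($ours) { $current = @(($ours -split ':', 3)[2] -split ';' | Where-Object { $_ }) }
    $merged  = @(($current + $Values) | Select-Object -Unique)
    $others  = @($lines | Where-Object { $_ -notlike "${Name}:s:*" })
    return (($others + "${Name}:s:$($merged -join ';')") -join "`r`n")
}

$before = (Get-RDVirtualDesktopCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty).CustomRdpProperty
$after  = Merge-RdpProperty -Existing $before -Name 'usbdevicestoredirect' -Values $DeviceIds
Set-RDVirtualDesktopCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty $after

# The same lines end up in the .rdp file RD Web Access gives the client, where
# they can be confirmed with a text editor.
"Before:`n$before`n`nAfter:`n$after"
```

The server-side property only tells the client what to offer; the client still needs RemoteFX USB redirection enabled by policy (the "other supported RemoteFX USB devices" setting mentioned in the question), and the device must be plugged in before the session starts.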

  • Certificate mismatch Outlook Anywhere

    Hi,
    When connecting an Outlook 2013 client to Exchange 2013 I am getting a certificate mismatch error.
    The SSL certificate is for the external name (exch.domain.com), has no SANs, and Outlook is looking for servername.local.
    I have configured all virtual directories for Exchange to use the above URL (exch.domain.com) for internal and external access.
    Have a local DNS record resolving the external name (exch.domain.com) to the internal IP of the Exchange server.
    Operating a single public IP using ARR and Windows Server 2012 Essentials.
    Have set up an SRV record in DNS for autodiscovery.
    Outlook Anywhere in the ECP is configured for NTLM authentication.
    In Outlook, in the advanced connection properties, I was getting authentication prompts until I added https://exchange.domain.com as a proxy server.
    Any help would be appreciated thanks.

    I am having the same issue with my Outlook 2013 clients.
    All virtual directories are set to mail.company.com.  The GoDaddy certificate is for mail.company.com and is used for the SMTP, IIS, POP3, IMAP services.
    The client gives a security alert about the certificate name for servername.company.com not matching the certificate mail.company.com.  The client account settings show the server as a [email protected] and the Exchange proxy settings as mail.company.com and connect using SSL only with msstd:mail.company.com for the principal name.
    Doing a connection status check on Outlook, it shows the proxy server of mail.company.com and server name as the [email protected] for Exchange Directory and Exchange Mail.
    I have tried putting the server name in the virtual directory internal URLs but it still isn't working correctly.
    I had used a cert from our internal CA for testing and am still using it for the UM and UMCallRouter functions, although the SMTP, IMAP, POP3 are still checked for it.
    Outlook functions fine after clearing the Security Alert.
    Not sure what I am missing.  Thanks for any help.
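Both posts above report Outlook 2013 connecting to the server's own name while every virtual directory shows the public name. The check below is an added example, not code from either post: run in the Exchange Management Shell on an Exchange 2013 server, it gathers every host name Exchange can hand to Outlook (virtual directory URLs, the Outlook Anywhere host names and the Autodiscover SCP URI) and reports which of them the certificate assigned to IIS does not cover. The Outlook Anywhere InternalHostname and AutoDiscoverServiceInternalUri are the two values the virtual directory pages in ECP do not show, which is where a leftover server FQDN usually hides. It assumes a single server (the local one); pass -Server otherwise.

```powershell
# Added example, not from either post. Exchange Management Shell, Exchange 2013.
param([string]$Server = $env:COMPUTERNAME)

# Names on the certificate currently assigned to the IIS service on this server
$iisCert = Get-ExchangeCertificate -Server $Server |
           Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate with the IIS service assigned on $Server" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# One row per setting; accepts a URL (InternalUrl, SCP URI) or a bare host name
function New-Entry([string]$Setting, $Value) {
    $h = '(not set)'
    if ($Value) {
        $h = if ("$Value" -match '^https?://([^/:]+)') { $Matches[1] } else { "$Value" }
        $h = $h.ToLower()
    }
    [pscustomobject]@{ Setting = $Setting; HostName = $h }
}

$entries = @()
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
                 'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory') {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) { continue }   # MAPI/HTTP: 2013 SP1+
    foreach ($vd in @(& $cmd -Server $Server)) {
        $entries += New-Entry "$cmd InternalUrl" $vd.InternalUrl
        $entries += New-Entry "$cmd ExternalUrl" $vd.ExternalUrl
    }
}
$oa = Get-OutlookAnywhere -Server $Server | Select-Object -First 1
$entries += New-Entry 'OutlookAnywhere InternalHostname' $oa.InternalHostname
$entries += New-Entry 'OutlookAnywhere ExternalHostname' $oa.ExternalHostname
$entries += New-Entry 'AutoDiscoverServiceInternalUri' (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri

# Covered by an exact CN/SAN entry, or by a wildcard that spans exactly one label
$entries | ForEach-Object {
    $h = $_.HostName
    $wild = @($certNames | Where-Object { $_.StartsWith('*.') -and $h -like $_ -and
                                          $h.Split('.').Count -eq $_.Split('.').Count })
    [pscustomobject]@{
        Setting       = $_.Setting
        HostName      = $h
        CoveredByCert = ($h -eq '(not set)') -or ($certNames -contains $h) -or ($wild.Count -gt 0)
    }
} | Sort-Object CoveredByCert, Setting | Format-Table -AutoSize
```

A row with CoveredByCert False is a name Outlook may be told to connect to and then reject; a "(not set)" InternalHostname is also worth fixing, since Outlook then falls back to the server FQDN. The report makes no changes; the corresponding Set- cmdlets (Set-OutlookAnywhere, Set-ClientAccessServer, Set-*VirtualDirectory) take the same parameter names.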

  • Certificate - Mismatched Address

    All, I am getting several of these messages preventing me going to certain pages in CallManager 5.1. The error is in the toolbar: Certificate, Mismatched Address: The security certificate presented by this website was issued for a different website's address.
    Anyone ever had this?

    If you are using the IP address instead of the hostname, the mismatched address message is because the certificate was created with the CM server hostname.
    Point DNS at the correct hostname.

  • Exchange 2007 Autodiscover certificate mismatch

    Hello, the company that I work for is trying to switch from Exchange 2007 SP1 to Office 365.  However, when we try the cutover migration, 365 doesn't recognize our Exchange server.  After a bit of research, I discovered that there is a certificate mismatch that is causing the problem.
    I've been searching for a way to solve this problem for a couple of days now and have not yet found a solution.  We'd like to keep the autodiscover location, but change the certificate that is bound to it.  We have a matching certificate installed, but for some reason, Autodiscover keeps pointing toward the wrong certificate (that doesn't even exist).
    Any help would be greatly appreciated

    We purchased new certs from GoDaddy and inserted them into exchange (overwriting the old certs and CAs), and this seemed to correct the certificate mismatch.  However, when I run the Remote Connectivity Analyzer, I get this:
    Connectivity Test Failed
    Test Details
    The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
    Testing Autodiscover failed.
    Additional Details
    Elapsed Time: 7624 ms.
    Test Steps
    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service couldn't be contacted successfully by any method.
    Additional Details
    Elapsed Time: 7624 ms.
    Test Steps
    Attempting to test potential Autodiscover URL https://paidwarranty.com:443/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
    Additional Details
    Elapsed Time: 1237 ms.
    Test Steps
    Attempting to resolve the host name paidwarranty.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 12.192.135.43, 50.232.20.50
    Elapsed Time: 129 ms.
    Testing TCP port 443 on host paidwarranty.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 152 ms.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 342 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server paidwarranty.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=www.paidwarranty.com, OU=Domain Control Validated, Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
    Elapsed Time: 247 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Host name paidwarranty.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 1 ms.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=www.paidwarranty.com, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    A total of 1 chains were built. The highest quality chain ends in root certificate CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
    Elapsed Time: 39 ms.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 5 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 2/24/2014 3:11:57 PM, NotAfter = 2/24/2016 3:11:57 PM
    Elapsed Time: 0 ms.
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
    Additional Details
    Accept/Require Client Certificates isn't configured.
    Elapsed Time: 371 ms.
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    Additional Details
    Elapsed Time: 241 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://paidwarranty.com:443/Autodiscover/Autodiscover.xml for user [email protected].
    The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
    Additional Details
    A Web exception occurred because an HTTP 404 - NotFound response was received from IIS7.
    HTTP Response Headers:
    Content-Length: 5401
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Date: Mon, 02 Mar 2015 14:58:45 GMT
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Elapsed Time: 241 ms.
    Attempting to test potential Autodiscover URL https://autodiscover.paidwarranty.com:443/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
    Additional Details
    Elapsed Time: 5175 ms.
    Test Steps
    Attempting to resolve the host name autodiscover.paidwarranty.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 157.56.234.137, 157.56.244.217, 157.56.236.89, 157.56.232.9
    Elapsed Time: 327 ms.
    Testing TCP port 443 on host autodiscover.paidwarranty.com to ensure it's listening and open.
    The specified port is either blocked, not listening, or not producing the expected response.
    Additional Details
    A network error occurred while communicating with the remote host.
    Elapsed Time: 4847 ms.
    Attempting to contact the Autodiscover service using the HTTP redirect method.
    The attempt to contact Autodiscover using the HTTP Redirect method failed.
    Additional Details
    Elapsed Time: 995 ms.
    Test Steps
    Attempting to resolve the host name autodiscover.paidwarranty.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 157.56.234.137, 157.56.244.217, 157.56.236.89, 157.56.232.9
    Elapsed Time: 16 ms.
    Testing TCP port 80 on host autodiscover.paidwarranty.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 111 ms.
    The Microsoft Connectivity Analyzer is checking the host autodiscover.paidwarranty.com for an HTTP redirect to the Autodiscover service.
    The redirect (HTTP 301/302) response was received successfully.
    Additional Details
    Redirect URL: https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml
    HTTP Response Headers:
    Connection: close
    Pragma: no-cache
    Cache-Control: no-cache
    Location: https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml
    Elapsed Time: 137 ms.
    Attempting to test potential Autodiscover URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
    Additional Details
    Elapsed Time: 729 ms.
    Test Steps
    Attempting to resolve the host name autodiscover-s.outlook.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 132.245.64.242, 132.245.3.130, 132.245.92.226, 132.245.82.50, 132.245.81.194, 132.245.81.130, 132.245.88.194
    Elapsed Time: 17 ms.
    Testing TCP port 443 on host autodiscover-s.outlook.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 53 ms.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 221 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover-s.outlook.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US, Issuer: CN=Microsoft IT SSL SHA1, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.
    Elapsed Time: 127 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Host name autodiscover-s.outlook.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 1 ms.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US.
    One or more certificate chains were constructed successfully.
    Additional Details
    A total of 1 chains were built. The highest quality chain ends in root certificate CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE.
    Elapsed Time: 38 ms.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 5 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 1/21/2015 10:45:26 PM, NotAfter = 1/21/2016 10:45:26 PM
    Elapsed Time: 0 ms.
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
    Additional Details
    Accept/Require Client Certificates isn't configured.
    Elapsed Time: 158 ms.
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    Additional Details
    Elapsed Time: 277 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user [email protected].
    The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
    Additional Details
    An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
    HTTP Response Headers:
    request-id: d823479c-c259-4474-8b3f-df60b4898533
    X-CasErrorCode: UnauthenticatedRequest
    X-FEServer: BY2PR12CA0033
    Content-Length: 0
    Cache-Control: private
    Date: Mon, 02 Mar 2015 14:58:53 GMT
    Set-Cookie: ClientId=GILRU7BQ40ROHZE90FEIA; expires=Tue, 01-Mar-2016 14:58:54 GMT; path=/; secure; HttpOnly
    Server: Microsoft-IIS/8.0
    WWW-Authenticate: Basic Realm=""
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Elapsed Time: 276 ms.
    end
    I've enabled basic authentication on the RPC virtual directory on the Exchange CAS in IIS and then restarted IIS, as suggested in another forum (https://social.technet.microsoft.com/Forums/exchange/en-US/69d83444-0528-4e39-a5e9-eb9040501be1/remote-connectivity-analyzer-problem?forum=exchangesvr3rdpartyappslegacy)
    and am still getting the same results from the Remote Connectivity analyzer.
    On a side note, we have reviewed multiple Exchange Deployment Assistance, including the one that you referred to, and are attempting a cutover migration.

  • RDS 2012 R2 - RemoteApp - Certificate Mismatch

    Hi!
    We have a newly built RDS 2012 R2 setup.
    It consists of the following:
    1 x Server with the Gateway and the Web Access role
    2 x Servers running a Connection Broker HA cluster
    3 x Servers running as Session Hosts
    The internal domain name is example.local
    We have purchased a wildcard certificate for the entire setup. (called *.example.com)
    An external DNS record - RDS.example.com - has been created, and it is NATed to the Gateway and Web Access server.
    We have used the script from https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 to publish the FQDN. The name we have published is Broker.example.com. We have created a split-brain DNS internally so that the clients can resolve external names internally.
    Whenever we try to launch a RemoteApp externally we get the dreaded "Name mismatch" (and it takes about 30 seconds before we get the prompt):
    Any ideas how to solve this issue?

    Hi TP.
    Thank you for your advice.
    I've updated the Windows 7 client to RDP 8.1 and it did the trick! Thank you.
    But we have several external users - and we don't have any chance of controlling if they are running RDP 8.1. I tried to import the wildcard certificate to all RDSH servers using the script in this link: https://social.technet.microsoft.com/Forums/windowsserver/en-US/475fb55f-e394-45d9-a6bd-a37e2a5fe86c/rds-2012-session-host-certificate-assignment?forum=winserverTS
    However - that is when I see the "Name mismatch" warning when launching a RemoteApp (as mentioned in my original post). I suppose this is because the certificate is valid only for *.example.com - and not for *.example.local?
    Is there any solution to this?

  • 2012 RDS + Gateway Certificate and .local domains

    Can someone verify this is the correct process to stop all certificate errors. 
    RDS 2012 R2 deployment that is the following. 
    1 server with broker web and gateway roles installed. 
    3 session hosts. 
    Domain is a .local
    I want to stop all certificate errors. I have a certificate for the gateway/broker/web server gateway.xxx.com 
    I have had a look at the Change published FQDN for Server 2012 or 2012 R2 RDS Deployment script
    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    Do I just need to run this script on the gateway/broker/web server, and will this stop the mismatch errors for the session hosts?
    Thanks

    Does SSO not work on less than this as I have some XP clients and 8.1 is not available for them. 
    Hi,
    To support older clients you need to have the wildcard certificate set on the RDP-Tcp listener on all RDSH servers.  To do this you must import the certificate and its private key into the Local Computer\Personal store on each RDSH server, and then use WMI to set the certificate.  The below command should be run on each RDSH in an elevated command prompt after you have imported the certificate and its private key:
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"
    Substitute your certificate's thumbprint for the one shown above.
    Please note that you will not get the best experience with clients that are not at least RDP 8.0 capable, many features will not be available, and you may run into certain issues.  For XP you will want to install the RDP 7.0 client and make the registry changes on each client to enable CredSSP.
    Thanks.
    -TP
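    The procedure TP gives (import the certificate and its private key, then bind its thumbprint to the RDP-Tcp listener through WMI), combined with the name check that the RemoteApp thread above runs into (a *.example.com certificate does not cover session hosts named under example.local), as one added PowerShell example. This is not code from the thread or from Microsoft; the PFX path C:\certs\wildcard.pfx, the published name broker.example.com, the parameter names and the Test-DnsNameMatch helper are assumptions introduced here.

```powershell
<#
 Added example, not code from this thread. Assumptions: runs in an elevated
 PowerShell on each RDSH (2012 R2), the wildcard PFX is at C:\certs\wildcard.pfx
 (or pass -Thumbprint for a certificate already in Cert:\LocalMachine\My), and
 the name clients connect to after the "Change published FQDN" script is
 broker.example.com. All of those are placeholders.
#>
param(
    [string]$PfxPath,
    [string]$Thumbprint,
    [string]$PublishedFqdn = 'broker.example.com'
)

# Name matching as RDP clients apply it (RFC 6125 rules): an exact match, or a
# wildcard that sits only in the leftmost label and covers exactly one label.
# So *.example.com covers rds.example.com, but not rdsh01.example.local
# (different suffix) and not a.b.example.com (two labels under the wildcard).
function Test-DnsNameMatch {
    param([string[]]$CertNames, [string]$HostName)
    $hn = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($entry in $CertNames) {
        $name = $entry.ToLowerInvariant().TrimEnd('.')
        if ($name -eq $hn) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                      # ".example.com"
            if ($hn.EndsWith($suffix)) {
                $label = $hn.Substring(0, $hn.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# 1. Get the certificate, with its private key, into the machine store.
if ($PfxPath) {
    $pw   = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pw
} else {
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store; the listener cannot use it."
}

# 2. Check which names the certificate covers BEFORE binding it, so a .local
#    session host is caught here rather than by the user's "Name mismatch" prompt.
#    DnsNameList is the PowerShell 3.0+ type extension that lists the SAN dNSName
#    entries (or the subject CN when there is no SAN).
$certNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($target in @($localFqdn, $PublishedFqdn)) {
    if (Test-DnsNameMatch -CertNames $certNames -HostName $target) {
        Write-Host "OK: certificate covers $target"
    } else {
        Write-Warning "Certificate names [$($certNames -join ', ')] do not cover $target; clients connecting to that name will see a name mismatch."
    }
}

# 3. Bind the certificate to the RDP-Tcp listener. This is the PowerShell form
#    of the wmic command above; the TerminalServices namespace needs
#    packet-privacy authentication for writes.
$wmiArgs = @{
    Namespace      = 'root\cimv2\TerminalServices'
    Class          = 'Win32_TSGeneralSetting'
    Filter         = "TerminalName='RDP-Tcp'"
    Authentication = 'PacketPrivacy'
}
$listener = Get-WmiObject @wmiArgs
$listener.SSLCertificateSHA1Hash = $cert.Thumbprint
$listener.Put() | Out-Null

# 4. Read it back: the stored hash is the only evidence the change took.
$check = Get-WmiObject @wmiArgs
if ($check.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw 'Listener certificate was not updated.'
}
Write-Host "RDP-Tcp listener now presents $($cert.Subject) ($($cert.Thumbprint))"
```

    Run it once per session host. If the hash is set correctly but clients still get the self-signed certificate, check that NETWORK SERVICE (the account TermService runs as) has read access to the certificate's private key; importing a PFX as an administrator does not grant that automatically. The name check is the part worth keeping even if you bind the certificate some other way: it tells you up front whether the wildcard you bought can ever match the name the client will use.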

  • Best practice for licence server for RDS Farm & Certificate errors

    Hello,
    I am in the process of creating an RDS farm using Server 2008 R2.  I have three Session Hosts and a Connection Broker.
    I have a set of 10 user CALs available and also another 20 on our current RDS server which will need migrating once we go live with the farm.
    I understand the User CALs need to be installed on another Server 2008 R2 and I am wondering what is best practice.  We are running on an entirely virtual environment and it would be simple enough to create another server and install the CALs on there. 
    The only issue with that is that I would need to create a replica of this new machine for DR purposes, but this would take up valuable space which may not be necessary.
    We are planning on creating replicas of one of the Session hosts and the broker for DR, so I am guessing I would need to install some CALs on the Session Host which is going to be replicated.
    There are a few options and I am just wondering what is the best way to go about things.
    Also, as an aside, I am getting an annoying certificate error each time I log a test user onto the RDS farm - I think this is because I am using the DNS alias of the RDS Farm to log on. Is there an easy way to get around this, other than the 'Do not show this message again'? I have been doing some research and the world of Certificates is very confusing!!
    Thanks,
    Caroline
    C.Rafferty

    Hi Caroline,
    Firstly, for your licensing issue, you can perform the steps on any VM, or you can create the new VM as a replica of the RDSH server. But please be sure that you have installed the RD Licensing role on it, activated it, and then installed the RDS CALs on it. To be safe, if possible, do not install RD Licensing on the same server as the RDCB; keep it separate. You can also install RD Licensing on the AD server, or make a replica of that and install RD Licensing on it.
    Best practices for setting up Remote Desktop Licensing (Terminal Server Licensing) across Active Directory Domains/Forests or Workgroup
    http://support.microsoft.com/kb/2473823
    What is the specific certificate error you are receiving?
    If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA. In the meantime, you can refer to the blog below for insight into the certificate requirements.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • RDS 2012 - Certificates

    Hi all,
    This is my setup :
    RDS 2012 R2
    Two connection brokers set up in HA: FQDN = RDCB.Internaldomain.com
    Two Web Access servers for internal users, set up with DNS Round Robin so I can have basic HA: FQDN = InternalWA.internaldomain.com
    Two Gateway servers in HA: FQDN = RemoteGW.InternalDomain.com
    Both Gateway servers have RD Web Access installed and use DNS Round Robin to have basic HA: FQDN = RemoteWA.ExternalDomain.com
    My company will not approve having a trusted wildcard certificate. So, in the “Edit Deployment Wizard”, I was thinking of deploying one public (and trusted) SAN certificate containing all the above FQDNs to all the Role Services (RD Connection Broker - Single Sign-on, RD Connection Broker - Publishing, RD Web Access and RD Gateway).
    Will this be ok or do I need to add other FQDNs to the certificate (for example the FQDN of all the Session Host servers)?
    Best regards,
    Jesmat.

    Hello,
    In your FQDNs, did you forget to add a "."? RDCB.Internaldomain.com and RemoteWA.ExternalDomain.com are 2 different domain names.
    The SAN option, I think, will not be viable here, except if you use self-signed for your internal connection and the SAN for the external one.
    Refer to: http://en.wikipedia.org/wiki/Wildcard_certificate
    But I cannot confirm that the SAN certificate will be allowed on the gateways.
    Hope it helps 
    Fred
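    For the approach Jesmat asks about (one public SAN certificate carrying every role-service name instead of a wildcard), here is an added PowerShell example that builds a certreq.exe request file listing those names as dNSName entries and generates the CSR. It is not code from the thread; the four names are the ones in Jesmat's post, while the output paths under C:\certs, the choice of RemoteWA.ExternalDomain.com as the subject CN and the key settings are assumptions made here.

```powershell
<#
 Added example, not from the thread. Produces a PKCS#10 request for a single
 SAN certificate so it can be submitted to a public CA. Names come from the
 question above; paths, CN choice and key parameters are assumptions.
#>
$names = @(
    'RemoteWA.ExternalDomain.com',    # external RD Web Access / Gateway name, used as CN
    'RemoteGW.InternalDomain.com',
    'RDCB.Internaldomain.com',
    'InternalWA.internaldomain.com'
)
$inf = 'C:\certs\rds-san.inf'
$req = 'C:\certs\rds-san.req'

# certreq .inf format: the SAN extension is OID 2.5.29.17, written as
# "{text}" followed by one "_continue_" line per dns= entry. KeySpec=1 with
# MachineKeySet=TRUE puts the key in the machine store, which is where the
# RDS roles (and a WMI listener binding) look for it. Exportable=TRUE is
# needed because the same certificate has to be carried to every broker,
# web access and gateway server in the deployment; treat the resulting PFX
# as a secret and delete copies once imported.
$lines = @(
    '[NewRequest]'
    "Subject = ""CN=$($names[0])"""
    'KeyLength = 2048'
    'KeySpec = 1'
    'KeyUsage = 0xA0'          # digitalSignature + keyEncipherment
    'MachineKeySet = TRUE'
    'Exportable = TRUE'
    'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"'
    'RequestType = PKCS10'
    'HashAlgorithm = sha256'
    ''
    '[EnhancedKeyUsageExtension]'
    'OID = 1.3.6.1.5.5.7.3.1'  # serverAuth
    ''
    '[Extensions]'
    '2.5.29.17 = "{text}"'
)
foreach ($n in $names) {
    $lines += "_continue_ = ""dns=$n&"""
}

New-Item -ItemType Directory -Force -Path (Split-Path $inf) | Out-Null
Set-Content -Path $inf -Value $lines -Encoding ASCII

# Generate the key pair in the machine store and write the CSR to $req.
& certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
Get-Content $req
```

    Submit the .req to the CA, then run `certreq -accept` with the issued certificate on the same machine that generated the request (the private key only exists there), and use Export-PfxCertificate to move it to the other servers. One caveat a practitioner will hit: a public CA will only put names in the SAN for domains you can prove you control, so every entry must be a registered, publicly resolvable name; internal-only suffixes such as .local cannot be included, which is exactly the gap the wildcard threads above run into.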
