Standard or UUC/SAN certificate for RDS

I successfully deployed RemoteApp using a self-assigned certificate.
Now it is time to replace it with a trusted one.
From what I found, a UUC/SAN certificate will allow me to secure subdomains, unique domains and websites.
My RDS deployment is limited to one domain only.
Does a wildcard certificate mean that during certificate creation on a trusted site (e.g. GoDaddy) I will have an option to enter
*.my_domain.com for a subject and then use it for any RDS server?
So it will be just a standard certificate with a wildcard.
"When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

Hi,
If you plan to have RD Connection Broker, RD Gateway, RD Web Access all on the same server you can purchase a single-name certificate, which is much cheaper than a wildcard.
If you need a wildcard then you would purchase a wildcard certificate from the public authority, create your certificate request with a Common Name of *.domain.com, submit this to the authority, and then complete the request with the response.
For example, on your RD Web Access server you could open IIS Manager, select the server name in the left pane, double-click on Server Certificates in the middle, click Create Certificate Request.  Fill out the information, select 2048 bits, etc., save as a file.  Open the file in Notepad, copy the request, then paste it into the appropriate box in the trusted authority's web site.
The public certificate providers have step by step instructions for creating a request for an IIS website and installing the resulting response.  You can usually follow those if you are unsure.
Once you have your certificate installed on your RD Web server, open up certlm.msc, navigate to the Personal store, right-click on the certificate and export it and its private key as a .pfx file.  This is what you will use to apply the certificate in Server Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab.  You apply the certificate to 1 purpose at a time until you have all four purposes set to your new wildcard certificate.
-TP
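The request, submit, export and apply sequence TP describes can also be driven from PowerShell, which makes the SHA-256 request signature, the 2048-bit exportable key and the wildcard SAN explicit instead of relying on the IIS wizard defaults. The following is an added example, not code from this thread; it assumes Windows PowerShell run elevated on the RD Web Access server, the RemoteDesktop module that ships with the RDS role (for Set-RDCertificate and Get-RDCertificate), and uses *.example.com, Example Org, rdcb.example.com and C:\certs as placeholders for your own names and paths.

```powershell
# Added example, not code from the original thread. Assumes Windows PowerShell run elevated
# on the RD Web Access server and the RemoteDesktop module. All names and paths below are
# placeholders.

function New-WildcardCertificateRequest {
    param(
        [string]$DnsWildcard  = '*.example.com',   # placeholder
        [string]$Organization = 'Example Org',     # placeholder
        [string]$WorkDir      = 'C:\certs'
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $apex = $DnsWildcard.TrimStart('*').TrimStart('.')   # "*.example.com" -> "example.com"
    # certreq template: 2048-bit exportable RSA key in the machine store, SHA-256 on the
    # request, Server Authentication EKU, and a SAN listing the wildcard plus the apex
    # (a wildcard matches host.example.com but never example.com itself).
    $inf = @"
[NewRequest]
Subject = "CN=$DnsWildcard, O=$Organization"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DnsWildcard&"
_continue_ = "dns=$apex&"
"@
    Set-Content -Path "$WorkDir\wildcard.inf" -Value $inf -Encoding ASCII
    # Creates the key pair and writes the PKCS#10 request; paste wildcard.req into the CA's form.
    certreq.exe -new "$WorkDir\wildcard.inf" "$WorkDir\wildcard.req"
    return "$WorkDir\wildcard.req"
}

function Install-RdsWildcardCertificate {
    param(
        [string]$ResponsePath     = 'C:\certs\wildcard.cer',   # the CA's signed response
        [string]$DnsWildcard      = '*.example.com',
        [string]$ConnectionBroker = 'rdcb.example.com',        # placeholder
        [string]$PfxPath          = 'C:\certs\wildcard.pfx'
    )
    # Binds the issued certificate to the pending private key in LocalMachine\My.
    certreq.exe -accept $ResponsePath
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject.StartsWith("CN=$DnsWildcard") -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "Issued certificate for $DnsWildcard not found in LocalMachine\My" }
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
    # Same PFX for all four deployment purposes, applied one role at a time.
    foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
        Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $pfxPassword `
            -ConnectionBroker $ConnectionBroker -Force
    }
    # Each role should now show the wildcard subject with Level = Trusted.
    Get-RDCertificate -ConnectionBroker $ConnectionBroker
}

# Step 1 now; step 2 once the CA has returned wildcard.cer:
# New-WildcardCertificateRequest
# Install-RdsWildcardCertificate
```

The four -Role values are the four purposes on the Certificates tab: RDRedirector is "RD Connection Broker - Enable Single Sign On", RDPublishing is "RD Connection Broker - Publishing", and RDWebAccess and RDGateway are the remaining two. Exportable = TRUE is needed because the PFX must carry the private key; once the roles are set, the exported file and its password should not stay in a shared location.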

Similar Messages

  • How to create a SHA256 SAN Certificate for Exchange

    Dear.
    When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
    It seems that it's not possible to do this through the New-exchangecertificate.
    Do you know the alternative command when using certreq for the following Exchange command:
    New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com') -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048'
    Thanks for the feedback.
    Regards.
    Peter
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Peter,
    There is no parameter in New-ExchangeCertificate to select the hash algorithm (Secure Hash Algorithm (SHA)) used to generate the request. In my opinion, we can create the certificate signing request using the Certificates MMC and then create a custom request as follows:
    1. Open MMC.exe. Click File > Add/Remove snap-in…
    2. In the Available snap-ins tab, select Certificates > Add > Computer account > Local computer > Finish.
    3. Expand Certificates (Local Computer) > Personal > Certificates.
    4. In the Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.
    5. Click Next > Proceed without enrollment policy > Next > Next.
    6. In the Certificate Information page, click Details > Properties.
    7. Then you can fill in the needed information for your request.
    8. In the Private Key tab, expand Select Hash Algorithm and set the Hash Algorithm to sha256.
    9. Click OK > Next. Fill in File Name and select the request location.
    10. Finish it and send this request to the certificate authority.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Help needed with certificates for RDS Host servers

    Hi,
    We currently have 4 RD Session Host servers in our network. All four servers are members of a TS farm. We also have a TS Gateway server.
    I managed to give the TSGW server a certificate but I need your support on this for the RDS servers.
    What happens?
    When a user connects to the farm, a warning pops up telling me that the certificate is not issued by a trusted CA. This is because all RDS servers are using self-signed certificates. Because the servers are farm members a user can be presented with this warning several times when the session is being redirected.
    How do I get rid of these warnings both in our LAN and on the internet? What certificate type do I need?
    Thanks in advance.
    Jasper Kimmel

    Hi Jasper,
    What is your server OS for your environment?
    Yes, all your certificate-related warnings will disappear if you purchase the certificate from a public CA. To access the farm from outside the environment you can buy a wildcard certificate. And yes, all your related queries will be answered by the article provided in my previous comment.
    The easiest way to get a certificate, if you control the client machines that will be connecting, is to use Active Directory Certificate Services.  You can request and deploy your own certificates and they will be trusted by every machine in the domain.
    If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA.  Examples include, but are not limited to: GoDaddy, Verisign, Entrust, Thawte, DigiCert.
    In Windows 2008/2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, next to the connection broker and finally to the server that will host your session.
    In Windows 2012, you connect to the Connection Broker and it routes you to the collection by using the collection name.
    The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.  So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers in the collection.  The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to.  If you have users connecting externally, this needs to be an external name (needs to match what they connect to).  If you have users connecting internally to RDweb, the name needs to match the internal name.  For Single Sign On, again the subject name needs to match the servers in the collection. (Quoted from previous article).
    Apart from that, there is one more article by Kristin you can go through for reference.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].

  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to the certificate planning for Lync 2013 Edge Server.
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN for both my edge server and the reverse proxy?
    My second question is about the names that should be added to the certificate:
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    What else should I add? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network.  Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Adobe 6.0 Standard - reissue of signing certificate for signing

    I have a problem where an employee re-applied for their PKI (Private Key Identifier) used for signing. They were having problems with their card and needed a new one.
    Now all of the old documents that were once certified and signed, Adobe says under Signature Properties: Document certification is INVALID
    - The document has not been modified since it was certified
    - The signer's identity is invalid because the signer's certificate has been revoked
    How do I handle lost or stolen PKI cards, or employees who have left the company? We handle all certificate authentication internally. What becomes of all the old documents that no longer have valid signatures? Is there a way to recognize the old certificates as valid?

    Possibly when applying for the PKI again you have the choice of whether the old one is revoked. If, for instance, it is based on a password that has been exposed, or a hardware card that is lost, it is very important that ALL documents be revoked, because there is no way to tell the difference between those validly signed, and those later fraudulently signed.
    Hopefully someone else will have more specific advice for this case.
    Aandi Inston

  • Certificate setup RDS 2012 R2

    Hi,
    I have set up an RDS 2012 R2 deployment for internal use. I plan to add a gateway server cluster for external access later (RDGW). That cluster will be placed in the DMZ and use a public wildcard cert. It will connect external users to the farm. Internal or Direct Access (DA) users will use the Web Access servers to connect internally in the corp. LAN.
    For now, I have the following setup. Web Access role on 2 servers with DNS RR (RDWA). 2 clustered Connection Broker servers (RDCB), two Session Hosts (RDSH) and one licensing server. So a total of 7 servers (+ 2 RDGW servers in the DMZ that are not set up yet).
    So, the issue is: I need to set up certificates. We have a CA in an AD top domain (our site is a sub.domain.com). We do not have access to that CA and need to order certs. from our corp. HQ. OK, but what do I ask for? I need 3 DER encoded binary X.509 certs. That's the info I have. How can I create a cert. request? See pictures below.
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    Thank you for your posting in Windows Server Forum.
    Can you tell us exactly which certificate you want for your network (self-signed or SSL)?
    My suggestion is that you use a wildcard or SAN certificate for your network, which can be used for the external network as well.
    If you want a self-signed certificate for internal use, you can create the certificate from the Deployment Properties of the RDS page or from IIS Manager as per the path below.
    IIS Manager > Server Certificates > Create Self-Signed Certificate > Export the certificate to a specified location, then select the certificate in the RDS installation process.
    But note that the certificate is installed into the computer's "Personal" certificate store with its corresponding private key, and it is added under Trusted Root Certification Authorities.
    Please check below articles for detail.
    1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    2. Configuring RDS 2012 Certificates and SSO
    3. Minimum Certificate Requirements for Typical RDS implementation
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • GoDaddy SAN certificate untrusted on clients

    I have requested, downloaded and installed a GoDaddy SAN certificate for my Lync server(s).
    If I apply the certificate and try to log into Lync 2010 on a new client I get "there was a problem verifying the certificate from the server".
    If I install the GoDaddy intermediate certificate into the Trusted Root Certification Authorities store on the Windows 7 client it works OK.
    I assumed Windows 7 clients would automatically trust GoDaddy as a certificate authority...?
    ***Don't forget to mark helpful or answer***

    This issue occurs when the correct certificate is not installed on the computer.
    Because 1,024-bit certificates are rooted to 2,048-bit certificates, you may have to download and install the required root certificate before you can successfully sign in to Office Communicator or to Lync.
    You can also refer to the link below:
    http://support.microsoft.com/kb/2014466
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
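The poster's workaround, importing the GoDaddy intermediate into Trusted Root on each client, hides the underlying problem: a client that carries only GoDaddy's root cannot complete the chain unless the server sends the intermediate in its handshake. As an added example (not code from this thread), the following PowerShell, run elevated on the server presenting the SAN certificate, builds the chain from the certificate in the machine store and lists intermediates that were filed in the wrong store; the thumbprint and file path are placeholders.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell run elevated on the
# Lync (or any Schannel) server; thumbprint and file path are placeholders.

function Test-ServerCertificateChain {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Chain completeness is the question here; revocation is checked separately so an
    # unreachable CRL does not mask a missing intermediate.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        ChainBuilt = $built
        # Leaf first, then each intermediate, then the root. A leaf-only list together
        # with a PartialChain status means there is no intermediate to send to clients.
        Elements   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status     = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

function Get-MisplacedIntermediates {
    # A certificate whose Subject differs from its Issuer is not a root. Intermediates filed
    # under Trusted Root instead of Intermediate Certification Authorities are a known cause
    # of chain-building and Schannel handshake errors.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint
}

# Usage (placeholders):
# Test-ServerCertificateChain -Thumbprint '<THUMBPRINT-OF-YOUR-SAN-CERT>'
# Get-MisplacedIntermediates
# The CA's intermediate belongs in the server's CA store, not in Root and not on each client:
# Import-Certificate -FilePath 'C:\certs\ca_intermediate.crt' -CertStoreLocation Cert:\LocalMachine\CA
```

ChainBuilt = False with PartialChain in Status and only the leaf under Elements means the intermediate is missing on the server; importing it into Cert:\LocalMachine\CA fixes the handshake for every client that trusts the GoDaddy root, with no per-client change. If the server has outbound HTTP access, Build may complete the chain by AIA download even though the intermediate is not in the local store, so when Elements shows a full chain also confirm the intermediate is present in the CA store. Anything returned by Get-MisplacedIntermediates should be moved from Root to CA.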

  • Office Web Apps Server Certificate For External

    Hi guys,
    I am requesting a DigiCert certificate for my environment Exchange 2013.
    Can I include the SAN name for the Office Web Apps server, such as externalowa.domain.com, in the Exchange-generated certificate?
    In theory it seems logical, but I am kind of uncertain.
    Thanks and Regards,
    Low.

    Hi Nithyanandham,
    Thanks for the prompt reply
    I will just list what I did, to be clearer.
    I generated a CSR from Exchange 2013 with the following:
    Webmail.domain.com - for Outlook Web Access, Outlook Anywhere, ActiveSync
    Autodiscover.domain.com - for AutoDiscover purposes
    Can I include externalowa.domain.com, which is for the Office Web Apps server?
    The reason is that the Exchange server and the Office Web Apps server are located separately. Am I doing this the correct way?
    Thanks and Regards,
    Low

  • New server and/or CA certificate for connection from custom authentication

    We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
    I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
    My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
    Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
    Relevant things I've tried so far:
    Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
    Import the IPS CA into the web server cert8 style db via the web admin server.
    The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
    Part of the stack:
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
    The relevant bit of code from SecureURL.retrieve looks as follows:
        URL u = new URL(url);
        if (!u.getProtocol().equals("https"))
            throw new IOException("only 'https' URLs are valid for this method");
        URLConnection uc = u.openConnection();
        uc.setRequestProperty("Connection", "close");
        r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
        String line;
        StringBuffer buf = new StringBuffer();
        while ((line = r.readLine()) != null)
            buf.append(line + "\n");
        return buf.toString();
    } finally { ...
    The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
    Thank you very much for any insights and help,
    Ethan

    I thought since this has had a fair number of views I would give an update.
    I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
    certutil: certificate is valid
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    certutil: certificate is invalid: Certificate type not approved for application.
    root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
    root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    FSU Wildcard Certificate : Certificate type not approved for application.
    So it could be that I don't understand how to use certutil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
    BTW for those interested, it did seem to be the case that when the certificate failure occurred the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out a malformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way, exposing sensitive information to the network.
    This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
    After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.

  • BSR code on TDS Certificate for Customer and vendor in india

    Hi
    We have a requirement to print the BSR code on TDS Certificates for customers and vendors in India.
    Currently the BSR code for customer TDS certificates is picked up from the Bank branch (BNKA-BRNCH) field and for vendor TDS certificates it is picked up from the Bank Key field.
    There is 3rd party software running monthly to update the BNKA table, so we are not following the standard process and we implemented other options to pick up the BSR code for TDS certificate printing for vendors/customers.
    For vendor TDS certificates, we implemented SAP notes 1299729 & 1338645 to print the BSR code from the Tax Number1 (T012-STCD1) field and it is working fine.
    For customer TDS certificates we also want the program to pick up the BSR code from the Tax Number1 (T012-STCD1) field.
    Please let me know whether there are any other SAP correction Notes available to print the BSR code on customer TDS certificates from the Tax Number1 (T012-STCD1) field.
    Thanks
    Risha


  • Is it possible to use single ssl certificate for multiple server farm with different FQDN?

    Hi
    We generated the CSR request for a VeriSign Secure Site Pro certificate
    SSL Certificate for cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the VeriSign certificate and configured ACE-20 accordingly for ssl-proxy and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we are trying to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service but we are getting this message in the certificate status: "you are connected to abc.com which is run by unknown"
    And the same message when trying to access https://www.abc.com from Google Chrome.
    "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
    So I know that as this certificate is for cn=abc.com, that is why we are getting such errors/status in the SSL certificate.
    Now my question is:
    1. Is it possible to remove the above errors by doing some SSL configuration on ACE?
    2. OR do we have to go for a VeriSign Wildcard Secure Site Pro Certificate, for the CSR generated using cn=abc.com, to be installed on ACE and used for all servers like www.abc.com, a.abc.com etc.?
    Thanks
    Waliullah

    If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't because your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.
    Hope this helps,
    Sean

  • Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?

    I've read this TechNet article, but I couldn't understand the required values of SubjectAltName.
    https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
    For example, if I build the following servers, what SANs are needed?
    I would be happy if you could also tell me why.
    [ServerNames]
     AD DS Server:DS01
     AD FS Server:FS01
     Web Application Proxy Server:PRX01
     SharePoint Server(WFE):WFE01
     SharePoint Server(APL):APL01
     SQL Server:DB01
    [AD DS Domain Name]
     contoso.local
     (Please be assumed that above all servers join this domain)
    [Site collection strategy]
     using a host-named site collection
    [Primary web application URL]
     https://sps.contoso.com
    Thanks.

    Hi,
    From your description, my understanding is that you have some doubts about SAN.
    If you have a SAN, you can leverage it to make SharePoint a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. You could refer to this blog:
    http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san. You could find what a SAN needs from the part "Some SAN Basics" in this blog.
    These articles may help you understand SAN:
    https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
    http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
    http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
    Best Regard
    Vincent Han
    TechNet Community Support

  • The certificate for this server is invalid

    Hi can anyone help?  I get a message "cannot connect to iTunes Store" when selecting App Store on my iPod.  Also if I try iTunes icon, I get "the certificate for this server is invalid.  You might be connecting to a server that is pretending to be "itunes.apple.com" which could put your confidential information at risk"
    The steps I have taken so far: connected to PC and updated software to iOS 6.1.3 (worked fine on PC)
    Checked WiFi connection (fine)
    Checked other Apple products are working fine (yes)
    Checked I am logged into Apple ID (yes)
    Is there anything else I'm missing ??
    Thanks aliian

    Thanks to those contributing this fix -- had this issue on my son's iPad mini and was going crazy trying to figure it out!!
    To answer the question of why this causes an issue: this is part of the standard security features of the internet - when you connect securely to a server (as the i-devices do when accessing itunes), it has an SSL Certificate which has an expiry date on it -- the device checks the certificate to try and make sure you aren't getting duped by an out of date certificate, and if your date is set too far in the future (my son's was in 2019!) then it looks like the expiry date is in the past and it won't let you connect..
    Cheers!

  • Accepted domains in Exchange SAN certificate

    Hi All,
    I have a few queries; please clarify them for me.
    In my environment, I have the accepted domains list below:
    xyz.com
    abc.com
    All the users in my organisation have the primary SMTP address [email protected] and the secondary SMTP address [email protected]
    In my SAN certificate I do not have any of the above-mentioned accepted domains.
    Do I need to have all the accepted domains on the SAN certificate, or is only the primary SMTP address domain suffix enough?
    If I don't have any of my accepted domain suffixes in the SAN certificate, what will happen? I am asking because I am not getting any certificate-related errors.
    As additional info, we are using a single namespace for Exchange services like OWA, ActiveSync, POP/IMAP and Outlook Anywhere (both internal and external), and that name is available in my SAN certificate.
    The Autodiscover namespace is also included in my SAN certificate.
    Thanks S.Nithyanandham

    Hi Imkottees,
    Thanks a lot for your immediate response.
    But still I have some queries; please explain what you are trying to say in this line:
    "But you need this for all Primary domains used in your environment"
    Regards
    S.Nithyanandham
    Thanks S.Nithyanandham

  • Certificate Mismatch RDS Session Host

    I've been banging my head against this for the last few days. I have a server 2012 remote desktop setup as follows:
    1 Gateway Server
    1 RD Web Access Server
    1 Session Broker, which is also a session host
    1 Additional Session host
    I'm using RemoteApp to publish applications rather than desktops. I've got a wildcard certificate for the external domain, which works fine for the gateway and web access server; the problem comes with the session hosts, which are giving me a certificate mismatch error because connections are made to the internal name (which is a .local address) which obviously does not match the external certificate.
    I have a DNS zone for the external name set up on this domain, so that machines can be resolved by internal or external names.
    I've made some progress by following the steps here - http://serverfault.com/questions/524092/rds-rdweb-and-remoteapp-how-to-use-public-certificate-for-launching-apps-on-s, and things now work fine if I only have the session host that is also the broker enabled. Once I add the second session host, any requests that go to that get the certificate error. Connections to the first session host still work fine.
    Does anyone know a way to have requests be made to the external name of the session host?

    Hi,
    1. After making the DNS change, did you flush the DNS cache on the RD Gateway server?  Or even better restart the whole server?
    2. Do you have DNS round robin for any of the other servers in your deployment?  You should not.  Additionally, do you have any NLB or other hardware/software load balancing solution in place?
    3. To make sure I have the facts correct, please let me know if the following items are correct:
    a. You are launching a RemoteApp from within RD Web Access using IE running on a Windows 8 PC
    b. When you launch a RemoteApp, the prompt has the following on it (for Calculator in this example):
    Publisher: *.domain.com
    Type: RemoteApp program
    Path: calc
    Name: Calculator
    Remote computer: rdbroker.domain.com
    Gateway server: gateway.domain.com
    c. After clicking Connect it goes through several status messages and then you get a Certificate error saying essentially:
    Name mismatch
         Requested remote computer:
         rd02.domain.local
         Name in the certificate from the remote computer:
         *.domain.com
    Certificate errors
      The following errors were encountered while validating the remote
      computer's certificate:
         The server name on the certificate is incorrect.
    d. In Deployment Properties, RD Gateway tab, Bypass RD Gateway server for local addresses is unchecked.
    4. Do you have multiple configured network cards in each server, or just a single NIC that has an ip address?
    5. Have you modified the default firewall configuration of your servers?  In other words, can I assume they are on the same subnet and are able to communicate with each other in the default domain configuration, or have changes been made and/or is there a third-party firewall software or device in place that could be affecting things?  I ask because normally the broker will authenticate the destination server using Kerberos and if something interferes with this you can get unexpected errors.
    I believe you are close to solving this now.
    Thanks.
    -TP
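The "Name mismatch" prompt TP reproduces above (requested rd02.domain.local, certificate *.domain.com) and the abc.com versus www.abc.com warning in the "single ssl certificate for multiple server farm" thread are the same hostname-matching rule at work, and Sean's advice that a wildcard is the fix holds only within the limits of that rule. As an added example, not code from either thread, the following PowerShell applies the rule offline to those names and can also fetch the certificate an RD Web Access or RD Gateway listener presents on 443 and report which requested names it covers. It assumes Windows PowerShell 5.1 (the SAN extension text it parses is the Windows rendering) and uses placeholder host names.

```powershell
# Added example, not code from either thread. Assumes Windows PowerShell 5.1; host names are
# placeholders. The matching rule is the one browsers and the RDP client apply (RFC 6125):
# a wildcard covers exactly one leftmost label, never the apex and never a deeper name.

function Test-NameMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    if ($p -eq $h) { return $true }
    if (-not $p.StartsWith('*.')) { return $false }
    $suffix = $p.Substring(1)                          # "*.abc.com" -> ".abc.com"
    if (-not $h.EndsWith($suffix)) { return $false }
    $leftmost = $h.Substring(0, $h.Length - $suffix.Length)
    return ($leftmost.Length -gt 0 -and -not $leftmost.Contains('.'))
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Windows renders the extension as one "DNS Name=<value>" per line.
        $names += ($san.Format($true) -split '\r?\n') |
            ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } }
    }
    # Clients fall back to the CN only when there is no SAN at all, so do the same here.
    if ($names.Count -eq 0) {
        $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($cn) { $names += $cn }
    }
    return $names
}

function Test-CertificateCoversName {
    param($Cert, [string[]]$RequestedNames)
    $dns = Get-CertificateDnsNames $Cert
    foreach ($n in $RequestedNames) {
        [pscustomobject]@{
            RequestedName    = $n
            Covered          = (@($dns | Where-Object { Test-NameMatch $_ $n }).Count -gt 0)
            CertificateNames = ($dns -join ', ')
        }
    }
}

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port = 443)   # RD Web Access / RD Gateway listen on 443
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here purely to retrieve the leaf for inspection; the name verdict
        # comes from Test-CertificateCoversName and chain trust is a separate check.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# Offline checks with the names that appear in the two threads (no network needed):
Test-NameMatch 'abc.com'      'www.abc.com'        # single-name cert: host names under it are not covered
Test-NameMatch '*.abc.com'    'www.abc.com'        # one label under the wildcard is covered
Test-NameMatch '*.abc.com'    'abc.com'            # the apex is never covered by a wildcard
Test-NameMatch '*.domain.com' 'rd02.domain.local'  # the session-host mismatch from the thread above
Test-NameMatch '*.domain.com' 'a.b.domain.com'     # two labels: not covered

# Live check against RD Web Access / RD Gateway (placeholder host names):
# Test-CertificateCoversName (Get-RemoteTlsCertificate 'rdweb.example.com') 'rdweb.example.com', 'gateway.example.com'
```

The live check reads only name coverage: the callback that accepts any chain exists so the leaf can be retrieved, and chain trust should be verified separately. A session host's RDP listener on 3389 is not a plain TLS endpoint, so for the rd02 case take the certificate from that host's Cert:\LocalMachine\My (or "Remote Desktop") store and pass it to Test-CertificateCoversName together with the name the broker hands to the client; a Covered = False row for the .local name is exactly the prompt the poster is seeing.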
