Wrong certificate in RDS Deployment 2012 R2

Similar Messages

• RDS Gateway 2012, RemoteApp Displays "A Revocation check could not be performed for the Certificate" via RDWEB

  I have searched through the forums and there are a number of posts that are similar but all the checks they list seem to not apply to this one.
  My current setup is as follows
  All Servers are 2012 R2
  1 x DC server
  1 x RDS Gateway server with RDS Web installed
  1 x Session Host Server
  Certificate supplied by godaddy with 5 names. (included is the name of the RDS Gateway/Web server in the certificate, the internal name of the session host server is not included as the internal names are differnet to the external)
  My tests are as follows
  Navigating to the RDSWEB page from a machine inside the same network (windows 7 sp1) but not on the same domain is fine no errors and logging in and launching any published application is fine with no errors.
  However logging in on another machine that is external from the network (windows 7 sp1) is ok up to the point of launching any of the published apps I get the error about ""A Revocation check could not be performed for the Certificate". this
  prompts twice but does allow you to continue and login and use the app till the next time. If I view the certificate from the warning message all appears to be ok with all certs in the chain.
  I have imported the root and intermediate certs to each of the gateway/rdsweb server and session host server into the computer cert store just to be on the safe side. This has not helped, I have also run the following command from both windows 7 machines
  with no errors on either
  certutil -f –urlfetch -verify c:\export.cer
  I cant seem to see where this is failing and I am beginning to think there is something wrong with godaddy cert itself somehow.
  If I skip rdsweb and just use MSTSC with the gateway server settings then I can login to any machine on the network with no errors so this is only related to launching published apps on the 2012 R2 RDWEB or session host servers.
  Any help appreciated

  Hi,
  1. Please make sure the client PCs have mstsc.exe (6.3.9600) installed.
  2. If you are seeing a name mismatch error, you can set the published name via this cmdlet:
  Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
  http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
  To be clear, the above cmdlet changes the name that shows up next to Remote computer on the prompt you see when launching a RemoteApp.  You should have a DNS A record on your internal network pointing to the private ip address of your RDCB server. 
  Additionally, in RD Gateway Manager, Properties of your RD RAP, Network Resource tab, you should select Allow users to connect to any network resource or if you choose to use RD Gateway Managed group you will need to add all of the appropriate names to the
  group.
  For example, when launching a RemoteApp you would see something like Remote computer: rdcb.domain.com and Gateway server: gateway.domain.com .  Both of these names need to be on your GoDaddy certificate.
  Please verify the above and reply back so that we may assist you further if needed.  It is possible you have an issue with the revocation check but I would like you to make sure that the above is in place first.
  Thanks.
  -TP
  Thanks for the response.
  To be clear I am only seeing a name mismatch and revocation error if I assign a self signed cert to the session host as advised earlier in the thread by "Dharmesh Solanki", if I remove this and assign the 3rd party certificate I then
  just get the revocation error , I have already ran the powershell to change the FQDN's but this has not resolved the issue although the RDP connection details now match the external url for RDWEB when looking at one of the remoteapp files. The workspace
  ID still shows an internal name though inside this same file. 
  RD Gateway is already set to connect any resource, when connecting using remote app both names (RDCB/RDGateway) show as being correct and are contained within the same UCC certificate. I also already have a DNS entry for the Connection broker pointing to
  the internal ip.
  Do you know if the I need the internal name of the session host servers contained within the same UCC certificate seeing as they are different fqdn's than what I am using for external access ? I resigned the UCC certificate and included the internal name
  of the session host server to see if this would help but for some reason I am still seeing the revocation error. I will check on a windows 8 client pc this evening to see if this gets any further as the majority of the testing has been done on windows 7 sp1
  client pc's
  Thanks

• Certificate setup RDS 2012 R2

  Hi,
  I have set up an RDS 2012 R2 deployment for internal use. I plan to add a gateway server cluster for external access later (RDGW). That cluster will be placed in DMZ and use a public wildcard cert. It will connect external users to the farm. Internal or
  Direct Access (DA) users will use the Web Access servers to connect internally in the corp. LAN.
  For now, i have the following setup. Web Access role on 2 servers with DNS RR (RDWA). 2 clustered Connection Broker servers (RDCB), two Session Hosts (RDSH) and one licesning server. So a total of 7 servers (+ 2 GRGW servers in DMZ that are not set up
  yet).
  So, the issue is; I need to set up certificates. We have a CA in an AD top domain (our site is a sub.domain.com). We do not have access to that CA and need to order certs. from our corp. HQ. Ok, but what do i ask for? I need 3
  DER encoded binary X.509
  certs. That's the info i have. How can create a cert. request? See pictures below.
  This posting is provided "AS IS" with no warranties or guarantees and confers no rights

  Hi,
  Thank you for your posting in Windows Server Forum.
  Can you exactly let us know which certificate you want for your network (Self-signed or SSL)?
  As per my suggestion you can use wildcard or SAN certificate for your network which can be used for external network also. 
  If you want Self-signed certificate for internal use, you can create the certificate from Deployment properties of RDS page or IIS Manager as per below path.
  IIS Manager>Server Certificate>Create Self-Signed Certificate>Export the certificate on specified location then select the certificate in RDS installation process.
  But see that, the certificate is installed into computer’s “Personal” certificate store with its corresponding private key & it’s added under trusted root certificate authority.
  Please check below articles for detail.
  1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
  2. Configuring RDS 2012 Certificates and SSO
  3. Minimum Certificate Requirements for Typical RDS implementation
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• 2012 r2 rds deployment cannot connect to sql server after reboot

  We have a ha connection broker setup with 2 connection brokers and everything was working fine up untill the servers were rebooted for updates. Now users cannot connect to thier collections and I have an error in the event log that the deployment could not
  connect to the sql database.
  at this point I am assume that the issue is related to security. I am able to query the database as admin from the effected servers and other services that use other databases in the same sql instance are no5 having issues.
  I have checked the security group that both cb servers should be in and they are in the group and the group has sysadmin and dbo within sql
  any ideas?
  Please remember to mark my replies as answers if they help

  Hi,
  Thank you for posting in Windows Server Forum.
  Can you please create the database manually with below command and verify.
  PS C:\> Set-RDConnectionBrokerHighAvailability –DatabaseConnectionString
   "DRIVER=SQL Server Native Client 11.0;SERVER=<SQL Server
   Name>;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;
  DATABASE=<DB Name>" -DatabaseFilePath "C:\DbFiles\<DbName>.mdf"
   -ClientAccessName "<DNS RR Name>"
  Grant DBO permissions to the service account on the RDS server and try to run your wizard again.
  More information.
  RD Connection Broker High Availability in Windows Server 2012
  http://blogs.msdn.com/b/rds/archive/2012/06/27/rd-connection-broker-high-availability-in-windows-server-2012.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• Deploy 2012 R2 RDS DMZ

  Hi,
  We are Looking to deploy 2012 R2 RDS  Environment in our compamy by deploying the Gateway and Web server in the DMZ and Host and in the Internal network   but would like to authenticate using the internal  DC  so  my question is
  can we just use a Secure LDAP  hole to make the RDS  login process work?
  Leroy Wisdom

  Hi Leroy,
  Thank you for posting in Windows Server Forum.
  Firewall rules between the perimeter network (RD Gateway) and the internal network (domain controller) to authorize the user: 
  Server Protocol = LDAP 
  For LDAP: Port = TCP: 389, UDP: 389 
  You can go through following article for step guides to setup RD Gateway deployment in perimeter network.
  http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• Resizing User Profile Disks in Existing Server 2012 R2 RDS Deployment Question

  Once the initial maximum size is set and the VHDXs have been created in a Server 2012 R2 RDS deployment, will attempting to increase Collection's maximum UPD size by say.. issuing a Powershell command of:
  Set-RDSessionCollectionConfiguration -CollectionName MySpiffyNewCollection -MaxUserProfileDiskSizeGB 10
  over-write the existing VHDXs instead of simply increasing their size? (max size is currently 5GB)
  I'm not at a point where I can test this in a lab condition to find out, and I have not found this question asked (or at least not definitively answered) in this forum yet.
  -G

  Hi,
  Thank you for posting in Windows Server Forum.
  We can resize the UPD file with below command:
  Resize-VHD –Path c:\BaseVHDX.vhdx –SizeBytes 1TB
  After running this mount the .vhdx file and open disk manager and there will be unallocated disk, and then you can click extend disk/volume and its done.
  You can refer following article for more information.
  Resize User Profile Disks
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• How to Deploy 2012 RDS Licenses

  http://blogs.msdn.com/b/rds/archive/2014/01/29/remote-desktop-services-upgrade-and-migration-guideli...
  Check the link i posted

  We are upgrading our Terminal Server from 2008 R2 to 2012 R2. We have an EA agreement that provides the necessary licenses.
  Our license server is running on 2008 R2. 
  Do we have to upgrade our license server from 2008 to 2012 if we intend to deploy 2012 license on a Per User bases to the TS?
  This topic first appeared in the Spiceworks Community

• Standard or UUC/SAN certificate for RDS

  I successfully deployed RemoteApp using self-assigned certificate.
  Now is the time to replace it with Trusted one.
  From what I found UUC/SAN certificate will allow to secure subdomains, unique domains and websites.
  My RDS deployment is limited to one domain only.
  Does wildcard certificate means that during certificate creation on Trusted site (ex GoDaddy) I will have an option to enter:
  *.my_domain.com for a subject and then use it for any RDS server?
  So it will be just a standard certificate with wildcard.
  &quot;When you hit a wrong note it's the next note that makes it good or bad&quot;. Miles Davis

  Hi,
  If you plan to have RD Connection Broker, RD Gateway, RD Web Access all on the
  same server you can purchase a single-name certificate, which is much cheaper than a wildcard. 
  If you need a wildcard then you would purchase a wildcard certificate from the public authority, create your certificate request with a Common Name of *.domain.com, submit this to the authority, and then complete the request with the response.
  For example, on your RD Web Access server you could open IIS Manager, select the server name in the left pane, double-click on Server Certificates in the middle, click Create Certificate Request.  Fill out the information, select 2048 bits, etc., save
  as a file.  Open the file in Notepad, copy the request, then paste it into the appropriate box in the trusted authorities web site.
  The public certificate providers have step by step instructions for creating a request for an IIS website and installing the resulting response.  You can usually follow those if you are unsure.
  Once you have your certificate installed on your RD Web server, open up certlm.msc, navigate to Personal store, right-click on the certificate and export it and its Private key as a .pfx file.  This is what you will use to apply the certificate in Server
  Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab.  You apply the certificate to 1 purpose at a time until you have all four purposes set to your new wildcard certificate.
  -TP

• Import certificate in to Firefox certificate store using SCCM 2012 R2

  Hello,
  I'm trying to figure out how to import a certificate in to the Firefox certificate store using SCCM 2012 R2 to push out to 8,000 computers. The only answer I have found was to import the certificate manually on my computer and copy the "cert8.db" file out of my "appdata\Roaming\Mozilla\Firefox\Profiles\******.default\" folder and use this file to copy to all profiles on each computer. I have not tried this since I believe this is not a standard practice. Is there a Firefox certificate scripting tool that I can use to accomplish this or a recommended way?
  Thanks,
  Matt

  Hi,
  It is listed here:http://technet.microsoft.com/en-us/library/gg712298.aspx
  There are a number of limitations to supporting workgroup computers:
  Workgroup clients cannot locate management points from Active Directory Domain Services, and instead must use DNS, WINS, or another management point.
  Global roaming is not supported, because clients cannot query Active Directory Domain Services for site information.
  Active Directory discovery methods cannot discover computers in workgroups.
  You cannot deploy software to users of workgroup computers.
  You cannot use the client push installation method to install the client on workgroup computers.
  Workgroup clients cannot use Kerberos for authentication and so might require manual approval.
  A workgroup client cannot be configured as a distribution point. System Center 2012 Configuration Manager requires that distribution point computers be members of a domain.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• X2100 m2 - elom - wrong certificate uploaded, web ui no longer available

  Hi,
  I've uploaded wrong certificate to X2100-M2's ELOM (I've uploaded custom built certificate + private key in one PEM file -- w/o doing CSR, signing it by CA's and uploading that), it was stored without any complaints, but now the ELOM won't respond on HTTP/HTTPS.
  I've tried flashing new firmware via ssh, but that doesn't help either. (not to mention it results in cmos checksum error, which is not recoverable without physical access now)
  Is there any way I can restore the original certificate and/or doing the proper csr+upload process from ssh interface? (or via SNMP, which should be also available)
  If not, how can I restore ELOM to factory default without physical access to the server (and possibly even w/o rebooting the OS)?
  And if that's not possible, how can I restore ELOM to factory default in any way possible?
  Thanks,
  W.

  Wonder if your private key had a password. If so, then the mini web server won't start as it would be prompted for a password.
  You'll probably have to flash the firmware. Not sure if you can do so via the command line elom or from within the OS. I've been looking as to how to factory reset the elom on a x2220 m2 and have not found anything other than booting from the tools CD and flashing it from there.
  The CSR option simply generates a self signed cert.
  The Certificate option first prompts you to upload a signed certificate, and then it prompts you to upload the private key, which should have no embedded password.

• Gift Certificate for NI Week 2012 worth $500

  Hi I Have a Gift Certificate for NI Week 2012 worth $500, unfortunately i'm not able to attend NIWeek and any body can offer to have the GiftCode.
  Thanks!
  Ashok

  Matt got the certificate. Thanks for a great community. Tom
  Tom Lohre artist/scientist
  Has a operating painting robot using RoboLab/RCX
  Developing a LabView/ NXT robot that analyzes an image for aesthetic quality.

• Server essentials 2012 uses wrong certificate for Exchange OWA

  I have two servers  (Essentials 2012 and Exchange 2013) behind a firewall. port 443 is routed to essentials.
  I have set up arrconfig following TechNet  jj200172  (in fact I followed this link closely for the entire setup).
  Our client has a single external static ip & two certificates (godaddy) . I’ll call them arr.help.ca   and mail.help.ca
  On the lan, I has split dns so that Outlook trying to reach  "http  mail.help.ca" gets the local ip.  In fact all is working fine on the Lan.
  From the WAN  "https  arr.help.ca"   present the essentials web page, with desktop and shared folders working fine, but...
  From the Wan   "https  mail.help.ca/owa"   presents the owa logon page, but also the browser warning that the cert is incorrect.
    The problem is the cert presented is arr.help.ca, not mail.help.ca
         The cert chain is fine (i.e. the godadddy intermediate cert is trusted),
         both certs are not expired,
         the cert subjects are correct.
  Any idea's on how to troubleshoot this?

  Hi Rick,
  Did you use the
  Microsoft Remote Connectivity Analyzer Tool to check if there has any connectivity issue firstly? Meanwhile, please refer to following Robert’s article and check if can help you.
  On
  Premises Exchange Integration Windows Server 2012 Essentials
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Certificate Mismatch RDS Session Host

  I've been banging my head against this for the last few days. I have a server 2012 remote desktop setup as follows:
  1 Gateway Server
  1 RD Web Access Serve
  1 Session Broker, which is also a session host
  1 Additional Session host
  I'm using remote app to publish applications rather than desktops. I've got a wildcard certificate for the external domain, which works fine for the gateway and web access server, the problem comes with the session hosts, which are giving me a certificate mismatch
  error because connections are made to the internal name (which is a .local address) which obviously does not match the external certificate.
  I have a DNS zone for the external name setup on this domain, so that machines can be resolved by internal or external names.
  I've made some progress by following the steps here - http://serverfault.com/questions/524092/rds-rdweb-and-remoteapp-how-to-use-public-certificate-for-launching-apps-on-s, and things now work fine if I only have the session host that is also the broker
  enabled. Once I add the second session host, any requests that go to that get the certificate error. Connections to the first session host still work fine.
  Does anyone know a way to have requests be made to the external name of the session host?

  Hi,
  1. After making the DNS change, did you flush the DNS cache on the RD Gateway server?  Or even better restart the whole server?
  2. Do you have DNS round robin for any of the other servers in your deployment?  You should
  not.  Additionally, do you have any NLB or other hardware/software load balancing solution in place?
  3. To make sure I have the facts correct, please let me know if the following items are correct:
  a. You are launching a RemoteApp from within RD Web Access using IE running on a Windows 8 PC
  b. When you launch a RemoteApp, the prompt has the following on it (for Calculator in this example):
  Publisher: *.domain.com
  Type: RemoteApp program
  Path: calc
  Name: Calculator
  Remote computer: rdbroker.domain.com
  Gateway server: gateway.domain.com
  c. After clicking Connect it goes through several status messages and then you get a Certificate error saying essentially:
  Name mismatch
       Requested remote computer:
       rd02.domain.local
       Name in the certificate from the remote computer:
       *.domain.com
  Certificate errors
    The following errors were encountered while validating the remote
    computer's certificate:
       The server name on the certificate is incorrect.
  d. In Deployment Properties, RD Gateway tab, Bypass RD Gateway server for local addresses is
  unchecked.
  4. Do you have multiple configured network cards in each server, or just a single NIC that has an ip address?
  5. Have you modified the default firewall configuration of your servers?  In other words, can I assume they are on the same subnet and are able to communicate with each other in the default domain configuration, or have changes been made and/or is
  there a third-party firewall software or device in place that could be affecting things?  I ask because normally the broker will authenticate the destination server using Kerberos and if something interferes with this you can get unexpected errors.
  I believe you are close to solving this now.
  Thanks.
  -TP

• Help needed with certificates for RDS Host servers

  Hi,
  We currently have 4 RD Session-Host servers in our network. All four servers are member of a TS farm. We also have a TS Gatway server.
  I managed to give the TSGW server a certificate but I need your support on this on the RDS servers.
  What happens?
  When a user connects to the farm, a warning pops up telling me that the certificate is not issued by a trusted CA. This is because all RDS servers are using self signed certificates. Because the servers are farm members a user can be presented with this
  warning several times when the session is being redirected.
  How do I get rid of these warnings as well in our LAN as on the internet? What certificate type do I need?
  Thanks in advance.
  Jasper Kimmel

  Hi Jasper,
  What is your Server OS for your environment?
  Yeah, your all certificate related all warnings can disappear by purchasing the certificate from public CA. To access the farm outside the environment you can buy wildcard certificate. And yes, your all related queries be solved from the article provide in
  my previous comment.
  The easiest way to get a certificate, if you control the client machines that will be connecting, is to use Active Directory Certificate Services.  You can request and deploy your own certificates and they will be trusted by every machine in the domain.
  If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA.  Examples including, but not limited to: GoDaddy, Verisign, Entrust, Thawte, DigiCert
  In Windows 2008/2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, next to the connection broker and finally to the server that will host your session.
  In Windows 2012, you connect to the Connection Broker and it routes you to the collection by using the collection name.  
  The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.  So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers
  in the collection.  The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to.  If you have users connecting externally, this needs to be an external name (needs to match what they connect to).  If
  you have users connecting internally to RDweb, the name needs to match the internal name.  For Single Sign On, again the subject name needs to match the servers in the collection. (Quoted from previous article).
  Apart there is one more article by Kristin, you can go through for reference.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].

• Using a custom certificate store for SCCM 2012 clients and primary site server

  I have read what seems to be all the pki related documentation out there for SCCM 2012. I have a PKI infrastructure up and running issueing certificates with an offline root through group policy autoenrollment. The problem that i'm faced with is we are migrating
  from SCCM 2007 that was in native mode and we chose not to use the CA that we used for the old SCCM environment. When the clients attempt to communicate with the M.P. it runs through all of the different certificates and adds a tremendous amount of overhead
  to the M.P. We will have ten's of thousands of clients by migration end. Could someone please point me to a document that goes over how to leverage a custom certificate store that I could then tell the new 2012 environment to use? I know that it's in there,
  I've seen it in the console. The setup is one primary site server with SQL on box and the pki I just mentioned as well as the old 2007 environment that is still live.
  I read that you can try and use SAN as a method of identifying the new certs but I haven't found a good document covering exactly how that works. Any info you could provide I would be very grateful for. Thanks.

  Jason, thank you for your reply. I'm getting the impression that you have never been in the situation where you had to deal with 2 different PKI environments. Let me state that I understand what your saying about trust. We have to configure the trusted root
  CA via GPO. That simply isn't enough, and I have a valid example to backup this claim. When the new clients got the advertisement and began the ccmsetup process I used the /pki switch among others. What the client end up doing was selecting a certificate that
  had the longest validity period which was issued by our old CA. It checked the authentication chain, found it to be valid and selected it for communication. At that point the installation failed, period, no caveats as you say. The reason the install failed
  because the new PKI infrastructure is integrated into the new environment, and the old is not. So when you said " that
  are trusted and they can use *any* cert that is trusted because at the end of the day, there is no
  difference between two valid certs that have the same purpose as long as they are trusted. "
  that is not correct. Both certs are trusted, and use the same certificate template, but only one certificate would allow the install to complete successfully.
  Once I started using the CCMCERTISSUERS
  switch the client install went swimmingly. The only reason I'm still debating this point is because someone might read this thread see your comments and assume "well I've got my new PKI configured as a trusted root CA, I should be all set" and their
  deployment will fail, just as my pilot did.
  About Intune I'm looking forward to doing a POC in the lab i built with my Note 3. I'm hoping it goes well as I really want to have our MDM migrated into ConfigMgr... I think the
  biggest obstacle outside of selling it to management will be the actual device migration from the current MDM solution. From what I understand of the enrollment process manual install and config is the only path forward.
  Thanks Jason for your post and discussion.