Remote desktop 2016 certificate warning

James Walls 1 Reputation point
2021-09-16T16:19:04.823+00:00

Certificate warning when connecting to remote desktop server via mstsc.exe

All servers are 2016 and the client is Windows 10.

I have been reading a lot of possible solutions, but they all seem like hacks (i.e. reg entries etc.); the correct way to go seems to be to use an internal CA.

Here is what I've tried so far; I'm sure I'm missing a few things.

We have the following set up in our RDS:

RDSH 1 -app1
RDSH 2 -app2

RDConnection Broker -GB
RD Gateway-GB
RDWeb-GB

Domain controller -DC

Using port forward 443 from the DNS IP to the Connection Broker through the gateway, and using mstsc.exe (Remote Desktop Connection), not RDWeb; this also uses a wildcard cert for the external FQDN name.

On the domain controller we have DNS RDSCollectionName pointing to GB (Connection Broker).

When connecting internally and externally we get a certificate warning (as we are using a .local domain, I think this is the reason).

[image: 132786-certerror-copy.jpg]

I have installed a CA on the GB server, configured an RDPAuthentication template, and applied it to the Remote Desktop group policy on the DC server.

This part below is the group policy settings to replace the RDP default self-signed certificate with the CA one:

1. Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Server Authentication Certificate Template, and entered the template name that I created, called RDPAuthentication.

2. Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections, and changed the Security Layer to SSL.

The test laptop has received the group policy; checked using RSOP on the test laptop.

In Certificates on the laptop I don't see the certificate anywhere?

I'm still getting the same error.

On the GB server (the CA), I can see in the CA console that App2, one of the session hosts, has been issued the 'RDPAuthentication' certificate, but no other servers or laptops.

I'm assuming here that I should see the laptop in here also.

Have I missed a step somewhere? Could someone assist? Not much hair left as it is.

James

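What mstsc.exe warns about is the certificate the session host presents on its RDP listener, checked against the name typed into the client and against the client's trusted roots. The script below is an added example, not part of the original post, to be run on one of the session hosts (app1/app2 in the question): it reads the thumbprint bound to the RDP-Tcp listener, finds that certificate in the machine stores, shows which template issued it, and checks whether it covers the name clients use. `$ExpectedName` is a placeholder; `Win32_TSGeneralSetting`, `Test-Certificate` and the template-information OIDs are standard Windows APIs.

```powershell
# Added example (not from the original post). Run elevated on an RD Session Host.
# $ExpectedName is a placeholder: use the exact name clients type into mstsc.exe
# (collection DNS name, host FQDN, or the external name).
param([string]$ExpectedName = 'rdscollection.example.local')

# The RDP-Tcp listener stores only the SHA1 thumbprint of the certificate it presents.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash
"Listener thumbprint : $thumb"
"SecurityLayer       : $($listener.SecurityLayer)  (0=RDP, 1=Negotiate, 2=SSL/TLS)"

# Find that certificate in the two stores the listener can use.
$cert = foreach ($store in 'My', 'Remote Desktop') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb }
}
$cert = $cert | Select-Object -First 1
if (-not $cert) {
    Write-Warning "Thumbprint $thumb not found in LocalMachine\My or LocalMachine\Remote Desktop"
    return
}

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"SANs        : $($cert.DnsNameList.Unicode -join ', ')"
"Self-signed : $($cert.Subject -eq $cert.Issuer)"   # True means the GPO template has not taken effect
"Expires     : $($cert.NotAfter)"

# Enterprise CA templates record themselves in an extension:
# 1.3.6.1.4.1.311.21.7 (v2+ 'Certificate Template Information') or 1.3.6.1.4.1.311.20.2 (v1 name).
$tmplExt = $cert.Extensions |
    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
    Select-Object -First 1
"Template    : $(if ($tmplExt) { $tmplExt.Format($false) } else { '(none: not issued from a CA template)' })"

# Name check: the name the client uses must match a SAN entry (wildcards via -like).
$nameMatch = @($cert.DnsNameList.Unicode) | Where-Object { $ExpectedName -like $_ }
"Name match  : $([bool]$nameMatch) for '$ExpectedName'"

# Chain + Server Authentication EKU check as seen from this host. The client must
# additionally hold the issuing CA in its own Trusted Root store, or it still warns.
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $ExpectedName -ErrorAction SilentlyContinue
"Chain/EKU OK: $chainOk (evaluated on this host)"
```

If the listener still reports a self-signed certificate whose subject is the host name, the "Server Authentication Certificate Template" policy has not been applied on that host; once the CA has issued a certificate from the template, the listener's `SSLCertificateSHA1Hash` property is what has to point at it.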

2 answers

  1. James Walls 1 Reputation point
    2021-09-17T11:37:18.327+00:00

    One other thing I've noticed is that on the test laptop, in certlm.msc, right-clicking Certificates - Local Computer / All Tasks / Automatically Enroll and Retrieve Certificates

    in Certificate Enrollment, it says that certificate autoenrollment has not been enabled.

    No certificates are displayed here.

    There's a tick box: Show all templates.

    When I click this, certificates appear, but they all say Status: Unavailable with a red cross.

    Feels like maybe group policy permissions, but I have checked this from another server on the same domain, and it is the same as the test laptop.

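"Autoenrollment has not been enabled" in that wizard reflects the computer-side "Certificate Services Client - Auto-Enrollment" policy, which is written to the registry when the GPO applies, and "Status: Unavailable" on a template means the template is not available to this computer account (not published on the CA, or no Enroll/Autoenroll permission for the computer or a group it belongs to). The script below is an added example, not part of the original post, to be run on the test laptop: it checks the policy value, the trusted-root entry for the CA, DCOM reachability to the CA, triggers an enrollment pass, and lists which machine certificates came from a given template. `$TemplateName` and `$CaNamePattern` are placeholders; the `AEPolicy` value, `certutil -pulse` and the template OIDs are standard Windows behaviour.

```powershell
# Added example (not from the original post). Run elevated on the client machine.
# Placeholders: the template name from the question and a pattern matching the CA's name.
param(
    [string]$TemplateName  = 'RDPAuthentication',
    [string]$CaHost        = 'GB',
    [string]$CaNamePattern = 'GB'
)

# 1. The computer autoenrollment GPO writes AEPolicy here. Bit 0 set = enabled;
#    0x7 is the usual "enabled, renew expired, update template-based" setting.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Warning 'AEPolicy is missing: the computer autoenrollment GPO has not applied to this machine'
} else {
    'AEPolicy = 0x{0:X} (enabled: {1})' -f $ae.AEPolicy, [bool]($ae.AEPolicy -band 1)
}

# 2. Without the issuing CA in Trusted Root, every certificate it issues still warns.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $CaNamePattern })
"Trusted Root entries matching '$CaNamePattern': $($roots.Count)"

# 3. Enrollment talks DCOM to the CA; TCP 135 must be reachable.
$rpcOk = Test-NetConnection -ComputerName $CaHost -Port 135 -InformationLevel Quiet
"TCP 135 to $CaHost reachable: $rpcOk"

# 4. Refresh policy and run autoenrollment now instead of waiting for the 8-hour timer.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 5. Which machine certificates were issued from the expected template?
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    $tmpl = if ($ext) { $ext.Format($false) } else { '' }
    [pscustomobject]@{
        Thumbprint   = $_.Thumbprint
        Subject      = $_.Subject
        Template     = $tmpl
        FromTemplate = ($tmpl -match $TemplateName)
        NotAfter     = $_.NotAfter
    }
} | Format-Table -AutoSize
```

Template permissions are set on the template itself (Certificate Templates console, Security tab) and are evaluated against the computer account, so the laptop's account or a group containing it (for example Domain Computers) needs Enroll and Autoenroll there, and the template has to be published on the CA for it to stop showing as Unavailable.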

  2. James Walls 1 Reputation point
    2021-09-21T10:45:39.023+00:00

    Further progress. I made a few changes:

    Change 1 was to add the Everyone group to the OU RDS Test Group.
    Change 2 was to delete the reg key to force the download of the cert.
    [image: 133849-image.png]

    Ran certlm.

    The RDPAuthentication certificate is now in the test laptop's Personal/Certificates store under Local Computer (it wasn't there before).

    Also in Trusted Root Certification Authorities I now have the CA certificate, just the CA one (it wasn't there before).

    So it looks like the certs are working, right? ..... emmm, no.

    When connecting to RDP using mstsc.exe I'm still getting the certificate warning.

    [image: 133943-error22222222222.jpg]

    Looks like the test laptop, even though it has the certificate in the correct place, still doesn't work.

    I must ponder this more.

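The quickest way to see why the warning persists is to look at what the server sends rather than at the client's store. The function below is an added example, not part of the original post: it performs the same opening exchange mstsc.exe does (X.224 connection request with an RDP_NEG_REQ asking for TLS or CredSSP, both of which begin with a TLS handshake), completes the handshake with the name you typed, and reports the certificate the session host presented together with the .NET verdict on name and chain. The byte values follow the public RDP connection-sequence specification; the host name at the bottom is a placeholder.

```powershell
# Added example (not from the original post): fetch and evaluate the certificate an
# RDP server presents, using the name the client would type. Host name is a placeholder.
function Get-RdpServerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $tcp = $client.GetStream()
    try {
        # TPKT header (length 19) + X.224 Connection Request + RDP_NEG_REQ.
        # requestedProtocols = PROTOCOL_SSL (0x1) | PROTOCOL_HYBRID (0x2): either way TLS comes first.
        [byte[]]$req = 0x03,0x00,0x00,0x13,
                       0x0E,0xE0,0x00,0x00,0x00,0x00,0x00,
                       0x01,0x00,0x08,0x00,0x03,0x00,0x00,0x00
        $tcp.Write($req, 0, $req.Length)

        # Expect X.224 Connection Confirm (0xD0) followed by RDP_NEG_RSP (type 2) or RDP_NEG_FAILURE (type 3).
        $rsp = New-Object byte[] 19
        $n = $tcp.Read($rsp, 0, $rsp.Length)
        if ($n -lt 11 -or $rsp[5] -ne 0xD0) { throw "No X.224 Connection Confirm from $ComputerName" }
        if ($n -ge 19 -and $rsp[11] -eq 0x03) { throw "Server refused TLS/CredSSP, failureCode=$($rsp[15])" }
        if ($n -lt 19 -or $rsp[11] -ne 0x02) { throw 'Server chose legacy RDP security; no certificate to inspect' }

        # Accept the certificate so the handshake completes, but record the policy errors
        # (None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors) for the report.
        $script:RdpSslErrors = $null
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $c, $chain, $errors)
            $script:RdpSslErrors = $errors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp, $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $ssl.RemoteCertificate
        $ssl.Dispose()

        [pscustomobject]@{
            Server       = "${ComputerName}:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            DnsNames     = ($cert.DnsNameList.Unicode -join ', ')
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            PolicyErrors = $script:RdpSslErrors
        }
    } finally {
        $client.Close()
    }
}

# Use exactly the name typed into mstsc.exe; a different name gives a different verdict.
Get-RdpServerCertificate -ComputerName 'rdscollection.example.local' | Format-List
```

Run it from the test laptop against the collection DNS name and against each session host's FQDN. `SelfSigned = True` or a `Template`-less issuer means the host is still presenting its own default certificate; `RemoteCertificateNameMismatch` means the name used is not in the certificate's SANs (a collection name pointing at the broker will only match if the session host's certificate lists it); `RemoteCertificateChainErrors` means the client does not trust the issuer. Note this probes port 3389 directly; a connection through the RD Gateway first sees the gateway's wildcard certificate on 443 and only then the session host's certificate inside the tunnel.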