0 Votes
JamesWalls-0449 asked, JamesWalls-0449 answered

Remote desktop 2016 certificate warning

Certificate warning when connecting to remote desktop server via mstsc.exe

All servers are 2016 and the client is Windows 10.

I have been reading a lot of possible solutions, but they all seem like hacks (i.e. reg entries etc.); the correct way to go seems to be to use an internal CA.

Here is what I've tried so far; I'm sure I'm missing a few things.

We have the following in our RDS setup:

RDSH 1 - app1
RDSH 2 - app2

RD Connection Broker - GB
RD Gateway - GB
RDWeb - GB

Domain controller - DC


Using port forward 443 (DNS/IP) to the Connection Broker through the Gateway and using mstsc.exe (Remote Desktop Connection), not using RDWeb; this also uses a wildcard cert for the external FQDN name.

On the domain controller we have DNS RDSCollectionName pointing to GB (Connection Broker).

When connecting internally and externally we get a certificate warning (as we are using a .local domain, I think this is the reason).

[attached screenshot: certerror-copy.jpg]

I have installed a CA on the GB server, configured an RDPAuthentication template and applied it to the Remote Desktop group policy on the DC server.

The part below is the group policy settings to replace the RDP default self-signed certificate with the CA one:

1. Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Server Authentication Certificate Template, and entered the template name that I created, called RDPAuthentication.

2. Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections, and changed the Security Layer to SSL.

The test laptop has received the group policy, checked using RSOP on the test laptop.

In certificates on the laptop I don't see the certificate anywhere???

I'm still getting the same error.


In the CA console on the GB server, I can see that App2 (one of the session hosts) has been issued the certificate 'RDPAuthentication', but no other servers or laptops.

I'm assuming here that I should see the laptop in here also.

Have I missed a step somewhere? Could someone assist? Not much hair left as it is.

james

0 Votes
JamesWalls-0449 answered, JamesWalls-0449 edited

One other thing I've noticed is that on the test laptop, while in certlm.msc, right-clicking Certificates - Local Computer / All Tasks / Automatically Enroll and Retrieve Certificates

in certificate enrolment, it says that certificate autoenrolment has not been enabled.

No certificates are displayed here.

There's a tick box: show all templates.

When I click this, certificates appear, but they all say Status Unavailable with a red cross.

Feels like maybe group policy permissions, but I have checked this from another server on the same domain, and it is the same as the test laptop.


0 Votes
JamesWalls-0449 answered

Further progress.

Made a few changes:

Change 1 was to add the Everyone group to the OU RDS Test Group.
Change 2 was to delete the reg key to force the download of the cert.
[attached screenshot: image.png]


Ran certlm.

The RDPAuthentication certificate is now in the test laptop's Personal/Certificates store under Local Computer (wasn't there before).

Also in Trusted Root Certification Authorities I have a CA certificate in here, just the CA one (wasn't there before).

So it looks like the certs are working, right ..... emmm, no.

So when connecting to RDP using mstsc.exe I'm still getting the certificate warning.

[attached screenshot: error22222222222.jpg]




Looks like the test laptop, even though it has the certificate, and in the correct place, doesn't seem to work.

I must ponder this more.

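The GPO steps in the question and the result in the last update both hinge on which certificate the RDP listener on a session host actually presents, which is what the client's warning is about. As an added check (not code from the thread), this PowerShell, run elevated on a session host such as app1 or app2, reports the listener's current certificate thumbprint and security layer and whether a certificate issued from the RDPAuthentication template is present in the machine store and bound to the listener. The template name comes from the post; the listener name RDP-Tcp is the default; matching the template by the text of the formatted extension relies on the Windows extension formatter and is an assumption.

```powershell
# Added check (not from the original post): compare what the RDP listener
# presents with certificates issued from the RDPAuthentication template.
# Run in an elevated PowerShell on each session host (app1, app2).
$TemplateName = 'RDPAuthentication'   # template name from the post
$ListenerName = 'RDP-Tcp'             # default RDP listener name

# 1. Which certificate and security layer is the RDP listener using right now?
#    SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                      -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='$ListenerName'"
$listenerHash = $ts.SSLCertificateSHA1Hash
"RDP listener security layer : $($ts.SecurityLayer) (2 = SSL/TLS)"
"RDP listener certificate    : $listenerHash"

# 2. Find certificates in LocalMachine\My issued from the template.
#    1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates)
#    1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates)
#    Assumption: the formatted extension text contains the template name.
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
$fromTemplate = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $templateOids -contains $_.Oid.Value -and
        $_.Format($false) -match [regex]::Escape($TemplateName)
    }
}

if (-not $fromTemplate) {
    "No certificate from template '$TemplateName' in LocalMachine\My on this host."
    "Autoenrollment has not delivered one yet; 'certutil -pulse' triggers a retry."
}

# 3. Report each template certificate and whether it is the one the listener uses.
foreach ($c in $fromTemplate) {
    $state = if ($c.Thumbprint -eq $listenerHash) { 'IN USE by RDP listener' }
             else { 'present but NOT bound to listener' }
    "{0}  {1}  expires {2:yyyy-MM-dd}  {3}" -f $c.Thumbprint, $c.Subject, $c.NotAfter, $state
}
```

The client only stops warning when the thumbprint the listener presents chains to a root it trusts and its subject or SAN matches the name typed into mstsc.exe, so compare the reported Subject with the name used to connect.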