Server 2008 R2 RDS Gateway certificate renewal, replaced certificate not being picked up
Hello,
We updated the SSL certificate on our RDS system (consisting of a single RDS server including the Gateway, Web Access and Host roles), configured in IIS and in the RD Gateway configuration. IIS works fine: the certificate is picked up by browsers accessing the SSL version of the Web Access site, and checking the certificate information in the address bar checks out OK. This can be demonstrated by going to https://mercury.counterpointeurozone.com/rdweb/pages/en-us/login.aspx.
The problem is that accessing published applications via Web Access (I might add using clients updated to RDC 7, and in the instances of XP SP3 that have the CredSSP patch installed) gives a certificate warning, pointing to a random auto-generated internal certificate that I have not explicitly created.
The frustrating thing is that I have wiped the certificates out using the cert MMC and installed our certificate, but upon accessing an application a self-certified certificate is auto-created (if it doesn't exist) and used. I have tried disabling use of that certificate once it's been created, but it still ends up using it.
This worked fine before we swapped certificates; all we did was add the new one and redirect IIS and RD Gateway to use the new one (in varying combinations, allowing RD Gateway to automatically configure IIS when prompted).
Short of rebuilding the server, which isn't an option, I'm unsure what I should be doing. The certificate we're using contains the private key, so there is no reason why it shouldn't be picked up.
Kind regards,
Ross Harvey
Hi Ross,
According to your post, the issue occurs on a RemoteApp program when you try to access it. If I misunderstand it, please correct me.
As far as I know, when you access a RemoteApp program, the process is the following:
RD Web Access -> RD Session Host -> RemoteApp Manager
In this case, I think the certificate is misconfigured on the RD Session Host server. By default, the system uses an "auto generated" certificate created by the local server. I'd perform the following steps to check whether the certificate is installed correctly.
You need to install and choose the same certificate in several places, including the RD Session Host server, RD Web Access, the RD Gateway server and RemoteApp Manager.
1. Start by importing the SSL certificate into the computer account: MMC (Add/Remove Snap-ins - Certificates - Computer account). Import the cert into the Personal and Remote Desktop stores.
2. Import the SSL certificate into IIS. Run IIS Manager, select the server name (left side, Connections), under the IIS section open Server Certificates, and import the SSL certificate there. Select the web site (left side, Connections), open Bindings (right side, Actions) and associate/bind the wildcard cert to the appropriate https host and port (443).
3. TS RemoteApp Manager, Overview section, Digital Signature Settings, Change; with "Sign with a digital certificate" checked, click Change and select the SSL certificate.
4. TS Gateway Manager, select the server name, Properties, SSL Certificate tab, "Select an existing certificate for SSL encryption (recommended)", Browse Certificates, select the SSL certificate.
5. Terminal Services Configuration, Connections area, select the appropriate connection, Properties, General tab, Select, select the SSL certificate.
Meanwhile, certificates for RD Gateway must meet these requirements:
· The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. Multiple CNs are not supported. If your organization issues certificates from an enterprise certification authority (CA), the certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.
· The certificate is a computer certificate.
· The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
· The certificate has a corresponding private key.
· The certificate has not expired. We recommend that the certificate be valid for 1 year from the date of installation.
· A certificate object identifier (also known as an OID) of 2.5.29.15 is not required. However, if the certificate you plan to use contains an OID of 2.5.29.15, you can use the certificate only if at least one of the following key usage values is set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE.
· The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the client's Trusted Root Certification Authorities store on the client computer.
Hope this helps.
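The following PowerShell script is an added example, not part of either post above. It checks each certificate in the local computer's Personal store against the RD Gateway requirements listed in the answer (subject/SAN name match, Server Authentication EKU, private key, validity period, Key Usage bits when the 2.5.29.15 extension is present, and a chain that builds to a trusted root), and then reads which certificate thumbprint the RDP-Tcp listener (step 5 above) is actually configured with, which is the quickest way to spot the auto-generated certificate still being in use. The host name `rds.example.com` is a placeholder; run it in an elevated PowerShell prompt on the RDS server.

```powershell
# Added example (not from the original thread). Assumptions: run elevated on
# the RDS server; $ExpectedHost is a placeholder for the FQDN clients connect to.
param(
    [string]$ExpectedHost = 'rds.example.com',   # placeholder, replace with your gateway FQDN
    [string]$Thumbprint   = ''                   # optional: restrict the check to one certificate
)

function Test-RdsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$HostName)

    $problems = @()

    # Requirement: subject CN, a SAN entry, or a wildcard must match the DNS name clients use.
    $cnPart = $Cert.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1
    $cn = if ($cnPart) { $cnPart.Trim().Substring(3) } else { '' }
    $names = @($cn)
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format($true) renders the SAN as one "DNS Name=host" entry per line
        $names += ($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } })
    }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $nameOk = $true }
        elseif ($n.StartsWith('*.') -and ($HostName -like $n)) { $nameOk = $true }
    }
    if (-not $nameOk) { $problems += "no CN/SAN matches $HostName (found: $($names -join ', '))" }

    # Requirement: Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'missing Server Authentication EKU'
    }

    # Requirement: private key present and the certificate is within its validity period.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    $now = Get-Date
    if ($Cert.NotAfter -lt $now)  { $problems += "expired on $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $now) { $problems += "not valid until $($Cert.NotBefore)" }

    # Requirement: if a Key Usage extension (2.5.29.15) exists, at least one of
    # key encipherment / key agreement / data encipherment must be set.
    $ku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if ($ku) {
        $wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, KeyAgreement, DataEncipherment'
        if (($ku.KeyUsages -band $wanted) -eq 0) {
            $problems += 'Key Usage present but none of KeyEncipherment/KeyAgreement/DataEncipherment set'
        }
    }

    # Requirement: the chain must build to a root this machine trusts (clients need the same root).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Problems   = $problems
    }
}

$certs = Get-ChildItem Cert:\LocalMachine\My
if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }
$certs | ForEach-Object { Test-RdsCertificate -Cert $_ -HostName $ExpectedHost } |
    Format-Table Thumbprint, Subject, @{n='Problems'; e={ $_.Problems -join '; ' }} -AutoSize

# Which certificate is the RDP-Tcp listener (Terminal Services Configuration, step 5)
# actually using? A thumbprint you do not recognise points at the auto-generated certificate.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"
"RDP-Tcp listener currently uses certificate thumbprint: $($listener.SSLCertificateSHA1Hash)"
```

If the listener thumbprint differs from the certificate that passes every check, the Session Host is the component still handing out the auto-generated certificate, and step 5 above is the one to repeat; the same comparison can be made for the Gateway after step 4 by checking its configured certificate in TS Gateway Manager against the thumbprint printed here.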