Just leave them alone and keep it simple. Open the Certification Authority console, in the left pane, click I'm trying to set up Remote Desktop Gateway (Terminal Service Gateway) on a virtual Windows Server 2012 R2. Where certificates are deployed is all dependent upon what your environment requires. If you have users connecting externally, this needs to be an external name (it needs to match what they connect to). Certificate auto-enrollment is not enabled. Contact your network administrator for assistance." Windows - "Your computer can't connect to the Remote Desktop Gateway server. I realize this is perhaps geared more toward Terminal Services, but for Windows systems, I would assert this is not, technically, the proper setup. Kerberos plays a huge role in server authentication, so feel free to take advantage of it. For Single Sign On, the subject name needs to match the servers in the collection.” Before, we used Windows 10 1607 and everything worked. Tim Beasley, Platforms PFE here again from the gorgeous state of Missouri. I'm very tempted to go off on PKI hardening / best practices right now, but that is not on topic. Thank you for taking the time to read through all this information. I updated group policy on a member server, and tested it. But I’m not going to completely go off on a PKI best practices rant here…that’s for another day. The certificates you deploy need to have a subject name (CN) or subject alternate name (SAN) that matches the name of the server that the user is connecting to. Now we get to the meaty part (as if I haven’t written enough already). An RD Gateway server is configured with a server authentication certificate that is used for authenticating and securing the communication between the RD Gateway client and the RD Gateway server.
Keep in mind the requirements of certificates that RDS uses: Now that you have the certificate requirements, you’ll want to create a custom certificate template with the above EKU settings (or none…but I’ve always used Server Auth or RDA). Normally when deploying ADCS, certificate autoenrollment is configured as a good practice. Should the server automatically renew the certificate once it enters the renewal period specified on the template? Re: Windows Virtual Desktop - Your computer can't connect to Remote Desktop Gateway server @christianmontoya I am experiencing the same issue and the. SAN entries are used, not the CN of the certificate. If you are receiving an error message "Your computer can't connect to the Remote Desktop Gateway server. The Enhanced Key Usage extension has a value of either “Server Authentication” or “Remote Desktop Authentication” (1.3.6.1.4.1.311.54.1.2). The certificate is installed in the local computer’s “Personal” certificate store. Her article details RDS certificates for Server 2008 R2, GPO settings, etc. The obvious problem is that it's saying we're logging into "ext-gwname.domain.com" and "int-shname.domain.com". Click Remote Desktop Services in the left navigation pane. Create a new GPO at the domain level (or OU...and don’t use the Default Domain Policy…bad practice), then edit it. And in this scenario where the RDS Roles aren’t deployed, then the subject name will typically be the machine’s name…configure the certificate template to pull the subject name from AD. But RDS is a bit different since it can use certificates that not all machines have. DO use RDS. If needed, refer to this article for additional info on configuring the RDP listener for WS2012 /2012R2. Remember, by default the local Remote Desktop Protocol will use the self-signed certificate…not one issued by an internal CA…even if it contains all the right information. Just remember the principles are the same.
We have purchased a wildcard certificate for *.acme.com from a public CA which we should be able to use for machines on our internal domain. Depending on the template settings, you could create duplicates over and over again inside AD. Windows - "Your computer can't connect to the Remote Desktop Gateway server. Original product version: Windows Server 2012 R2 Original KB number: 3042780. (It's a VM, so it is either RDP or the VMWare console ... Microsoft Remote Desktop behaves better, so ....)  If I wanted to fix this, could I issue a (second) certificate (with the hostname/FQDN of the machine) into the Computer store? "Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked. Otherwise you’ll get warnings despite the fact the cert is deployed in the local Trusted Root CA store. However, if RDP using names still produces warning messages then let’s continue. Then they can avoid the prompt. To get started, I’m going to break this topic up into several parts. get the certificate, mangle the certificate into the form that RDS wants, deploy the certificate during the monthly maintenance window... https://docs.microsoft.com/en-us/powershell/module/remotedesktop/set-rdcertificate?view=win10-ps. I am writing this blog post to shed some light on the question of “How come we keep getting prompted warning messages about certificates when we connect to machines via RDP?”  A couple of examples you might see when running the Remote Desktop Connection Client (mstsc.exe)…. In your case, you're talking about the Machine's Personal store...which is different from the RDP store. A hotfix is available to resolve this issue. Again, we use certificates to maximize security pertaining to Remote Desktop Connections and RDS. Think of a Root CA Certificate and the chain of trust. 
I have applied this wildcard certificate to the Deployment Properties of our RDS farm on all four role services: RD Connection Broker: enable SSO, RD Connection Broker: Publishing, RD Web Access, and RD Gateway. Microsoft wants you to be warned if there’s a potential risk of a compromise. Now I get "This certificate has been revoked and is not safe to use", and "You may not proceed due to the severity of the certificate errors". So how do we remedy that? I'd focus on leveraging a SAN certificate that contains all the FQDNs of the RDS Servers. It can be 2008 R2 RDS, or 2012 / 2012 R2 RDS. And for all our sanity, do NOT mess with the security level and encryption level settings! The certificate template display name and name are both the same. Double check the template settings and certificate lifetimes. Professor Robert McMillen shows you how to bypass an RD Gateway in Windows 10 Remote Desktop. Seems like when RDS tries to access the company file, QB is validating the digital signature certificate with its issuer to check if the certificate has been revoked. It talks about proper SAN names to include for external and internal naming for the 2012 / 2012 R2 RDS server roles. Another way of achieving this result, and forcing machines to use a specific certificate for RDP…is via a simple WMIC command from an elevated prompt, or you can use PowerShell. Translation: only the cert that came from your custom template will be used when someone connects via RDP to a machine…not the self-signed certificate. Contact your network administrator for assistance." First published on TechNet on Dec 18, 2017. The root cert is in there .... that won't cause a problem, will it? But hey, I’m sure wherever you are it’s nice there too. As soon as this policy is propagated to the respective domain computers (or forced via gpupdate.exe), every machine the GPO is scoped to that allows Remote Desktop Connections will use it to authenticate RDP connections.