Thank you for taking the time to read through all this information. Troubleshooting why our external terminal clients aren't working (Axel terminals), we tried using a Windows PC via MSTSC.EXE to connect, and that's how I found out about the weird "unknown computer" warnings, where the SH server is presenting its internal name and internal cert rather than using the farm name and our wildcard cert (which is publicly signed). I had to do custom scripting to secure LDAP and it seems that the same mechanism is needed for RDP. Talk about a management overhead nightmare! Apparently, in this new version, Windows 10 forces the use of Kerberos authentication to authenticate to RDG. Kerberos plays a huge role in server authentication, so feel free to take advantage of it. The catch is that you must do it from the individual machine. Otherwise you’ll get warnings despite the fact that the cert is deployed in the local Trusted Root CA store. I bet you could script it via PowerShell to speed things up a bit, but it is still more of a manual thing. Manual = no built-in automation, hence why I also mentioned scripting via PowerShell. What about computers that don’t have RDS enabled, will they get those certificates too? Connecting To Your Server Using Remote Desktop Protocol (RDP): "Your computer can't connect to the remote computer because the Remote Desktop Gateway Server's certificate has expired or has been revoked." Fix: Your Computer Can’t Connect to the Remote Desktop Gateway Server. I'd focus on leveraging a SAN certificate that contains all the FQDNs of the RDS Servers.
So when using MSTSC.EXE on the outside, we get prompted about the certificate. *stifles laughter*. Think of a Root CA Certificate and the chain of trust. It is like having another employee that is extremely experienced. Her article details RDS certificates for Server 2008 R2, GPO settings, etc. Neither can Kerberos, for that matter. DO NOT JUST HACK THE REGISTRY TO PREVENT WARNING PROMPTS FROM OCCURRING. Both of course feature the amazing new Windows Server 2016, and they are spot on to help you avoid this first scenario. Begin with this article here - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn... Keep in mind how RDS works. Choose the option that fits your business needs...what does your security team say? Via wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or via PowerShell:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

The idea is to get rid of the warning message the right way…heh. (It's a VM, so it is either RDP or the VMware console ... Microsoft Remote Desktop behaves better, so ....) If I wanted to fix this, could I issue a (second) certificate (with the hostname/FQDN of the machine) into the Computer store? I'm trying to set up Remote Desktop Gateway (Terminal Service Gateway) on a virtual Windows Server 2012 R2. "This computer can't connect to the remote computer because the Terminal Services Gateway server's certificate is expired or revoked." When I click OK and try to connect again immediately, I can connect. Main security reason: Someone could have hijacked it. The initial issue was that there "was a problem with the remote computer". I added the DWORD "RDGClientTransport" to the registry and set the value to 1 on the client PC.
If you have users connecting externally, this needs to be an external name (it needs to match what they connect to). I’m going to go through a few scenarios where the warning messages can be displayed, and then how you can remediate them THE SUPPORTED WAY. Why not, you ask? Image2 shows the OID for the custom EKU of Remote Desktop Authentication. If I did, please feel free to ask! RDP - 'The remote computer requires Network Level Authentication, which your computer does not support.' Professor Robert McMillen shows you how to bypass an RD Gateway in Windows 10 Remote Desktop. "Contact your network administrator for assistance." But this, technically, doesn't place an RDP certificate in the correct, or rather the more "correct", place. Now I get "This certificate has been revoked and is not safe to use", and "You may not proceed due to the severity of the certificate errors". Copy that file from Remote Desktop Connection Manager to the server running the Remote Desktop Web role. It kind of bothers me that I get a certificate warning when I RDP into my non-domain-bound offline root CA. What you're inquiring about is a bit different than what this post was geared to address. It was working perfectly fine until the RDP gateway certificate expired back in December. I tried to think of all the scenarios I personally have come across in my experiences throughout the past 25 years, and I hope I didn’t miss any. Here in the fall, in the Ozark Mountains area, the colors of the trees are just amazing! Remember, certificates you deploy need to have a subject name (CN) or subject alternate name (SAN) that matches the name of the server that a user is connecting to! Before, we used Windows 10 1607 and all worked well. The root cert is in there .... that won't cause a problem, will it? Answer: If autoenrollment is configured and the template is configured to auto-enroll “domain computers” then, Yes.
You can enhance the security of RD Session Host sessions by using Secure Sockets Layer (SSL) Transport Layer Security (TLS 1.0) for server authentication and to encrypt RD Session Host communications. As soon as this policy is propagated to the respective domain computers (or forced via gpupdate.exe), every machine the GPO is scoped to that allows Remote Desktop Connections will use it to authenticate RDP connections. However, to enable a solution where the user can connect to the apps or desktops that you have published for them from ANY device and from ANYWHERE, you eventually need to deploy certificates. A technicality, I admit, but Microsoft has had many years to properly develop these PKI pieces. It seems that when RDS tries to access the company file, QB is validating the digital signature certificate with its issuer to check whether the certificate has been revoked. This will install the machine’s certificate accordingly on the local machine, so the next time you RDP using the remote machine’s name, the warning vanishes. You can stop reading now. Not sure what you mean by manual process, I have a "few" RDS deployments fully automated with LetsEncrypt certificates. And in case you’re wondering, yes…that’s a supported solution. See! There’s also a lot of misleading information out there on the internet… Being a PKI guy myself, I thought I’d chime in a bit to help the community. Are they willing to accept the additional risk? The client machine you’re trying to establish the RDP session from doesn’t have the remote machine’s self-signed certificate in the local Trusted Root CA certificate store. The hotfix has a prerequisite. I am writing this blog post to shed some light on the question of “How come we keep getting prompted with warning messages about certificates when we connect to machines via RDP?” A couple of examples you might see when running the Remote Desktop Connection Client (mstsc.exe)… Remote Desktop Connection (RDP) - Certificate Warnings.
If you are receiving an error message "Your computer can't connect to the Remote Desktop Gateway server." And because of this, it's giving an unknown computer, as the cert being presented is an internal cert, not the public cert and DNS we are using. However, what should be done is making sure the remote computers are properly authorized in the first place. In Windows 2012 / 2012 R2, you connect to the connection broker, and it then routes you to the collection by using the collection name. ADCS - https://gallery.technet.microsoft.com/Windows-Server-2016-Active-165e88d1, RDS Farm - https://gallery.technet.microsoft.com/Windows-Server-2016-Remote-ffc383fe. I very much appreciate this post, and the details and examples are very helpful. Certificate contents. We HIGHLY recommend you have an internal PKI/ADCS deployed in your environment. Technically speaking, your wildcard certificate should be fine as long as the *.acme.com entry is in the SAN field...AND...the internal FQDNs of servers are also acme.com. Original product version: Windows Server 2012 R2. Original KB number: 3042780. Depending on the template settings, you could create duplicates over and over again inside AD. Now that you have created your certificates and understand their contents, you need to configure the Remote Desktop Server roles to use those certificates. Normally when deploying ADCS, certificate autoenrollment is configured as a good practice. Keep in mind the requirements of certificates that RDS uses. Now that you have the certificate requirements, you’ll want to create a custom certificate template with the above EKU settings (or none…but I’ve always used Server Auth or RDA). And I can't remote in until I replace the certificate. To keep the CA from handing out a ton of certs from multiple templates, just scope the template permissions to a security group that contains the machine(s) you want enrollment from.
Double check the template settings and certificate lifetimes. ... On the RD Connection Broker server, obtain the certificate used for Remote Desktop connections and export it as a .cer file. From a security / PKI perspective, wildcard certs aren't generally recommended. On the Connection Broker, open the Server Manager. The roles themselves handle all that. If the session hosts are handing out their self-signed certs rather than the wildcard cert in your deployment properties, there's a problem in your configuration somewhere. In Windows 2008 and Windows 2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, then to the connection broker, and finally to the server that hosts your session. I then created a GPO called “RDP Certificate” and linked it at the domain level. Microsoft has made the needed certificate store parts available but has developed no way to utilize them with Microsoft PKI, auto-enrollment, or GPOs (outside of the Computer certificate store, short of running scripts and using registry keys). No idea where to go here, especially since it is only on random computers. And for all our sanity, do NOT mess with the security level and encryption level settings! Install the Windows 10 update KB4025334 on the Remote Desktop Gateway. If you want to use a certificate other than the default self-signed certificate that RDP creates, you must configure the RDP listener to use the custom certificate…just installing the cert isn’t enough. However, this is a problem because we have terminal clients connecting (so they act more like a Windows PC using MSTSC.EXE). Windows is trying to make RDP secure, doing all sorts of mutual authentication things with X.509 certificates. Re: Windows Virtual Desktop - Your computer can't connect to Remote Desktop Gateway server @christianmontoya I am experiencing the same issue and the.
This set the Certificate Level as "trusted" with a status of "OK" for all four role services. Kristin Griffin wrote an excellent TechNet article detailing how to use certificates and, more importantly, why for every RDS role service. The certificates you deploy need to have a subject name (CN) or subject alternate name (SAN) that matches the name of the server that the user is connecting to. The obvious problem is that it's saying we're logging into "ext-gwname.domain.com" and "int-shname.domain.com". Make a note of the certificate template used for the enrollment of certificates that are issued for OTP authentication. The first one is a guide on how to build out an Active Directory Certificate Services (ADCS) lab, and the second link is for building out an RDS Farm in a lab. The server keeps enrolling for a new RDP certificate each time it reboots and on running gpupdate /force. Hi Will! It talks about proper SAN names to include for external and internal naming for the 2012 / 2012 R2 RDS server roles. That resolved that issue, but now I get "The remote desktop gateway server's certificate is expired or has been revoked." Remote Desktop Services (RDS) is one of the components of Microsoft Windows that allows users to access a remote computer or virtual machine over a network connection. Create a new GPO at the domain level (or OU...and don’t use the Default Domain Policy…bad practice), then edit it. On which server(s) are your Web Access roles installed? If needed, refer to this article for additional info on configuring the RDP listener for WS2012 / 2012 R2. HA! Remember, by default the local Remote Desktop Protocol will use the self-signed certificate…not one issued by an internal CA…even if it contains all the right information. Just because it’s trusted doesn’t guarantee warnings are forever gone.
PRO TIP: For most scenarios where the client is not domain-joined but connecting via RDP to a machine that IS domain-joined, you should probably be using an RD Gateway…since in those scenarios the client is coming in externally anyway. Contact your network administrator for assistance. If so, make sure the wildcard SAN is correct. To recap…DON’T try to establish an RDP connection using an IP address. For instance, just because a machine with autoenrollment enabled acquires a computer certificate from an ADCS issuing CA doesn’t mean RDS will use it automatically. Windows - "Your computer can't connect to the Remote Desktop Gateway server." Sure, it can be perceived as a hassle sometimes, but dog gone it…don’t just click through it without reading what it’s trying to tell you in the first place! "For Single Sign On, the subject name needs to match the servers in the collection.” I have tried on different computers and different versions of Windows (XP, Vista, 7). 😊 If simply changing HOW you connect via RDP to machines (names vs IP address) fixes your problem…congrats! Regarding point (A), there appears to be no way to automate a certificate install to that node in the Computer certificate store. Devil’s in the details! At this point, typically this is because the self-signed certificate each server generates for secure RDP connections isn’t trusted by the clients. The option you want to set is “Server Authentication certificate template.” Simply type in the name of your custom certificate template, and close the policy to save it. But when they connect in via the internet, they are getting prompted. I have uninstalled the old certs from my certificate manager console, and installed the new certificates. Just remember the principles are the same.
I am receiving the message "Your computer can't connect to the remote computer because the Remote Desktop Gateway's server's certificate has expired or has been revoked" when trying to access a TS. Can anyone point me in the right direction as to what I’m doing wrong? But now the website is secure and users can log in without any issue and all that but... they get that publisher message every time they launch their apps... Am I missing something? This blog is intended for Remote Desktop Gateway (RD Gateway) users who want to turn on certificate revocation checking on the RD Gateway client as a security best practice. This article describes the methods to configure listener certificates on a Windows Server 2012-based or Windows Server 2012 R2-based server that is not part of a Remote Desktop Services (RDS) deployment. RDP is doing the same thing. Microsoft wants you to be warned if there’s a potential risk of a compromise. Let’s say Remote Desktop Services has been fully deployed in your environment. An RD Gateway server is configured with a server authentication certificate that is used for authenticating and securing the communication between the RD Gateway client and the RD Gateway server. If you're managing that server, it is on you. Solution for this scenario – Export the remote machine’s certificate (no private key needed) and create a GPO that distributes the self-signed certificate from the remote machine to the local machine. If you use CNAME (alias) DNS records in your environment, DO NOT try to connect to a machine using the CNAME entry unless that CNAME exists on the certificate. Let’s be clear on one thing: The warning messages / pop-ups that end users see connecting via RDP are a GOOD THING.
The certificate template display name and name are both the same. Simply double-click the . Do external users need the wildcard cert installed on their home machine as well? Hitting the RDWeb server and opening a collection will take you to the gateway to process any conditional policies, then pass it to the broker for directing to the proper session host. In this instance, all users and machines can be configured to automatically enroll for a certificate, provided a published template’s permissions are set correctly. Offline Root CA certificate and template.