For 2012 / 2012 R2: You can use a single certificate for all the roles if your clients are internal to the domain only, by generating a wildcard certificate (for example, *.CONTOSO.com) and binding it to all roles. An RD Gateway server is configured with a server authentication certificate that is used for authenticating and securing the communication between the RD Gateway client and the RD Gateway server. Are they willing to accept the additional risk? Basically, the right certificate with the appropriate corresponding GPO settings for RDS to utilize…and that should solve the warning messages. Image2 shows the OID for the custom EKU of Remote Desktop Authentication. Then they can avoid the prompt. Import the remote machine's certificate into a new GPO at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. So how do we remedy that? Certificate contents. Manual enrollment is a bit time consuming, so I prefer the autoenrollment functionality here. DO use RDS. We have a GW, CB, and 3 SH servers. Re: Windows Virtual Desktop - Your computer can't connect to Remote Desktop Gateway server @christianmontoya I am experiencing the same issue and the ... On the RD Connection Broker server, obtain the certificate used for Remote Desktop connections and export it as a .cer file. Remote Desktop Services has not been deployed, but we do have an internal PKI. Original product version: Windows Server 2012 R2. Original KB number: 3042780. The "Publish to AD" option in a template does just that: it makes a copy of the cert and stores it in the object's attributes. If so, make sure the wildcard SAN is correct.
Or you will use multiple certs if you have both internal and external requirements. Sure, it works…but guess what? This will install the machine's certificate accordingly on the local machine, so the next time you RDP using the remote machine's name, the warning vanishes. Simply double-click the ... Now that you have created your certificates and understand their contents, you need to configure the Remote Desktop Server roles to use those certificates. Kristin Griffin wrote an excellent TechNet article detailing how to use certificates and, more importantly, why, for every RDS role service. In the Configure the deployment window, click Certificates. Microsoft should be enabling the use of the certificate store for the service via GPO. Both of course feature the amazing new Windows Server 2016, and they are spot on to help you avoid this first scenario. 09/08/2020; 4 minutes to read. Windows - "Your computer can't connect to the Remote Desktop Gateway server." Although technically achievable, using self-signed certificates is normally NOT a good thing, as it can lead to a never-ending scenario of having to deploy self-signed certs throughout a domain. The server and the CA are running Server 2012 R2. (It's a VM, so it is either RDP or the VMware console ... Microsoft Remote Desktop behaves better, so ....) If I wanted to fix this, could I issue a (second) certificate (with the hostname/FQDN of the machine) into the Computer store? But when connecting over the internet (from a Win7 RDP client) I get an error: Your computer can't connect to the remote computer because the Remote Desktop Gateway server address requested and the certificate subject do not match. Go and read that article thoroughly.
Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Session Host -> Security. This is to ensure that ONLY certificates created by using your custom template will be considered when a certificate to authenticate the RD Session Host server (or machine) is automatically selected. What I mean is that there is (A) a node in the Windows Computer certificate store for the self-signed certificate which is specific to the "Remote Desktop Services" service on Windows-based OSes and which is automatically used for RDP, and (B) a certificate store specific to services running on the OS platform, and specifically for the "Remote Desktop Services" service. The Let's Encrypt cert gets automatically renewed about every 2 months on the server; is there a way to automatically update it on the connecting client too, or do I always have to make an export and send it to the customer again? It talks about proper SAN names to include for external and internal naming for the 2012 / 2012 R2 RDS server roles. And for all our sanity, do NOT mess with the security level and encryption level settings! I bet you could script it via PowerShell to speed things up a bit, but it is still more-so a manual thing. Fix: Your Computer Can't Connect to the Remote Desktop Gateway Server. And I can't remote in until I replace the certificate. That resolved that issue, but now I get "The Remote Desktop Gateway server's certificate is expired or has been revoked." How do we do that? Click Remote Desktop Services in the left navigation pane.
Connecting To Your Server Using Remote Desktop Protocol (RDP): "Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked." And in this scenario, where the RDS roles aren't deployed, the subject name will typically be the machine's name…configure the certificate template to pull the subject name from AD. Contact your network administrator for assistance. Now I get "This certificate has been revoked and is not safe to use", and "You may not proceed due to the severity of the certificate errors". If needed, refer to this article for additional info on configuring the RDP listener for WS2012 / 2012 R2. When attempting to remote desktop into an RDS gateway server, we are receiving the following error: https://www.experts-exchange.com/questions/28581853/Remote-Desktop-Gateway-connection-intermittent-with-certificate-error.html. Translation: only the cert that came from your custom template will be used when someone connects via RDP to a machine…not the self-signed certificate. But perhaps it's not a domain-joined client…in that case, get the appropriate certificate(s) installed on your local machine to have a valid chain of trust and eliminate that possibility. Windows is trying to make RDP secure, doing all sorts of mutual authentication things with X.509 certificates. Next, check the certificate(s) that are being used to ensure they contain the proper and accurate information. You can enhance the security of RD Session Host sessions by using Secure Sockets Layer (SSL) Transport Layer Security (TLS 1.0) for server authentication and to encrypt RD Session Host communications. I'm also going to assume that whoever is reading this knows a bit of PKI terminology. If I lost you, please feel free to ask! No idea where to go here, especially since it is only on random computers.
The initial issue was that there "was a problem with the remote computer". I added the DWORD "RDGClientTransport" to the registry and set the value to 1 on the client PC. If simply changing HOW you connect via RDP to machines (names vs. IP address) fixes your problem…congrats! If you use CNAME (alias) DNS records in your environment, DO NOT try to connect to a machine using the CNAME entry unless that CNAME exists on the certificate. I always recommend configuring certificate templates to use specific security groups. Choose the option that fits your business needs...what does your security team say? However, this is a problem because we have terminal clients connecting (so they act more like a Windows PC using MSTSC.EXE). I have uninstalled the old certs from my certificate manager console and installed the new certificates. (There are several articles that walk you through this process if you haven't done so already - here and here.) If the session hosts are handing out their self-signed certs rather than the wildcard cert in your deployment properties, there's a problem in your configuration somewhere. Additionally, the security risk to your environment is elevated…especially in public sector or government environments. I'm trying to set up Remote Desktop Gateway (Terminal Services Gateway) on a virtual Windows Server 2012 R2. We have purchased a wildcard certificate for *.acme.com from a public CA, which we should be able to use for machines on our internal domain. Just take the time to plan / lab things out before deploying to production…. The behavior you're seeing has to do with how the RDS roles process the traffic/certs. Unless there are security requirements that they must meet, most organizations don't deploy certificates for systems where they are simply enabling RDP to allow remote connections for administration, or to a client OS like Windows 10.
If only it were that easy! Internal CA with a certificate based on Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2). I can get to https://rdweb.external.domain.nl and see all RDS RDWeb apps without certificate warnings. DO use the correct naming. There's no problem when connecting via RD Web Access. The certificate for RDWeb needs to contain the FQDN or the URL, based on the name the users connect to. Wildcards for remote applications are fine to use within the configurations of the RDS environment. It's always best to use a custom certificate template, and not the default ones. I have specified the template name in group policy via the Server Authentication certificate template setting. Regarding point (B), there is no strictly GPO-based method of getting a special certificate into the certificate store for the "Remote Desktop Services" service. Remote Desktop Connection (RDP) - Certificate Warnings. I had to do custom scripting to secure LDAP, and it seems that the same mechanism is needed for RDP. The server keeps enrolling for a new RDP certificate each time it reboots and on running gpupdate /force. Happy RDP'ing, everyone! I manually verified whether the certificate is revoked; it seems the certificate is not revoked, but the CA is giving a generic message of an expired certificate… Now we get to the meaty part (as if I haven't written enough already). Neither can Kerberos, for that matter. (I strongly urge you to do research though!) I was hoping for some input on our deployment... we are not using internal PKI for the RDS farm. Once I got the .pfx file, I copied it over to the Gateway server and imported it into the local computer's certificate repository. Next, we configure Group Policy. Manual = no built-in automation, hence why I also mentioned scripting via PowerShell. For example, for Publishing, the certificate needs to contain the names of all the RDSH servers in the collection. Where certificates are deployed is all dependent upon what your environment requires.
The certificates you deploy need to have a subject name (CN) or subject alternative name (SAN) that matches the name of the server that the user is connecting to. Okay, this scenario is a little like the previous one, except for a few things. The certificate template display name and name are both the same. Scenario 3: Remote Desktop Services Roles have been deployed, you have ADCS PKI, and you're experien... https://technet.microsoft.com/en-us/library/ff458357.aspx. Microsoft wants you to be warned if there's a potential risk of a compromise. Next step: open RD Gateway Manager, right-click the server's name and choose Properties. However, what should be done is making sure the remote computers are properly authorized in the first place. First published on TechNet on Dec 18, 2017. In this instance, all users and machines can be configured to automatically enroll for a certificate, provided a published template's permissions are set correctly. When it comes to WS2012 and WS2012 R2, however, it gets easier and a bit less complicated. Technically speaking, your wildcard certificate should be fine as long as the *.acme.com entry is in the SAN field...AND...the internal FQDNs of the servers are also acme.com. The idea is to get rid of the warning message the right way…heh. "This computer can't connect to the remote computer because the Terminal Services Gateway server's certificate is expired or revoked." When I click OK and try to connect again immediately, I can connect. I very much appreciate this post, and the details and examples are very helpful. To answer your specific question...any non-domain-joined Windows device will always use a self-signed certificate unless explicitly configured.
Hello everyone! However, RDP does not provide authentication to verify the identity of an RD Session Host server. Do external users need the wildcard cert installed on their home machine as well? The roles themselves handle all that. Auto-enrollment certainly is not supported. If you have users connecting internally to RDWeb, the name needs to match the internal name. Needless to say, any security professional would have a field day with this practice in ANY environment. DO NOT JUST HACK THE REGISTRY TO PREVENT WARNING PROMPTS FROM OCCURRING. RDP - 'The remote computer requires Network Level Authentication, which your computer does not support.' HA! So, RDP asks you to make sure you want to connect, since it can't verify that this is really the machine you want to connect to. "Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked." It was working perfectly fine until the RDP gateway certificate expired back in December. In Windows 2012 / 2012 R2, you connect to the connection broker, and it then routes you to the collection by using the collection name. Warning went POOF! Remote Desktop Services relies on having a valid certificate being used by all the services on all servers, or on having a self-signed certificate that is pushed to all workstations that will be used, so the connection is trusted. Her article details RDS certificates for Server 2008 R2, GPO settings, etc. But I'm not going to completely go off on a PKI best practices rant here…that's for another day. "Contact your network administrator for assistance." I have tried on different computers and different versions of Windows (XP, Vista, 7).
Remember, certificates you deploy need to have a subject name (CN) or subject alternative name (SAN) that matches the name of the server that a user is connecting to! Just remember they are guides for LAB environments. I realize this is perhaps geared more toward Terminal Services, but for Windows systems, I would assert this is not, technically, the proper setup. Just because it's trusted doesn't guarantee warnings are forever gone. I can't tell you how many times we've seen customers manually change registry settings or use other hacks to avoid the warning prompts. Now, when I visit our deployment from an external host (https://rdp.acme.com/rdweb) and RDP to one of my host collections, I still receive a certificate error from the broker: it shows that "broker.acme.com" is still using a self-signed certificate. This blog is intended for Remote Desktop Gateway (RD Gateway) users who want to turn on certificate revocation checking on the RD Gateway client as a security best practice. Furthermore, when you look at the self-signed certificate, it only has the "Server Authentication" enhanced key usage, not the RDP OID. Certificate auto-enrollment is not enabled. Of course, as soon as I tried to connect using the correct machine name, it connected right up as expected. Regarding point (A), there appears to be no way to automate a certificate install to that node in the Computer certificate store. If I'm reading this correctly, you have a wildcard certificate installed on servers people are trying to RDP to. I've seen this happen when remote devices are things like BYOD, and they simply need to trust the CA chain in order for it to work properly. Fixes an issue in Windows Server 2008 R2 in which some IIS clients cannot connect to the Remote Desktop Gateway service. But now the website is secure and users can log in without any issue and all that, but... they get that publisher message every time they launch their apps...
Am I missing something? Keep in mind the requirements of the certificates that RDS uses. Now that you have the certificate requirements, you'll want to create a custom certificate template with the above EKU settings (or none…but I've always used Server Authentication or Remote Desktop Authentication). PRO TIP: For most scenarios where the client is not domain-joined but is connecting via RDP to a machine that IS domain-joined, you should probably be using an RD Gateway…since in those scenarios the client is coming in externally anyway. If you continue to have issues in this particular situation, I advise you to open a case with CSS. So when using MSTSC.EXE on the outside, we get prompted about the certificate. The certificate has a corresponding private key. Let's say Remote Desktop Services has been fully deployed in your environment. IT life is much better when you have ADCS or some other PKI solution deployed in an organization. After updating my Windows 10 to the Creators Update (1703), it's not possible to connect to a server over RDP with Remote Desktop Gateway (RDG). If you are receiving the error message "Your computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance."... The hotfix has a prerequisite. Talk about a management overhead nightmare! Should the server automatically renew the certificate once it enters the renewal period specified on the template? Or can it not be done with a wildcard? The name you're trying to connect to must exist on the certificate!
Sure, it can be perceived as a hassle sometimes, but dog gone it…don't just click through it without reading what it's trying to tell you in the first place! Not sure what you mean by manual process; I have a "few" RDS deployments fully automated with Let's Encrypt certificates. Remote Desktop listener certificate configurations. You people reading this right now wouldn't be here if it were that easy, right? I can now no longer connect to the servers behind that gateway. The default settings are the most secure. DO use an internal PKI and/or GPOs. Begin with this article here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn... Keep in mind how RDS works. However, to enable a solution where the user can connect to the apps or desktops that you have published for them from ANY device and from ANYWHERE, you eventually need to deploy certificates.