30 August 2010

Configuring Remote Desktop Certificates and Eliminating Certificate Warnings

We have all been faced with the annoying warning message when connecting to an RDP server: a warning about a certificate, yada yada yada...

If we have a closer look at it we can see what it is actually moaning about.



"The identity of the remote computer cannot be verified. Do you want to connect anyway?"
This tells us what the problem is, but we need to look a little further down to see why it cannot verify the identity.

The Certificate name section is correct - the server name and domain are correct, so why the warning? We need to look further down.
The Certificate errors section informs us that "The certificate is not from a trusted certificate authority."

To view the offending certificate click on the "View Certificate..."  button.



The "Issued to:" line is fine. The problem comes with "Issued by:". If the certificate is issued by a trusted Certificate Authority, you will not get this warning.

Cool - so now we know what the problem is and why there is a problem.

Let's go about fixing it.

There is a very detailed article here: http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

Basic steps are:
Configure the correct Certificate Template on your internal Certificate Authority.
Either manually enroll your server for a cert, or set Group Policy to auto-enroll. The latter is the recommended option.
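
Once the server has enrolled, it is worth confirming that the RDP listener is actually presenting the CA-issued certificate and not the old self-signed one. The following is an added example, not part of the original post or the linked article; the function names Get-RdpListenerCertificate and Test-RdpCertificate are hypothetical, and it assumes PowerShell 3.0 or later run elevated on the RDP server. It checks trust from the server's point of view, so connecting clients must also trust the issuing CA.

```powershell
# Added example: report which certificate the RDP listener presents
# and whether it chains to a trusted root on this machine.

function Get-RdpListenerCertificate {
    # Win32_TSGeneralSetting holds the thumbprint bound to the RDP-Tcp listener.
    $setting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $setting.SSLCertificateSHA1Hash
    if (-not $thumb) { throw 'No certificate thumbprint is bound to RDP-Tcp.' }

    # The auto-generated self-signed certificate lives in the "Remote Desktop"
    # store; CA-issued certificates are normally enrolled into Personal (My).
    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop'
    $cert = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } |
        Select-Object -First 1
    if (-not $cert) { throw "Certificate $thumb not found in the local machine stores." }
    return $cert
}

function Test-RdpCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Build the chain against this machine's trust stores (includes revocation checks).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        Thumbprint   = $Certificate.Thumbprint
        NotAfter     = $Certificate.NotAfter
        # Subject equal to Issuer means the listener still uses a self-signed cert.
        SelfSigned   = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-RdpCertificate -Certificate (Get-RdpListenerCertificate)
```

A correctly enrolled server shows your internal CA as the Issuer, SelfSigned as False and ChainTrusted as True; any other result means the warning will still appear.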


So great. We have avoided one annoying security prompt, what's the big deal? Well, the big deal comes when you start publishing your servers and they need to be connected via a Remote Desktop Connection Broker, a Remote Desktop Gateway, or through a UAG or TMG publishing rule. These security warnings can cause all sorts of problems, from breaking Single Sign On (SSO) to preventing your connection from being established at all.

Don't believe me? Check out: http://blogs.technet.com/b/fsl/archive/2010/07/15/issues-with-remoteapp-and-remote-desktop-publishing-through-uag.aspx

2 comments:

john white said...

It says "certifying authority" you say certificate authority. Also think you mean from not form in last proper paragraph.

Etienne Liebetrau said...

As John points out -- in most cases CA can refer to Certificate Authority, but in actuality, as a function, it is the Certifying Authority
