RDP Certificate Distribution Points

Tags: certificate, certificate-authority, microsoft-forefront, pki, ssl-certificate

I am receiving the message "Your computer can't connect to the remote computer because the Remote Desktop Gateway's server's certificate has expired or has been revoked" when trying to access a TS gateway server published through Forefront. The certificate in use is from my internal enterprise CA.

As far as I can tell the types line up and the entire chain can be validated properly.
Nothing interesting shows up in the system logs for my TS, TS Gateway, Forefront or client. The only thing I can think of is that it is some kind of validation problem. I'm not sure where or how to diagnose further.

EDIT – I verified that the certificate path on my server is good with the following.

certutil -verify -urlfetch mycert.cer
....
Verified Issuance Policies: None
Verified Application Policies:
   1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

The same certificate in use within IIS is also in use in the TS Gateway screen.

EDIT – the client is running Windows 7, mstsc version 6.1.7601.17514.

EDIT – Interesting... it sounds like RDP needs to have OCSP enabled in order to do CRL lookups. http://www.experts-exchange.com/Networking/Security/Q_25072298.html

Best Answer

Either:

  1. The client doesn't have the CA root certificate installed on their computer, in the Trusted Root Certification Authorities store.
  2. The CRL URL in the certificate can't be resolved by the client, or returns an outdated CRL.

By default MS CAs are configured to publish CRLs only to AD, which is not accessible from the outside world. MSTSC 6.0+ will return this error if a CRL URL is specified and the client can't retrieve the CRL.
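The question's certutil -verify -urlfetch run happened on the server, which sits where the AD-published CRL is reachable; the second cause above only shows up from the client's network position. The script below is an added example (not part of the question or the answer) that reproduces, from the client, the checks the answer's two causes call for: it builds the chain with online revocation checking the way CryptoAPI does for mstsc, lists every CDP and AIA URL in the certificate, and for each HTTP URL downloads the object and has certutil -dump report its NextUpdate so an outdated CRL is distinguishable from an unreachable one. It uses only .NET and certutil so it runs on the Windows 7 / PowerShell 2.0 client described in the question. The path in $CertPath is a hypothetical placeholder for the exported gateway certificate.

```powershell
# Added example, not from the original question or answer. Run on the failing
# client against the gateway's exported .cer. Assumptions: $CertPath is a
# hypothetical path; the client has plain HTTP egress for CRL download.
param(
    [string]$CertPath = 'C:\temp\mycert.cer'   # hypothetical path to the exported certificate
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Build the chain the way CryptoAPI does for mstsc: online revocation checking
#    over the entire chain. The status flags name the cause directly:
#      UntrustedRoot                           -> root CA missing from Trusted Root Certification Authorities
#      RevocationStatusUnknown / OfflineRevocation -> CRL (or OCSP) could not be retrieved
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$built = $chain.Build($cert)
Write-Host ("Chain builds cleanly: {0}" -f $built)
foreach ($status in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}

# 2. Collect every CRL Distribution Point (2.5.29.31) and Authority Information
#    Access (1.3.6.1.5.5.7.1.1) URL from the leaf. ldap:/// entries are the
#    "published only to AD" case: resolvable on the domain, dead outside it.
$extOids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
$urls = @()
foreach ($ext in $cert.Extensions) {
    if (-not $extOids.ContainsKey($ext.Oid.Value)) { continue }
    # Format($true) renders the extension as multi-line text containing "URL=..." lines
    foreach ($m in [regex]::Matches($ext.Format($true), '(?i)\b(ldap|http|https|file):\S+')) {
        $urls += New-Object PSObject -Property @{ Kind = $extOids[$ext.Oid.Value]; Url = $m.Value }
    }
}

# 3. Fetch each HTTP URL from this client and let certutil -dump show NextUpdate,
#    so an expired CRL is reported as well as an unreachable one. Non-HTTP
#    schemes are reported as unreachable without trying (this client is off-domain).
foreach ($u in $urls) {
    if ($u.Url -notmatch '^https?:') {
        Write-Host ("{0} {1}  -> not reachable off-domain" -f $u.Kind, $u.Url)
        continue
    }
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        (New-Object System.Net.WebClient).DownloadFile($u.Url, $tmp)
        $dump = & certutil -dump $tmp
        $next = ($dump | Select-String -Pattern '^\s*NextUpdate:').Line
        Write-Host ("{0} {1}  -> downloaded {2} bytes; {3}" -f $u.Kind, $u.Url, (Get-Item $tmp).Length, $next)
    } catch {
        Write-Host ("{0} {1}  -> FAILED: {2}" -f $u.Kind, $u.Url, $_.Exception.Message)
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

If the chain reports UntrustedRoot, install the enterprise root in the client's Trusted Root Certification Authorities store; if it reports RevocationStatusUnknown or OfflineRevocation and the only CDP entries are ldap:///, the CA needs an HTTP CDP that external clients can reach, and the certificate has to be reissued after the CDP is added.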