Windows – Server address requested and the certificate subject do no match

rdpremote-desktop-servicesssl-certificatewindowswindows-server-2012-r2

I'm trying to setup Remote Desktop Gateway (Terminal Service Gateway) on virtual Windows Server 2012 R2. But when connect over internet (from Win7 RDP client) getting an error:

Your computer can't connect to the remote computer because the Remote Desktop Gateway server address requested and the certificate subject do no match.

Here's my configuration:

Host is running Windows Server 2008 R2 Std
RDG is running Windows Server 2012 R2 Std virtually (I also tried 2008 R2 with equal result)
AD is virtual also (dc.domain.local, etc.)
Host is server.domain.local
Host is running RRAS with NAT so port host:33899 is forwarded to rdg:3389
RDG is rdg.domain.local
RDG uses self-signed SSL certificate for example.com set in Gateway Manager:

Whatever name I would use for SSL certificate, client sees it with Subject=rdg.domain.local!

enter image description here

I also tried create a self-signed certificate manually using makecert and use/import it but with equal result.

Best Answer

Apparently MS botched the instruction somewhat.

I believe you need to create the cert request in iis manager on the rdg gateway computer. The request needs to specify the fqdn used by the clients to connect over the internet. For processing the request signing you use a CA trusted by your client computers. If you have full control over the client computers you can use your own CA, as long as they trust your CA root certificate. Otherwise use a commercial CA such as Verisign, Thawte or such. After importing the signed cert to iis it should be available for import to your rdg gateway.

It is all documented in the official guide: http://technet.microsoft.com/en-us/library/dd983941%28WS.10%29.aspx

including the helpful if ranting comment at the bottom of http://technet.microsoft.com/en-us/library/dd983949(v=ws.10).aspx

And except apparently this little detail: http://blog.xiquest.com/2010/01/rd-gatewayweb-access-outside-the-firewall/

"Open up “IIS Admin” console from the “Administrative Tools” menu. Navigate to the default web site and configure the “Application Settings” for “Default Web Site\RDWeb\Pages“. Change the following setting: “DefaultTSGateway” = [fqdn of Internet accessible TS Gateway]

Note: make sure this is also the server name listed on your SSL certificate."

I'll tidy up this post as soon as I get behind a proper computer.

Related Solutions

How to setup RD Gateway on the same server as TMG

Well, first of all don't use port 443, that's the default SSL port. If you use a different port for RDP (your explanation doesn't ring true with me - I've never seen an ISP that filters port 3389, but I suppose anything's possible), then you should at least use a port that's not also in use by a common protocol or service.

Second of all, TMG lets you configure a Remote Access VPN. This is what you probably should be doing instead of, or in addition to setting up a Remote Desktop Gateway.

Third, sounds like you'd benefit from hiring an experienced Windows SA to set this up for you, even if only on a contract or consultant basis.

Ssl – Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode

It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.

UPDATE: Here's a generalized Powershell solution that grabs and sets the thumbprint of the first SSL cert in the computer's personal store. If your system has multiple certs, you should add a -Filter option to the gci command to make sure you reference the correct cert. I've left my original answer intact below this for reference.

# get a reference to the config instance
$tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

# grab the thumbprint of the first SSL cert in the computer store
$thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint

# set the new thumbprint value
swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}

In order to get the thumbprint value

Open the properties dialog for your certificate and select the Details tab
Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
Remove all the spaces from the string. You'll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It's not visible in Notepad.
This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or if PowerShell is your thing, you can use this instead:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Note: the certificate must be in the 'Personal' Certificate Store for the Computer account.

Best Answer

Related Solutions

How to setup RD Gateway on the same server as TMG

Ssl – Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode

Related Topic