Channel: Remote Desktop Services (Terminal Services) forum

RDS in Windows Server 2012 - Untrusted cert issue when connecting to the RDG


Hi guys,

I am migrating from a Windows Server 2008 R2 RDS deployment to Windows Server 2012 RDS. In fact, it's nearly complete except for a certificate issue that I can't seem to nail down. 

Issue:

Some client machines (Win7/8) are unable to connect through the new 2012 RDG due to an untrusted certificate error. Our users RDP through the RDG to either Windows remote servers or to a 2012 RDSH. No RemoteApps.

Symptoms:

Using mstsc.exe, here's the error that comes up right after entering creds when prompted:

'This computer can't verify the identity of the RD Gateway "publicA-record.domain.com". It's not safe to connect to servers that can't be identified. Contact your network administrator for assistance.'

There is no option to ignore, the user simply is not allowed to connect. This occurs for all remote servers they are trying to connect to.

There's a view certificate button on that msgbox, and here we see our wildcard cert with these notes:

"Windows does not have enough information to verify this certificate."

"The issuer of this certificate could not be found."

The certificate path on the wildcard certificate lists only itself. There should be three levels: itself, the intermediate CA, and root CA.

Notes:

We reused the same Entrust CA wildcard certificate from the old 2008 R2 RDG onto the new 2012 RDG. I used webdeploy to move the IIS site over. It required a password, so I am assuming that the cert's private key was copied over as well. (How can I administratively confirm this?)

All users can still connect to the old RDG without issue. Those that get the error above can connect to the new 2012 RDG after installing the Entrust intermediate CA cert. 

Interesting observation: on my Win8 machine, one user account can access both the old and new RDGs without issue. On the same machine, on another account, the untrusted cert issue above is seen. 

Here's our setup:

1x Server 2012 RDG

1x Server 2012 RDSH - also Connection Broker, Web Access (not used), and not in a farm configuration

Is there a certificate setting I missed? Really weird because everything looks right, and others are able to connect to the new RDG fine from the get-go. Are there changes in IIS8 or elsewhere in Server 2012 that would cause this?

Thanks!
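
Added example, not part of the original post: a PowerShell check, run in an elevated session on the new RDG, for the two things the post asks about, namely whether the migrated certificate has its private key and whether the issuing (intermediate) CA certificate is present in the gateway's local machine stores. The subject pattern `*domain.com*` and the function name `Test-GatewayCertificate` are assumptions for illustration; substitute the real wildcard subject.

```powershell
# Assumption: placeholder subject pattern; replace with the wildcard certificate's subject.
$SubjectPattern = '*domain.com*'

function Test-GatewayCertificate {
    param([Parameter(Mandatory = $true)][string]$Pattern)

    # Certificates installed for the computer account (the store services bind from).
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $Pattern }

    foreach ($cert in $certs) {
        # Look for the issuer in the local stores only (intermediate or root).
        $issuerInCA = Get-ChildItem -Path Cert:\LocalMachine\CA |
            Where-Object { $_.Subject -eq $cert.Issuer }
        $issuerInRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -eq $cert.Issuer }

        # Build the chain as this machine sees it; revocation is skipped so the
        # result reflects chain construction only.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            HasPrivateKey      = $cert.HasPrivateKey   # False: only the public cert was copied
            Issuer             = $cert.Issuer
            IssuerInLocalStore = [bool]($issuerInCA -or $issuerInRoot)
            ChainBuilds        = $built
            ChainLength        = $chain.ChainElements.Count  # 3 expected: leaf, intermediate, root
            ChainSubjects      = ($chain.ChainElements |
                ForEach-Object { $_.Certificate.Subject }) -join ' <- '
            ChainStatus        = ($chain.ChainStatus |
                ForEach-Object { $_.Status }) -join ', '
        }
    }
}

Test-GatewayCertificate -Pattern $SubjectPattern | Format-List
```

`HasPrivateKey : False` means only the public certificate made it across. `IssuerInLocalStore : False` means the intermediate CA certificate is not installed on the gateway, so the gateway has no intermediate of its own to include in the chain it presents to clients.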


