
Small RD setup via Server 2012 not working with certs from our internal CA

Hi,

I'm having trouble with a small installation of Remote Desktop which is supposed to be accessed from outside our network.  I'm using a Server 2012 system for all RD roles (TS, gateway, web access, and broker, although we shouldn't actually need the latter two).  This is the only 2012 system in the network; we have two DCs, 2008 and 2008 R2, and we have cert root and issuing authorities also on 2008 R2.  Our Internet-based clients trust our root cert and the PKI is working ok for other (non-RD) servers.

Things work fine if the "RD Connection Broker - Enable Single Sign On" certificate is a self-signed cert generated by Server Manager on the 2012 box.  However, if I assign a cert from our issuing CA to that role, it doesn't work.  Interestingly, it works fine if the *other* certs (RD Gateway, RD Web Access, and RD Connection Broker - Publishing) are from our CA.  (Now, when I say "works fine" I mean after ignoring a security warning on the client due to the Broker SSO cert not being trusted.)

The procedure I'm using for the certs is as follows:

1.  Make a cert template based on the "Web Server" 2008 built-in template with some straightforward changes, and make the issuing CA use the template.  Initially I had upped the crypto strength and made several extensions critical, but for troubleshooting I made a template without those changes and it still doesn't work.

2.  Request a new cert via the Certificates snap-in on the 2012 machine, on the local computer account.  Initially I was using a friendly name for the Subject CN and then using a DNS Alternative Name extension to give the 2012 box's external domain name.  To be more sure for testing, I used the external domain for the Subject CN and then also provided DNS Alternative Names for both the external and internal domains (which are subdomains of the same domain).  For crypto provider, we use "RSA,Microsoft Software Key Storage Provider" and disable the others.

Internet connections come in via some tricky DNAT but I don't think this is the problem as it works perfectly from outside with a self-signed cert for Broker SSO.  Only our internal DNS knows about the internal domain.

3.  Manually issue the cert on the CA.  (Our site is small and for security we require manual issuance for all certs.)

4.  Export the cert from the CA via PKCS #7, with the option to include all certs in the cert path, and then import this in the Certificates snap-in on the 2012 machine.

5.  On the 2012 box, export the private key via PKCS #12 and "include all certificates in the certification path if possible".  For troubleshooting I also tried "Export all extended properties" and it didn't fix the issue.  I'm exporting with password protection.

6.  In Server Manager->Remote Desktop Services->Overview, on the Deployment Overview, I pick Tasks->Edit Deployment Properties and use the "Select existing certificate..." button for the desired role on the Certificates page.

If the "RD Connection Broker - Enable Single Sign On" certificate is from our CA via the above procedure, then attempting to log on from the Internet gives an error on the client reading:

"Your computer can't connect to the remote computer because the Remote Desktop Gateway and the remote computer are unable to exchange policies.  This could happen due to the following reasons:
1. The remote computer is not capable of exchanging policies with the Remote Desktop Gateway.
2. The remote computer's configuration does not permit a new connection.
3. The connection between the Remote Desktop Gateway and the remote computer ended.
Contact your network administrator for assistance."

My test client is Windows 7 SP1, with (if memory serves) an update manually installed to upgrade it to RDP 8.

The logs on the client show nothing unusual.  In the System log on the Server 2012 box I get two errors:

ID 36874
An [sic] TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server.  The SSL connection request has failed.

followed by:

ID 36888
A fatal alert was generated and sent to the remote endpoint.  This may result in termination of the connection.  The TLS protocol defined fatal error code is 40.  The Windows SChannel error state is 1205.

I found some advice that this error may be the result of the cert not being a CNG cert.  The CA is 2008 R2, the domain has always been at least 2008 functional level (was originally 2008 and recently schema updated for 2008 R2), and only 2008 R2 CAs have ever been used on it.  I have furthermore verified by dumping the cert store that under CERT_KEY_PROV_INFO_PROP_ID, ProviderType and KeySpec are both zero, which in my understanding means this is a CNG cert.

To reiterate, the problem does *not* happen if I replace the "RD Connection Broker - Enable Single Sign On" certificate with a self-signed cert created by Server Manager.

The test cert I'm trying to use for RD Connection Broker SSO has the following info:

Version=V3
Signature algorithm=sha512RSA
Signature hash algorithm=sha512
Issuer=our issuing authority
Valid to=two weeks today (it's just for testing)
Subject=external.domain.com
Public key=RSA (2048 Bits)
Template=Test - Delete Please(1.3.6.1.4.1.311.21.8.5198179.16696210.7229373.7348787.5553704.31.11896299.7938212)
    Major Version Number=100
    Minor Version Number=2
Enhanced Key Usage=Server Authentication (1.3.6.1.5.5.7.3.1)
Key Usage=Digital Signature, Non-Repudiation [turned this on as a test], Key Encipherment, Data Encipherment (f0)
Application Policies=
    [1]Application Certificate Policy:
        Policy Identifier=Server Authentication
Subject Alternative Name=
    DNS Name=external.domain.com
    DNS Name=thebox.internal.domain.com

Forgive me if I'm missing something obvious - I'm not a full-time netadmin and I'm new to RD and PKI.  I hope someone can shed some light on this troublesome mystery.

Thank you,
Kevin
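A read-only diagnostic, added here as an example and not part of Kevin's post, that pulls together the checks described above (signature algorithm, the CERT_KEY_PROV_INFO_PROP_ID ProviderType/KeySpec values that distinguish a CNG key from a legacy CSP key, Subject/SAN/EKU) for one certificate in the machine store and compares its signature hash against the hashes Schannel is configured to allow for TLS 1.2. The thumbprint parameter and the registry location of the TLS 1.2 hash list are assumptions; run it on the 2012 box as an administrator.

```powershell
# Added diagnostic, not from the original post. Assumes the Broker SSO cert is
# in LocalMachine\My and is selected by thumbprint (placeholder value supplied
# by the caller, e.g. .\Check-RdCert.ps1 -Thumbprint <thumbprint>).
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Signature algorithm (the test cert in the post is sha512RSA).
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
Write-Host "Signature algorithm : $sigAlg"

# 2. Key provider info, as the post read it from the store dump:
#    CNG/KSP keys report ProviderType = 0 and KeySpec = 0; legacy CSP keys
#    report a non-zero ProviderType (e.g. 1 or 24) and KeySpec = 1.
$dump     = certutil -v -store My $Thumbprint 2>&1 | Out-String
$provider = [regex]::Match($dump, 'Provider = (.+)').Groups[1].Value.Trim()
$provType = [regex]::Match($dump, 'ProviderType = (\d+)').Groups[1].Value
$keySpec  = [regex]::Match($dump, 'KeySpec = (\d+)').Groups[1].Value
Write-Host "Key provider        : $provider (ProviderType=$provType, KeySpec=$keySpec)"
if ($provType -eq '0' -and $keySpec -eq '0') {
    Write-Host "  -> CNG (KSP) private key"
} else {
    Write-Host "  -> legacy CSP private key"
}

# 3. Names and usages the RD deployment wizard will see.
Write-Host "Subject             : $($cert.Subject)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { Write-Host "SAN                 : $($san.Format($false))" }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) { Write-Host "EKU                 : $($eku.Format($false))" }

# 4. Hashes Schannel allows for TLS 1.2 signatures. Assumed locations: the
#    policy key overrides the local default key; both hold a 'Functions' list.
$keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010003',
          'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003')
$allowed = $null
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).Functions
    if ($v) { $allowed = @($v); Write-Host "TLS 1.2 hash list   : $($allowed -join ', ') ($k)"; break }
}
# Flag a signature hash that is not in the list, e.g. sha512 vs SHA1/SHA256/SHA384.
$hash = ($sigAlg -replace 'RSA$', '').ToUpperInvariant()
if ($allowed -and ($allowed -notcontains $hash)) {
    Write-Warning "Signature hash $hash is not in the TLS 1.2 hash list; compare with event 36874."
}
```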
