Remote Desktop Services certificate expired
Renewing SSL certificates for RDS deployments when they expire
Prior to beginning, you'll need the new .pfx file and password for the renewed SSL certificate. You can find more details about exporting to .pfx here.

Before anything, you have to make sure you have all the servers in the deployment on the broker. Head to the top right and select "Manage", then "Add Servers". In the Add Servers dialogue there is no need to type anything; just click "Find Now" and it will load all the servers in the domain. Select any server in the list, press CTRL+A (on Macs, Command+A) to select them all, then hit the arrow in the middle of the two boxes and choose OK. Server Manager will take a bit to load all the information and refresh.

Once completed, head to "Remote Desktop Services" on the left side, then go to "Collections". On the far right, hit "Tasks", then "Edit Deployment Settings". Now select "Certificates" on the left to get to the "Manage Certificates" section.

Here we have the 4 services that work off the SSL certificate. You'll have to do the following steps for EACH of the 4 services to update them. Select any of the 4, then choose "Select existing certificate...". You'll use the second section, "Choose a different certificate". You'll be back at the Deployment Options screen; hit Apply at the bottom right, let it load, and repeat for the next 3 services. Once done, hit Apply one last time and then OK.

CREATE A NEW CERTIFICATE REQUEST:
SUBMIT YOUR CSR AND GET A NICE NEW CERTIFICATE:
INSTALL A CERTIFICATE ON THE TS/RD GATEWAY SERVER:
MAP A CERTIFICATE TO THE LOCAL TS / RD GATEWAY SERVER:
We had a customer report an issue with a hosted server last night. They were trying to RDP in to a hosted Windows Server 2008 machine from Vista PCs and were not able to. XP clients were fine. Here’s the error they got: “Remote Desktop cannot connect to the remote computer because the authentication certificate received from the remote computer is expired or invalid”. Windows is trying to make RDP secure, doing all sorts of mutual authentication things with X.509 certificates. The solutions I first saw were to renew a certificate from the PKI. Huh? This is a workgroup machine in an isolated/firewalled network. No go there sunshine!

The solution was to fire up the Certificates snap-in in MMC on the server for the local computer, browse to Remote Desktop and delete the certificate. This was because the cert was expired. Alternatively you can change the security of RDP from “SSL (TLS 1.0)” or “Negotiate” to “RDP Security Layer” to instruct RDP to abandon the certificate. This is done in the properties of RDP in the Terminal Services Configuration MMC. If the cert wasn’t expired then you should check that the time was correct on both the client and the server.
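
The Server Manager procedure at the top of this page (Edit Deployment Settings, then Certificates, repeated for each of the 4 services) can also be scripted. The following is an added example, not part of the original page: it checks the renewed .pfx before applying it, assigns it to each role service, and confirms the result. It assumes an elevated session on the connection broker with the RemoteDesktop module available; the broker name and .pfx path are placeholders.

```powershell
#Requires -Modules RemoteDesktop
# Added example: scripted equivalent of the "Edit Deployment Settings > Certificates" steps.
# The default values below are placeholders, not values from the page.
param(
    [string]$ConnectionBroker = 'rdcb.example.internal',     # placeholder broker FQDN
    [string]$PfxPath          = 'C:\Certs\rds-renewed.pfx',  # placeholder path to the renewed .pfx
    [int]$MinDaysValid        = 30                           # refuse certificates about to expire
)

# Prompt for the .pfx password so it never lands in the script or shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Inspect the .pfx first: a wrong password, a missing private key or an
# already-expiring certificate should stop the run before the deployment changes.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pfxPassword)
try {
    if (-not $cert.HasPrivateKey) {
        throw "No private key in $PfxPath; RDS cannot use this certificate."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
        throw "Certificate in $PfxPath expires $($cert.NotAfter); expected a renewed one."
    }
    $newThumbprint = $cert.Thumbprint
}
finally {
    $cert.Reset()   # release the key material loaded for inspection
}

# The four role services shown under Manage Certificates.
# Drop any role that this deployment does not have installed.
$roles = 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway'
foreach ($role in $roles) {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $pfxPassword `
        -ConnectionBroker $ConnectionBroker -Force
}

# Confirm every role now reports the renewed certificate.
$current = Get-RDCertificate -ConnectionBroker $ConnectionBroker
$current | Format-Table Role, Level, ExpiresOn, Thumbprint -AutoSize
$stale = $current | Where-Object { $_.Thumbprint -ne $newThumbprint }
if ($stale) {
    Write-Warning "Still on a different certificate: $($stale.Role -join ', ')"
}
```

Running `Get-RDCertificate` on its own beforehand shows the `ExpiresOn` date for each role, which is a quick way to see which services are still holding the expired certificate.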