Win2012 R2 - Problem with certificate in RDS Farm

Hello,

I installed an RDS farm in Windows 2012 R2 with 1 server acting as RDS Broker and WebApp, and 3 RDS Hosts. When we access the webapp site using the alias rds.company.com there is no warning about the certificate (internal CA). When we access a desktop by clicking on the collection name, there is a first warning like this:

And then one like this:

How do I make these messages disappear? Why is it not trusting the certificate if it trusts it for the web site?

Thanks in advance

Regards

April 24th, 2014 2:37am

Something I forgot to mention is that these two messages appear on computers that are not domain-joined. On domain-joined computers it is just the first message.

Thanks

Regards

April 24th, 2014 2:58am

Hi Sebastin,

The first warning is normal. It just tells the user he's about to connect to a server and which resources are mapped through that connection.

The second warning appears on non-domain-joined computers, and you're using an internal CA for certificates in your deployment.

To get rid of the second warning on non-domain-joined computers you need to add the CA's certificate to the local certificate store.

As for not getting the warning on the website itself: Not a clue. Are you using a browser with default settings? Have you tried accessing the website with different browsers and still no warning?

April 24th, 2014 7:22am

Hi Arjan,

On the non-domain-joined computer I had already loaded the internal CA cert in the Trusted Root Certification Authorities container. In fact, the web site, which uses the same cert, does not give any warnings.

About the first warning, is there no way to disable it? Anything on the client side? If I RDP directly to the server, this warning is not shown.

Thanks

Regards

April 24th, 2014 12:15pm
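The question above (the CA is trusted, the web site is clean, yet the RDP connection still warns) is easiest to settle by looking at the certificate the RDP listener actually presents and checking it the way the client does: chain trust and name match are two separate tests, and the second one is evaluated against the host name the client ended up connecting to. The script below is an added example, not code from this thread. It assumes the session host or broker negotiates TLS on TCP/3389 (the 2012 R2 default) and that the host names at the bottom are placeholders for your own servers.

```powershell
# Added example, not code from the original thread. Fetches the certificate an RD Session Host
# (or the broker's redirector) presents on TCP/3389 and evaluates it the way the RDP client does:
# chain trust AND name match against the host name the client connected to.
# Assumptions: the RDP listener negotiates TLS (the 2012 R2 default); host names are placeholders.

function Read-Exact([System.IO.Stream] $Stream, [byte[]] $Buffer) {
    # NetworkStream.Read may return fewer bytes than asked; loop until the buffer is full.
    $off = 0
    while ($off -lt $Buffer.Length) {
        $n = $Stream.Read($Buffer, $off, $Buffer.Length - $off)
        if ($n -le 0) { throw 'Connection closed before the X.224 Connection Confirm arrived.' }
        $off += $n
    }
}

function Get-RdpServerCertificate {
    param([Parameter(Mandatory)] [string] $ComputerName, [int] $Port = 3389)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $net = $client.GetStream()
        # RDP does not begin with TLS. The client first sends an X.224 Connection Request inside a
        # TPKT header, carrying RDP_NEG_REQ with requestedProtocols = PROTOCOL_SSL (1).
        [byte[]] $cr = @(
            0x03, 0x00, 0x00, 0x13                     # TPKT header: version 3, total length 19
            0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00   # X.224 Connection Request (LI=14, code 0xE0)
            0x01, 0x00, 0x08, 0x00                     # RDP_NEG_REQ: type 1, flags 0, length 8
            0x01, 0x00, 0x00, 0x00                     # requestedProtocols = PROTOCOL_SSL
        )
        $net.Write($cr, 0, $cr.Length)

        # X.224 Connection Confirm: TPKT header first, then the body whose length TPKT announces.
        $hdr = New-Object byte[] 4
        Read-Exact $net $hdr
        $len = ($hdr[2] -shl 8) -bor $hdr[3]
        $body = New-Object byte[] ($len - 4)
        Read-Exact $net $body
        # body[0..6] = X.224 CC; body[7] = RDP_NEG_RSP (2) or RDP_NEG_FAILURE (3); body[11] = selectedProtocol
        if ($body.Length -lt 15 -or $body[7] -ne 0x02 -or $body[11] -ne 0x01) {
            throw ('{0} did not select TLS (response type 0x{1:X2}); cannot read its certificate.' -f $ComputerName, $body[7])
        }

        # TLS now starts on the same socket. The callback accepts everything so the certificate can be
        # examined below; the real RDP client is the one that stops here with the warning.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-RdpServerCertificate {
    param([Parameter(Mandatory)] [string] $ComputerName)
    $cert = Get-RdpServerCertificate -ComputerName $ComputerName

    # 1. Chain trust: does the issuer chain up to something in this client's Trusted Root store?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep this offline; mstsc does its own revocation checking
    $trusted = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 2. Name match: the client compares the name it connected to (after a broker redirect, the session
    #    host's own FQDN) with the CN and every SAN DNS entry. A wildcard name matches via -like.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
    }
    $nameOk = [bool]($names | Where-Object { $ComputerName -like $_ })

    [pscustomobject]@{
        ComputerName = $ComputerName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        ChainTrusted = $trusted
        ChainStatus  = $status
        CertNames    = ($names | Select-Object -Unique) -join ';'
        NameMatches  = $nameOk
    }
}

# Usage, from the client that shows the warning (host names are placeholders).
'rds.company.com', 'rdsh01.company.local' | ForEach-Object { Test-RdpServerCertificate -ComputerName $_ }
```

The pattern to look for is ChainTrusted = True together with NameMatches = False on a session host: the CA is in the Trusted Root store (which is why the web site is clean), but the host presents a certificate issued for rds.company.com while the client was redirected to the host's own FQDN. That is a name-mismatch warning, and no amount of root-store work on the client will remove it; the fix is a certificate on the session hosts whose SAN covers their real names.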

Hi Sebastin,

The first warning is invoked by the ActiveX in the WebSite. Although the ActiveX runs client-side, there's no way to turn it off as far as I know.

Are the non-domain joined machines the same OS / SP / Patch level as the domain joined machines?

April 24th, 2014 1:02pm

Arjan,

Ok, thanks. 

I will collect the OS and SP version of the clients and let you know.

Thanks

Regards

April 24th, 2014 1:18pm

You can disable it client-side by running the following PowerShell command on your broker:

Get-RDSessionCollection | Set-RDSessionCollectionConfiguration -CustomRdpProperty "authentication level:i:0"

April 24th, 2014 3:57pm

Hi Razwer,

It actually did the trick; from non-domain-joined computers I'm no longer seeing the second warning. The first one does not seem to be possible to disable. So I think this closes my issue.

Thank you all.

Regards

April 25th, 2014 6:21am

Hi Sebastin.Graa,

The setting Razwer gave you disables server authentication, which in effect simply masks the problem you were seeing. If you know that the connection between the client and your servers is secure and there is no chance of a MITM attack, then it is okay to use it from a security perspective. There are unique cases where disabling server authentication is acceptable; however, you have not provided enough information for me to judge whether or not yours is one of those cases.

My recommendation would be for you to solve the certificate issue rather than disabling server auth.  One way would be to use a certificate from a trusted public authority rather than your internal CA.

-TP

April 25th, 2014 8:59pm
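Razwer's command and TP's caution both come down to one RDP file setting, "authentication level", which the broker pushes to clients through the collection's custom RDP properties. An admin inheriting a farm should be able to see which collections carry the value 0 and put them back without losing any other custom property on the collection. The script below is an added example, not code from this thread or from Microsoft. It assumes the RemoteDesktop module on a 2012 R2 broker and that the object returned by Get-RDSessionCollectionConfiguration exposes CustomRdpProperty as a newline-separated list of "name:type:value" entries (an assumption; check one collection by hand first).

```powershell
# Added example, not code from the original thread. Audits every session collection on the broker
# for "authentication level:i:0" (the value Razwer's command sets) and optionally restores a value
# that keeps server authentication on, preserving any other custom RDP properties.
# Assumptions: RemoteDesktop module (2012 R2); Get-RDSessionCollectionConfiguration returns
# CustomRdpProperty as newline-separated "name:type:value" lines.
#
# RDP "authentication level" values:
#   0 = connect without warning even if server authentication fails   (what this thread sets)
#   1 = do not connect if server authentication fails
#   2 = warn the user if server authentication fails (default behaviour)
#   3 = no authentication requirement specified

function Get-RdpProperty {
    # Returns the "name:type:value" line for $Name, or $null if the collection does not set it.
    param([string] $CustomRdpProperty, [string] $Name)
    $CustomRdpProperty -split "`r?`n" | Where-Object { $_ -like "${Name}:*" } | Select-Object -First 1
}

function Set-RdpProperty {
    # Returns the property block with $Name set to $Value; every other line is kept as-is.
    param([string] $CustomRdpProperty, [string] $Name, [string] $Value)
    $kept = @($CustomRdpProperty -split "`r?`n" | Where-Object { $_ -and $_ -notlike "${Name}:*" })
    ($kept + "${Name}:$Value") -join "`n"
}

function Get-RDServerAuthAudit {
    param([string] $ConnectionBroker = $env:COMPUTERNAME)
    foreach ($c in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
        $cfg = Get-RDSessionCollectionConfiguration -CollectionName $c.CollectionName -ConnectionBroker $ConnectionBroker
        $level = Get-RdpProperty -CustomRdpProperty $cfg.CustomRdpProperty -Name 'authentication level'
        [pscustomobject]@{
            CollectionName     = $c.CollectionName
            AuthLevelProperty  = $level                                  # $null = client default applies
            ServerAuthDisabled = ($level -eq 'authentication level:i:0')
        }
    }
}

function Restore-RDServerAuth {
    # Resets collections that have :i:0 to :i:2 (warn) by default; use -Level 1 if clients must refuse instead.
    param([string] $ConnectionBroker = $env:COMPUTERNAME, [ValidateSet('1', '2')] [string] $Level = '2')
    foreach ($row in Get-RDServerAuthAudit -ConnectionBroker $ConnectionBroker | Where-Object ServerAuthDisabled) {
        $cfg = Get-RDSessionCollectionConfiguration -CollectionName $row.CollectionName -ConnectionBroker $ConnectionBroker
        $new = Set-RdpProperty -CustomRdpProperty $cfg.CustomRdpProperty -Name 'authentication level' -Value "i:$Level"
        Set-RDSessionCollectionConfiguration -CollectionName $row.CollectionName -ConnectionBroker $ConnectionBroker -CustomRdpProperty $new
        "Collection '{0}': authentication level reset to i:{1}" -f $row.CollectionName, $Level
    }
}

# Usage on the broker: audit first, then remediate only after the certificate issue itself is fixed.
Get-RDServerAuthAudit | Format-Table -AutoSize
# Restore-RDServerAuth -Level 2
```

Restoring level 2 brings the warning back, which is the point: the warning is the client telling you that the name in the certificate does not match the session host it was redirected to, and that is what needs fixing on the server side.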

Hi Sebastin.Graa,

The first warning may be removed for your domain-joined PCs by configuring the following group policy setting and applying it to the domain PCs:

Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Connection Client

Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

For the second warning I recommend you switch to using a certificate issued from a trusted public authority such as GoDaddy, Thawte, GeoTrust, VeriSign, etc.  This will allow both domain and non-domain PCs to connect without extra steps like configuring your internal PKI environment properly, adding certs to the local client PCs' trusted store, etc.

-TP

April 25th, 2014 9:10pm

Hello TP,

I understand that this setting disables the auth, and for me and my environment this is ok.

I don't think that purchasing a certificate from a public CA will solve the problem. The internal cert I was using was from a CA that the non-domain-joined PC already trusts. The same cert was used for the web site and there was no error there.

Regards

April 26th, 2014 5:56pm

Hello TP,

Will give this a try. It would be perfect if no warnings were shown to the clients.

I saw that it is also possible to do it with local GPO for the non-domain-joined ones.

Thanks

April 26th, 2014 5:59pm
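TP's policy ("Specify SHA1 thumbprints of certificates representing trusted .rdp publishers") and the local-GPO route Sebastin mentions for non-domain-joined PCs end up in the same place: one registry value holding a comma-separated list of SHA-1 thumbprints, which the client consults before showing the first (publisher) warning. The script below is an added example, not code from this thread. It assumes the .rdp publishing certificate has been exported from the broker to a .cer file (the path is a placeholder), and that the value name TrustedCertThumbprints under the Terminal Services policy key is the one the policy template writes (stated here as an assumption; compare with gpedit on one client if your ADMX set differs).

```powershell
# Added example, not code from the original thread. Client-side equivalent of the group policy
# "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers". Domain GPO and
# local GPO write the same value, so this serves domain-joined and non-domain-joined clients alike.
# Run elevated on the client. Assumptions: the publishing certificate was exported from the broker
# as a .cer file (path is a placeholder); the policy value name is TrustedCertThumbprints.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'TrustedCertThumbprints'

function Get-TrustedRdpPublishers {
    # Returns the thumbprints currently trusted, or an empty array when the policy is not set.
    $v = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ([string]::IsNullOrEmpty($v)) { @() } else { @($v -split ',' | ForEach-Object { $_.Trim().ToUpper() }) }
}

function Show-PublisherCert {
    # Look before you trust: confirm subject, issuer and validity of the certificate you are about to whitelist.
    # Get-PfxCertificate reads plain .cer files too.
    param([Parameter(Mandatory)] [string] $CerPath)
    Get-PfxCertificate -FilePath $CerPath | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

function Add-TrustedRdpPublisher {
    param([Parameter(Mandatory)] [string] $CerPath)   # e.g. .\RDPublishing.cer exported from the broker
    $cert = Get-PfxCertificate -FilePath $CerPath
    if ($cert.NotAfter -lt (Get-Date)) { throw "Refusing to trust an expired certificate: $($cert.Subject)" }
    $tp = $cert.Thumbprint.ToUpper()                   # SHA-1 hex, no spaces, as the policy expects
    $current = Get-TrustedRdpPublishers
    if ($current -contains $tp) { return "Already trusted: $tp ($($cert.Subject))" }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # The policy stores a single comma-separated REG_SZ, so append rather than overwrite.
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value (($current + $tp) -join ',') -Type String
    "Trusted .rdp publisher added: $tp ($($cert.Subject))"
}

function Remove-TrustedRdpPublisher {
    # Rotation: drop an old thumbprint when the publishing certificate is renewed.
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $rest = @(Get-TrustedRdpPublishers | Where-Object { $_ -ne $Thumbprint.ToUpper() })
    if ($rest.Count -eq 0) { Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue }
    else { Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value ($rest -join ',') -Type String }
}

# Usage (path is a placeholder):
Show-PublisherCert -CerPath '.\RDPublishing.cer'
Add-TrustedRdpPublisher -CerPath '.\RDPublishing.cer'
Get-TrustedRdpPublishers
```

Note what this policy does and does not do: it tells the client that .rdp files signed by this certificate come from a publisher you trust, so the first dialog goes away; it says nothing about the TLS certificate of the session host, so it cannot remove the second (server authentication) warning, which is a separate check.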

Thanks TP, no more warnings.

Best Regards

April 26th, 2014 6:06pm

After weeks of testing, this was the fix.

Just to clarify the issues I was having: multiple collection farms, but two of them had some strange errors, ranging from "An authentication error has occurred (Code: 0x607)" when trying to log in, to the client popping up a warning that logging into the machine "insert local FQN of the RDSSH" had a name mismatch with the certificate issued to "insert real-world FQN of collection farm RDS public cert".

I.e., it appeared as though the client was trying to log into the local name of the RDS host, not the FQN of the farm.

The main users of these two sites never complained about anything, and it always worked for them, but I could not get any new users into this farm.

The issues started after Windows updates some months back. I built a new farm and used that at the time, as I could not work out what changed.

Just thought I would add this here for those having the same issues; maybe this will help someone.

June 17th, 2015 8:24pm
