Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

[Today's post comes to us courtesy of Shawn Sullivan and Justin Crosby]

Remote Desktop Disconnected

You may receive the following errors when attempting to access a client machine through the Remote Web Workplace (RWW) or the TS Gateway:


[To connect to Remote Web Workplace, you must install the proper certificate. Contact the person who provides technical support for your network.]

Likewise, connections to TS Gateway will fail as well. You will receive the following error:


[This computer can't connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server's certificate is not valid. Contact your network administrator for assistance.]

To determine whether you trust the certificate, browse to RWW from Internet Explorer. If it is not trusted, IE displays a certificate error.

Also, check the certificate status to the right of the URL field.

Certificate Creation

When you complete the Internet Address Management Wizard for the first time, a certificate installation package is created for distribution to non-domain-joined client machines and mobile devices. Details regarding this package can be found here:

https://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

NOTE: This package is not for installation on the SBS 2008 server.

Connections to TS Gateway or Terminal Services through RWW will fail if either the certificate is not trusted, or the name on the certificate does not match the name of the server that you are connecting to.

Certificate Not Trusted

If you are receiving these errors, you need to install the root CA certificate from the SBS server by using the certificate installation package as described in:

https://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

Once the certificate is installed, you can view it in IE by going to Tools > Internet Options > Content > Certificates. You will also stop receiving certificate errors when you connect to RWW.

Certificate Name Does Not Match

Connections will also fail if you connect to TS Gateway or RWW using a different address than the one on the certificate.

For RWW, you will receive certificate errors in IE, and the certificate status to the right of the URL field will show an error as well.

For TS Gateway, the RDP client will display a certificate error when you connect.

In either case, click on View certificates to show the Issued to name on the certificate. This is the name that you need to put into IE or the RDP client.

For example, for a certificate issued to remote.contoso.com, I would type https://remote.contoso.com/remote to connect to RWW. For TS Gateway, I would enter the same name as the TS Gateway server in the RDP client.

Certificate Has Expired

This issue can also occur if the SSL certificate has expired. SBS 2008 self-signed leaf certificates are valid for 2 years and the root certificate is valid for 5 years. If your self-signed certificate has expired, run the "Fix My Network" wizard from the Connectivity tab. This wizard will automatically issue a new matching certificate. If you are using a trusted (purchased) certificate, you will need to contact the certificate issuer for a new certificate and import it using the "Add a trusted certificate" wizard.

Wrong Version of Remote Desktop Connection

RWW and TS Gateway require that the connecting client have Remote Desktop Connection 6.1 or greater installed. RDP 6.1 is included with XP SP 3, Windows 2008, and Vista SP 1. RDP 6.1 is available as a separate download for XP SP 2 (requires a reboot).

You can tell the version of the RDP client by looking at the file version of C:\windows\system32\mstsc.exe:

  • 6.0.6001.18000 is RDP 6.1
  • 6.0.6000.16386 is RDP 6.0

NOTE: After installing SP3 for XP, you may see the following error: "Remote Desktop Web Connection ActiveX control is not installed. A connection cannot be made without a working installed version of the control." If you receive this error, please review KB951607 for information on enabling the IE add-on to support RWW.

In Summary:

  1. For TS Gateway or RWW to function properly, you must not receive any certificate errors when you connect.
  2. Your client machine must trust the Root CA certificate. Install the certificate installation package on the client to accomplish this. (This package is created by running the Internet Address Management Wizard.)
  3. You must connect to TS Gateway or RWW using the address listed in the Issued to field on the certificate.
  4. The certificate must NOT be expired.
  5. You must be running Remote Desktop Connection 6.1 on the client making the connection.  (https://support.microsoft.com/kb/951616)
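
The conditions in the summary can be checked from the client in one pass with PowerShell. This is an added example, not part of the original post; the function name Test-RwwCertificate is an assumption, and it expects PowerShell 3.0 or later on the client.

```powershell
# Added example (not from the original post). Run on the client machine.
function Test-RwwCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$GatewayName,  # name typed into IE or the RDP client
        [int]$Port = 443
    )
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    # The callback records how Windows judged the certificate and returns $true so the
    # handshake completes and the certificate can be inspected. No data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $c, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($GatewayName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    $errs      = [int]$state.Errors
    $chainFlag = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $nameFlag  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch

    # File version of the local RDP client; the post maps 6.0.6001.18000 to RDP 6.1.
    $vi    = (Get-Item "$env:SystemRoot\System32\mstsc.exe").VersionInfo
    $mstsc = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    [pscustomobject]@{
        IssuedTo     = $cert.GetNameInfo('SimpleName', $false)
        ChainTrusted = ($errs -band $chainFlag) -eq 0   # also false when the certificate has expired
        NameMatches  = ($errs -band $nameFlag) -eq 0    # false if $GatewayName differs from the certificate
        NotAfter     = $cert.NotAfter
        Expired      = (Get-Date) -gt $cert.NotAfter
        MstscVersion = $mstsc
        Rdp61OrLater = $mstsc -ge [version]'6.0.6001.18000'
    }
}

# Example call, using the host name from the post:
# Test-RwwCertificate -GatewayName remote.contoso.com
```

A healthy client reports ChainTrusted and NameMatches as True, Expired as False, and Rdp61OrLater as True; any other combination points to the matching section above.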