5,099 questions
Remote desktop gateway certificate check fails - at client
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 85%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVN%3C/text%3E%3C/svg%3E)
Victor Nikityuk
6
Reputation points
Good day!
I have a scenario that is already described in a number of answered questions:
- Windows 2019 server with Remote Desktop services, including Remote Desktop Gateway with web access;
- Windows 10 client at another location behind a web proxy.
This used to work perfectly, until I have updated the server certificate. The certificate contains all SANs for the server; it is installed at the client PC at the "Trusted root certificates" store, both at user and computer accounts. When I open RDWeb site Internet Explorer I have no certificate issues, it displays as "valid".
However, when I try to connect to the server with RDP client, it fails with the message - "The computer can’t verify the identity of the RD Gateway. It’s not safe to connect to servers that can’t be identified." But when I try to connect from another PC in the same network (Windows Server 2012), it works perfectly! So the problem, as I can get, is at the client side.
I have already removed all of the old certificates. What else could cause this problem?! Thank you beforehand.
Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
{count} vote
-
Victor Nikityuk 6 Reputation points
2021-02-09T07:15:10.227+00:00 I have tried analyzing the network traffic with Wireshark, and it shows all as it should be: the client connects to the proxy server (port 3128) and requests connection to the RD gateway with HTTPS. The RD Gateway provides the correct certificate (with SANs and a correct fingerprint). Still, the check fails at the client side.
Both old and new certificates are SHA256RSA, nothing is changed here.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2021-02-10T03:40:37.71+00:00 Hi
What type of the certificate?
If it is a trust the self-signed Root CA on the client, you will need to export the CA certificate from the server, then import the certificate as a Trusted Root Certification Authority on the client computer.
-
Victor Nikityuk 6 Reputation points
2021-02-10T06:17:02.523+00:00 Yes, it is a self-signed certificate.
The certificate is installed at the client into the "Trusted Root Certificate Authority" branch. I can open server web pages encrypted with this certificate and it appears as valid.
Still, when I try to connect with MSTSC, it shows the abovementioned error. I have no ideas what to do with that.
-
Anonymous
2021-02-22T02:08:54.093+00:00 What does it say in the properties of the RD Gateway Manager?
-
Victor Nikityuk 6 Reputation points
2021-02-24T06:08:05.443+00:00 At the "SSL certificate" tab it shows exactly the self-signed certificate that is being presented to the client, as I can verify by sniffing the network. This certificate is installed into the "Trusted root CAs" at the client. Still it can not connect with the abovementioned error.
The other computers at the same network connect perfectly. The problem is at one specific client PC. It is not easy to reinstall it from scratch (there's a lot of engineering software installed), so I'm still looking for a solution. Maybe you can help diagnosing it with Event Viewer at the client side?
Sign in to comment
Sign in to answer