Remote Desktop expired certificate

I have a remote server that I can only access through RDP. It uses a proper SSL certificate from GoDaddy for RDP, not a self-signed one. The server is 2008 R2, and I believe is set to the default of requiring network level authentication. Unfortunately, I do not have any lights-out management features or IP KVM on this server.

Due to heartbleed, I revoked all my certificates and reissued them. Unfortunately, I clearly missed setting RDP up for this new certificate. Now I get "This certificate has been revoked and is not safe to use", and "You may not proceed due to the severity of the certificate errors".

I know the certificate is revoked. That's why I'm trying to get in to fix it! But I can't replace the certificate until I can remote in. And I can't remote in until I replace the certificate.

Is my only option to drive there and login from the console, or is there a way to temporarily ignore the certificate error?

We had a customer report an issue with a hosted server last night. They were trying to RDP in to a hosted Windows Server 2008 machine from Vista PCs and were not able to. XP clients were fine. Here's the error they got:

“Remote Desktop cannot connect to the remote computer because the authentication certificate received from the remote computer is expired or invalid”.

Windows is trying to make RDP secure, doing all sorts of mutual authentication things with X.509 certificates. The solutions I first saw were to renew a certificate from the PKI. Huh? This is a workgroup machine in an isolated/firewalled network. No go there, sunshine!

The solution was to fire up the Certificates snap-in in MMC on the server for the local computer account, browse to Remote Desktop and delete the certificate. This was necessary because the cert had expired.

Alternatively you can change the security layer of RDP from "SSL (TLS 1.0)" or "Negotiate" to "RDP Security Layer", which makes RDP stop using the certificate (and TLS) altogether. This is done in the properties of the RDP-Tcp connection in the Terminal Services Configuration MMC.

If the cert wasn't expired, check that the time is correct on both the client and the server.

  • If you have server 2012

    //www.youtube.com/watch?v=yRjoGb6DmcA

    or 2008, just launch RD Gateway. And why don't you purchase a certificate? It costs just $69.


  • Thanks, I think I will purchase one, but I need to catch this ideally before it expires. I'm assuming if I renew it with another self-signed cert I will again need to distribute it to all machines?

  • Mark286 wrote:

    Thanks, I think I will purchase one, but I need to catch this ideally before it expires. I'm assuming if I renew it with another self-signed cert I will again need to distribute it to all machines?

    Yup

  • Mark286 wrote:

    Thanks, I think I will purchase one, but I need to catch this ideally before it expires. I'm assuming if I renew it with another self-signed cert I will again need to distribute it to all machines?

    Why work hard? Do it from GPO. Please spice if you accept an answer so I get a notification and check back.

    //technet.microsoft.com/en-us/library/cc770315[v=ws.10].aspx

  • You can change the self-signed certificate at any time. Thanks to the guys above for their help.


  • 5


    Turns out restarting the Remote Desktop Configuration service will renew the certificate if it is expired. I did not have to delete it first; however, I did test on another server by deleting it and then restarting the service. It still properly created the certificate. Doing so generates an event log message:

    Log Name: System
    Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date: 5/26/2011 12:14:31 PM
    Event ID: 1056
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: servername.domain.com
    Description:
    A new self signed certificate to be used for Terminal Server authentication on SSL connections was generated. The name on this certificate is servername.domain.com. The SHA1 hash of the certificate is in the event data.

    Thank you to all of you who chimed in & got me going down the right path.

    Patrick Hoban
    //patrickhoban.wordpress.com

    • Marked as answer by Patrick Hoban Thursday, May 26, 2011 5:33 PM

    Thursday, May 26, 2011 5:33 PM
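A read-only PowerShell health check that ties the thread's points together, written as an added example (it is not code from any poster): it reports the RDP-Tcp security layer and NLA setting (the blog post above notes that dropping to RDP Security Layer gives up the certificate), finds the certificate the listener is bound to and how long it has left, checks the Remote Desktop Configuration service that regenerates the auto-generated certificate, and pulls recent event 1056 entries. Assumptions: the default listener name RDP-Tcp, the service name SessionEnv, and that the Win32_TSGeneralSetting WMI class is available (Server 2008 R2 / 2012).

```powershell
# Added example, not code from any post in this thread. Read-only RDP certificate health check
# for Windows Server 2008 R2 / 2012. Run in an elevated PowerShell on the server.
# Assumptions: default listener name 'RDP-Tcp'; the Remote Desktop Configuration service
# is 'SessionEnv'; the auto-generated cert lives in the 'Remote Desktop' machine store.
$listener = 'RDP-Tcp'

# 1. Listener settings: security layer, NLA, and the thumbprint the listener is bound to.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='$listener'"
if (-not $ts) { throw "No Terminal Services listener named $listener was found." }
$layerNames = @{ 0 = 'RDP Security Layer (native RDP encryption, no TLS, no server authentication)'
                 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
"Security layer  : $($layerNames[[int]$ts.SecurityLayer])"
"NLA required    : $($ts.UserAuthenticationRequired -eq 1)"
"Bound thumbprint: $($ts.SSLCertificateSHA1Hash)"
if ([int]$ts.SecurityLayer -eq 0) {
    Write-Warning 'Listener is on RDP Security Layer: clients cannot verify the server identity.'
}

# 2. The certificate behind that thumbprint (any machine store), falling back to the
#    'Remote Desktop' store where the auto-generated certificate is kept.
$cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } | Select-Object -First 1
if (-not $cert) { $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' | Select-Object -First 1 }
if ($cert) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "Certificate     : $($cert.Subject)  (self-signed: $($cert.Subject -eq $cert.Issuer))"
    "Expires         : $($cert.NotAfter)  ($daysLeft days left)"
    if ($daysLeft -lt 0) { Write-Warning 'RDP certificate has EXPIRED; clients will refuse to connect.' }
    elseif ($daysLeft -lt 30) { Write-Warning "RDP certificate expires in $daysLeft days; renew or replace it now." }
} else {
    Write-Warning 'No RDP certificate found in Cert:\LocalMachine.'
}

# 3. The service that regenerates the auto-generated certificate. If it is stopped or
#    disabled, an expired certificate is never renewed.
$svc     = Get-Service -Name SessionEnv
$svcMode = (Get-WmiObject -Class Win32_Service -Filter "Name='SessionEnv'").StartMode
"Remote Desktop Configuration service: $($svc.Status), start type $svcMode"
if ($svcMode -eq 'Disabled') { Write-Warning 'SessionEnv is disabled; the RDP certificate cannot auto-renew.' }

# 4. Event 1056 is written each time a new self-signed RDP certificate is generated,
#    e.g. after the service is restarted; the SHA1 hash of the new cert is in the event data.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1056
        ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager' } `
    -MaxEvents 3 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
```

Running this on a schedule and alerting on the expiry warning catches the problem before the listener locks everyone out, which is the situation the question at the top of the page describes.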

  • 0


    Yes, I have it set to "Allow connections from computers running any versions of Remote Desktop".

    No, I have not configured RDP to use any other certificate. Looking at the RDP-tcp properties Certificate is still set to Auto generated. Clicking on Auto generated gives me a message that says, "This certificate is managed by the Remote Desktop Session Host server and you cannot view the certificate details. It is recommended that you procure a certificate from a Certificate Authority."

    Again, it appears that the self-signed certificate in Remote Desktop\Certificates is supposed to auto-renew but is not.

    Patrick Hoban
    //patrickhoban.wordpress.com

    Monday, May 16, 2011 6:18 PM

  • 0


    I believe the error they get is due to the certificate being expired, not because it is not issued by a trusted source. The certificate expired on 5/3/2011 & that's when they started getting the error.

    I am not aware of a way to renew the certificate in the certificates MMC.

    I do not see any errors in the Event Log around the time of the certificate expiring.

    I still can't figure out why the certificate is not renewing itself since that's what appears to be happening on every other server I have.

    Patrick Hoban
    //patrickhoban.wordpress.com

    Tuesday, May 17, 2011 4:30 AM

  • 0


    Anyone else seen this behavior before?

    Patrick Hoban
    //patrickhoban.wordpress.com

    Tuesday, May 24, 2011 2:51 AM

  • 1


    Please confirm that this server does not have any RDS roles installed and is just using Remote Desktop for Administration.

    Go to Start -> Administrative Tools -> Remote Desktop Services -> Remote Desktop Session Host Configuration

    Check the "Remote Desktop Licensing mode"

    Since you indicated this server uses RDP just for Administration and does not have the RDS role installed, this should show "Remote Desktop for Administration"; if it's not, let us know.

    Now go to the properties of RDP-TCP and check the Certificate option; it should show:

    Certificate: Autogenerated

    If it's not, what's it set to?

    You can select Default here to use Autogenerated Certificate, then test the connection again.

    You can also delete the expired certificate from the certificate store.

    Sumesh P - Microsoft Online Community Support

    • Proposed as answer by Sumesh P Thursday, May 26, 2011 4:20 AM
    • Marked as answer by Patrick Hoban Thursday, May 26, 2011 5:34 PM
    • Unmarked as answer by Patrick Hoban Thursday, May 26, 2011 5:43 PM
    • Unproposed as answer by Sumesh P Friday, May 27, 2011 7:26 AM

    Tuesday, May 24, 2011 6:10 AM


  • 1


    I had the same problem. The solution for me was straightforward.

    My Remote Desktop Configuration service was disabled.

    I enabled it, rebooted and the cert was renewed.

    Thursday, October 3, 2013 5:17 PM

  • 0


    THANK YOU! This fixed it for me and my company!

    Wednesday, October 8, 2014 12:10 AM
