RDP error

[k-strider]

ok tried to connect to schools Terminal Server (2K8) Via a TS Gateway (from outside)

now this worked fine in Vista before i blew away the Laptop to install Win7 Beta

i now get this error

The remote computer could not be authenticated due to problems with its security certificate. it may be unsafe to proceed.

Certificate name
Name in the Certificate from the remote computer:
TSServerName.My_internal_Domain.lan

Certificate errors
The Following errors were encountered while validating the remote computer's certificate:
A revocation check could not be performed for the certificate.

You cannot proceed because authentication is required.

Now the TS gateway mydesktop.schoolsdomain.sch.uk has a real proper Trustico Certificate, but obviously the actually Terminal Servers has an internally generated certificate from the domans Certificate authority.. the Cert is valid and working. even installing the root cert of my internal domain as a trusted root authority doesn't resolve it...

Anyone tried RDPing yet from Win 7 via a TS gateway???

[k-strider]

Ok.. this adds to the mystery.. using the TS gateway i can connect to a 2K3 server that is accepting RDP sessions. by manually filling out the RDP connection settings... manually filling them out for the 2K8 TS server i get the same error... so it must be something between 2K8 and Win7... a new feature / check that MS added either to 2K8 or Win7 that only gets tested between the two.... hum...

Edit... Interestingly I can connect to a normal 2K8 Server.. Via the TS gateway.. just not the actual Terminal Server!!

[PiqueABoo]

I think you need to look at what that (internal) certificate says about revocation via view certificate or whatever W7 has now - it probably points to somewhere internal you can't get to from the outside world.

You might be able to turn off revocation checking somewhere. Or you can, with a little effort, make certificates with custom revocation info.. or even no revocation info.

[k-strider]

i fixed this the otherday so i thought i should say what i did encase anyone else comes acropper

The Terminal Server was using cert signed by my CA, compname.internal.lan by changing the cert to a auto generated one the Win7 clients then started to connect just fine :-)

The TS gateway kept its Real world signed Cert

[hanisacsouka]

What do you mean by an auto generated certificate?

[k-strider]

see attached

[nut-ed]

Possibly you have enabled NLA, this is new for W2008 and causes non-connections for older clients (Network Level Authentication)

[cadams]

It seems im missing some little piece to this issue. I believe on a few win7 pro clients i need to set the certs to auto generated as K strider has shown, however win7 doesnt contian tsconfig, is there another way to do this on win7 pro so I can connect to 2008 servers?

[k-strider]

i had to set the Terminal Server certificate to Autogenerated.. as per the picture i posted earlier..

Administrative tools -> Terminal services -> Terminal Services Configuration.
Right Click RDP-TCP under the connectiosn box Properties... the bottom of the genral TAG chose autogenerated.

[RobFuller]

i fixed this the otherday so i thought i should say what i did encase anyone else comes acropper

The Terminal Server was using cert signed by my CA, compname.internal.lan by changing the cert to a auto generated one the Win7 clients then started to connect just fine :-)

The TS gateway kept its Real world signed Cert

I tried that but my home machine (not domain aware) sulks at a unidentified certificate, even when I try importing the certificate (user and computer) it still sulks.
What the heck have Microsoft done, looked around the web and this seems to be a common problem! I would love to get this sorted so I can offer the service to some of our staff.

[Ric_]

If it's anything like Citrix Secure Gateway, all the certificates along the length (so each hop) of the connection have to be trusted by each of the machines. This is so that you are gauranteed of a secure connection from start to finish.

My Secure Gateway connection takes advantage of this to limit who can access it. By installing the required certificate on machines that you trust (and license) to use the connection, you limit who can get access

[EduTech]

I might not be anyhelp here, i just know 2k8 can be a pain... by anychance do you use the more secure option? and if so have to tried using the less secure way?

Note: I have not using TSgateway for 2k8 but just a thought

James.

[stancho2003]

Thank You k-strider. That solved my problem. A+