Certificate warning when starting applications via remote desktop services
In my test environment I recently built a new Windows Server 2016 based remote desktop environment.
The environment consists of a server with the roles RD Web Access, RD Gateway, RD Connection Broker and RD License Server, as well as another server that acts only as RD Session Host.
For the roles Web Access, Gateway and Connection Broker, an official wildcard certificate was used and an official DNS name was created so that the server can be accessed via the Internet.
After everything was set up, I did some tests and tried to access the Web Access site over the Internet from a computer that wasn’t a member of the domain.
Although I am using an official wildcard certificate, the following warning was displayed when an application or desktop was started:
Your remote desktop connection failed because the remote computer cannot be authenticated.
The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
Name mismatch
Requested remote computer: SHEPSRV129.SHEP-NET.DE
Name in the certificate from the remote computer: *.pre-system.de
Certificate errors
The following errors were encountered while validating the remote computer's certificate: The server name on the certificate is incorrect.
The reason for this message is that the RDP file contains the internal name of the RD Connection Broker, and my client tries to connect to this server. That internal name is not covered by the wildcard certificate, so the name check fails.
The problem can be solved by specifying an alternative name, which is then transmitted in the RDP file. We can configure this alternative name using the following PowerShell cmdlet:
Set-RDSessionCollectionConfiguration -CollectionName "Standard Apps" -CustomRdpProperty "use redirection server name:i:1`n alternate full address:s:webinterface.pre-system.de"
The cmdlet is given the name of the collection for which the setting is to be made and the name that is to be requested instead of the internal name.
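The following is an added example, not part of the original post. Because -CustomRdpProperty is given the complete property string, this script first checks that the public name is covered by the wildcard certificate and then merges the two settings into whatever custom properties the collection already has; the `$certName` check and the merge logic are assumptions of this example.

```powershell
# Added example (not from the original post). Run elevated on the RD Connection Broker.
Import-Module RemoteDesktop

$collection = 'Standard Apps'                # collection name used in the post
$publicName = 'webinterface.pre-system.de'   # external name used in the post
$certName   = '*.pre-system.de'              # certificate name from the warning dialog

# A certificate wildcard covers exactly one DNS label. Check the public name
# against the certificate name before publishing it in the RDP files.
$pattern = '^' + [regex]::Escape($certName).Replace('\*', '[^.]+') + '$'
if ($publicName -notmatch $pattern) {
    throw "$publicName is not covered by $certName; clients would still see a name mismatch."
}

# Settings to enforce, keyed by RDP setting name (each line is name:type:value).
$desired = [ordered]@{
    'use redirection server name' = 'i:1'
    'alternate full address'      = "s:$publicName"
}

# Read the current custom properties and keep every line that is not being replaced.
$current = (Get-RDSessionCollectionConfiguration -CollectionName $collection).CustomRdpProperty
$kept = @("$current" -split "\r?\n" | ForEach-Object { $_.Trim() } | Where-Object {
    $_ -and ($desired.Keys -notcontains ($_ -split ':', 2)[0].Trim())
})

# Append the enforced settings and write the complete string back, one setting per line.
$new = @($desired.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" })
$merged = (@($kept) + $new) -join "`n"
Set-RDSessionCollectionConfiguration -CollectionName $collection -CustomRdpProperty $merged

# Show what will be written into newly generated RDP files.
(Get-RDSessionCollectionConfiguration -CollectionName $collection).CustomRdpProperty
```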
After I made the settings and logged off and back on to Web Access once so that the new settings became effective, I received the following error when starting an application:
Remote Desktop can't connect to the remote computer "webinterface.pre-system.de" for one of these reasons:
1) Your user account is not listed in the RD Gateway's permission list
2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example, computer1.fabrikam.com or 22.214.171.124).
The reason for this error is the Remote Desktop Resource Authorization Policy (RD RAP), which by default only allows connections to the internal name of the Connection Broker server. Now that my client is trying to connect to webinterface.pre-system.de, the attempt is blocked by the policy.
To allow access, open the RD Gateway Manager on the gateway server. In the Gateway Manager, open the item “Manage Local Computer Groups” in the menu on the right and add the name webinterface.pre-system.de in the “Network resources” tab and field.
If there are still problems with the gateway configuration, the related events can be found in the event log on the gateway server under “Custom Views” -> “Server Roles” -> “Remote Desktop Services1”.