Tim_Beasley you seem to be all over this topic, so hoping you can help as I've not found anything anywhere that seems to meet our scenario, that I would have assumed was actually the most common case. Here goes.
1. No on-prem hybrid, just regular Entra Domain with Intune delivering some policies incl firewall
2. User devices (Win11 23H2) are on a local network with IP range 10.0.0.0/24
3. Users all log into their machines using AD UPN - account profiles are established on their devices as admins
4. If a user tries to RDP into their machine from another machine on the network we get a certificate error:
   - MSTSC is set to 'use a web account to sign in on the remote computer'
   - MSTSC server auth is set to 'Warn me' if server authentication fails
   - MSTSC connect to is 'DESKTOP-12345' (we cannot use the IP address as this does not work with 'use a web account...' according to connect-to-remote-aadj-pc)
   - MSTSC username can be either the user [upn] (their email) or AzureAD\[upn] with the same result
   - client appears to connect with a series of screens that are only shown the first time through:
     - login to Entra
     - Entra MFA
     - Warning that "you are going to connect Remote computer called 'DESKTOP-12345'"
   - Certificate warning is shown stating:
     - The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
     - Name mismatch. Requested computer name DESKTOP-12345. Name in the certificate from the remote computer 172.XX.XX.1
     - The server name on the certificate is incorrect
The statement _may be unsafe to proceed_ gives the impression clicking OK on the warning will let us through, but it does not complete the connection.
Looking at the certificate I can see that the `Subject` is the device's ObjectID in Entra.
I can also see in `Subject Alternate Names` that there are **only** IP addresses listed including the 10... address of the machine on the local network and the 172... address mentioned in the error message which is a HyperV Virtual Ethernet Adapter. The hostname of the computer is not included in the certificate.
This makes me think:
1. the login was granted by Entra which issued the certificate to the machine
2. the RDP system seems to be expecting connection using the IP address, which conflicts with the rules of using a web account
3. if the cert is in fact issued by Entra there must be somewhere in Entra or Intune where I can tell it to include the hostname of the machine in the certificate that it issues
Has anyone got any insights into what is going wrong here? I feel like I'm a tick-box away from solving this issue.