Forum Discussion
Remote Desktop Web Access HTML5 certificate error after replacing
Hi everyone.
We needed to update our certificate in our RDS servers. Unfortunately, now users receive this alert:
I know this is old, but I was hoping maybe someone found a better solution.
Stuff that I tested to reduce the problem:
- clear cookies for specific sites at the end of a session
- clear images and files when the browser closes (running this manually solves this most of the time).
- Deployed the certificate thumbprint as GPO. (didn't have to before but maybe will assist later)
- Allow .RDP files from valid publishers and user's default .RDP settings (we use a wildcard certificate, so this is a shot in the dark.)
Any help would be appreciated.
Rahamim.
- Alban1998 (Iron Contributor)
What was the configuration of the previous certificate? Did it work properly? Did you check if both PKI and certificate template match best practices?
- Pat55 (Copper Contributor)
Hi RahamimL, no that was correct.
The Thumbprint shown in the error message is the Thumbprint from the old Certificate?
You can also check in the RD Gateway Manager if the assigning of the certificate to the Gateway Manager was successful.
Also check with the command "netsh http show sslcert" on the broker and gateway server the thumbprint of the certificate.
cheers
- jafrie12s (Copper Contributor)
Hello,
Did you ever get this to work?
It's insane that users need clear cookies to get this to work.
I have to update certificate real soon and rds html5 users are 3rd party.
What was your rds html5 client version?
If you updated it did you update it before or after new certificate import?
Was certificate .cer or .pfx when you installed the new certificate?
Would be nice if I could update the new certificate and users would not have to do anything at their end.
Thank you in advance.
- RahamimL (Iron Contributor)
jafrie12s As a bypass what I did was deployed the following for both Chrome and Edge. (We're not using Firefox):
- Deployed clear browsing data:
- Deployed limit cookies from matching URLs to the current session.
Both settings can be deployed to users or devices.
Again, this is a bypass. I still think there should be a better solution for this.
Rahamim.
- jafrie12s (Copper Contributor)
Thank you for your quick response.
Sadly this is not a solution for us because users are 3rd party and we can't deploy settings to their devices.
Could you please tell me,
1. Did you have newest version of html5 webclient installed? And if not, did you update it?
2. Did you have to remove old certificate from MMC before it started to work?
3. Did you try CTRL+F5 refresh the website, did it work after that?
I'm just hoping that you didn't have newest version installed and if I install newest version before I might not have this problem.
Does anyone know any other solution, some settings in IIS perhaps?
- jafrie12s (Copper Contributor)
Thank you Pat55 and RahamimL for your answers.
We had also HTML5 webclient version 1.0.27.
We did renew certificate through Connection Broker Server Manager to all RDS services. I did import the new certificate through PowerShell (Import-RDWebClientBrokerCert). I did use the same certificate that I used when I imported through CB/Server Manager.
Everything else worked fine except HTML5 webclient.
It gave the same error to us as it did to RahamimL.
It got resolved when browser cache (clear image/files and/or cookies) was cleared.
Before clearing browser cache it would remember the old brokercert.cer
- GBeaudoin890 (Copper Contributor)
Has anyone found a solution to this problem? I have also tried everything, nothing works. Don't know where to look anymore.
Need some help
Thanks
- amufi (Copper Contributor)
Hi. I have the same issue and I confirm the cause is on clients and not on RDS farm.
Some clients work, some others do not.
My workaround was also clear browser data and cached certificates.
- RichardDuffySMB (Copper Contributor)
RahamimL Every year we have the same issue and unfortunately it seems that the only option is to get the users to clear their browser cache to allow the new certificate to be used.
Sad, but true - yearly certificate renewals are the bane of our existence...and Microsoft don't make it any easier with these challenges
- Tom Long (Copper Contributor)
You can prevent this happening by adding a Cache-control response header (no-cache) to brokercert.cer in IIS on the Broker server.
It won't help if people already have it cached, but in future it'll stop people's browsers caching the certificate and ending up with the mismatch.
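A way to verify both points raised in this thread after a renewal, as an added example that is not part of any post above: it checks that a brokercert.cer response carries a Cache-Control directive that stops browsers reusing a stale copy, and that the served file matches the thumbprint you expect (for instance the one reported by the `netsh http show sslcert` check mentioned earlier). The function names, the sample headers and the placeholder bytes are assumptions made for the example; the headers and body would come from a GET of brokercert.cer on your own web client site.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def thumbprint(cert_bytes):
    """SHA-1 of the DER encoding, the value Windows displays as the thumbprint."""
    m = PEM_RE.search(cert_bytes)
    der = base64.b64decode(m.group(1)) if m else cert_bytes  # accept Base64 or DER .cer
    return hashlib.sha1(der).hexdigest().upper()

def normalize(tp):
    """Drop spaces, colons and invisible characters picked up when copying a thumbprint."""
    return re.sub(r"[^0-9A-Fa-f]", "", tp).upper()

def cache_directives(headers):
    """Return the set of Cache-Control directive names (header name is case-insensitive)."""
    value = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    return {d.split("=")[0].strip().lower() for d in value.split(",") if d.strip()}

def audit(headers, body, expected_thumbprint):
    """List the problems with one brokercert.cer response; an empty list means OK."""
    findings = []
    if not cache_directives(headers) & {"no-cache", "no-store"}:
        findings.append("cacheable: browsers may reuse this file after the next renewal")
    served = thumbprint(body)
    if served != normalize(expected_thumbprint):
        findings.append(f"mismatch: server returns {served}")
    return findings

# Constructed sample data: placeholder bytes, not real certificates.
OLD_DER = b"constructed-old-certificate"
NEW_DER = b"constructed-new-certificate"
NEW_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(NEW_DER)
           + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    expected = thumbprint(NEW_DER)  # stands in for the thumbprint bound on the server
    # Server still serving the old file with no Cache-Control header: two findings.
    print(audit({"Content-Type": "application/pkix-cert"}, OLD_DER, expected))
    # New file served with the no-cache header: no findings.
    print(audit({"cache-control": "no-cache"}, NEW_PEM, expected))
```

As noted in the last reply, a clean result only protects future renewals; a browser that already cached the old file still needs its cache cleared once.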