This is the third and final part of our recent series on configuring certificates on TS Gateway. See also Part I and Part II
Background
TS clients authenticate TS Gateway server using server security certificates (X.509 format). TS Gateway passes the server security certificate to the clients during the SSL handshake process. During the SSL handshake process, the clients might drop connections because the certificate authority is untrusted or the TS Gateway server was unable to produce a valid certificate. In either case, the user will be unable to launch a remote connection using the TS Gateway. The following illustration summarizes certificate-related issues that can occur during connection establishment:
This blog identifies certificate-related connection issues that affect the user’s ability to establish a remote TS connection using the TS Gateway server, and actions that can be taken by end users and administrators to resolve these issues. For information on why TS Gateway needs a certificate and which is the recommended certificate to use on TS Gateway, see Part I: Introduction to TS Gateway Certificates . And for information on how to deploy a certificate on TS Gateway, see Part II: How to deploy a certificate on TS Gateway .
Certificate authority not trusted
Error message - “This computer can’t connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server’s certificate is not valid. Contact your network administrator for assistance. “
Brief description - The TS Gateway certificate authority is not trusted by the client. This issue can most likely arise if the administrator has provisioned the TS Gateway with a self-signed certificate or private certificate authority.
Resolution (user-specific) - Import the TS Gateway certificate to the client machine and install it in the user trusted store.
To install the certificate in the user trusted store:
1. Download the TS Gateway certificate on the client machine.
2. Click Start , click Run , type “mmc.exe” (without the quotation marks), and then click OK .
3. Click File , and then click Add/Remove Snap-In ,
4. Click the Certificates snap-in, and then click Add .
5. Click User account , and then click Next .
6. Click Local computer , and then click Finish .
7. Expand Certificates (Local Computer) .
8. Right-click Trusted Root Certification Authorities , click All Tasks , and then click Import .
9. Use the Certificate Import Wizard to import the certificate to the user trusted store.
After completing the above actions, try reconnecting using TS Gateway.
Certificate identity mismatch
Error message – “This computer can’t connect to the remote computer because the Terminal Services Gateway server address requested and the certificate subject name do not match. Contact your network administrator for assistance.”
Brief description - The security certificate name presented by the TS Gateway server does not match the TS Gateway name. This can happen either because you used the TS Gateway NetBIOS name to connect or the administrator has incorrectly configured the TS Gateway certificate name with an internal FQDN name. You can verify the discrepancy by reviewing the server certificates as shown here:
For SAN certificates:
Resolution -
1) User action - Try reconnecting using the full FQDN of the TS Gateway server
2) Administrators action - If you are an administrator, verify that the TS Gateway certificate name matches the external FQDN of the TS Gateway server
Invalid TS Gateway certificate -
Error message – “This computer can’t connect to the remote computer because the Terminal Services Gateway server’s certificate is expired or revoked. Contact your network administrator for assistance.”
Brief description – The TS Gateway server certificate’s validity period has expired. For instance, self-signed certificates have a validity period of 6 months. You will see the following screenshot on the TS Gateway server manager snap-in (Administrator only):
Resolution ( administrator action) - Create and assign a TS Gateway certificate. Refer to the –“Obtain a certificate for the TS Gateway server” section at the following URL:
http://technet.microsoft.com/en-us/library/cc754252.aspx
No TS Gateway certificates received
Error message – “This computer can’t connect to the remote computer because no certificate was configured to use at the Terminal Services Gateway server. Contact your network administrator for assistance.”
Brief Description – The TS Gateway server certificate was either overwritten or was never configured on the TS Gateway. You will see the following screenshot on the TS Gateway manager snap-in:
The following screenshot represents the scenario in which no TS Gateway certificate exists for selection (Administrator action):
The following screenshot represents the scenario in which a valid TS Gateway certificate exists for selection (Administrator only):
Resolution ( administrator action ) – Create a certificate and export it to the certificate Personal store of Local Computer. Install the certificate on the TS Gateway. Refer to the –“To map a certificate to the local TS Gateway server” section at the following URL:
http://technet.microsoft.com/en-us/library/cc754252.aspx
Note: If you continue facing issues while trying to bind the TS Gateway certificate – refer to the following KB: