
I am receiving the message "Your computer can't connect to the remote computer because the Remote Desktop Gateway's server's certificate has expired or has been revoked" when trying to access a TS gateway server published through Forefront. The certificate in use is from my internal enterprise CA.

As far as I can tell the types line up and the entire chain can be validated properly. Nothing interesting shows up in the system logs for my TS, TS Gateway, Forefront or client. The only thing I can think of is it is some kind of validation problem. I'm not sure from where or how to diagnose further.

EDIT - I verified that the certificate path on my server is good with the following.

certutil -verify -urlfetch mycert.cer
....
Verified Issuance Policies: None
Verified Application Policies:
   1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

The same certificate in use within IIS is also in use in the TS Gateway screen.

EDIT - the client is running Windows 7, mstsc version 6.1.7601.17514.

EDIT - interesting... it sounds like RDP needs to have OCSP enabled in order to do CRL lookups. http://www.experts-exchange.com/Networking/Security/Q_25072298.html

Tim Brigham

1 Answer


Either:

  1. The client doesn't have the CA Root cert installed on their computer, in the Trust Root Certs folder.
  2. The CRL URL in the Certificate can't be resolved by the client, or returns an outdated CRL.

By default MS CAs are configured to publish CRLs only to AD, which is not accessible from the outside world. MSTSC 6.0+ will return this error if they can't get the CRL and a URL is specified.

Chris S
  • Thanks. That is along the lines I was thinking. I specifically added a HTTP distribution point and set up the necessary publishing rules and DNS to allow it to be accessible from the outside. Both CRLs (for the intermediate and offline CA) are up to date. Might it be an order problem? The LDAP entries are before the HTTP. – Tim Brigham Dec 22 '11 at 19:13
  • Also the client is on the internal domain and trust to the associated CAs is not a problem. – Tim Brigham Dec 22 '11 at 19:14
  • Order shouldn't matter in the CRL URL list. If you have a 2008R2 or Win7 (w/ RSAT) open `mmc` and add the "Enterprise PKI" plugin, see what it has to say about the configuration. – Chris S Dec 22 '11 at 19:39
  • All the entries in the Enterprise PKI plugin show OK. – Tim Brigham Dec 22 '11 at 19:43
  • There is also a standard server listed in the PKI plugin which I have yet to retire. It shouldn't enter into this equation though. – Tim Brigham Dec 22 '11 at 19:46
  • What OS and MSTSC version is the client running? – Chris S Dec 22 '11 at 19:50
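An added diagnostic script (not from the question or the answer) that applies the answer's point from the client side: it lists the CRL Distribution Points in the gateway's certificate and tests which ones the client can actually fetch, flagging LDAP-only entries that a non-domain client cannot reach. It assumes PowerShell on a Windows client with certutil available, and takes the path of the exported .cer file as its only parameter.

```powershell
# Added example (not from the original post): enumerate the CRL Distribution
# Points of a certificate and check which ones this client can download.
# $CertPath (e.g. the mycert.cer exported from the TS Gateway) is an assumption.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Output "Subject: $($cert.Subject)  NotAfter: $($cert.NotAfter)"

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Output "No CDP extension: a client has no CRL to check, so no CRL error can occur."
    return
}

# Format($true) renders the extension as text with one 'URL=' entry per distribution point.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -like 'ldap:*') {
        # The default AD-integrated CA publishes here; only domain-joined, internal clients can reach it.
        Write-Output "LDAP-only CDP (not reachable from outside the domain): $url"
        continue
    }
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -OutFile $tmp
        $bytes = [System.IO.File]::ReadAllBytes($tmp)
        # A DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30); anything else is an error page.
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
            # certutil prints ThisUpdate/NextUpdate for a CRL; an expired NextUpdate also fails the check.
            $next = (certutil -dump $tmp | Select-String 'NextUpdate').Line
            Write-Output "HTTP CDP OK: $url  ($($next.Trim()))"
        } else {
            Write-Output "HTTP CDP returned non-CRL content (proxy or error page?): $url"
        }
    } catch {
        Write-Output "HTTP CDP FAILED: $url -> $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

Run it from the client that shows the mstsc error, not from the gateway, since the point is what that client can resolve and fetch.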