
I'm using Windows 7 and the servers are Windows 2008 R2. So far there are at least 4 servers that show this behavior.

Sometimes I get a warning when trying to connect via RDP stating the certificate name is wrong. When I reboot the server this warning disappears. After a reboot or maybe 2 or 3 the warning shows again. I always connect using the hostname only.

When the warning is shown, single sign-on does not work anymore. The certificate might be self-signed or from our internal PKI. The only difference is an additional "publisher not trusted" warning when the cert is self-signed.

When I use the FQDN, I pass the certificate check, but Kerberos SSO still does not work.

What is wrong? How can I fix this? How do I debug this to get more information? What changes after a reboot, so it works again?

Jonathan

2 Answers

The problem might have been solved. The domain controller running the FSMO PDC emulator role was running on VMware ESXi. First of all, I moved that to a hardware DC.

Additionally, I completely disabled timesync in the virtual DCs. See http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 for details.

So far I have not seen the warnings anymore.

Jonathan
  • Jonathan, it's advisable to have at least one DC as a physical machine. I ran into lots of problems with service startup dependencies when a DC was not online yet. However, the real solution is to disable the time sync. All virtual DCs should get their time from another NTP source, and the host machine should never sync it. – Brent Pabst Jul 03 '12 at 13:58
  • @BrentPabst, I previously followed http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318 which just disables the regular timesync. All the time a physical DC was on site. The virtual one was running the FSMO PDC role. After moving the FSMO Roles to a hardware DC all seems good. – Jonathan Jul 03 '12 at 16:09
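The answer and comments above point at clock skew: Kerberos rejects tickets when the client's clock differs from the KDC's by more than MaxClockSkew (5 minutes by default), which is why SSO fails on a VM whose time drifts until a reboot re-syncs it. The following PowerShell script is an added example, not part of the original answer, for checking the three things involved: where the machine takes its time from, how far its clock is from the PDC emulator, and whether VMware Tools periodic time sync is still on. It assumes it is run in an elevated PowerShell on a domain-joined Windows host, that `w32tm` and `VMwareToolboxCmd.exe` are in their default locations, and that the 300-second limit is the unchanged Kerberos default.

```powershell
# Added example (not from the original answer). Reports the time source, the measured
# offset from the PDC emulator and the VMware Tools timesync state on this machine.
function Test-KerberosClockSkew {
    param(
        # Kerberos default MaxClockSkew is 5 minutes; assumption: the domain policy is unchanged
        [int] $MaxSkewSeconds = 300
    )

    # 1. How is W32Time configured? NT5DS = domain hierarchy, NTP = manually listed peers
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $source = (w32tm /query /source) -join ' '

    # 2. The PDC emulator is the authoritative time source of the domain
    $pdc = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name

    # 3. Sample the offset against the PDC. With /dataonly w32tm prints one line per sample,
    #    e.g. "13:58:12, +00.0012345s" (the decimal separator follows the system locale).
    $offsets = w32tm /stripchart /computer:$pdc /samples:5 /dataonly | ForEach-Object {
        if ($_ -match '([+-]\d+[.,]\d+)s') { [double]($matches[1] -replace ',', '.') }
    }
    if (-not $offsets) {
        Write-Warning "No offset samples from $pdc; check name resolution and UDP/123 reachability."
    }
    $worst = 0
    foreach ($o in $offsets) { if ([math]::Abs($o) -gt $worst) { $worst = [math]::Abs($o) } }

    # 4. On a VMware guest, confirm the Tools periodic sync is off (the answer's second change).
    $toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
    $vmSync = 'not a VMware guest / Tools not installed'
    if (Test-Path $toolbox) { $vmSync = (& $toolbox timesync status) -join ' ' }

    New-Object PSObject -Property @{
        TimeServiceType   = $params.Type
        ConfiguredPeers   = $params.NtpServer
        CurrentSource     = $source
        PdcEmulator       = $pdc
        WorstOffsetSec    = [math]::Round($worst, 3)
        ExceedsMaxSkew    = ($worst -gt $MaxSkewSeconds)
        VMwareTimesync    = $vmSync
    }
}

$result = Test-KerberosClockSkew
$result | Format-List
if ($result.ExceedsMaxSkew) {
    Write-Warning 'Clock skew exceeds Kerberos MaxClockSkew; SSO will fail until the time is corrected.'
}
```

Run it on the server that shows the warning and on a DC. A `TimeServiceType` of `NT5DS` on a virtual DC that is also the PDC emulator, combined with VMware Tools timesync reporting `Enabled`, means two sources are competing for the clock, which is the situation the answer describes fixing.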

When you connect with the RDP client, are you using the full name that matches the name in the certificate? For example, if you RDP to a host using only the name foo, and allow your DNS search path to figure out this is foo.example.com, and your certificate has the value foo.example.com, then you're going to get an error.

So, to be more specific: if you install a certificate with the name foo.example.com, then you must RDP to that host using only that name, and not the IP address, a DNS alias, or any shortened forms of the name.

Since you have an internal CA, you might want to consider creating a wildcard certificate, and/or a certificate that has multiple names.

Zoredache
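The name check the RDP client performs is a plain comparison of the name typed into mstsc against the certificate's subject CN and DNS subject alternative names; a short name never equals an FQDN, and a wildcard only covers one label. The PowerShell below is an added example, not part of the original answer, that finds the certificate the RDP listener on this server is actually presenting and tests a few connection names against it. It assumes it runs in an elevated PowerShell on the server, that the listener is named `RDP-Tcp`, and that the sample names `foo` and `foo.example.com` are illustrative only.

```powershell
# Added example (not from the original answer). Checks whether a connection name would
# pass the hostname check against a given certificate, then applies it to the cert that
# the RDP-Tcp listener is configured with on this machine.
function Test-RdpCertificateName {
    param(
        [Parameter(Mandatory=$true)] [string] $ConnectName,
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    # Collect every name the certificate is valid for: the subject CN plus DNS SANs.
    $names = @()
    $cn = [regex]::Match($Certificate.Subject, 'CN=([^,]+)')
    if ($cn.Success) { $names += $cn.Groups[1].Value.Trim() }
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {            # subjectAltName
            # Windows formats each SAN entry as "DNS Name=host.example.com"
            $ext.Format($true) -split "`r?`n" | ForEach-Object {
                if ($_ -match 'DNS Name=(.+)') { $names += $matches[1].Trim() }
            }
        }
    }

    $matched = $false
    foreach ($n in $names) {
        if ($n.StartsWith('*.')) {
            # A wildcard covers exactly one leftmost label: *.example.com matches
            # foo.example.com but neither example.com nor a.foo.example.com.
            $suffix = $n.Substring(1).ToLower()
            $sameDepth = ($ConnectName.Split('.').Count -eq $n.Split('.').Count)
            if ($ConnectName.ToLower().EndsWith($suffix) -and $sameDepth) { $matched = $true }
        }
        elseif ($n -ieq $ConnectName) { $matched = $true }
    }
    New-Object PSObject -Property @{
        ConnectName      = $ConnectName
        CertificateNames = ($names -join ', ')
        NameMatches      = $matched
    }
}

# Which certificate does the RDP listener present? Win32_TSGeneralSetting stores its thumbprint.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash
$cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object { $_.Thumbprint -eq $thumb }

if (-not $cert) {
    Write-Warning "No certificate with thumbprint $thumb found in the machine stores."
} else {
    # Sample names (constructed): the short name, the machine's own FQDN, and the
    # answer's foo / foo.example.com pair. Only names listed in the cert will match.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    foreach ($name in @($env:COMPUTERNAME, $fqdn, 'foo', 'foo.example.com')) {
        Test-RdpCertificateName -ConnectName $name -Certificate $cert
    }
}
```

If `NameMatches` is `False` for the short name but `True` for the FQDN, the fix is either to connect with the FQDN (the asker's observation that the FQDN passes the certificate check) or, as the answer suggests, to issue a certificate from the internal CA with both names in its SANs.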