
Probably I am doing the wrong procedure (I am not an expert in Windows Servers).

Our server was using a 128 SHA1 self-signed certificate for RDP on SBS 2011. The certificate has expired. I proceeded to create a new certificate from IIS 7 Server Certificate selecting the option "Create Self-Signed Certificate".

Then I went to Remote Desktop Session Host Configuration and then right-click on RDP-Tcp, then I selected the generated certificate from RDP-Tcp properties.

After clicking Apply and testing RDP again, I get a warning that says "this CA root certificate is not trusted. To enable trust..."

Even though I can establish the RDP connection, the complaint is still there.

How can I fix it?

Carlos
  • 1) Do you get this warning when connecting from machines that are joined to the SBS domain? 2) Do you access RDP from machines not connected to the domain? – I say Reinstate Monica Apr 28 '17 at 16:56
  • Machines are connected to the same domain; the problem is the self-signed certificate. It has to be set up correctly. – Carlos May 01 '17 at 16:38
  • If the certificate has expired like the man said, the fix my network wizard will not work. It does not renew the certificate. How do I know this, our certificate expired today, I just ran the fix my network wizard and the SBS is saying it can't be 'renewed' because it's expired :). – Joshua Keller Oct 22 '19 at 19:55

2 Answers

The correct way to renew or add certificates (whether self-signed or signed by a public CA) in Windows Small Business Server is to use the Windows SBS Console's "Fix my network" wizard. The wizard does two things:

  • If you're using a self-signed certificate that's expired, it renews it
  • It correctly (re-)installs the existing certificate in the various services on the server that use the certificate, such as Exchange, Remote Web Access, Remote Desktop Session Broker, etc. You should never install the certificates in these services manually on an SBS server.

Run the Fix my network wizard to fix the certificate as follows:

  1. Start the Windows SBS Console
  2. Click the Network icon at the top, then click the Connectivity tab
  3. In the right-pane, click Fix my network
  4. If multiple issues are detected, you need to fix the one named Self-issued certificate is expired

Now, in your case since you have already manually renewed the certificate, the wizard may not find an expired certificate to fix. If so, re-install the already-renewed certificate through the SBS console as follows:

  1. Start the Windows SBS Console
  2. Click the Network icon at the top, then click the Connectivity tab
  3. In the right-pane, click Add a trusted certificate
  4. When the wizard starts, click Next
  5. At the Get the certificate screen select I want to use a certificate that is already installed on the server then click Next
  6. Select the correct certificate from the list then click Next
  7. The wizard will install the certificate. Click Finish when done.

How I expect this to solve your problem

Based on your comment, all of the machines using RDP on the server are domain-joined. Therefore, they should all trust the certificate installed by the SBS Console. Only non-domain workstations need additional action performed in order to trust a self-signed certificate in use by the SBS server, namely using the provided certificate install package to configure the non-domain machine to add the certificate to its Trusted Root Certificates store.

I say Reinstate Monica
  • Rule #2 of SBS, always use the wizard (Rule #1 was to run anything else) – Jacob Evans May 01 '17 at 17:21
  • Thanks Twisty, I am following your steps, and I am at step 5, "At the Get the certificate screen select...". But I see 2 options: "I want to renew my current trusted certificate with the same provider." and the 2nd option says "I want to replace the existing certificate with a new one". – Carlos May 01 '17 at 18:02
  • Ok, choose the "replace" option. (Don't worry, if there is not a certificate you can replace it with, you'll be able to cancel the wizard without making changes) – I say Reinstate Monica May 01 '17 at 19:03

To get a properly trusted certificate, you need to do one of two things.

  1. Get a public cert from a paid provider, or from the LetsEncrypt project
  2. Create a CA for internal use

Let's Encrypt is a great project, but would require HTTP from the internet open to your server to verify domain ownership.

Creating an internal CA can be done by adding the "Active Directory Certificate Services" role to a server. It is not typically recommended to install a CA on a domain controller, but in an SBS that is what everything is based around.

https://technet.microsoft.com/en-us/library/cc731183(v=ws.11).aspx

The third way to fix this, as a one-off, single-server fix, is to generate a self-signed certificate with the proper name to match. Then you would need to pull a copy of the cert and put it in the Trusted Root Certification Authorities store of every computer that is making a connection. This can be done via GPO if needed.

Cory Knutson
  • It has to be an internal CA certificate since RDP is intranet based. Can you provide the procedure for this setup? – Carlos Apr 28 '17 at 18:25
  • I edited my answer to include some basic documentation. – Cory Knutson Apr 28 '17 at 19:04
  • So what if it's an internal CA certificate? It can still be signed by a trusted provider, and then browsers or RDP clients won't complain. – Danila Ladner Apr 29 '17 at 04:38
  • Danila, trusted providers are no longer issuing SSL certificates for intranets; they were forced to unplug that service last year (for security reasons). So you have to do it with your own self-signed approach, which Microsoft provides and is the one I am mentioning here. – Carlos May 01 '17 at 14:03
  • Thanks Cory for your update, but it seems that the URL applies only to Windows 2008; I tried to follow it on my SBS 2011. Do you have one that works with SBS 2011? – Carlos May 01 '17 at 14:10
  • Public CAs shut off issuing Certs for .local domains, but that was not in your question. Is that what your domain is using? I will check around on CA support for SBS 2011, but it should be the same as 2008. Did you check the Add roles and features for the role mentioned in the guide? – Cory Knutson May 01 '17 at 15:40
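Both answers turn on the same three facts about the certificate RDP-Tcp is actually presenting: whether it has expired, whether its name matches the server clients connect to, and whether a self-signed cert has been placed in a Trusted Root store. The script below is an added example (not from the question or either answer) that reports those facts on the SBS host; it assumes PowerShell 2.0 or later run from an elevated prompt on the server, and that the listener is still named RDP-Tcp as in the question.

```powershell
# Added example: inspect the certificate bound to the RDP-Tcp listener.
# Assumes: run elevated on the RDS/SBS host, PowerShell 2.0+, listener name RDP-Tcp.

# Resolve the name clients are expected to connect with (FQDN of this host).
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# RDP-Tcp records the SHA-1 thumbprint of its listener certificate in WMI.
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                     -Class Win32_TSGeneralSetting `
                     -Filter "TerminalName='RDP-Tcp'"
$thumb = $rdp.SSLCertificateSHA1Hash

# Look the thumbprint up in the machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    Write-Warning "RDP-Tcp thumbprint $thumb is not in LocalMachine\My; check the listener binding."
    return
}

"RDP-Tcp certificate : $($cert.Subject)"
"Thumbprint          : $thumb"
"Valid               : $($cert.NotBefore) -> $($cert.NotAfter)"
"Self-signed         : $($cert.Subject -eq $cert.Issuer)"

# 1. Expiry: the symptom that started the question.
$now = Get-Date
if ($cert.NotAfter -lt $now) {
    Write-Warning "Certificate EXPIRED on $($cert.NotAfter)."
} elseif ($cert.NotAfter -lt $now.AddDays(30)) {
    Write-Warning "Certificate expires within 30 days ($($cert.NotAfter))."
}

# 2. Name match: clients compare the name they typed against the cert's DNS name.
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$certName = $cert.GetNameInfo($dnsType, $false)
if ($certName -ne $fqdn) {
    Write-Warning "Certificate name '$certName' does not match host FQDN '$fqdn'."
}

# 3. Trust: a self-signed cert is only trusted where it sits in Trusted Root.
#    Checking here shows whether the server itself has it; run the same lookup
#    on a client to see whether that client trusts it (by GPO or the SBS package).
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
if ($cert.Subject -eq $cert.Issuer -and -not $inRoot) {
    Write-Warning "Self-signed cert is not in this machine's Trusted Root store."
}
```

A client that shows the "CA root certificate is not trusted" warning will fail check 3 when the same thumbprint lookup is run against its own Cert:\LocalMachine\Root.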