TS Gateway Certificates Part III: Connection Time Issues related to TS Gateway Certificates

This is the third and final part of our recent series on configuring certificates on TS Gateway. See also Part I and Part II


Background


TS clients authenticate the TS Gateway server using a server certificate (X.509 format). TS Gateway presents this certificate to the client during the SSL/TLS handshake. During the handshake, the client may drop the connection because it does not trust the certificate authority that issued the certificate, because the name in the certificate does not match the name the client connected to, or because the TS Gateway server could not produce a valid certificate at all. In any of these cases, the user will be unable to launch a remote connection through the TS Gateway. The following illustration summarizes certificate-related issues that can occur during connection establishment:


clip_image002


This post identifies the certificate-related connection issues that affect a user's ability to establish a remote TS connection through the TS Gateway server, and the actions end users and administrators can take to resolve them. For information on why TS Gateway needs a certificate and which certificate is recommended for TS Gateway, see Part I: Introduction to TS Gateway Certificates. For information on how to deploy a certificate on TS Gateway, see Part II: How to deploy a certificate on TS Gateway.


Certificate authority not trusted


Error message – “This computer can’t connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server’s certificate is not valid. Contact your network administrator for assistance.”


clip_image004


Brief description – The client does not trust the certificate authority that issued the TS Gateway certificate. This most commonly arises when the administrator has provisioned the TS Gateway with a self-signed certificate, or with a certificate issued by a private certificate authority whose root certificate is not installed on the client.


Resolution (user-specific) – Copy the TS Gateway certificate (or, for a private certificate authority, that CA's root certificate) to the client machine and install it in the Trusted Root Certification Authorities store. Only install a certificate you received from the administrator through a channel you trust, and compare its thumbprint with the value the administrator gives you before importing it: everything you place in this store becomes trusted for every server that presents a certificate chaining to it, not just the TS Gateway.


To install the certificate in the Trusted Root Certification Authorities store of the local computer (this requires administrator rights on the client; a user without them can instead choose My user account in step 5, click Finish, and perform the same import under Certificates - Current User):


1. Copy the TS Gateway certificate (a .cer file) to the client machine.


2. Click Start, click Run, type “mmc.exe” (without the quotation marks), and then click OK.


3. Click File, and then click Add/Remove Snap-in.


4. Click the Certificates snap-in, and then click Add.


5. Click Computer account, and then click Next.


6. Click Local computer, and then click Finish.


7. Expand Certificates (Local Computer).


8. Right-click Trusted Root Certification Authorities, click All Tasks, and then click Import.


9. Use the Certificate Import Wizard to import the certificate file into the Trusted Root Certification Authorities store.


After completing the above actions, try reconnecting using TS Gateway.
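The same import can be scripted. The following PowerShell script is an added example and is not part of the original post: it checks the certificate file's thumbprint against the value the administrator supplied out of band, refuses anything that is not self-issued (so it cannot be used to silently trust an intermediate or end-entity certificate), and then imports it with certutil, which ships with Windows. The file path and thumbprint are placeholder assumptions.

```powershell
# Added example (not from the original post): import a TS Gateway root certificate
# into a trusted store only after checking its thumbprint against a value the
# administrator supplied out of band. Path and thumbprint below are assumptions.
param(
    [string]$CertPath = 'C:\Temp\tsgateway-root.cer',                          # assumed location of the .cer file
    [string]$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # assumed value from the administrator
    [switch]$CurrentUser                                                       # import into Current User instead of Local Computer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Compare SHA-1 thumbprints, ignoring case and the spaces the Certificate dialog inserts.
$actual   = $cert.Thumbprint.ToUpperInvariant()
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Thumbprint mismatch: file has $actual, administrator supplied $expected. Not importing."
}

# Only a self-issued certificate (self-signed gateway certificate or a private CA root)
# belongs in Trusted Root Certification Authorities.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-issued (Subject '$($cert.Subject)', Issuer '$($cert.Issuer)'); refusing to add it as a root."
}

Write-Host ("Importing '{0}', valid until {1:yyyy-MM-dd}" -f $cert.Subject, $cert.NotAfter)

# certutil -addstore: '-user' targets the Current User store; without it the Local Computer
# store is used, which requires an elevated prompt.
if ($CurrentUser) {
    certutil -user -addstore Root $CertPath
} else {
    certutil -addstore Root $CertPath
}
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Confirm the certificate is now present in the chosen store.
$store = if ($CurrentUser) { 'Cert:\CurrentUser\Root' } else { 'Cert:\LocalMachine\Root' }
Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $actual } |
    Format-List Subject, Thumbprint, NotAfter
```

Run it from an elevated PowerShell prompt for the Local Computer store, or with -CurrentUser from an ordinary prompt. The thumbprint check is the important part: a certificate obtained by clicking through the RDP client's warning, or downloaded from the gateway itself, is exactly what an attacker in the path could substitute, so the expected value must come from the administrator, not from the connection being diagnosed.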


Certificate identity mismatch


Error message – “This computer can’t connect to the remote computer because the Terminal Services Gateway server address requested and the certificate subject name do not match. Contact your network administrator for assistance.”


clip_image006


Brief description – The name in the certificate presented by the TS Gateway server does not match the name the client used to reach the gateway. This can happen either because you connected using the TS Gateway's NetBIOS name, or because the administrator configured the TS Gateway certificate with the server's internal FQDN instead of the external FQDN that users connect to. You can verify the discrepancy by reviewing the Subject of the server certificate as shown here:


clip_image008


For certificates with a Subject Alternative Name (SAN) extension, the client matches the requested name against the SAN DNS entries rather than the Subject CN, so check those entries:


clip_image010



Resolution –


1) User action – Try reconnecting using the full FQDN of the TS Gateway server, which is the name that should appear in the certificate.


2) Administrator action – If you are an administrator, verify that the TS Gateway certificate name (Subject CN, or a SAN DNS entry) matches the external FQDN of the TS Gateway server, that is, the name users type into the RDP client.


Invalid TS Gateway certificate


Error message – “This computer can’t connect to the remote computer because the Terminal Services Gateway server’s certificate is expired or revoked. Contact your network administrator for assistance.”


clip_image012


Brief description – The TS Gateway server certificate's validity period has expired, or the certificate has been revoked by its issuer. For instance, self-signed certificates have a validity period of 6 months. On the TS Gateway server, the TS Gateway Manager snap-in shows the following (administrator only):


clip_image013


Resolution (administrator action) – Create and assign a new TS Gateway certificate. Refer to the “Obtain a certificate for the TS Gateway server” section at the following URL:


http://technet.microsoft.com/en-us/library/cc754252.aspx
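The three client-side errors described so far (untrusted authority, name mismatch, expired or revoked certificate) can all be diagnosed from the client without the RDP client in the loop. The following PowerShell script is an added example, not part of the original post: it connects to the gateway's HTTPS port, captures the certificate presented, records the validation verdict the client would have reached, and then rebuilds the chain with online revocation checking (the handshake alone does not consult CRLs) so the revoked case is visible too. The gateway name and port are assumptions.

```powershell
# Added example (not from the original post): pull the certificate a TS Gateway presents
# on its HTTPS port and report the conditions behind the "certificate authority ... is not
# valid", "subject name do not match" and "expired or revoked" errors.
# The gateway name and port are assumptions; change them for your environment.
param(
    [string]$GatewayHost = 'tsgw.contoso.com',   # assumed: the name users type into the RDP client
    [int]$Port = 443
)

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None

# The callback receives the same verdict the OS chain engine gives the RDP client; record it
# and return $true so the handshake completes and the certificate can be inspected.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($GatewayHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Close()
    $tcp.Close()
}

# Names the certificate is valid for. When a Subject Alternative Name extension is present,
# the client matches against its DNS entries and ignores the Subject CN.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names = ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=', 2)[1] }
} else {
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
}

$findings = @()
$flags = [int]$script:policyErrors
if (($flags -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0) {
    $findings += "Chain is not trusted from this client (issuer: $($cert.Issuer)). Expect the 'certificate authority ... is not valid' error until the issuing root is installed."
}
if (($flags -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0) {
    $findings += "Name mismatch: connected to '$GatewayHost' but the certificate is for: $($names -join ', '). Use that name in the RDP client, or reissue the certificate for the external FQDN."
}
$now = Get-Date
if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
    $findings += "Outside its validity period ($($cert.NotBefore) to $($cert.NotAfter)). Expect the 'expired or revoked' error."
}

# AuthenticateAsClient above does not check revocation; build the chain with online CRL
# checking to surface a revoked certificate and the exact chain status text.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$null = $chain.Build($cert)
foreach ($status in $chain.ChainStatus) {
    $findings += "Chain status: $($status.Status) ($($status.StatusInformation.Trim()))"
}

"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"
"Valid:   $($cert.NotBefore) to $($cert.NotAfter)"
"Names:   $($names -join ', ')"
if ($findings.Count -eq 0) { 'No certificate problems detected from this client.' } else { $findings }
```

Run it on the client that is failing, using exactly the host name entered in the RDP client; running it with the internal FQDN or NetBIOS name instead changes the name-mismatch result and hides the problem the user is seeing. The script deliberately returns $true from the callback only so it can report; it should not be reused as a validation callback in anything that carries real traffic.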


No TS Gateway certificates received


Error message – “This computer can’t connect to the remote computer because no certificate was configured to use at the Terminal Services Gateway server. Contact your network administrator for assistance.”


clip_image015


Brief description – The TS Gateway server certificate was either overwritten or was never configured on the TS Gateway. The following TS Gateway Manager screenshot shows the scenario in which no TS Gateway certificate exists for selection (administrator only):


clip_image017




The following screenshot shows the scenario in which a valid TS Gateway certificate exists for selection (administrator only):



clip_image019



Resolution (administrator action) – Create or obtain a certificate and import it, together with its private key, into the Personal store of the Local Computer on the TS Gateway server, then select it in TS Gateway Manager. A certificate imported without its private key will not be offered for selection. Refer to the “To map a certificate to the local TS Gateway server” section at the following URL:


http://technet.microsoft.com/en-us/library/cc754252.aspx
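To see from the server side why TS Gateway Manager offers no certificate, or offers the wrong one, it helps to list what is actually in the Local Computer Personal store and test each entry against the requirements this post describes (private key present, Server Authentication usage, still valid, issued for the external FQDN). The following PowerShell script is an added example, not part of the original post or of TS Gateway Manager's own selection logic; the external FQDN is an assumption.

```powershell
# Added example (not from the original post): run on the TS Gateway server to list the
# certificates in the Local Computer Personal store and explain which ones can serve as
# the TS Gateway certificate. The external FQDN is an assumption; replace it with yours.
param([string]$ExternalFqdn = 'tsgw.contoso.com')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

# Returns the reasons a certificate cannot serve as the TS Gateway certificate
# (an empty list means it is usable). A certificate imported without its private key is
# the usual cause of "no certificate was configured" after a gateway rebuild.
function Test-TsGatewayCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key in this store' }

    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $reasons += 'EKU present but lacks Server Authentication'
    }

    $now = Get-Date
    if ($Cert.NotAfter -lt $now)  { $reasons += "expired on $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $now) { $reasons += "not valid until $($Cert.NotBefore)" }

    # SAN DNS entries win over the Subject CN when the extension is present.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=', 2)[1] }
    } else {
        $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    }
    # -like lets a wildcard name such as *.contoso.com match; exact names compare as equality.
    if (-not ($names | Where-Object { $ExternalFqdn -like $_ })) {
        $reasons += "names [$($names -join ', ')] do not cover $ExternalFqdn"
    }
    return ,$reasons
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $reasons = Test-TsGatewayCertificate -Cert $_
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Expires    = $_.NotAfter
        Usable     = ($reasons.Count -eq 0)
        Problems   = ($reasons -join '; ')
    }
} | Format-Table Usable, Subject, Expires, Thumbprint, Problems -AutoSize

# TS Gateway's HTTPS listener is provided by HTTP.sys, so the Certificate Hash bound to
# port 443 must be the thumbprint of the certificate selected in TS Gateway Manager.
netsh http show sslcert
```

If the table shows the intended certificate with "no private key in this store", re-export it from wherever it was created as a PFX including the private key and import that PFX into Local Computer\Personal; a .cer export cannot be used here. If the table is fine but the netsh output shows a different hash (or none) on port 443, the selection was never applied, which is the situation the KB article referenced below covers.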


Note: If you continue facing issues while trying to bind the TS Gateway certificate – refer to the following KB:


http://support.microsoft.com/kb/959120/