Remote Desktop Gateway server certificate has expired or been revoked

Remote Desktop Gateway server’s certificate has expired or has been revoked - Windows 7 issue


    Hi there

    There are so many suggestions online about this issue, but none worked for me

    RDS server is installed and configured on Windows Server 2012 R2

    The remote apps work from Windows 10 clients and the issue is only when I try with a Windows 7 client

    Error (I get this error when I open the RDP and it checks for Windows credentials)

    Your computer can’t connect to the remote computer because the Remote Desktop Gateway server’s certificate has expired or has been revoked. Contact your network administrator for assistance.

    The certificate is valid and not expired and I can also access the url from CRL distribution lists

    Any ideas pls?

    Note

    Initially I had this issue

    Your computer can't connect to the remote computer because a security package error occurred in the transport layer. Retry the connection or contact your network administrator for assistance.

    Fixed by running this

    reg.exe Add "HKCU\Software\Microsoft\Terminal Server Client" /V "RDGClientTransport" /T REG_DWORD /D "1"


    • Edited by devops_sl Thursday, February 22, 2018 4:36 PM

    Thursday, February 22, 2018 4:34 PM

All replies


    Hi,

    When you see the error message please click on the View certificate... button and verify that the details and thumbprint match what is configured in RD Gateway Manager on the RD Gateway server.

    Thanks.

    -TP

    Friday, February 23, 2018 1:32 AM


    I checked; they are all correct.

    Just to clarify, the rdweb url works fine: I can log in, and when I open the RDP connection I get prompted for Windows credentials, and that's when I get the error message.

    Friday, February 23, 2018 3:50 PM


    I checked; they are all correct.

    Just to clarify, the rdweb url works fine: I can log in, and when I open the RDP connection I get prompted for Windows credentials, and that's when I get the error message.

    Hi,

    1. Are you mentioning rdweb because you have RD Gateway on same server using same certificate?

    2. As a test, on the Win7 client PC, please uncheck Check for server certificate revocation in Control Panel --> Internet Options --> Advanced tab. Restart the PC and test to see if error still occurs. This is only temporary test to see if problem is related to revocation checks and should be changed back after test.

    3. Is the RD Gateway certificate issued from a trusted public authority such as Thawte, GeoTrust, Comodo, GoDaddy, DigiCert, etc., or is it from some other source such as internal CA?

    Thanks.

    -TP

    Friday, February 23, 2018 4:06 PM


    1. I didn't explain clearly. I use something like this https://name.certificate.com to access the RD Web Access page. I enter the domain username and password, and it is successful. I can see the remote apps and desktop configured, and when I try to log in to the remote desktop connection I get the error.

    All the RDS components are installed on the same server

    2. I tried; still the same issue

    3. Yes, from GoDaddy (the same works from a Windows 10 client)

    In Event Viewer on the Win 7 client I see this error

    The following fatal alert was received: 40

    Event ID: 36887

    • Edited by devops_sl Friday, February 23, 2018 4:41 PM

    Friday, February 23, 2018 4:38 PM


    Hi,

    If you have any antivirus/antimalware/security or similar software on the workstation please completely uninstall it, restart the PC, and test again.

    Please post specifics details of the event including source, event id, description, etc.

    -TP

    • Proposed as answer by Eve Wang (Microsoft contingent staff) Wednesday, March 7, 2018 3:16 PM

    Friday, February 23, 2018 5:05 PM


    This almost always is because the computer is in a domain and/or has a certificate that is self-signed. Internal certificates are often left to defaults.

    The solution is to install the root certificate in the trusted certificate store on the remote computer, but the problem is most computers and domain computers don't have valid certificates.

    LOL Chrome, Microsoft you have to deal with these tiny characters, I refuse to correct your forum deficiencies. Ignore the problem and inform users to accept the unsafe certificate the 1st time but notify you any time it occurs after.

    This whole issue is a nightmare.

    How do we secure remote desktops if the certificate always changes, and through RDC, why doesn't the RDC server authenticate the certificate before warning the attached client? It's all so dangerous.

    In the end, people inevitably just accept the certificate and allow the insecurity to fester

    • Proposed as answer by Eve Wang (Microsoft contingent staff) Wednesday, March 7, 2018 3:16 PM

    Monday, February 26, 2018 5:14 AM


    Had the same issue; after lots of digging, here is the solution I found.

    1. Apply this KB -> http://support.microsoft.com/kb/2574819

    2. Apply the fix in this link -> https://support.microsoft.com/en-ca/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

    Finding this solution involved turning on schannel logging. You would have noticed event 36887 in System event viewer.

    Also remove the initial registry entry you added

    • Proposed as answer by Eve Wang (Microsoft contingent staff) Wednesday, March 7, 2018 3:16 PM

    Thursday, March 1, 2018 11:21 PM
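
The answer above was found through Schannel event 36887, and the alert number in that event is what separates a genuine certificate problem from a failed protocol negotiation. The following Python triage is an added example, not code from the thread: it maps the alert codes defined in RFC 5246 and classifies event text. The sample event messages are constructed (the first copies the line quoted earlier in the thread, the longer wording is an assumption), and the function names are illustrative.

```python
import re
from collections import Counter

# TLS alert descriptions, RFC 5246 section 7.2 (handshake-relevant subset).
TLS_ALERTS = {
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}

# Alerts that really do point at the certificate or its chain.
CERT_ALERTS = {42, 43, 44, 45, 46, 48}
# Alerts that mean the two sides could not agree on a version or cipher suite.
NEGOTIATION_ALERTS = {40, 70, 71}

# Schannel event IDs: 36887 = alert received from the peer,
# 36888 = alert generated locally and sent to the peer.
DIRECTION = {36887: "received", 36888: "sent"}

# Matches the wording quoted in the thread ("fatal alert was received: 40")
# and a longer "fatal alert/error code is NN" form (assumed wording).
ALERT_RE = re.compile(
    r"(?:fatal alert was received:|fatal (?:alert|error) code is)\s*(\d+)",
    re.IGNORECASE,
)


def parse_event(event_id, message):
    """Return a finding dict for a Schannel alert event, or None otherwise."""
    if event_id not in DIRECTION:
        return None
    match = ALERT_RE.search(message)
    if match is None:
        return None
    code = int(match.group(1))
    if code in CERT_ALERTS:
        category = "certificate"
    elif code in NEGOTIATION_ALERTS:
        category = "negotiation"
    else:
        category = "other"
    return {
        "event_id": event_id,
        "direction": DIRECTION[event_id],
        "code": code,
        "name": TLS_ALERTS.get(code, "unknown"),
        "category": category,
    }


def triage(events):
    """Classify (event_id, message) pairs and say where to look first."""
    findings = [f for f in (parse_event(i, m) for i, m in events) if f]
    counts = Counter(f["category"] for f in findings)
    if not findings:
        verdict = "no-schannel-alerts"
    elif counts["negotiation"] and not counts["certificate"]:
        verdict = "check-tls-versions-and-ciphers"
    elif counts["certificate"] and not counts["negotiation"]:
        verdict = "check-certificate-and-revocation"
    else:
        verdict = "inconclusive"
    return verdict, findings


# Constructed sample: System log entries exported as (event_id, message).
SAMPLE_EVENTS = [
    (36887, "The following fatal alert was received: 40."),
    (36888, "A fatal alert was generated and sent to the remote endpoint. "
            "The TLS protocol defined fatal error code is 70."),
    (7036, "The Remote Desktop Gateway service entered the running state."),
]

if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_EVENTS)
    print(verdict)
    for f in findings:
        print(f["event_id"], f["direction"], f["code"], f["name"])
```

Alert 40 is handshake_failure, not certificate_revoked (44) or certificate_expired (45), so for the event in this thread the TLS layer is reporting a negotiation failure rather than a certificate fault, which fits the TLS 1.1/1.2 updates being the fix.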

Windows 11 says RDG Server certificate is expired or revoked, but it's not.


I have a server running RDG (Remote Desktop Gateway) and RRAS using the same certificate. Windows 10 and Windows 7 clients (Home users) have no issues using either RDG or VPN.

I have a user who just upgraded their home pc to Windows 11 and now receives "Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked. Contact your network administrator for assistance"

I have verified both by examining the certificate, and by using the provider's test (DigiCert) that the certificate is valid and not revoked.

I installed Windows 11 on a test machine and receive the same message when trying to connect to RDG. I am however able to connect using VPN against RRAS on the same server using the same certificate.

I advised the user to revert to Windows 10 and she's now able to connect again.

Help! Going to advise all users to not upgrade at this point.


DaleBentley-0520 · Dec 18, 2021 at 07:27 AM

Have found the answer after testing across multiple versions of RD Gateway.

We found that Windows 11 connected fine to RDG if running on Windows Server 2016 or 2019, however failed with the error you detailed on Windows Server 2008R2 or 2012.

Turns out the TLS version on 2008/2012 is still TLS 1.0. So we forced this to TLS 1.2, restarted server and now we can connect with Windows 11. So to update the server to TLS 1.2 make sure this update is applied: https://support.microsoft.com/en-us/topic/update-to-add-rds-support-for-tls-1-1-and-tls-1-2-in-windows-7-or-windows-server-2008-r2-8aff6954-a80d-411c-c75c-6aeaaab4f570

Then you need to edit registry in multiple places as per this: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)?redirectedfrom=MSDN#bkmk_schanneltr_tls10 . Restart server after these changes and Windows 11 will now work with RD Gateway running on Server 2008/2012.

2 Votes 2 ·

RichardSims-5033 DaleBentley-0520 · Dec 21, 2021 at 02:57 AM

Awesome! That fixed it, not only for RDG, but also for SSTP!

0 Votes 0 ·

DaleBentley-0520 RichardSims-5033 · Dec 21, 2021 at 03:11 AM

Good to have someone else confirm this worked for their sites as well. Appreciate your update.

0 Votes 0 ·

WaynePolakoff-0207 · Nov 04, 2021 at 01:18 PM

Same issue here. Verified it's definitely something in Windows 11. Luckily it's just one so far.

1 Vote 1 ·

RichardSims-5033 WaynePolakoff-0207 · Nov 04, 2021 at 01:59 PM

Ok great, hopefully Microsoft is reading :)

0 Votes 0 ·

BenedettoTommy-0321 · Nov 09, 2021 at 11:47 PM

Same issue here. Patch Tuesday did not fix the issue.

0 Votes 0 ·

DaleBentley-0520 BenedettoTommy-0321 · Dec 21, 2021 at 03:14 AM

See my earlier post, explains what to do and link to steps to apply TLS 1.2 which fixes issue

0 Votes 0 ·

MikeCrockett-5823 · Nov 10, 2021 at 03:06 AM

We are seeing the same here.. looks like Windows 11. Win 10 has no issues with the cert.. just 11. Hope they get this fixed before everyone jumps on the bandwagon and tries to WFH on 11. :)

0 Votes 0 ·

DaleBentley-0520 MikeCrockett-5823 · Dec 21, 2021 at 03:13 AM

See my earlier post, explains what to do and link to steps to apply TLS 1.2 which fixes issue

0 Votes 0 ·

AnthonyStewart-2295 · Nov 11, 2021 at 08:33 PM

Same here. Found this error about a week ago but this is the first time I've seen any posts about it. A friend of mine suggested it may be a TLS issue, but I don't know very much about this subject. Very inconvenient to say the least.

0 Votes 0 ·

DaleBentley-0520 AnthonyStewart-2295 · Dec 21, 2021 at 03:12 AM

See my earlier post, explains what to do and link to steps to apply TLS 1.2

0 Votes 0 ·


RichardSims-5033 answered Nov 4, '21

Ok great, hopefully somebody at Microsoft is reading :)


Reza-Ameri answered Nov 12, '21 | Reza-Ameri commented Nov 13, '21

Since other people are facing this problem, I advise you to open Start, search for feedback, open the Feedback Hub app and report this issue. Those who are facing the same issue may open the Feedback Hub app and vote for this issue.


AnthonyStewart-2295 · Nov 13, 2021 at 12:41 AM

Thank you for the suggestion. I have raised this as an issue on the Feedback Hub.

0 Votes 0 ·

Reza-Ameri AnthonyStewart-2295 · Nov 13, 2021 at 04:42 PM

Welcome and thank you for sharing this issue

0 Votes 0 ·

MatWright-2697 answered Nov 14, '21 | MatWright-2697 published Nov 14, '21

Also raised as an issue on the Feedback Hub


LucaMarangone-8917 answered Nov 16, '21 | RichardSims-5033 commented Nov 16, '21

Same problem. I suppose the key is here
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-remove-all-windows-downloads-signed-with-sha-1/ and https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1&Language=en-en
All our certificates are signed sha-1. So Windows 11 is able to do rdp directly but not through a RDP Gateway with AD Certificate. No problem with every version of Windows 10 and previous OS. Workarounds?


RichardSims-5033 · Nov 16, 2021 at 10:09 PM

Our certificate is SHA256 from DigiCert.

0 Votes 0 ·

Dav-8447 answered Nov 18, '21 | RichardSims-5033 commented Nov 18, '21

Same issue.
Workaround: Using the Microsoft Remote Desktop app, it works for me


RichardSims-5033 · Nov 18, 2021 at 03:35 PM

Yes! That works for me too. Not a solution, but a great workaround... Thanks!

0 Votes 0 ·

MikeCrockett-5823 answered Nov 18, '21

Yes.. that worked for us as well. But you cannot do more than one screen with that app. Most people are WFH now (Covid) and complain if they do not have dual screens. :)


ArmandoCastillo-3083 answered Nov 23, '21 | ArmandoCastillo-3083 published Nov 23, '21

Anyone have an alternative? Been trying to run an application through RDS servers and have that same issue


Gaz3000-7279 answered Nov 23, '21

Same here, using RDCMAN and also the default Remote Desktop client in Windows, neither work when connecting to our Remote Desktop Gateway, apparent expired certificate.

App store Remote Desktop app works though.


Solved: How do I fix RemoteApp Disconnected error because Gateway server’s certificate has expired or has been revoked?

Posted October 30, 2021

Problem Symptom

The detailed error message is as below:

RemoteApp Disconnected

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server’s certificate has expired or has been revoked. Contact your network administrator for assistance.

Follow the steps below to resolve the RemoteApp Disconnected error that appears because the Gateway server’s certificate has expired or has been revoked.

Solution

Make sure your CRL settings and/or OCSP settings are correct if you use self signed certificates.

Make sure your client can contact the publisher's CRL if you use a publicly signed certificate.

In the Gateway Server, launch Server Manager > Remote Desktop Services > Collections > {Collection-name} > Tasks > Edit Deployment Properties.


Click on the Certificates > RD Gateway > View Details > Check the date is still valid.


13 Replies

· · ·

davidr4

Apr 28, 2017 at 14:06 UTC

I am pretty sure there is a pull down menu where you can select All File types when you are browsing

· · ·

JeremySh0e

Apr 28, 2017 at 14:10 UTC

When I do that and try to import a .crt file it says "the certificate is not a valid Personal Information Exchange (PFX) file."

I am not even sure if importing a certificate is what I need to be doing.

· · ·

Justin1250

Apr 28, 2017 at 14:15 UTC

You have to request a whole new cert from GoDaddy

· · ·

JeremySh0e

Apr 28, 2017 at 14:21 UTC

Godaddy has the cert valid for 1 year. Are you saying that I need to Re-Key it or something else?

· · ·

Best Answer

Jim Peters

Apr 28, 2017 at 14:34 UTC

If it has expired (look at validity end date), you have to buy a new one. SSLs are good for 1, 2 or 3 years. Generate a CSR on the server you wish to install it on. Use this during the order process. Go through verification process and then when you receive the new SSL, "complete the certificate signing request" which will ask you for the file. Download the new file and intermediate cert from their user portal if you need it.

During the life of an existing SSL, you can "re-issue" or "replace" it. I believe this is always free. Do the same process of CSR create, go through order process, download new one from user portal.

What you don't want to do is "revoke" it, unless you mean it. It is destructive: your existing SSL is immediately marked as revoked and you have to buy a new one to replace it.

· · ·

Da_Schmoo

Apr 28, 2017 at 14:44 UTC


You have to download a new key. If Godaddy "autorenewed" it, which I didn't know was an option for SSL certs, you probably have the credit sitting there waiting for you to use it.

· · ·

JeremySh0e

Apr 28, 2017 at 14:45 UTC

What I am seeing is that on the server the certificate expired yesterday. What I see at Godaddy is that the certificate does not expire for another year from yesterday. It's like the certificate auto-renewed.

· · ·

JeremySh0e

Apr 28, 2017 at 14:51 UTC

I have downloaded the key. It is a .crt file.

I imported it into Personal Certificates. I believe that I now need to export it as .pfx file so I can use with Remote Desktop Gateway server.

When I try to export it, it will only let me export as .cer or .p7b. The option for .pfx is grayed out. It looks like the cert that I imported does not contain the private key.

Again - I think that is what I need to do.

· · ·

Da_Schmoo

Apr 28, 2017 at 15:50 UTC


When you go to export the key, one of the first choices is if you want to export the private key. If you don't choose yes, the next screen will have the .pfx option greyed out. If you answered yes and it is still greyed out, that usually means that when the cert request was made, the option to make the private key exportable wasn't selected.

· · ·

JeremySh0e

Apr 28, 2017 at 16:00 UTC

I don't think it contains the private key. I am thinking that I need to re-key the cert, download the new one and import it to the server.

I have tried to do this by creating a CSR, then going to rekey on Godaddy site. When I click submit it says that it needs to be at least 2048 bit. I generated the CSR using 4096 key size. I went ahead and generated another CSR using 2048 and tried again and it says the same thing "Please provide a CSR generated with at least 2048-bit keys."

I am terrible with certs

· · ·

Da_Schmoo

Apr 28, 2017 at 16:06 UTC


Make sure you are doing the export from the server you made the original cert request from. As far as the Godaddy issue, never seen that particular problem.

· · ·

Justin1250

Apr 28, 2017 at 16:11 UTC

JeremySh0e wrote:

I don't think it contains the private key. I am thinking that I need to re-key the cert, download the new one and import it to the server.

I have tried to do this by creating a CSR, then going to rekey on Godaddy site. When I click submit it says that it needs to be at least 2048 bit. I generated the CSR using 4096 key size. I went ahead and generated another CSR using 2048 and tried again and it says the same thing "Please provide a CSR generated with at least 2048-bit keys."

I am terrible with certs

Are you using the MS RSA provider?

The steps should be similar to this:

http://www.urtech.ca/2010/08/how-to-renew-a-terminal-server-remote-desktop-certificate/

· · ·

JeremySh0e

May 12, 2017 at 15:35 UTC

I was generating the CSR from the wrong place. I generated from IIS and was able to get the new cert (I did not get the error "Please provide a CSR generated with at least 2048-bit keys.")

Thanks for all the help.


14 Replies

· · ·


IT7975 Sep 4, 2013 at 05:58 UTC

I had exactly the same error message however it was working the day I setup but next day it just died. However, my setup wasn't as like your external and internal - mine is purely internal.

I tried everything deleting certificate from IIS, RDP server, and client. Re-creating and assigning but none worked.

one thing I remembered as I was going thru the whole suite of RDP components: RDP Manager, RDP Session Host, RDP Remote App etc etc...

I found: RemoteApp Manager > RD Host Session Server Setting (click Change) > RD Gateway tab and ticked Automatically detect RD Gateway Server Settings. Then I restarted the Remote Desktop Gateway service and what do you know...DAMN THING ACTUALLY WORKED!!!

Wooohoooo...

So you might want to check in your environment this might help....

Cheers,

IT

· · ·

Eddie.Brown Sep 4, 2013 at 16:51 UTC

Hey thanks for the reply,

I tried to turn them to automatic and the results are not any better. Instead of the certificate error I now get an error stating: The gateway server you are trying to contact is temporarily unavailable.

It is actually working internally and I have rebuilt this server more than once. I have even gone as far as setting up a test environment to try to resolve the issues I see from afar. However nothing has worked yet, Microsoft's instructions to get this working are designed for internal use only and are convoluted to say the least. There is very little instruction or even experience around the external access for this service. I have already dumped so many hours into this, I am almost looking for an alternative solution. Maybe I will just open a VPN tunnel to allow remote access to the server.

· · ·

IT7975 Sep 4, 2013 at 23:55 UTC

Your main issue here is that externally not able to access - correct?

1-) I think you might want to try putting it on your DMZ just for test.

2-) Assuming that you have done the routing on your firewall?

3-) Assuming you have mapped to external IP (NATing)and published the URL externally?

4-) Check the port the RDP WebAccess connecting on - you need to open that port on your firewall.

5-) Assuming you have configured HTTPS traffic for this site with port?

· · ·

Best Answer

Eddie.Brown Sep 11, 2013 at 16:25 UTC

This has been resolved.

It was a problem with the certificate and where I was creating it from. I was creating a self-signed cert from IIS. In order to specify my external domain I had to create the self-signed certificate through the RD gateway manager. After I did this BOOM everything was working.

· · ·

IT7975 Sep 12, 2013 at 00:20 UTC

Good work!

· · ·

ahmedali2 Mar 2, 2014 at 05:47 UTC

Please Can you explain what you did exactly to solve that issue ??!!

· · ·

dunBrokeIT Mar 4, 2014 at 22:55 UTC

Running into this problem ourselves, an explanation would be most appreciated :)

· · ·

Little Green Man

Mar 5, 2014 at 01:04 UTC

Eddie.Brown wrote:

This has been resolved.

It was a problem with the certificate and where I was creating it from. I was creating a self-signed cert from IIS. In order to specify my external domain I had to create the self-signed certificate through the RD gateway manager. After I did this BOOM everything was working.

crowntech wrote:

Running into this problem ourselves, an explanation would be most appreciated :)

See Bold.

· · ·

Little Green Man

Mar 5, 2014 at 01:05 UTC

ahmedali2 wrote:

Please Can you explain what you did exactly to solve that issue ??!!

See above BA.

· · ·

stevensedory Jun 10, 2014 at 06:38 UTC


If you still need help with this, I can explain. I don't want to go through the trouble though if you don't need it, so let me know by replying.

0

· · ·


Eddie.Brown Jun 10, 2014 at 19:27 UTC

Sorry Bill,

I haven't circled back to this in quite some time. Basically there are multiple ways to issue a self-signed certificate to a server. In this particular situation there are three: one through IIS manager, one through the certificate MMC snap-in, and one through the RDP gateway properties.

The third place is where I was able to associate my server with my external domain and have it self-sign. Once I created the certificate through the RDP gateway settings my website was loading my applications.

I hope this helps.

0
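A check related to the fix described in the post above, added here and not part of the thread: it fetches the certificate the RD Gateway presents on TCP 443 and reports whether it covers the external name, whether it is inside its validity period, and whether the chain builds with online revocation checking from the machine it runs on. The host name `rdgw.example.com` is a placeholder, and the wildcard comparison is a simple `-like` match.

```powershell
# Added example, not part of the thread. 'rdgw.example.com' is a placeholder name.
param([string]$GatewayFqdn = 'rdgw.example.com', [int]$Port = 443)

$tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
try {
    # Accept whatever certificate is presented so that a bad one can still be examined.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($GatewayFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally { $tcp.Close() }

# Names the certificate is valid for: subject CN plus subjectAltName (OID 2.5.29.17).
$names = @($cert.GetNameInfo('SimpleName', $false))
$san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += $san.Format($false) -split ',\s*' | ForEach-Object { $_ -replace '^DNS Name=', '' }
}

# Build the chain with online revocation checking, as seen from this machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk = $chain.Build($cert)

New-Object PSObject -Property @{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    Thumbprint  = $cert.Thumbprint          # compare with the one shown in RD Gateway Manager
    NotBefore   = $cert.NotBefore
    NotAfter    = $cert.NotAfter
    InValidity  = ((Get-Date) -ge $cert.NotBefore -and (Get-Date) -le $cert.NotAfter)
    Names       = ($names -join ', ')
    NameMatches = [bool]($names | Where-Object { $GatewayFqdn -like $_ })
    ChainBuilds = $chainOk
    # Values such as NotTimeValid, Revoked, RevocationStatusUnknown or UntrustedRoot
    ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
} | Format-List
```

Run it from a client that shows the error as well as from one that does not; a difference in `ChainStatus` between the two points at trust or CRL reachability on the client rather than at the certificate itself.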

· · ·


pjens4962 Jan 15, 2015 at 16:55 UTC


Hello all,

One of my clients had a certificate expire on their server yesterday and now all the users are getting the following error on their desktop. I issued a new certificate (Renewed) on the server and it took care of the local computer errors, however, the remote desktop users from outside the organization still can't get

[image]

Or this...

[image]

RWA users can't remote desktop in because they get this error...

[image]

And when you view certificate, the install certificate button is missing (See below)

[image]

I "copied to file" and installed it to the Trusted Root Cert folder, but they still can't get access through remote desktop. Any help would be greatly appreciated! I'm trying to learn this certificate stuff...

0

· · ·


lynntober-rice2 Sep 11, 2015 at 15:15 UTC


Were you able to resolve your issue? If so I would like to know how this was resolved.

I am having a similar problem with a traveling user and it references the Hotel's wireless certificate. There is no "install" option.

Thank you.

~Lynn

0

· · ·


starg33ker


Sep 11, 2015 at 20:14 UTC

Hi lynntober-rice2, welcome to SpiceWorks!

When you see that there's been a "best answer" marked, that means the issue has been resolved. The poster mentioned the solution here http://community.spiceworks.com/topic/post/2521776

If this does not fix your issue, I would recommend starting a new topic, as you'll receive little to no help in a 2-year-old thread.

Hope to see you around!


Problem

Eleven days! That’s how long it took to fix this. After seven days, I bit the bullet and logged a call to Microsoft. I spent hours on the phone to the Remote Desktop Team, the Web Application Proxy Team, and the Networking Team. I replicated the error by building a complete new domain, PKI, ADFS, Remote Desktop Deployment and Web Application Proxy Server. Then today I got a call from the ‘Connectivity Team’ who had it fixed in about 45 minutes.

Symptoms:

I had the entire deployment built in VMware, and it was deployed behind a Cisco ASA 5510 (it was a proof of concept for a client). The Web Application Proxy was in a DMZ. All this was sat on my test bench, and I was remote VPN connected. To test, I was using a Windows 10 client that was running on my laptop (in VMware Fusion). I had all the public DNS names in the remote client’s ‘Hosts file’.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server’s certificate has expired or has been revoked. Contact your network administrator for assistance.

After trying to get rid of this error, Microsoft asked me to put another client in the DMZ, and try connecting through the Web Application Proxy from there. Then I got this error:


Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.

Resolution

  1. Delete the expired certificate from the Centralized Certificate Store (CCS) on the server using the Certificates snap-in within Microsoft Management Console (MMC). The path to the certificate is Certificates > Remote Desktop > Certificates.
  2. Stop the RDP (Remote Desktop Services) service.
  3. At the path “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”, take ownership of the f686 key file referenced above and give the owner user account Full Control permissions to this file. You may also need to change the Administrators group permissions for the MachineKeys folder to apply to “This folder, subfolders and files”, as it defaults to “This folder only”.
  4. Delete file f686aace6942fb7f7ceb231212eef4a4_
  5. Start the Remote Desktop Services service
  6. Verify that a new certificate has been generated via Certificates snap-in in MMC
  7. Verify RDP access to the server

This article describes a possible Microsoft® Remote Desktop Protocol (RDP) connection issue and the resolution.

Issue: Connection failures

RDP connections begin to fail with no apparent cause.

Symptoms

This issue might have the following symptoms:

  • The client can’t connect to the server by using RDP. Connection attempts return code 50331673: The Remote Desktop Gateway server administrator has ended the connection.
  • The system logs register Event ID 36870 for every RDP connection attempt.

Cause

The following events could cause this issue:

  • The RDP self-signed certificate has expired or is missing (Windows® usually recreates the self-signed certificate upon expiration).
  • Permissions issues on the following path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4. The parent folder did not allow the OS to delete the existing key, which needs to happen before self-signed certificate recreation.

Resolution

Use the following steps to resolve this issue:

  1. Delete the expired certificate from the Centralized Certificate Store (CCS) on the server by using the Certificates snap-in in the Microsoft Management Console (MMC). Select Certificates > Remote Desktop > Certificates.

  2. Stop the RDP service.

  3. Go to path C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, take ownership of the f686 key file, referenced previously, and give the owner of the file Full Control permission.

  4. Change the Administrators group permission for the MachineKeys folder to apply to "This folder, subfolders and files".

  5. Delete file: f686aace6942fb7f7ceb231212eef4a4.

  6. Start the Remote Desktop Services service.

  7. Verify that the system generated a new certificate by using the Certificates snap-in in MMC.

  8. Verify RDP access to the server.
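The procedure above, and the seven-step version of it earlier on the page, as a PowerShell script; this is an added example, not code from either article. It first reports the symptom and both causes, and changes anything only when run with `-Apply`. Step numbers in the comments follow the eight-step list. Assumptions: the Remote Desktop Services service has the short name `TermService`, the key file is matched by the name prefix given in the article, and step 4 (widening the Administrators permission on the whole MachineKeys folder) is left as a manual decision because granting Full Control on the single file is enough to delete it.

```powershell
# Added example, not from the article. Run elevated at the server console, not over
# RDP: stopping the service (step 2) drops every RDP session.
param([switch]$Apply)   # without -Apply the script only reports

$store  = 'Cert:\LocalMachine\Remote Desktop'
$keyDir = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$prefix = 'f686aace6942fb7f7ceb231212eef4a4'   # key file name as given in the article

# Symptom: Event ID 36870 in the System log for each failed connection attempt.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36870 } -MaxEvents 5 `
    -ErrorAction SilentlyContinue | Format-List TimeCreated, ProviderName, Message

# Cause 1: the certificate in the Remote Desktop store is expired or missing.
$certs   = @(Get-ChildItem -Path $store)
$expired = @($certs | Where-Object { $_.NotAfter -lt (Get-Date) })
$certs | Format-List Subject, Thumbprint, NotBefore, NotAfter
if ($certs.Count -eq 0) { Write-Warning 'No certificate in the Remote Desktop store.' }

# Cause 2: owner and ACL of the key file that has to be deleted.
$key = @(Get-ChildItem -Path $keyDir -Filter "$prefix*" -Force)
$key | Get-Acl | Format-List Path, Owner, AccessToString

if (-not $Apply) { return }
if ($certs.Count -gt $expired.Count) { throw 'A certificate that is still valid is present; stopping.' }
if ($key.Count -ne 1) { throw "Expected one key file matching $prefix*, found $($key.Count)." }
$file = $key[0].FullName

$expired | Remove-Item                                  # step 1
Stop-Service -Name TermService -Force                   # step 2
takeown.exe /F $file /A | Out-Null                      # step 3: owner = Administrators
icacls.exe $file /grant '*S-1-5-32-544:F' | Out-Null    # step 3: Full Control for the owner
Remove-Item -Path $file -Force                          # step 5
Start-Service -Name TermService                         # step 6
Start-Sleep -Seconds 5
Get-ChildItem -Path $store | Format-List Subject, Thumbprint, NotAfter   # step 7
```

Step 8, verifying RDP access, is done from a client once the new certificate appears in the final listing.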


©2020 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
