Certificate issue with RemoteApp on Server 2008

I am trying to set up a proof-of-concept demo for deploying applications via RemoteApp, the application-streaming-over-RDP stuff in Windows Server 2008.

The TS Gateway server (call it srv-web) and the box hosting the applications (call it srv-app) are two different boxes.

The connections need to come through a TS Gateway server over HTTPS, as srv-app is on an internal LAN behind NAT.

Only srv-web is exposed to the internet, and only port 443 (HTTPS) is open.

If I ignore/accept the various warnings, the connection works perfectly well.

The object here is to get things working as smoothly as possible for our clients.

I have an SSL certificate installed on both srv-web and srv-app. srv-web is set up to use it for TS Gateway, and that works fine. The CN of the certificate matches the external public hostname.

The warning I am getting is as follows (I have doctored the real hostname out of the screenshot)

alt text

My question, I suppose, is how to I choose the SSL certificate srv-app uses to provide proof of its identity to connecting clients?

EDIT: I found where to set this - it's in Remote Desktop Session Host Configuration -> RDP-Tcp properties, general tab at the bottom.

However I have another problem, somewhat predictably I now have a mismatched server name:

alt text

I suspect this is going to require a topology change somewhere. Feedback from someone who's already done this would be great.

EDIT 2: I have worked around this by setting the following option in Custom RDP Settings.

authentication level:i:0

However this isn't a satisfactory solution as it is just disabling the check. I would still appreciate any more feedback on this.

Many thanks.


go to your rdp-tcp properties and choose the general tab-->and select your external cert at the bottom of the properties sheet. This will allow all communication to be based on the external cert instead of a mismatch when rdp uses the default internal for the server itself


It looks, to me, like you're trying to connect to the server using its "internal name" but you've selected the certificate that has an "external name" specified.

If you want the "internal name" to work "behind the firewall" and your NAT firewall doesn't support "hairpin NAT" (i.e. NAT'ting a request coming from the LAN interface back to the LAN interface) then you could do the classic "cheat" of creating a DNS zone in your internal DNS servers named "publicname.ourdomain.com" with a single "@" A record in it that contains the internal IP address of the server computer.

It's like "split horizon DNS", but constrained to a single name (so that "normal" name resolution of the rest of the "ourdomain.com" zone is unaffected).


I've seen this in our own environment. From what I can see, a Gateway-tunneled RDP connection will actually use two sets of certificates: First it will encrypt the tunnel between the client and the gateway, and then secondly between the client and the server (although this traffic already is inside the gateway-secured tunnel). It baffled me as well, and I haven't found any other "proper" way to do it than to use two certificates, one that matches your gateway's external name, and one that matches the internal name of you TS Server. Please update this thread if you find anything!