Time to renew certificate used for signing .rdp files
Saucer Man
2009-07-22 12:01:15 UTC
Does this mean that I will have to re-create all my .rdp files and replace
them on all the workstations?
--
Thanks!
Saucer Man
2009-07-24 11:52:34 UTC
Post by Saucer Man
Does this mean that I will have to re-create all my .rdp files and
replace them on all the workstations?
--
Thanks!
Anyone?
TP
2009-07-24 13:25:45 UTC
Hi,

If the certificate that was used to sign an rdp file has
expired, the user will receive the prompt saying that
"the publisher of this remote connection cannot be identified..."
They can select "Don't ask me again..." so that they will
not be prompted in the future.

If the above behavior is acceptable to you, then I would
say there is no need to recreate the .rdp files. If it is
not, then I recommend replacing them. You may want
to consider purchasing a cert that is valid for 5 years, you
can get them for about $13/year now.

You will need to replace the cert used for signing because
the server will not sign a file with an expired cert.

Thanks.

-TP
Post by Saucer Man
Does this mean that I will have to re-create all my .rdp files and
replace them on all the workstations?
Saucer Man
2009-07-27 12:18:31 UTC
If they are only prompted once and they have the option to suppress future
messages, that will be acceptable.

This one-time only prompting will work with Server 2008 and XP clients? I
had a thread here last year about preventing the security warning "unknown
publisher" and it was stated that unless the files are digitally signed,
that message will not disappear.
Hi,
If the certificate that was used to sign an rdp file has expired, the user
will receive the prompt saying that "the publisher of this remote
connection cannot be identified..." They can select "Don't ask me
again..." so that they will not be prompted in the future.
If the above behavior is acceptable to you, then I would say there is no
need to recreate the .rdp files. If it is not, then I recommend replacing
them. You may want to consider purchasing a cert that is valid for 5
years, you can get them for about $13/year now.
You will need to replace the cert used for signing because the server will
not sign a file with an expired cert.
Thanks.
-TP
Post by Saucer Man
Does this mean that I will have to re-create all my .rdp files and
replace them on all the workstations?
TP
2009-07-27 13:19:24 UTC
This prevents the security warning coming as a result of
the .rdp file not being signed. It does *not* prevent
other reasons that trigger a security warning, like starting
an unsigned .exe located on a network drive--these types
of prompts are controlled by the settings for the applicable
security zone.

-TP
Post by Saucer Man
If they are only prompted once and they have the option to suppress
future messages, that will be acceptable.
This one-time only prompting will work with Server 2008 and XP
clients? I had a thread here last year about preventing the security
warning "unknown publisher" and it was stated that unless the files
are digitally signed, that message will not disappear.
Saucer Man
2009-07-27 14:16:39 UTC
Maybe that's where my confusion was. RDP signing vs. EXE signing. Thanks
for the help!
This prevents the security warning coming as a result of the .rdp file not
being signed. It does *not* prevent other reasons that trigger a security
warning, like starting an unsigned .exe located on a network drive--these
types of prompts are controlled by the settings for the applicable
security zone.
-TP
Post by Saucer Man
If they are only prompted once and they have the option to suppress
future messages, that will be acceptable.
This one-time only prompting will work with Server 2008 and XP
clients? I had a thread here last year about preventing the security
warning "unknown publisher" and it was stated that unless the files
are digitally signed, that message will not disappear.
Saucer Man
2009-07-27 19:22:38 UTC
One more question. If I tell terminal server NOT to sign .rdp files, will
the user still only get a one time prompt that they will be able to suppress
for future connections?
Post by Saucer Man
Maybe that's where my confusion was. RDP signing vs. EXE signing. Thanks
for the help!
This prevents the security warning coming as a result of the .rdp file
not being signed. It does *not* prevent other reasons that trigger a
security warning, like starting an unsigned .exe located on a network
drive--these types of prompts are controlled by the settings for the
applicable security zone.
-TP
Post by Saucer Man
If they are only prompted once and they have the option to suppress
future messages, that will be acceptable.
This one-time only prompting will work with Server 2008 and XP
clients? I had a thread here last year about preventing the security
warning "unknown publisher" and it was stated that unless the files
are digitally signed, that message will not disappear.
TP
2009-07-27 19:40:10 UTC
Yes, one prompt per server name.

-TP
Post by Saucer Man
One more question. If I tell terminal server NOT to sign .rdp files,
will the user still only get a one time prompt that they will be able
to suppress for future connections?
Saucer Man
2009-07-28 11:55:17 UTC
I should probably delete the certificate that is about to expire. I am
getting a lot of warnings in the event logs that it will expire. Will
deleting it stop these warnings? Then I can uncheck "sign .rdp files" and
create new ones, hopefully for the last time, and be done with it.
Post by TP
Yes, one prompt per server name.
-TP
Post by Saucer Man
One more question. If I tell terminal server NOT to sign .rdp files,
will the user still only get a one time prompt that they will be able
to suppress for future connections?
TP
2009-07-29 16:06:17 UTC
What is the precise error? When viewing the error you
can click the Copy button and then paste into your reply.
For security reasons you may want to change the
computer name and/or other information you potentially
wish to keep private.

-TP
Post by Saucer Man
I should probably delete the certificate that is about to expire. I
am getting a lot of warnings in the event logs that it will expire.
Will deleting it stop these warnings? Then I can uncheck "sign .rdp
files" and create new ones, hopefully for the last time, and be done
with it.
Saucer Man
2009-07-29 19:58:37 UTC
Here's the error...

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 7/21/2009 11:45:50 PM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: COMPUTER.domain.local
Description:
Certificate for local system with Thumbprint 34 14 51 27 c0 5d 1b 37 19 36
57 df 93 a6 8e 87 8f 7e 42 ed is about to expire or already expired.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider
Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment"
EventSourceName="AutoEnrollment" />
<EventID Qualifiers="32768">64</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-07-22T03:45:50.000Z" />
<EventRecordID>9685</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>COMPUTER.domain.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Context">local system</Data>
<Data Name="ObjId">34 14 51 27 c0 5d 1b 37 19 36 57 df 93 a6 8e 87 8f 7e
42 ed</Data>
</EventData>
</Event>
What is the precise error? When viewing the error you can click the Copy
button and then paste into your reply.
For security reasons you may want to change the computer name and/or other
information you potentially wish to keep private.
-TP
Post by Saucer Man
I should probably delete the certificate that is about to expire. I
am getting a lot of warnings in the event logs that it will expire. Will
deleting it stop these warnings? Then I can uncheck "sign .rdp
files" and create new ones, hopefully for the last time, and be done
with it.
TP
2009-07-29 21:21:25 UTC
It appears that your server is having trouble renewing its
certificate from the Active Directory Certificate Services
Certification Authority (AD CS CA). This is not related
to terminal services. Please see this document:

Event ID 64 - AD CS Certification Authority Certificate
and Chain Validation

http://technet.microsoft.com/en-us/library/cc774595(WS.10).aspx

Did you have the AD CS role installed on one of your
servers, and then removed it? Is AD CS properly configured
and reachable from your TS?

You should post to a different group regarding AD CS. Here
are some to consider:

microsoft.public.windows.server.active_directory
microsoft.public.windows.server.general
microsoft.public.windows.server.security
microsoft.public.windows.server.setup

Thanks.

-TP
Post by Saucer Man
Here's the error...
Log Name: Application
7/21/2009 11:45:50 PM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: COMPUTER.domain.local
Certificate for local system with Thumbprint 34 14 51 27 c0 5d 1b 37
19 36 57 df 93 a6 8e 87 8f 7e 42 ed is about to expire or already
expired.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider
Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment"
EventSourceName="AutoEnrollment" />
<EventID Qualifiers="32768">64</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-07-22T03:45:50.000Z" />
<EventRecordID>9685</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>COMPUTER.domain.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Context">local system</Data>
<Data Name="ObjId">34 14 51 27 c0 5d 1b 37 19 36 57 df 93 a6 8e 87
8f 7e 42 ed</Data>
</EventData>
</Event>
Saucer Man
2009-07-30 12:26:45 UTC
I followed the steps in that TechNet article and the certificate that it
points to is the TS cert that I originally posted about. The article states
that the AD CS startup can fail if there are problems with the availability,
validity, and chain validation for the CA certificate. It is referring to
the cert I used to sign my .rdp files with. I think I need to remove this
cert from the server and set up TS not to sign .rdp files.

I never had an AD CS role installed and removed. I never got this warning
until my TS cert passed 90% of its lifetime like the article mentions.
It appears that your server is having trouble renewing its certificate
from the Active Directory Certificate Services Certification Authority (AD
CS CA). This is not related to terminal services. Please see this
Event ID 64 - AD CS Certification Authority Certificate and Chain
Validation
http://technet.microsoft.com/en-us/library/cc774595(WS.10).aspx
Did you have the AD CS role installed on one of your servers, and then
removed it? Is AD CS properly configured and reachable from your TS?
You should post to a different group regarding AD CS. Here are some to
microsoft.public.windows.server.active_directory
microsoft.public.windows.server.general
microsoft.public.windows.server.security
microsoft.public.windows.server.setup
Thanks.
-TP
Post by Saucer Man
Here's the error...
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 7/21/2009 11:45:50 PM Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: COMPUTER.domain.local
Certificate for local system with Thumbprint 34 14 51 27 c0 5d 1b 37
19 36 57 df 93 a6 8e 87 8f 7e 42 ed is about to expire or already
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider
Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment"
EventSourceName="AutoEnrollment" />
<EventID Qualifiers="32768">64</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-07-22T03:45:50.000Z" />
<EventRecordID>9685</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>COMPUTER.domain.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Context">local system</Data>
<Data Name="ObjId">34 14 51 27 c0 5d 1b 37 19 36 57 df 93 a6 8e 87
8f 7e 42 ed</Data>
</EventData>
</Event>
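The two practical questions in this thread, whether the signing certificate is near or past the end of its life (TP's first reply) and which certificate an Event ID 64 warning is actually about (the later posts), can both be answered on the server itself. The PowerShell below is an added example written for this page, not code from the thread, from Microsoft or from the TechNet article; it assumes Windows PowerShell on the terminal server with the Cert: drive and Get-WinEvent available. The function names, the 90% default renewal threshold (the autoenrollment figure the last post mentions) and the fallback search of every LocalMachine store are choices of this example, and the thumbprint in the usage line is the one from the event text quoted above.

```powershell
# Added example (not from the thread): map an Event ID 64 warning to the
# certificate it refers to and report where that certificate is in its
# lifetime. Assumes Windows PowerShell on the server (Cert: drive, Get-WinEvent).

function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # The event text shows "34 14 51 27 ..." in lowercase with spaces; the
    # Thumbprint property of an X509Certificate2 is uppercase hex, no separators.
    return (($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant())
}

function Get-AutoEnrollmentExpiryWarnings {
    # Read the Event ID 64 warnings from the Application log so the thumbprint
    # does not have to be copied out of Event Viewer by hand.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        Id           = 64
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Context     = ($data | Where-Object { $_.Name -eq 'Context' }).'#text'
            Thumbprint  = ConvertTo-NormalizedThumbprint (($data | Where-Object { $_.Name -eq 'ObjId' }).'#text')
        }
    }
}

function Get-CertificateLifetimeStatus {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Autoenrollment starts trying to renew at 90% of the validity period;
        # the threshold is a parameter so it can be changed for other policies.
        [double]$RenewalThreshold = 0.9
    )
    $tp   = ConvertTo-NormalizedThumbprint $Thumbprint
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) {
        # Not in the machine's Personal store: it may live in another store
        # (for instance "Remote Desktop") or may already have been deleted.
        $cert = Get-ChildItem Cert:\LocalMachine -Recurse |
            Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    }
    if (-not $cert) { return $null }

    $now      = Get-Date
    $lifetime = $cert.NotAfter - $cert.NotBefore
    $elapsed  = $now - $cert.NotBefore
    $fraction = [math]::Round($elapsed.TotalSeconds / $lifetime.TotalSeconds, 3)

    [pscustomobject]@{
        Store            = $cert.PSParentPath -replace '^.*::', ''
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)
        NotBefore        = $cert.NotBefore
        NotAfter         = $cert.NotAfter
        DaysRemaining    = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        LifetimeElapsed  = $fraction          # 0.0 .. 1.0 (above 1.0 once expired)
        PastRenewalPoint = ($fraction -ge $RenewalThreshold)
        Expired          = ($now -gt $cert.NotAfter)
    }
}

# Usage 1: check the specific thumbprint quoted in the event text above.
Get-CertificateLifetimeStatus -Thumbprint '34 14 51 27 c0 5d 1b 37 19 36 57 df 93 a6 8e 87 8f 7e 42 ed' |
    Format-List

# Usage 2: triage every Event ID 64 warning in the log against the local stores.
Get-AutoEnrollmentExpiryWarnings |
    Sort-Object Thumbprint -Unique |
    ForEach-Object { Get-CertificateLifetimeStatus -Thumbprint $_.Thumbprint } |
    Format-List
```

A null result means no store on the machine holds that thumbprint any more, which is the expected state after the certificate is removed as the last post intends. The SelfSigned and Issuer fields are what separate the TS signing certificate case seen here from a genuine AD CS chain problem: a certificate whose Issuer is the enterprise CA and which is past the renewal point without being renewed points at autoenrollment or CA reachability, while a self-signed or third-party certificate simply needs replacing before NotAfter, after which the .rdp files signed with it will start prompting as TP describes.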