
I've got a Windows RemoteApps setup to access a few applications from home, but I'm having some issues connecting from macOS devices using the Microsoft Remote Desktop app. I initially thought it coincided with a certificate renewal, but there are no issues from Windows devices and I'm fairly certain all aspects of the setup (Gateway, Connection Broker, session servers) are using the correct wildcard certificate.

When I try to connect to a remote app from the Workspaces tab, I simply get Error 0x4, so I imported a single app from an RDP file to see if I got any further information. It can connect to an individual app if I uncheck "Bypass for local addresses", but I get the error "certificate name does not match input" (screenshot below). The red boxes all match each other (green boxes are the server name and subdomain), so the certificate should be fine, as servername.domain.red.boxes falls within the *.red.boxes wildcard.

Why won't it trust the cert by default?

[Screenshot: SSL certificate prompt]

Crimsonfox
  • You did not show the full trust path. However, in Linux and Windows you must have a hard copy of the original certificate in/on a specific path – djdomi Apr 04 '22 at 16:39
  • In the Keychain utility, can you trust the certificate? – yagmoth555 Apr 04 '22 at 17:59
  • @djdomi The trust path is in the center of the screenshot. It's a publicly trusted CA (Sectigo). – Crimsonfox Apr 04 '22 at 20:44
  • I would not be surprised if this is a bug or lack of support for multi-level subdomains. I.e. `*.your.domain` does not match `*.*.your.domain`. Or, there are known issues, especially with non-Microsoft and Mac computers, that won't trust a certificate if the entire chain is not presented to the client. Try making sure the certificate's intermediate and root certs are present on your RDP server. https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/configure-intermediate-certificates – Appleoddity Apr 05 '22 at 03:42
  • @Appleoddity Wildcard certs are not supposed to match multi-level subdomains; see [this stackoverflow answer](https://stackoverflow.com/questions/2115611/wildcard-ssl-on-sub-subdomain#9743652). If this is a multi-level subdomain (it looks like it from the image), then *no* platform should be accepting it as valid for that sub-subdomain. – Gordon Davisson Apr 05 '22 at 07:30
  • @GordonDavisson I think that's it; I made the incorrect assumption that multi-level subdomains were included in a wildcard. Though it is interesting that this is the only platform it comes up on, and it was working fine before. – Crimsonfox Apr 05 '22 at 07:40
  • @GordonDavisson I thought the same thing, but then I found multi-level wildcard certs when I took a quick search, and the OP said it works on other OSes. So I figured there was something I was unaware of. But upon taking a closer look, what I read is misleading. – Appleoddity Apr 05 '22 at 12:37
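To see why the name check fails for a host one level deeper than the wildcard, here is an added example (not code from the post, the Microsoft client, or any of the commenters) that applies the RFC 6125 wildcard rules a TLS client uses when comparing a hostname with a certificate's DNS names. The hostnames and SAN entries in it are constructed placeholders standing in for the redacted "red boxes" in the question.

```python
"""Hostname-vs-certificate name matching as TLS clients do it (RFC 6125 6.4.3).

Added example, not from the Server Fault post. Hostnames are constructed
placeholders: a wildcard label covers exactly one DNS label, so a host that
sits one level deeper than the wildcard is NOT covered by it.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; only a whole-label '*' acts as a wildcard.

    Partial wildcards such as 'srv*' are rejected, which mirrors the
    conservative behaviour of modern TLS stacks.
    """
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def hostname_matches(hostname: str, dns_name: str) -> bool:
    """True if `dns_name` (a SAN DNS entry, possibly a wildcard) covers `hostname`.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard may appear only as the entire left-most label;
      * the wildcard matches exactly one label, so label counts must be equal;
      * '*.tld' style names (fewer than three labels) are rejected.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = dns_name.lower().rstrip(".").split(".")
    if "*" in dns_name:
        # Reject a second '*', a wildcard not in the left-most label, and '*.tld'.
        if "*" in dns_name[1:] or not dns_name.startswith("*.") or len(pattern) < 3:
            return False
    if len(host) != len(pattern):
        # This is the multi-level subdomain case from the question:
        # 'app.rds.example.test' has one label more than '*.example.test'.
        return False
    return all(_label_matches(p, h) for p, h in zip(pattern, host))


def covering_names(hostname: str, san_dns_names: list[str]) -> list[str]:
    """Return the SAN entries that cover `hostname`; an empty list is a name mismatch."""
    return [n for n in san_dns_names if hostname_matches(hostname, n)]


if __name__ == "__main__":
    # Constructed sample: one wildcard cert, two hosts at different depths.
    san = ["*.example.test", "example.test"]
    for host in ("rdgateway.example.test", "app.rds.example.test"):
        print(host, "->", covering_names(host, san) or "NAME MISMATCH")
```

A gateway, broker, and session host that all live directly under the wildcard's domain pass the check; any host with an extra label needs its own entry (or a `*.rds.example.test` style wildcard) in the certificate's SAN list.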
