8

I have a remote server that I can only access through RDP. It uses a proper SSL certificate from GoDaddy for RDP, not a self-signed one. The server is 2008 R2, and I believe is set to the default of requiring Network Level Authentication. Unfortunately, I do not have any lights-out management features or IP KVM on this server.

Due to Heartbleed, I revoked all my certificates and reissued them. Unfortunately, I clearly missed setting RDP up for this new certificate. Now I get "This certificate has been revoked and is not safe to use", and "You may not proceed due to the severity of the certificate errors".

I know the certificate is revoked. That's why I'm trying to get in to fix it! But I can't replace the certificate until I can remote in. And I can't remote in until I replace the certificate.

Is my only option to drive there and login from the console, or is there a way to temporarily ignore the certificate error?


Grant

5 Answers

8

Use with caution (as per Microsoft): there is a registry entry you can enter so this will go away. Under HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client, add a new DWORD called AuthenticationLevelOverride and set its value to 0.


You can also push this out via GPO: open Group Policy Management and create or edit a Group Policy Object. Under Computer Configuration - Preferences - Windows Settings - Registry, right click and create a new registry item:

Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Terminal Server Client
Value name: AuthenticationLevelOverride
Value Type: REG_DWORD
Value data: 00000000 (Hexadecimal)


mwfearnley
user315687
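A scripted version of the registry override described in this answer, added here as an example and not part of the original answer: it sets AuthenticationLevelOverride to 0 on the client only for the lifetime of one mstsc session and then restores whatever was there before, so the client is not left permanently configured to ignore server certificate failures. The function name and the $Target parameter are my own; run it elevated on the client (the key lives under HKLM), not on the server.

```powershell
# Added example, not code from the original answer. Applies AuthenticationLevelOverride
# for one mstsc session only, then puts the registry value back exactly as it was.
# Run elevated on the CLIENT machine. $Target is a placeholder for the server name.
function Connect-RdpIgnoringCertificate {
    param([Parameter(Mandatory = $true)] [string] $Target)

    $key  = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Client'
    $name = 'AuthenticationLevelOverride'

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Remember the previous value (normally absent) so it can be restored exactly.
    $previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    try {
        # 0 = connect even when server authentication fails. Microsoft's "use with
        # caution" applies: while this is set, EVERY RDP server this client talks to
        # is accepted without a valid certificate, not just the one being repaired.
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        Write-Host "Override set; launching mstsc to $Target. Close the session to restore the key."
        Start-Process -FilePath mstsc.exe -ArgumentList "/v:$Target" -Wait
    }
    finally {
        # Restore on normal exit and on error alike, so the override cannot linger.
        if ($null -eq $previous) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $name -Value $previous -Type DWord
        }
        Write-Host "AuthenticationLevelOverride restored to its previous state."
    }
}

# Usage (elevated PowerShell on the client):
# Connect-RdpIgnoringCertificate -Target rdp01.example.com
```

The finally block is the point of the wrapper: the override disables server authentication for every RDP target, so it should exist only for the minutes needed to get in and rebind the certificate. Once the server presents the reissued certificate, the key should be gone and a normal connection should succeed without it.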
4

You can use mmc to accomplish what you need since the snap-in works on remote computers. See: http://technet.microsoft.com/en-us/library/cc731617.aspx. The caveat to this is that you need another Windows Server computer handy to use this snap-in, and working over the network is questionable if the firewall blocks a lot of things.

Nathan C
  • That worked. I am lucky enough to have another server with a private unfirewalled connection between the two. – Grant Apr 24 '14 at 18:07
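The remote-management route this answer relies on, as an added example that is not part of the original answer: rather than the snap-in, it rebinds the RDP-Tcp listener's certificate over WMI from the second Windows machine that has an unfiltered path to the server. It assumes the reissued certificate is already in the target's LocalMachine\My store (so only the listener binding is stale), that the caller is an administrator on the target, and that RPC/DCOM is reachable. The function name, $Server and $NewThumbprint are my own placeholders; Win32_TSGeneralSetting and its SSLCertificateSHA1Hash property are the real WMI class and property behind the listener's certificate setting.

```powershell
# Added example, not code from the original answer. Rebinds the RDP-Tcp listener on a
# remote host to a new certificate over WMI (DCOM), which needs the same kind of
# unfiltered path the mmc answer needs. Assumes the new certificate is already in the
# target's LocalMachine\My store and the caller is an administrator there.
function Set-RemoteRdpCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [Parameter(Mandatory = $true)] [string] $NewThumbprint,
        [System.Management.Automation.PSCredential] $Credential
    )

    # Thumbprints copied from the certificate MMC tend to carry spaces and an invisible
    # leading character; the WMI property wants 40 upper-case hex characters.
    $thumb = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters (SHA-1); got '$NewThumbprint'"
    }

    $wmi = @{
        Namespace      = 'root\cimv2\TerminalServices'
        ComputerName   = $Server
        # The TerminalServices namespace is marked as requiring encryption, so a remote
        # call without PacketPrivacy authentication comes back as "access denied".
        Authentication = 'PacketPrivacy'
    }
    if ($Credential) { $wmi.Credential = $Credential }

    $listener = Get-WmiObject @wmi -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $listener) { throw "No RDP-Tcp listener found on $Server" }

    $old = $listener.SSLCertificateSHA1Hash
    if ($old -eq $thumb) {
        return "RDP-Tcp on $Server already uses $thumb"
    }

    # Put() writes the binding; new connections pick it up without a service restart,
    # so nothing else on the server is disturbed.
    $listener.SSLCertificateSHA1Hash = $thumb
    $null = $listener.Put()

    # Read the value back instead of trusting the call: if the provider could not use
    # the thumbprint (not in LocalMachine\My, or private key unreadable) the old one
    # is still there and we say so rather than leaving a half-fixed listener.
    $check = Get-WmiObject @wmi -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($check.SSLCertificateSHA1Hash -ne $thumb) {
        throw "Binding on $Server did not change (still $old); check that $thumb is in LocalMachine\My with a private key the RDP service can read"
    }
    return "RDP-Tcp on $Server moved from $old to $thumb"
}

# Usage, from the second server that can reach the RDP host:
# Set-RemoteRdpCertificate -Server rdp01.example.com -NewThumbprint '<new cert thumbprint>' -Credential (Get-Credential)
```

This uses DCOM (TCP 135 plus the dynamic RPC range) rather than WinRM, because on a default 2008 R2 install remote WMI is usually available where PowerShell remoting is not. After the call returns, a normal mstsc connection should succeed against the new certificate with no client-side override at all.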
1

NathanC's suggestion of using mmc from another computer worked perfectly.

Another option, which works if you can't access it that way, is using a program which doesn't validate the certificate. Apparently Microsoft's RD Client for Android is one such program.

Grant
0

The solution for me was to connect with the server's FQDN rather than just the hostname. That way the computer name matched the certificate.

This requirement seems to have developed with one of the recent updates.

-2

As far as I know, NLA is the opposite of server authentication. NLA is user authentication of the connecting user. See TechNet.

Server authentication is handled by the client.
In RDP, go to Advanced and change Server authentication to "Warn me"


MichelZ