I'm using Windows 7 and the Servers are Windows 2008 R2. So far there are at least 4 Servers that show this behavior.
Sometimes I get a warning when trying to connect via RDP stating the certificate name is wrong. When I reboot the server this warning disappears. After a reboot or maybe 2 or 3 the warning shows again. I always connect using the hostname only.
When the warning is shown, single sign-on does not work anymore. The certificate might be self-signed or from our internal PKI. The only difference is an additional "publisher not trusted" warning when the cert is self-signed.
When I use the FQDN, I pass the certificate check but Kerberos SSO still does not work.
What is wrong? How can I fix this? How do I debug this to get more information? What changes after a reboot, so it works again?
Problem might have been solved. The domain controller running the FSMO PDC emulator role was running on VMware ESXi. First of all, I moved that to a hardware DC.
Additionally, I completely disabled time sync in the virtual DCs. See http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 for details.
So far I have not seen the warnings anymore.
When you connect with the RDP client, are you using the full name that matches the name in the certificate? For example, if you RDP to a host using only the name foo, and allow your DNS search path to figure out this is foo.example.com, and your certificate has the value foo.example.com, then you're going to get an error.

So to be more specific: if you install a certificate with the name foo.example.com, then you must RDP to that host using only that name, and not the IP address, a DNS alias, or any shortened form of the name.

Since you have an internal CA, you might want to consider creating a wildcard certificate, and/or a certificate that has multiple names.
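An added diagnostic, written for this thread rather than taken from it, that checks the two things raised above on the server side: whether the name typed into the RDP client is one the listener's certificate actually carries, and how far the server's clock drifts from the PDC emulator (Kerberos rejects tickets beyond the default 5-minute skew, which is the silent SSO failure the asker tied to the virtual DC). It assumes an elevated PowerShell 2.0+ session on the 2008 R2 host, the default RDP-Tcp listener, and that the PDC emulator's hostname is passed in.

```powershell
# Added diagnostic (not from the original thread). Run elevated on the server you RDP to.
param(
    [Parameter(Mandatory=$true)][string]$ConnectName,   # what you type into mstsc, e.g. "foo" or "foo.example.com"
    [Parameter(Mandatory=$true)][string]$PdcEmulator    # hostname of the FSMO PDC emulator (assumed parameter)
)

# 1. Which certificate does the RDP listener actually present? The default self-signed
#    one lives in the "Remote Desktop" store; a PKI-issued one is usually in "My".
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$cert = Get-ChildItem 'Cert:\LocalMachine\My','Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } | Select-Object -First 1
if (-not $cert) { throw "Listener thumbprint $($ts.SSLCertificateSHA1Hash) not found in the machine stores" }

# Collect every name the certificate is valid for: the subject CN plus SAN DNS entries.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if ($san) {
    $san.Format($false) -split ',' | ForEach-Object {
        if ($_ -match 'DNS Name=(\S+)') { $names += $Matches[1] }
    }
}
"Listener certificate : $($cert.Subject)"
"Self-signed          : $($cert.Subject -eq $cert.Issuer)"
"Names in certificate : $($names -join ', ')"

# Match the way a client does: exact name, or a wildcard covering exactly one extra label.
# A short name, CNAME alias or IP address will not match and triggers the name warning.
$ok = $names | Where-Object {
    $_ -eq $ConnectName -or
    ($_.StartsWith('*.') -and $ConnectName -like $_ -and
     $ConnectName.Split('.').Count -eq $_.Split('.').Count)
}
if ($ok) { "OK: '$ConnectName' matches the certificate." }
else     { "MISMATCH: connect with one of the names listed above, or reissue the cert with a SAN for '$ConnectName'." }

# 2. Clock skew against the PDC emulator. Anything approaching 300 s breaks Kerberos SSO
#    even when the certificate check passes, which matches the FQDN case in the question.
"Clock offset against $PdcEmulator (seconds):"
w32tm /stripchart /computer:$PdcEmulator /samples:3 /dataonly
```

Running this on a server in the "good" state and again after it starts warning shows whether the listener thumbprint changed (a regenerated self-signed cert) or the clock drifted, which answers the "what changes after a reboot" question directly.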