I have a remote server that I can only access through RDP. It uses a proper SSL certificate from GoDaddy for RDP, not a self-signed one. The server is 2008 R2, and I believe it is set to the default of requiring Network Level Authentication. Unfortunately, I do not have any lights-out management features or IP KVM on this server.
Due to Heartbleed, I revoked all my certificates and reissued them. Unfortunately, I clearly missed setting RDP up for this new certificate. Now I get "This certificate has been revoked and is not safe to use", and "You may not proceed due to the severity of the certificate errors".
I know the certificate is revoked. That's why I'm trying to get in to fix it! But I can't replace the certificate until I can remote in. And I can't remote in until I replace the certificate.
Is my only option to drive there and login from the console, or is there a way to temporarily ignore the certificate error?
Use with caution (as per Microsoft): There is a registry entry you can enter so this will go away. Under HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client, add a new DWORD called AuthenticationLevelOverride and set its value to 0.
You can also push this out via GPO: open Group Policy Management and create or edit a Group Policy Object. Under Computer Configuration - Preferences - Windows Settings - Registry, right-click and create a new registry item:
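The registry change described in this answer, scripted so it can be applied and, just as importantly, reverted once the server's certificate has been fixed. This is an added example, not the answer's own code; it uses the HKLM path and value name given above and is meant to run from an elevated PowerShell prompt on the client machine you connect from.

```powershell
# Added example: set, inspect and remove the AuthenticationLevelOverride
# value described in the answer (path and name taken from the answer).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Client'
$ValueName = 'AuthenticationLevelOverride'

function Set-RdpAuthLevelOverride {
    # Create the key if it is missing, then write the DWORD value 0.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Get-RdpAuthLevelOverride
}

function Get-RdpAuthLevelOverride {
    # Report whether the override is present so it is not left behind by accident.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        'AuthenticationLevelOverride not set (default certificate validation)'
    } else {
        "AuthenticationLevelOverride set to $($item.$ValueName)"
    }
}

function Remove-RdpAuthLevelOverride {
    # Restore default client behaviour after the reissued certificate is installed.
    if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
    }
    Get-RdpAuthLevelOverride
}

# Typical sequence:
#   Set-RdpAuthLevelOverride      # before reconnecting to the server
#   ...replace the RDP certificate on the server...
#   Remove-RdpAuthLevelOverride   # put the client back to normal
Get-RdpAuthLevelOverride
```

Running the script as-is only reports the current state; the Set and Remove calls are left as comments so nothing changes on the client until you choose to run them.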
You can use mmc to accomplish what you need, since the snap-in works on remote computers. See: http://technet.microsoft.com/en-us/library/cc731617.aspx. The caveat to this is that you need another Windows Server computer handy to use this snap-in, and working over the network is questionable if the firewall blocks a lot of things.
NathanC's suggestion of using mmc from another computer worked perfectly.
Another option, which works if you can't access it that way, is using a program that doesn't validate the certificate. Apparently Microsoft's RD Client for Android is one such program.
The solution for me was to connect with the server's FQDN rather than just the hostname. That way the computer name matched the certificate.
This requirement seems to have developed with one of the recent updates.
As far as I know, NLA is the opposite of server authentication. NLA is user authentication of the connecting user. See TechNet.
Server authentication is handled by the client.
In RDP, go to Advanced and change "Server authentication" to "Warn me".
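The two client-side suggestions above (connect by the server's FQDN so the name matches the certificate, and set "Server authentication" to "Warn me") can be captured in a saved .rdp file. This is an added example and not code from any of the answers; it relies on the documented mstsc settings "full address" and "authentication level" (0 = connect and don't warn, 1 = warn me, 2 = do not connect), and the host name used is a placeholder.

```powershell
# Added example: write an .rdp file that connects by FQDN with the
# "Warn me" server-authentication setting (authentication level 1).
function New-RdpFile {
    param(
        # Fully qualified name of the server; 'server01.example.com' is a placeholder.
        [Parameter(Mandatory)] [string] $Fqdn,
        [string] $Path = (Join-Path $env:USERPROFILE "Desktop\$Fqdn.rdp"),
        # 0 = connect and don't warn, 1 = warn me, 2 = do not connect (mstsc default)
        [ValidateRange(0, 2)] [int] $AuthenticationLevel = 1
    )

    # A bare host name defeats the purpose: the certificate carries the FQDN.
    if ($Fqdn -notmatch '\.') {
        throw "Use the server's fully qualified name, not a bare host name: '$Fqdn'"
    }

    $lines = @(
        "full address:s:$Fqdn"
        "authentication level:i:$AuthenticationLevel"
        "prompt for credentials:i:1"
        "enablecredsspsupport:i:1"   # keep NLA enabled; only the certificate prompt changes
    )

    # mstsc writes its own .rdp files as UTF-16 LE, so match that.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

# Usage (placeholder name):
#   $rdp = New-RdpFile -Fqdn 'server01.example.com'
#   mstsc $rdp
```

Keeping "authentication level" at 1 rather than 0 means the client still shows the certificate details before connecting, which is the behaviour the answer above describes.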