
Where to View Machine Certificate?

Newsgroup: microsoft.public.windows.server.security
Posted by Will on November 1, 2006, 2:25 am
When you login to a host using the latest version of RDP, and attempt
authentication, it uses the host certificate to match the name of the target
server against the hostname you specify in your connect string. What
application can be used on the target host to view that certificate and to
replace it?

A new Windows Server 2003 install had its machine name changed and now the
self-signed certificate for the host has the wrong hostname in it. I want
to replace that. The same machine is failing secure updates with the DNS
server, and I have to wonder whether the issue is somewhat similar, with the DNS
server unable to match the reverse lookup of the host's IP with its server
name as shown in its certificate.

We do NOT currently have a Microsoft certificate server in use. All
certificates would be the self signed ones that any install gets.

--
Will



Posted by Brian Komar [MVP] on November 1, 2006, 7:52 am
Comments inline...

usc@noemail.nospam says...
> When you login to a host using the latest version of RDP, and attempt
> authentication, it uses the host certificate to match the name of the target
> server against the hostname you specify in your connect string. What
> application can be used on the target host to view that certificate and to
> replace it?

Use the Certificates mmc console focused on the local machine. You must
be a member of the local Administrators group to access this console.
>
> A new Windows Server 2003 install had its machine name changed and now the
> self-signed certificate for the host has the wrong hostname in it. I want
> to replace that. The same machine is failing secure updates with the DNS
> server, and I have to wonder whether the issue is somewhat similar, with the DNS
> server unable to match the reverse lookup of the host's IP with its server
> name as shown in its certificate.
>

What self-signed certificate? The only automatically issued self-signed
certificate is for EFS. There is no such thing as a self-signed machine
certificate. It sounds more like there are issues with the machine's
account in AD preventing authenticated access to the DNS server.

> We do NOT currently have a Microsoft certificate server in use. All
> certificates would be the self signed ones that any install gets.
>

There are no self-signed certificates issued for this purpose. You may
have a CA that you do not know about. More likely, something did not go
right with the machine rename, and you need to fix the computer account
in AD.
>

Posted by Paul Adare on November 1, 2006, 1:27 pm
microsoft.public.windows.server.security news group, Brian Komar [MVP]

> What self-signed certificate? The only automatically issued self-signed
> certificate is for EFS. There is no such thing as a self-signed machine
> certificate. It sounds more like there are issues with the machine's
> account in AD preventing authenticated access to the DNS server.
>

I believe that Terminal Services, if configured to use RDP over TLS will
self sign a certificate.

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld


Posted by Paul Adare on November 1, 2006, 2:08 pm
microsoft.public.windows.server.security news group, Paul Adare

> microsoft.public.windows.server.security news group, Brian Komar [MVP]
>
> > What self-signed certificate? The only automatically issued self-signed
> > certificate is for EFS. There is no such thing as a self-signed machine
> > certificate. It sounds more like there are issues with the machine's
> > account in AD preventing authenticated access to the DNS server.
> >
>
> I believe that Terminal Services, if configured to use RDP over TLS will
> self sign a certificate.

Ok, so according to the following article, it won't create a self-signed
cert:

http://technet2.microsoft.com/WindowsServer/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true

or

http://tinyurl.com/obzp5

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld


Posted by Will on November 1, 2006, 6:38 pm
> > I believe that Terminal Services, if configured to use RDP over TLS will
> > self sign a certificate.
>
> Ok, so according to the following article, it won't create a self-signed
> cert:
>
> http://tinyurl.com/obzp5

When I connect by RDP, here is the exact text on the security alert of RDP
client 5.2:

"The remote computer could not be fully authenticated due to problems
with its security certificate. It may be unsafe to proceed with the
connection at this point.

Name of Remote Computer:
<server name I specified to RDP client>

Name in Certificate from Remote Computer:
<original server name, no longer exists>

The following errors were encountered while validating the remote
computer's certificate:

! The server name on the certificate is incorrect.

! The certificate is not from a trusted certifying authority."


Now the word certificate appears there at least five times. I may not be a
brain surgeon, but I think there must be a certificate on the target server!
:)

On the target server, we have the following settings for the Microsoft RDP
5.2 connection (set in the Terminal Services Configuration application, in
the Connections section):

Security layer: Negotiate
Encryption level: High
Certificate: <the only certificate that I can select here has the original
computer name on it...>

Note that last field. The server demands you provide a certificate, and the
only one I find when I browse for other certificates is the one with the wrong
computer name on it. I didn't create that thing manually. I would put
money on it that Windows Setup for Windows 2003 created it. I see that
certificate in the certmgr.msc application under Trusted Roots. We
absolutely with certainty do not have a CA on our network.

So my question is how do I create a peer certificate, so I can select it
from the RDP connection configuration, and delete the old (now incorrect)
one from the Trusted Roots section of the certificate manager?

If I create this new certificate, are there other parts of Windows that are
hard coded in the registry or in setup / ini files to use the incorrect
certificate that I would also need to patch up?

--
Will
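The two checks named in that RDP security alert (name in the certificate versus the host name, and whether the certificate chains to a trusted authority) can be reproduced on the server from the same local machine stores that the Certificates MMC shows. This is an added example, not code from the thread; it assumes Windows PowerShell 3.0 or later with the Cert: drive, run elevated, which the Windows Server 2003 hosts discussed above do not have.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0+ with the
# Cert: drive; run in an elevated session to read the LocalMachine stores.
$shortName = $env:COMPUTERNAME
try {
    # Forward lookup of our own name; falls back to the short name if DNS
    # registration is broken, which is exactly the symptom in the thread.
    $fqdn = [System.Net.Dns]::GetHostEntry($shortName).HostName
} catch {
    $fqdn = $shortName
}

function Test-MachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # The name the RDP client compares against the server name you typed.
    $dnsType  = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $certName = $Cert.GetNameInfo($dnsType, $false)

    # Self-signed: issuer DN and subject DN are identical.
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)

    # Does it chain to something in this machine's Trusted Roots? Revocation
    # checking is skipped so the result does not depend on network reach.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trustedHere = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Store       = ($Cert.PSParentPath -replace '.*::', '')
        Thumbprint  = $Cert.Thumbprint
        NameInCert  = $certName
        NameMatches = ($certName -ieq $fqdn) -or ($certName -ieq $shortName)
        SelfSigned  = $selfSigned
        TrustedHere = $trustedHere
        ChainStatus = $status
        NotAfter    = $Cert.NotAfter
    }
}

# Personal holds certificates a listener can be bound to; Trusted Root is
# where the stray certificate in the thread turned up.
Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
    ForEach-Object { Test-MachineCert -Cert $_ } |
    Sort-Object Store, NameMatches |
    Format-Table -AutoSize
```

A self-signed certificate sitting in the server's own Trusted Root store will show TrustedHere as true yet still produce the "not from a trusted certifying authority" warning on any client that does not hold it; the Thumbprint column identifies the exact entry to replace or remove.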


