Microsoft Remote Desktop (MacOS) - Certificate trust

I've got a Windows RemoteApps setup to access a few applications from home, but I'm having some issues connecting from macOS devices using the Microsoft Remote Desktop app. I initially thought it coincided with a certificate renewal, but there are no issues from Windows devices, and I'm fairly certain all aspects of the setup (Gateway, Connection Broker, session servers) are using the correct wildcard certificate.

When I try to connect to a remote app from the Workspaces tab, I simply get Error 0x4, so I imported a single app from an RDP file to see if I got any further information. It can connect to an individual app if I uncheck "Bypass for local addresses", but I get the error "certificate name does not match input" (screenshot below). The red boxes all match each other (green boxes are the server name and subdomain), so the certificate should be fine, as servername.domain.red.boxes falls within the *.red.boxes wildcard.

Why won't it trust the cert by default?

[Screenshot: SSL certificate prompt]

djdomi: You did not show the full trust path. However, in Linux and Windows you must have a hard copy of the original certificate in/on a specific path.

yagmoth555: In the keychain utility, can you trust the certificate?

OP: @djdomi The trust path is in the center of the screenshot. It's a publicly trusted CA (Sectigo).

Appleoddity: I would not be surprised if this is a bug or lack of support for multi-level subdomains, i.e. `*.your.domain` does not match `*.*.your.domain`. Or, there are known issues, especially with non-Microsoft and Mac computers, that won't trust a certificate if the entire chain is not presented to the client. Try making sure the certificate's intermediate and root certs are present on your RDP server. https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/configure-intermediate-certificates

GordonDavisson: @Appleoddity Wildcard certs are not supposed to match multi-level subdomains; see [this stackoverflow answer](https://stackoverflow.com/questions/2115611/wildcard-ssl-on-sub-subdomain#9743652). If this is a multi-level subdomain (it looks like it from the image), then *no* platform should be accepting it as valid for that sub-subdomain.

OP: @GordonDavisson I think that's it. I made the incorrect assumption that multi-level subdomains were included in a wildcard. Though it is interesting that this is the only platform it comes up on, and it was working fine before.

Appleoddity: @GordonDavisson I thought the same thing, but then I found multi-level wildcard certs when I did a quick search, and the OP said it works on other OSes. So I figured there was something I was unaware of. But upon taking a closer look, what I read is misleading.
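The rule GordonDavisson's comment relies on is the one from RFC 6125 section 6.4.3: a wildcard may only be the whole leftmost label of a certificate DNS name and it matches exactly one label, so `*.red.boxes` covers `gateway.red.boxes` but not `servername.domain.red.boxes`. The following Python check is an added example written for this page, not code from the thread or from Microsoft Remote Desktop; the host and domain names are placeholders taken from the question's description, and the SAN list is constructed.

```python
"""Added example (not from the thread): an RFC 6125 section 6.4.3 hostname
check that shows why '*.red.boxes' covers 'host.red.boxes' but not the
sub-subdomain 'servername.domain.red.boxes' described in the question.
The names are placeholders taken from the question's description."""
from typing import Iterable, List


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname.

    Rules applied (the strict reading most TLS clients use):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' must be the entire leftmost label ('f*.example' is rejected);
      * the wildcard matches exactly one label, never zero or several;
      * a wildcard needs at least two fixed labels to its right ('*.com' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lab for lab in plabels[1:]):
        return False
    # Exactly one label is consumed by the wildcard, so label counts must agree:
    # this is the check that fails for servername.domain.red.boxes vs *.red.boxes.
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return hlabels[1:] == plabels[1:]


def certificate_covers(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the hostname being connected to."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def names_that_would_cover(hostname: str) -> List[str]:
    """List the SAN entries that would make hostname valid: the exact name plus the
    narrowest wildcard (one level above it), which is what the certificate must
    carry when the host sits under an extra subdomain level."""
    labels = hostname.lower().rstrip(".").split(".")
    out = [".".join(labels)]
    if len(labels) >= 3:  # keep two fixed labels to the right of the wildcard
        out.append("*." + ".".join(labels[1:]))
    return out


if __name__ == "__main__":
    # Constructed SAN list modelled on the question: a wildcard plus the bare domain.
    san = ["*.red.boxes", "red.boxes"]
    for host in ("gateway.red.boxes", "servername.domain.red.boxes"):
        ok = certificate_covers(san, host)
        print(f"{host}: {'covered' if ok else 'NOT covered'} by {san}")
        if not ok:
            print("  needs one of:", names_that_would_cover(host))
```

Running the block prints that the single-level name is covered and the two-level name is not, and lists the SAN entries that would fix it. For the setup in the question that means either re-issuing the certificate with the extra-level hosts (or `*.domain.red.boxes`) as additional SANs, or publishing the session hosts under single-level names beneath the existing wildcard; relying on a client that accepts the mismatch is the behaviour the thread identifies as wrong.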