Microsoft Remote Desktop (MacOS) - Certificate trust

Crimsonfox

8/4/23, 3:01 PM

I've got a Windows RemoteApps setup to access a few applications from home but having some issues connecting from MacOS devices using the Microsoft Remote Desktop app. I initially thought it coincided with a certificate renewal but there's no issues from Windows devices and I'm fairly certain all aspects of the setup (Gateway, Connection broker, session servers) are all using the correct wildcard certificate.

When I try to connect to a remote app from the Workspaces tab, I simply get Error 0x4 so I imported a single app from an RDP file to see if I got any further information. It can connect to an individual app if I uncheck Bypass for local addresses but I get the error certificate name does not match input (screenshot below). The red boxes all match each other (green boxes are the server name and subdomain) so the certificate should be fine as servername.domain.red.boxes falls within the *.red.boxes wildcard

Why won't it trust the cert by default?

0 + 0

rdp

mac-osx

ssl-certificate

djdomi

8/4/23, 4:39 PM

you did not show the full trust path. However in linux and windows you must have a hard copy of the original certificate in/on a specific path

yagmoth555

8/4/23, 5:59 PM

In the keychain utility can you thrust the certificate ?

Crimsonfox

8/4/23, 8:44 PM

@djdomi The trust path is in the center of the screenshot. It's a publicly trusted CA (Sectigo).

Appleoddity

8/5/23, 3:42 AM

I would not be surprised if this is a bug or lack of support for multi-level subdomains. I.e. `*.your.domain` does not match `*.*.your.domain`. Or, there are known issues, especially with non-Microsoft and MAC computers that won’t trust a certificate of the entire chain is not presented to the client. Try making sure the certificate’s intermediate and root carts are present on your RDP server. https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/configure-intermediate-certificates

Gordon Davisson

8/5/23, 7:30 AM

@Appleoddity Wildcard certs are not supposed to match multi-level subdomains; see [this stackoverflow answer](https://stackoverflow.com/questions/2115611/wildcard-ssl-on-sub-subdomain#9743652). If this is a multi-level subdomain (it looks like it from the image), then *no* platform should be accepting it as valid for that sub-subdomain.

Crimsonfox

8/5/23, 7:40 AM

@GordonDavisson I think that's it, I made the incorrect assumption multi-level subdomains were included in a wildcard. Though it is interesting that this is the only platform it comes up on and it was working fine before

Appleoddity

8/5/23, 12:37 PM

@GordonDavisson I thought the same thing, but then I found multi-level wildcard certs when I took a quick search and the OP said it works on other OSes. So I figured there was something I was unaware of. But upon taking a closer look what I read is misleading.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Microsoft Remote Desktop (MacOS) - Certificate trust

TH: Microsoft Remote Desktop (MacOS) - ความน่าเชื่อถือของใบรับรอง

RO: Microsoft Remote Desktop (MacOS) - Certificat de încredere

RU: Удаленный рабочий стол Microsoft (MacOS) — доверие к сертификату

VI: Microsoft Remote Desktop (MacOS) - Chứng chỉ tin cậy

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.