Wyse 3040 – ThinOS – RDS Certificate Warning

Viewing 1 post (of 1 total)
  • Author
  • #86551
    • Total Post: 1
    • Newbie


    I’ll start off by saying that, yes, I know about “SecurityPolicy=Low” option and that it does resolve the issue I’m about to describe. I’d love to find an actual solution though, as this workaround doesn’t exist as an option in ThinOS 9.1.

    So, I have a full RDS setup on Server 2012 R2. I have:

    • One server that just serves as the RD Gateway
    • One server that serves as the RD Connection Broker (HA enabled), the RD Licensing, and RD Web Access
    • 5 RD Session Hosts.

    I use a third party (GoDaddy) wildcard (*) certificate that is valid and active. It is assigned to all four “role services”. All of them report back as “Trusted”. So, everything has a public certificate except my session hosts, which just have their default self-signed certificates.

    How I’ve always connected to my RDS setup… I have my RD Gateway public facing (TCP 443 and UDP 3391 forwarding to my RD Gateway server). My RD Connection Broker is not public facing, as it has never been a requirement. I simply configure my host as my RD Connection Broker DNS name (even though it is not public facing) and configure my TSGWSERVER as my RD Gateway DNS name.

    This has worked perfectly up until the more recent ThinOS 8.6 version. I’m not sure exactly which version, but the problem is still present in 8.6_606. What I experience is this:

    1. I startup my connection and enter in my username and password.
    2. It authenticates through RD Gateway and passes me onto the RD Connection Broker
    3. The RD Connection Broker chooses one of my five RD Session Hosts (load balanced).
    4. ThinOS brings up a certificate warning for the RD Session Host that is chosen, saying the certificate doesn’t match. It’s obvious why, because it’s returning the IP address of the RD Session Host rather than its local DNS name. DNS validation is always going to fail if it’s referencing an IP address. Yes, I’ve tried importing even the local self-signed certificates for the RD Session Hosts into ThinOS. Again, it doesn’t matter because ThinOS is referencing local IP addresses rather than local DNS names.

    I can test this same scenario outside of Wyse and it never complains. By that, I mean I’ve tested from an external (off network, non-domain joined) Windows 10 computer using the default RDP client. I’ve tested from the official iOS Microsoft RDP client. I’ve tested from the official Android Microsoft RDP client. None of them complain about certificates. Only ThinOS does.

    Any ideas on how to make ThinOS stop referencing a local IP address and instead get it to acknowledge the local DNS name of RD Session Hosts?


Viewing 1 post (of 1 total)
  • You must be logged in to reply to this topic.