RDP presents Self-Signed certificate instead of Certificate Authority's one

Question

Few days ago I witnessed a strange problem within my domain:

• During RDP connection I see warnings about certificate being not trusted (and I see self-signed certificate, not issued by domain CA)

• I can no longer connect by RDP to servers with enabled NLA (Network Layer Authentication).

This problem is omnipresent - I experience it on different workstations and on different servers, including Windows Server 2012R2|2008R2, Windows 7 and Windows 10.

About CA infrastructure: one offline Root CA and one Domain Level Issuing CA. pkiview.msc says everything is OK: both Root and Issuer have valid Certificates, CDP's, IAI's and DeltaCRL's (issuer only). I've updated Root CRLs and republished them in AD because I thought that might be the case but no luck.

Custom Certificate Template with Client|Server|RDP Auth still exists and I can confirm that servers in question have such certificates in Personal folder in MMC Certificates Applet (and can request new ones from there), although only self-signed certificate is present in RDP folder.

Using MMC Certificates applet I also see that both Root and Issuer certificates are trusted.

So.. I don't really know what to do and how fix it, and why it's broken in first place. Any help is appreciated.

PS. Also some time ago I modified Default Domain GPO enforcing private network IP ranges. Can it be the reason? Anyway, I turned those back to default and no luck either.

UPDATE Some pics to clarify a bit:

1) Security Warning

2) ...because servers presents Self-Signed Certificate

3) However we can see proper CA-certificate in Personal storage on server in question

4) In Remote Desktop certificate storage I can see just Self-Signed Cert. I copied proper one there as well, but no effect. And if I delete Self-Signed Cert from there I won't be able to connect to server over RDP at all.

5) Also you can see that my local CAs are trusted by server:

6) And that is the error I get when I try to RDP to NLA-enabled server. So client for some reason can't or won't willingly use CredSSP. It worked a week before so I think it's connected to cert problem.

7) Finally some screens from Issuing CA. It seems to be OK.

Answer 1

Sometimes RDS loose certificate binding for static certificates (which are not assigned via GPO). You may need to execute the following command:

$path = (Get-WmiObject "Win32_TSGeneralSetting" -ComputerName "<RDS Server Name>" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="<Thumbprint>"}

Replace <RDS Server Name> with actual server name (if executed remotely) and <Thumbprint> with actual certificate's thumbprint. Thumbprint must specified in hex with no spaces, e.g. F02B346CDC02165543936A37B50F2ED9D5285F62.

For internal machines (which are part of AD forest and accessed via internal names), it is recommended to use GPO-assigned RDS certificates: Configuring Remote Desktop certificates

Answer 2

OK, I solved it. Michal Sokolowski was right when he pointed on CredSSP May 2018 update. Apparently everything I saw was because of it. As soon as I modified local GPO on client workstation everything went well.

So, solution is:

1) run gpedit.msc on client

2) open Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

3) enable Encryption Oracle Remediation and set it to Vulnerable

4) run gpupdate /force

And everything goes back to normal.

Answer 3

Apply all patches to the server and clients and this will fix your credssp error.