Remote Desktop Server Certificate not trusted

Document ID : KB000006814
Last Modified Date : 14/02/2018
Issue:

After setting up a policy for RDP access to a Windows target device, users launching the RDP applet for the first time are presented with a popup stating "The certificate is not from a trusted certifying authority". In fact, the certificate authority (CA) that issued the server certificate is trusted on our workstations. We also loaded the certificate chain into CA PAM, but this did not help.

Cause:

The RDP applet creates and maintains its own trust store on the user's client workstation. As of CA PAM release 2.8.X, it does not check other existing trust stores, including the one maintained on the CA PAM server through the Config > Security page.

Resolution:

If the only message in the popup under the "Certificate errors" header is "The certificate is not from a trusted certifying authority", then the only problem with the certificate is that neither it nor the issuing CA's certificate is in the RDP applet's trust store yet. Select the "Do not ask me again for remote connections to the computer" checkbox in the popup before clicking the OK button. This adds the certificate chain to the trust store, and the popup will not appear the next time the user connects to this target device via the RDP access method. There should also be no popups for first-time connections to other devices with certificates issued by the same CA.