APM - User Defined RDP in version 13 - digital signature issue

I'm testing out v13 and User Defined RDP via webtop in my lab and am getting the following message when launching the .RDP file:

"The digital signature of this RDP File cannot be verified. The remote connection cannot be started."

Has anyone run into this at all? I'm wondering if it could be related to the use of default "clientssl" and "serverssl" profiles for the Virtual Server associated with the Access Policy.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can recreate your cert as below.

root@u1:~# openssl x509 -req -days 3650 -in vpn.home.lab.csr -CA dc7.h.l.cer -CAkey dc7.h.l.key -out vpn.home.lab.cer -set_serial 129 -sha256 -extensions some_ext -extfile ssl_ext

root@u1:~# cat ssl_ext 
[some_ext]

extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The fact is the Microsoft RDP client has requirements about the certificates used to sign the .rdp files.

  • self-signed certificates are forbidden,
  • some extensions are needed when creating the certificates:

extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Change the certificate on the APM and the RDS server to one that meets these requirements.

1
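
A check for the requirements listed in the two answers above, as an added example that is not part of the original thread and is not F5 or Microsoft tooling. The helper names check_rdp_signing_cert and make_sample_certs, the throwaway CA and the example.test names are assumptions made for illustration; the extension values are the ones from the ssl_ext file quoted above. It tests for every listed value, since the thread does not say which subset the RDP client enforces.

```shell
#!/bin/sh
# Added example. check_rdp_signing_cert is a hypothetical helper, not an F5 or
# Microsoft tool. It reports which requirements from the answers a cert misses.
check_rdp_signing_cert() {
    cert=$1; rc=0
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL: unreadable"; return 2; }

    # Self-signed certificates are refused: subject and issuer must differ.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        echo "FAIL: self-signed (subject equals issuer)"; rc=1
    fi

    # Search only the extensions section, so a subject name containing one of
    # these strings cannot satisfy the check.
    exts=$(openssl x509 -in "$cert" -noout -text | sed -n '/X509v3 extensions:/,$p')
    for want in "CA:FALSE" "TLS Web Server Authentication" \
                "TLS Web Client Authentication" "Code Signing" "E-mail Protection" \
                "Digital Signature" "Non Repudiation" "Key Encipherment"; do
        case $exts in
            *"$want"*) ;;
            *) echo "FAIL: missing $want"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $cert"
    return "$rc"
}

# Constructed lab material: a throwaway CA, a leaf signed with the ssl_ext
# section from the answer, and a self-signed certificate for comparison.
make_sample_certs() {
    dir=$1
    printf '%s\n' '[some_ext]' \
        'extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' > "$dir/ssl_ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.cer" -CAkey "$dir/ca.key" \
        -set_serial 129 -sha256 -extensions some_ext -extfile "$dir/ssl_ext" \
        -out "$dir/leaf.cer" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=self.example.test" \
        -keyout "$dir/self.key" -out "$dir/self.cer" 2>/dev/null
}

# Run against a certificate file when one is given on the command line.
if [ "$#" -gt 0 ]; then check_rdp_signing_cert "$1"; fi
```

Run it against the certificate before attaching it to the client SSL profile; a non-zero exit status means at least one listed requirement is missing.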
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Your assumption is correct. You would need a valid client SSL certificate because the VDI profile generates a cryptographic signature based on the attached client SSL profile.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hey, should a self-signed certificate be enough? I'm running the same test as DaytonG; ActiveX is not working with the Chrome browser and the native option gives the same error as he mentioned: "The digital signature of this RDP File cannot be verified. The remote connection cannot be started."

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi All,

I'm a bit confused here. After creating the cert like Chris Zhang mentioned above, where should we use it? Client SSL profile? Client PC (which is accessing through F5)? Or on the RDP server?

Thanks anyway..

0
Comments on this Answer
Comment made 5 months ago by Chris Zhang

Client SSL profile.

0