Troubleshooting RDP Gateway
This page lists the most common issues encountered when enabling or operating RDP gateway mode.
Listener Is Not Running
Gateway connections fail immediately. Confirm Enable RDP proxy and Enable RDP Gateway are both set to Yes on Admin > Proxying > RDP. If the gateway is hosted on a distributed engine, allow up to 30 seconds after saving for the engine to pick up the change.
Certificate Served Does Not Match the Secret
After a certificate change, the gateway presents the previous certificate. Wait 30 seconds for the distributed engine to pick up the change, then re-test. If the old certificate still appears, confirm the Secret's certificate is valid, has not expired, and that the engine service account has view permission on the secret.
Client Reports "The certificate received from the remote computer was issued to a different computer"
The gateway certificate's subject alternative name does not include the hostname the client used. Replace the certificate with one whose SAN includes the hostname clients actually resolve, or change DNS so clients reach the gateway at a hostname the certificate covers. Certificates that have only a common name without a matching SAN are rejected by modern mstsc.exe.
Client Reports "A certificate chain processed, but terminated in a root certificate which is not trusted"
The client machine does not trust the issuing Certificate Authority (CA). Install the issuing CA's root certificate and any intermediate certificates into the client's Trusted Root Certification Authorities and Intermediate Certification Authorities stores. There is no way to relax gateway certificate trust on the client: either the chain must be trusted, or the certificate must be reissued from a CA the client already trusts.
Engine Does Not Support Gateway Mode
The site or engine shows the RDP gateway as disabled even after enabling it. Older distributed engines do not advertise the RD gateway capability, and Secret Server suppresses gateway mode for such engines. Upgrade the engine to a version that advertises the RD gateway capability. After the engine re-registers, gateway mode becomes available.
Session Disconnects Shortly After Connecting
mstsc shows "Your Remote Desktop Gateway server has ended the connection" within a few seconds of the Windows login screen appearing. If Validate remote certificates is Yes, confirm that the target host's certificate is trusted by the engine machine; if it is not, either install the issuing CA in the engine's trusted root store or set Validate remote certificates to No. If session recording is enabled, confirm the recording storage path has free space.
Connection Fails Only on Newer Windows Clients
Windows Server 2025 (24H2) and recent Windows 11 releases enforce tighter TLS defaults and stricter chain validation than earlier Windows versions. Verify the gateway certificate chain is complete, that intermediate certificates are present on clients, and that the TLS version negotiated between client and gateway is one that both sides support. Certificates issued with deprecated hash algorithms may need to be reissued.
Verify the Presented Certificate from a Probe Machine
From any machine that can reach the gateway port, run the following PowerShell command and compare the output to the thumbprint of the certificate configured on Secret Server:
$tcp = New-Object System.Net.Sockets.TcpClient('<gateway-hostname>', <gateway-port>); $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })   # { $true } accepts any chain here; the goal is only to read the certificate the gateway presents
$ssl.AuthenticateAsClient('<gateway-hostname>'); (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)).Thumbprint; $ssl.Dispose(); $tcp.Close()   # SNI must be the hostname clients actually use; the output is the presented certificate's thumbprint
If the thumbprints differ for more than 30 seconds after saving a certificate change, investigate per Certificate Served Does Not Match the Secret.
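As an added example that is not part of this page or of the product, the following PowerShell function extends the probe above to report, in one pass, what the certificate-mismatch, SAN, chain-trust and newer-client sections ask you to check: the presented thumbprint against the expected one, whether the SAN covers the hostname clients use, expiry, signature algorithm, chain trust built from the probe machine's own stores, and the negotiated TLS version. The function name, parameter names, default port and output field names are assumptions.

```powershell
# Added example, not product code. Parameter names, default port and output fields are assumptions.
function Test-RdpGatewayCertificate {
    param(
        [Parameter(Mandatory)] [string] $GatewayHost,  # the hostname clients actually resolve
        [int] $Port = 443,                              # assumed default; use the configured gateway port
        [string] $ExpectedThumbprint                    # thumbprint of the certificate on the Secret
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, $Port)
    # { $true } accepts any chain at the TLS layer so the certificate can be inspected below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($GatewayHost)   # SNI = the hostname clients use
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    } finally { $ssl.Dispose(); $tcp.Close() }

    # SAN check (extension OID 2.5.29.17). Windows formats entries as "DNS Name=host";
    # exact names only, wildcard entries are not evaluated here.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $sanCoversHost = $san -match ('DNS Name=' + [regex]::Escape($GatewayHost) + '(,|$)')

    # Build the chain from this machine's certificate stores, as a client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust only; revocation is a separate question
    $chainTrusted = $chain.Build($cert)
    $chainStatus = if ($chainTrusted) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

    $thumbprintMatches = $null
    if ($ExpectedThumbprint) {
        $thumbprintMatches = $cert.Thumbprint -eq ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    }

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        ThumbprintMatches  = $thumbprintMatches
        Subject            = $cert.Subject
        SanCoversHost      = $sanCoversHost
        NotAfter           = $cert.NotAfter
        Expired            = $cert.NotAfter -lt (Get-Date)
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA indicates a deprecated hash
        ChainTrusted       = $chainTrusted
        ChainStatus        = $chainStatus
        TlsProtocol        = $protocol
    }
}
# Example call with placeholder values:
# Test-RdpGatewayCertificate -GatewayHost 'rdgw.example.internal' -Port 443 -ExpectedThumbprint '<thumbprint from the Secret>'
```

Run it from a client machine that fails, not only from the engine, because ChainTrusted and TlsProtocol reflect the stores and TLS settings of the machine the probe runs on.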