You have XP SP3 clients running RDP shell 6.1, protocol 7.0. You've also applied security update KB2621440 and CredSSP fixit 50588, and downloaded and run a root certificate update.
You get the following error when connecting via RDP to a server whose RDP listener uses a certificate signed by a CA:
The connection has been terminated because an unexpected server authentication certificate was received from the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.
Things to check:
1) On the XP machine, you'll need the certutil tool. To get this, install the Windows Server 2003 Admin Tool Kit.
2) Check the certificate's CRL distribution point. To do this, open mmc and add the Certificates snap-in. Locate the certificate, open its properties and you will find this information (the "CRL Distribution Points" field) on the Details tab.
3) Check the WinHTTP proxy settings the CRL check will use. Open a command prompt and run proxycfg with no arguments to display the current setting.
To set it to go out direct, enter proxycfg -d
To set it to use a proxy, run proxycfg -p hostname/ip:portnumber (e.g. proxycfg -p proxy.local:8080)
4) Verify you can connect to the CRL distribution point. Still in the command prompt, enter
certutil -url <URL of the CRL as identified in step 2>
The URL retrieval tool will open. Click Retrieve, and if the status is 'Failed' you will need to check your firewall or proxy settings, as your machine clearly cannot reach the CRL.
The general rule is to allow http and https from your internal network to your certificate provider's domains or IPs, especially the one used in the CRL URL (step 2). Also add windowsupdate.com and update.microsoft.com in case you need to pull down an updated root certificate.
If using a proxy, you will also need to allow anonymous requests in the rule, because the CRL check runs in the system context and will not present user credentials to the proxy.
Modify your rules and run the certutil test until you get an OK status. We are now able to connect to the CRL!
5) Try the RDP connection again. It is important to note (and this caught me out) that you will need to clear the CRL cache before testing! Why? Because the client doesn't perform the CRL check every time you try to connect. Instead, it caches the last result. So if the CRL check failed the last time you tried to connect and you received the 'unexpected server authentication certificate' error message, you will still get the error message until the cache is cleared, even if you've since fixed the issue!
To manually clear the CRL cache, run certutil -urlcache * delete before you test. This will force the connection to try to retrieve the CRL again.
If it can retrieve the CRL successfully, it will now likely be able to establish the connection with no error.
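If you would rather script steps 2, 4 and 5 than click through mmc and the retrieval tool, the following PowerShell script is an added example (not part of the original post). It assumes the server certificate has been exported to a .cer file (the path below is a placeholder), that the proxy value mirrors whatever you set with proxycfg, and that the check is run with an account allowed to clear the system CRL cache.

```powershell
# Added example: read the CRL distribution point from an exported server
# certificate, try to fetch the CRL through the same proxy you gave proxycfg,
# then clear the cached CRL result so the next RDP attempt re-fetches it.
param(
    [string]$CertPath = 'C:\temp\rdp-server.cer',   # placeholder: exported server cert
    [string]$Proxy    = ''                           # e.g. 'proxy.local:8080'; empty = direct
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension (what step 2 reads off the Details tab)
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Host 'Certificate carries no CRL distribution point; nothing to check'
    exit 1
}

# Format($true) renders the extension as text containing lines such as "URL=http://..."
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

# WebClient does not read the WinHTTP (proxycfg) setting, so apply the same proxy explicitly
$wc = New-Object System.Net.WebClient
if ($Proxy) { $wc.Proxy = New-Object System.Net.WebProxy($Proxy) }

foreach ($url in $urls) {
    try {
        $bytes = $wc.DownloadData($url)
        Write-Host ('OK      {0} ({1} bytes)' -f $url, $bytes.Length)
    } catch {
        # This is the step 4 failure: firewall or proxy rule blocking the CRL fetch
        Write-Host ('FAILED  {0}: {1}' -f $url, $_.Exception.Message)
    }
}

# Step 5: drop the cached CRL result, otherwise the old failure is reused on the next connect
certutil -urlcache * delete | Out-Null
Write-Host 'CRL cache cleared; retry the RDP connection now'
```

An OK line only shows that the proxy and firewall path is open from this machine; the RDP client's own check will still fail if the cached result was not cleared, which is why the script ends by clearing it.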
Hope this helps!