How can I work around problems with certificate configuration in Remote Desktop Services?
I am setting up a Remote Desktop Services farm, and am having trouble configuring certificates for it to use. A demonstration of the problem I'm seeing can be found in Step #4.
At this point I am convinced that there are problems with the user interface, and am looking for ways around them. Is there any way to configure certificates in Remote Desktop Services so that the settings hold and are reflected in the GUI? If not, is there any way for me to verify that the settings are correct?
Step #1 - Create certificate to be used.
I've configured a certificate to use with RD Web Access. The certificate is stored with in the Certificates MMC on my RD Connection Broker, and I am configuring the farm from that computer.
I found by letting RD Web Access generate its own certificate that the following properties are required:
- Enhanced Key Usage
  - Server Authentication
  - Client Authentication
    - This may not be required, but the self-signed certificate includes it.
- Key Usage
  - Digital Signature
  - Key Agreement
- Subject Alternative Name
  - DNS Name=domain.com
Detour about self-signed certificate generation
As a quick detour, I was able to work around a problem with creating self-signed certificates using PowerShell. The documentation for the New-RDCertificate cmdlet gives the following example:
PS C:\> $password = ConvertTo-SecureString -string "password" -asplaintext -force
New-RDCertificate -Role RDWebAccess -DnsName "test-rdwa.contoso.com" -Password $password -ConnectionBroker rdcb.contoso.com -ExportPath "c:\test-rdwa.pfx"
Typing this into the shell will result in an error message claiming that a function, Get-Server, cannot be found. Prior to using New-RDCertificate, you must import the RemoteDesktop module with Import-Module RemoteDesktop.
Step #2 - Observe out-of-box behavior
The first time you visit the Deployment Properties dialog box by navigating to Server Manager -> Remote Desktop Services -> Collections and selecting "Edit Deployment Properties" from the "TASKS" dropdown list in the "COLLECTIONS" grouping, you will see the following screen:
This window is misleading because the Level field is listed as "Not Configured". If I understand correctly, all three of the role services are using a self-signed certificate. For the RD Web Access role this can be verified by visiting the website:
The certificate being used also appears in the Certificates MMC:
Step #3 - Assign new certificate
The Deployment Properties dialog box will allow me to select my existing certificate. The certificate must be placed within the local computer's Certificates MMC in the "Personal" certificate store. The private key will need to be exportable, and you will need to provide the password. I temporarily exported my certificate to a file named temp.pfx with a password, and then imported it into Remote Desktop Services from there.
Once this is done the GUI will indicate that it is ready to accept the new configuration.
Once I click the "Apply" button, the GUI indicates success.
This can be verified by visiting the RD Web Access web site a second time. There is no certificate error.
Step #4 - The GUI fails to maintain its state
If the GUI is closed and reopened, all of these settings appear to be lost.
Actually, the certificate I configured is still being used. I am able to continue accessing the RD Web Access site without any certificate errors.
Oddly, if I use the "Create new certificate..." button to generate a self-signed certificate this window will update to an "Untrusted" level. This setting will then be maintained through the opening and closing of the Deployment Properties dialog box.
Is there anything I can do to have my settings appear to stick? I feel like something is wrong when the GUI claims I haven't fully configured certificates.
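One way to answer the "can I verify the settings are correct" part without trusting the GUI, as an added example that is not part of the question: check the Personal-store certificate against the properties listed in Step #1, read back what the deployment reports per role with Get-RDCertificate, and compare that with the certificate the RD Web Access site actually serves. Run it on the RD Connection Broker; $dnsName and $broker are placeholders for your farm.

```powershell
# Added example (not from the question). Requires the RemoteDesktop module;
# without the import the RD* cmdlets fail as described in the detour above.
Import-Module RemoteDesktop

$dnsName = 'rdweb.domain.local'      # placeholder: the name users connect to
$broker  = 'rdcb.domain.local'       # placeholder: RD Connection Broker FQDN

# Newest certificate in LocalMachine\My whose SAN covers the DNS name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $dnsName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $dnsName in Cert:\LocalMachine\My" }

# Pull the EKU (2.5.29.37) and Key Usage (2.5.29.15) extensions by OID.
$eku = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages
$ku  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }).KeyUsages
$ds  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
$ka  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyAgreement

# The properties Step #1 found on the RD Web Access self-signed certificate.
$checks = [ordered]@{
    'EKU Server Authentication'   = [bool]($eku | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    'EKU Client Authentication'   = [bool]($eku | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    'Key Usage Digital Signature' = ($ku -band $ds) -ne 0
    'Key Usage Key Agreement'     = ($ku -band $ka) -ne 0
    'SAN has DNS name'            = $cert.DnsNameList.Unicode -contains $dnsName
    'Private key present'         = $cert.HasPrivateKey
}
$checks.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }

# What the deployment itself reports; Level is the value the GUI displays.
Get-RDCertificate -ConnectionBroker $broker |
    Select-Object Role, Level, ExpiresOn, IssuedTo, Thumbprint
$rdwa = Get-RDCertificate -Role RDWebAccess -ConnectionBroker $broker
if ($rdwa.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "RDWebAccess reports $($rdwa.Thumbprint), expected $($cert.Thumbprint)"
}

# What the RD Web Access site actually serves on 443, as a browser would see it.
# The { $true } callback only skips chain validation for this read; it does not change trust.
$tcp = New-Object System.Net.Sockets.TcpClient($dnsName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($dnsName)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
"Site serves $($served.Thumbprint); matches store certificate: $($served.Thumbprint -eq $cert.Thumbprint)"
```

If the served thumbprint matches the store certificate while Get-RDCertificate still reports "Not Configured", the binding is in place and only the deployment's recorded state is stale, which is the situation Step #4 describes.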
I checked our farm yesterday and noticed that it is Windows 2008... Yours is 2012. I'm sure there are big differences, but I hope my info helps.
Opening MMC -> Certificates -> Computer account I see 2 certificates in "personal/Certificates" folder:
- Self-signed certificate (same Issuer and Subject)
- Certificate issued by our Domain CA
The self-signed one shows an error in the details; does your certificate have the same error?
To solve this error, just copy and paste the certificate from "personal/Certificates" subfolder to "Trusted Root Certification Authorities/Certificates". With that step the same certificate gives no error.
After that, there are only two places where you configure the certificate (in RDS on Windows 2008) that I've found.
Our RemoteApp Manager shows:
The Digital Signature settings:
And in 'RD Session Host Configuration', in the settings of the connection:
At the end, if I remember correctly, we solved it by checking all options, the event viewer, making sure there were no certificate errors, populating some local groups, giving them access by the Security Policy...
Good Luck.
---- Updated ----
Remember to import the issuer CA, or the certificate itself if it's self-signed, into the user profile's "Trusted Root Certification Authorities/Certificates" so the client doesn't get any certificate error. This point was important in our system.
I had the same exact issue and found the fix. It's all in how you create the certificate template and request the certificate.
Here is the fix:
- Create a certificate template by duplicating the Computer template
- Edit the new certificate and make these two important modifications:
  - Allow the private key to be exported
  - On the Subject Name tab, select the "Supply in the request" radio button
- Publish the new template
- Create a new request and select the new template
- Add Common Name and DNS for the RDWeb. (I added all RD Farm servers)
Example:
CN=rdweb.domain.local
CN=rdcb.domain.local
CN=rdsh1.domain.local
CN=rdsh2.domain.local
CN=rdsh3.domain.local
rdweb.domain.local
rdcb.domain.local
rdsh1.domain.local
rdsh2.domain.local
rdsh3.domain.local
- Add rdweb.domain.local to friendly name and then generate the certificate
- Export the cert with its private key
- Import into RD deployment console.
Do all that and the Level will be Trusted and the Status OK.
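The same request done with certreq instead of the MMC wizard, as an added example that is not part of the answer above: an INF that supplies the subject in the request, keeps the private key exportable, sets the Key Usage and both EKUs from the question's Step #1, and lists every farm host as a DNS SAN, followed by export and import into the RD deployment with Set-RDCertificate. The template name, host names, CA config string and file paths are placeholders.

```powershell
# Added example (not the answer's own steps). Run on the RD Connection Broker.
Import-Module RemoteDesktop

$template = 'RDSWebServer'                   # placeholder: the duplicated Computer template
$hosts    = 'rdweb.domain.local', 'rdcb.domain.local', 'rdsh1.domain.local'  # placeholders
$caConfig = 'ca01.domain.local\Domain-CA'    # placeholder: "<CA host>\<CA common name>"
$broker   = 'rdcb.domain.local'              # placeholder: RD Connection Broker FQDN

# One SAN line per host, in certreq's {text} continuation syntax.
$sanLines = ($hosts | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }) -join "`r`n"

# KeyUsage 0xA8 = Digital Signature (0x80) + Key Encipherment (0x20) + Key Agreement (0x08).
# Key Encipherment is added here for RSA key exchange; the question observed only the other two.
$inf = @"
[NewRequest]
Subject = "CN=$($hosts[0])"
FriendlyName = "$($hosts[0])"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA8
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[Extensions]
2.5.29.17 = "{text}"
$sanLines
[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path C:\rdweb.inf -Value $inf -Encoding Ascii

certreq -new C:\rdweb.inf C:\rdweb.req                       # key pair lands in LocalMachine\My
certreq -submit -config $caConfig C:\rdweb.req C:\rdweb.cer   # CA must auto-issue or an admin approves
certreq -accept C:\rdweb.cer                                  # binds the issued cert to its key

# Export with the private key, then assign it to the deployment roles.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$($hosts[0])" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$pw = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath C:\rdweb.pfx -Password $pw | Out-Null
foreach ($role in 'RDWebAccess', 'RDRedirector', 'RDPublishing') {   # add RDGateway if deployed
    Set-RDCertificate -Role $role -ImportPath C:\rdweb.pfx -Password $pw -ConnectionBroker $broker -Force
}
Get-RDCertificate -ConnectionBroker $broker | Select-Object Role, Level, IssuedTo, ExpiresOn
```

Remove C:\rdweb.pfx once the import succeeds, since it holds the exportable private key.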