How can I work around problems with certificate configuration in Remote Desktop Services?

I am setting up a Remote Desktop Services farm, and am having trouble configuring certificates for it to use. A demonstration of the problem I'm seeing can be found in Step #4.

At this point I am convinced that there are problems with the user interface, and am looking for ways around them. Is there any way to configure certificates in Remote Desktop Services so that the settings hold and are reflected in the GUI? If not, is there any way for me to verify that the settings are correct?

Step #1 - Create certificate to be used.

I've configured a certificate to use with RD Web Access. The certificate is stored within the Certificates MMC on my RD Connection Broker, and I am configuring the farm from that computer.

I found by letting RD Web Access generate its own certificate that the following properties are required:

  • Enhanced Key Usage
    • Server Authentication
    • Client Authentication
      • This may not be required, but the self-signed certificate includes it.
  • Key Usage
    • Digital Signature
    • Key Agreement
  • Subject Alternative Name
    • DNS Name=domain.com

Detour about self-signed certificate generation

As a quick detour, I was able to work around a problem with creating self-signed certificates using powershell. The documentation for the New-RDCertificate cmdlet gives the following example:

PS C:\> $password = ConvertTo-SecureString -string "password" -asplaintext -force
New-RDCertificate -Role RDWebAccess -DnsName "test-rdwa.contoso.com" -Password $password -ConnectionBroker rdcb.contoso.com -ExportPath "c:\test-rdwa.pfx"

Typing this into the shell will result in an error message claiming that a function, Get-Server, cannot be found. Prior to using New-RDCertificate, you must import the RemoteDesktop module with Import-Module RemoteDesktop.

Step #2 - Observe out-of-box behavior

The first time you visit the Deployment Properties dialog box by navigating to Server Manager -> Remote Desktop Services -> Collections and selecting "Edit Deployment Properties" from the "TASKS" dropdown list in the "COLLECTIONS" grouping, you will see the following screen (screenshot: all three roles listed with level "Not Configured").

This window is misleading because the level field is listed as "Not Configured". If I understand correctly, all three of the role services are using a self-signed certificate. For the RD Web Access role this can be verified by visiting the website (screenshot: browser certificate error).

The certificate being used also appears in the Certificates MMC (screenshot: Certificates MMC showing the RD Web Access certificate).

Step #3 - Assign new certificate

The Deployment Properties dialog box will allow me to select my existing certificate. The certificate must be placed within the local computer's Certificates MMC in the "Personal" certificate store. The private key will need to be exportable, and you will need to provide the password. I temporarily exported my certificate to a file named temp.pfx with a password, and then imported it into Remote Desktop Services from there.

Once this is done the GUI will indicate that it is ready to accept the new configuration (screenshot: ready to accept certificate).

Once I click the "Apply" button, the GUI indicates success.

This can be verified by visiting the RD Web Access web site a second time. There is no certificate error.

Step #4 - The GUI fails to maintain its state

If the GUI is closed and reopened, all of these settings appear to be lost (screenshot: settings are lost).

Actually, the certificate I configured is still being used. I am able to continue accessing the RD Web Access site without any certificate errors.

Oddly, if I use the "Create new certificate..." button to generate a self-signed certificate this window will update to an "Untrusted" level. This setting will then be maintained through the opening and closing of the Deployment Properties dialog box.

Is there anything I can do to have my settings appear to stick? I feel like something is wrong when the GUI claims I haven't fully configured certificates.
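One way to answer the second question (verifying the settings without trusting the dialog) is to ask the deployment, the certificate store and the web site separately and compare them. The script below is an added example, not code from the question or from Microsoft; it assumes the RemoteDesktop module is available on the broker, and the broker and RD Web Access host names are placeholders:

```powershell
# Added example (not from the question): verify RDS certificate configuration
# without relying on the Deployment Properties dialog.
# Assumptions: run on the RD Connection Broker with the RemoteDesktop module
# installed; $broker and $rdwebHost are placeholders for your farm.
Import-Module RemoteDesktop   # needed before any Get-/Set-/New-RDCertificate call

$broker    = 'rdcb.domain.com'    # placeholder connection broker FQDN
$rdwebHost = 'rdweb.domain.com'   # placeholder RD Web Access host name

# 1. What the deployment itself says is bound to each role (Level should be
#    Trusted, not NotConfigured, once a CA-issued certificate is in use).
$roles = Get-RDCertificate -ConnectionBroker $broker
$roles | Format-Table Role, Level, Thumbprint, ExpiresOn -AutoSize

# 2. Check the certificate bound to RD Web Access against the properties the
#    question lists as required: EKU, Key Usage, SAN and a private key.
$rdwa = $roles | Where-Object Role -eq 'RDWebAccess'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $rdwa.Thumbprint
if (-not $cert) { throw "Certificate $($rdwa.Thumbprint) is not in LocalMachine\My" }

$ekuOids  = $cert.EnhancedKeyUsageList.ObjectId
$keyUsage = ($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
$san      = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$kuFlags  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

[pscustomobject]@{
    HasPrivateKey    = $cert.HasPrivateKey
    ServerAuthEKU    = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
    ClientAuthEKU    = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
    DigitalSignature = ($keyUsage -band $kuFlags::DigitalSignature) -ne 0
    KeyAgreement     = ($keyUsage -band $kuFlags::KeyAgreement) -ne 0
    SANContainsHost  = $san -match [regex]::Escape("DNS Name=$rdwebHost")
    ChainBuilds      = $cert.Verify()   # False for a self-signed cert nobody trusts
} | Format-List

# 3. Confirm the certificate the web site actually presents is the one the
#    deployment claims to use: a raw TLS handshake, not a browser check.
$tcp = New-Object System.Net.Sockets.TcpClient($rdwebHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })  # accept any cert: we only read it
$ssl.AuthenticateAsClient($rdwebHost)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

if ($presented.Thumbprint -eq $rdwa.Thumbprint) {
    "RD Web Access presents the configured certificate ($($presented.Thumbprint))"
} else {
    "MISMATCH: site presents $($presented.Thumbprint), deployment lists $($rdwa.Thumbprint)"
}
```

If step 3 reports a match while the dialog still shows "Not Configured", the binding is in place and the display is the only thing that is wrong; if `ChainBuilds` is false the certificate is bound but clients will still see a warning until its issuer is trusted.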


I checked our farm yesterday and noticed that is Windows 2008... Yours is 2012. I'm sure there are big differences, but I hope my info helps.

Opening MMC -> Certificates -> Computer account I see 2 certificates in "personal/Certificates" folder:

  • Self-signed Certificate (same Issuer and Subject)
  • Certificate issued by our Domain CA

The self-signed certificate shows an error in the details; does your certificate show the same error?

To solve this error, just copy and paste the certificate from the "personal/Certificates" subfolder to "Trusted Root Certification Authorities/Certificates". With that step the same certificate gives no error.

After that, there's only two places where you configure the certificate (in RDS Windows 2008) that I've found.

Our RemoteApp Manager (screenshot: main window).

The Digital Signature settings (screenshot).

And in the RD Session Host Configuration, in the settings of the connection (screenshot).

At the end, if I remember correctly, we solved it by checking all options, the event viewer, making sure there were no certificate errors, populating some local groups, giving them access by the Security Policy...

Good Luck.

---- Updated ----

Remember to import, in the user profile, the issuer CA or the certificate itself (if it's self-signed) into "Trusted Root Certification Authorities/Certificates" so the client doesn't get any certificate error. This point was important in our system.
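The copy-to-Trusted-Root step above, done from PowerShell so the effect can be checked rather than eyeballed in the MMC. This is an added example, not the answerer's procedure; it uses the PKI module cmdlets available on Windows Server 2012 and later (the answer describes a 2008 farm), and the subject name is a placeholder:

```powershell
# Added example (not from the answer): trust a self-signed RDS certificate by
# copying its public part into the machine Trusted Root store, and prove the
# chain builds before and after. Assumption: $subject is a placeholder CN.
$subject = 'CN=rdweb.domain.com'   # placeholder

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject -and $_.Issuer -eq $_.Subject } |   # self-signed: issuer equals subject
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No self-signed certificate with subject $subject in LocalMachine\My" }

function Test-Chain([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed cert publishes no CRL
    $ok = $chain.Build($c)
    [pscustomobject]@{ Valid = $ok; Status = ($chain.ChainStatus | ForEach-Object Status) -join ',' }
}

'Before:'; Test-Chain $cert    # expected: Valid=False, Status=UntrustedRoot

# Export only the public certificate (.cer, no private key) and import it into
# LocalMachine\Root. This is the server-side equivalent of the MMC copy/paste;
# clients need the same certificate in their own Root store (the update above).
$tmp = Join-Path $env:TEMP 'rdweb-selfsigned.cer'
Export-Certificate -Cert $cert -FilePath $tmp | Out-Null
Import-Certificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $tmp

'After:';  Test-Chain $cert    # expected: Valid=True
```

Only the .cer is imported into Root: the private key stays in Personal, and nothing outside the Personal store should ever hold it.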


I had the same exact issue and found the fix. It's all how you created the certificate template and request the certificate.
Here is the fix:

  1. Create a certificate template by duplicating the Computer template
  2. Edit the new template and make these two important modifications:
     2a. Allow the private key to be exported
     2b. On the Subject Name tab select the "Supply in the request" radio button
  3. Publish the new template
  4. Create a new request and select the new template
  5. Add Common Name and DNS for the RDWeb. (I added all RD Farm servers)

Example:

Common names: CN=rdweb.domain.local, CN=rdcb.domain.local, CN=rdsh1.domain.local, CN=rdsh2.domain.local, CN=rdsh3.domain.local

DNS names: rdweb.domain.local, rdcb.domain.local, rdsh1.domain.local, rdsh2.domain.local, rdsh3.domain.local

  6. Add rdweb.domain.local as the friendly name and then generate the certificate
  7. Export the certificate with its private key
  8. Import it into the RD deployment console.

You do all that and Level will be Trusted and Status OK
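Steps 4 to 8 of this answer, scripted with certreq and the RemoteDesktop module so the SAN list is built from one list of farm hosts instead of typed into the request wizard. This is an added example, not the answerer's own procedure; the template name, CA config string, host names and broker are placeholders, and it assumes the template was published with "Supply in the request" and an exportable private key as steps 1 to 3 describe:

```powershell
# Added example (not from the answer): request a certificate from the new
# template with the subject supplied in the request and every farm server in
# the SAN, then bind it to the RD Web Access role by thumbprint.
# Assumptions: $template, $caConfig, $broker and $hosts are placeholders;
# key usage and EKU come from the template, so they are not set here.
$template = 'RDSFarmWebServer'          # placeholder template name
$caConfig = 'ca01.domain.local\Domain-CA'  # placeholder "CAHOST\CA name"
$broker   = 'rdcb.domain.local'         # placeholder
$hosts    = 'rdweb.domain.local','rdcb.domain.local',
            'rdsh1.domain.local','rdsh2.domain.local','rdsh3.domain.local'

# certreq INF: subject = first host; all hosts go into the SAN extension (OID 2.5.29.17).
$sanLines = ($hosts | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$inf = @"
[NewRequest]
Subject = "CN=$($hosts[0])"
FriendlyName = "$($hosts[0])"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

$work = Join-Path $env:TEMP 'rdsfarm'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# Build the request, submit it to the CA, and install the issued certificate
# into LocalMachine\My (assumes the template auto-issues).
certreq -new    "$work\request.inf" "$work\request.req"
certreq -submit -config $caConfig "$work\request.req" "$work\issued.cer"
certreq -accept "$work\issued.cer"

# Bind the issued certificate to RD Web Access and read back what the deployment reports.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Subject -eq "CN=$($hosts[0])" |
        Sort-Object NotAfter -Descending | Select-Object -First 1
Import-Module RemoteDesktop
Set-RDCertificate -Role RDWebAccess -Thumbprint $cert.Thumbprint -ConnectionBroker $broker -Force
Get-RDCertificate -Role RDWebAccess -ConnectionBroker $broker | Format-List *
```

Because Set-RDCertificate is given a thumbprint, the private key never leaves the machine store; the export-to-PFX step is only needed when the same certificate must be installed on other brokers or gateways.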