Solved

How to apply an SSL cert to my RDS Session Host/RemoteApp Server?

Posted on 2011-03-06
Last Modified: 2012-07-22
I'm having trouble applying my certificate from a CA to my RDS implementation. I have two servers. Server one is hosting two roles, Session Host and WebAccess. Server two is the Gateway. I purchased two certificates. The first one went on the gateway. I simply added it in IIS and selected it in the RDS configuration. I'm able to access it fine from the public internet (I still get security prompts from the session host cert). Adding the cert to the Session Host/WebAccess server is giving me trouble. I tried the same method, adding it to IIS and selecting it in RemoteApp Manager. When I go to the site it still shows the original self-signed cert. I tried using the MMC to go into certificates and delete the self-signed cert. It just comes back on its own. If I go into the session host properties and try to select the cert there, it gives me a message stating "There are no certificates installed on this remote desktop session host server". Any idea what I'm doing wrong here?
Question by:chome81
14 Comments
 
LVL 28

Expert Comment

by:bgoering
ID: 35057025
You will need to install your public certificate via a WMI script. Follow the "Using a WMI script" section of http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

Good Luck
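The WMI approach bgoering points to, as an added PowerShell example (it is not from the thread or from the linked MSDN post). It assumes a Windows Server 2008 R2 RD Session Host, an elevated PowerShell 2.0 session, that the CA-issued certificate for the hypothetical name access.domain.com is already in the computer's Personal store together with its private key, and that the listener is the default RDP-Tcp. The private-key ACL step is an assumption about what the Remote Desktop service (running as NETWORK SERVICE) needs in order to use the key; it handles CAPI (CryptoAPI) keys, which is what a 2008 R2 certificate request produces, and not CNG keys.

```powershell
# Added example; not part of the original thread or the linked MSDN post.
# Assumes: Windows Server 2008 R2 RD Session Host, run elevated, the CA certificate
# (with private key) already imported into Cert:\LocalMachine\My, default listener RDP-Tcp.
param(
    [string]$SubjectName = 'access.domain.com',   # hypothetical public name used in the thread
    [string]$Listener    = 'RDP-Tcp'
)

function Get-ServerCertificate([string]$Name) {
    # Newest unexpired certificate issued to $Name that has a usable private key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Name*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Grant-PrivateKeyRead($Certificate, [string]$Account = 'NT AUTHORITY\NETWORK SERVICE') {
    # Assumption: TermService runs as NETWORK SERVICE and must be able to read the key file.
    # Only CAPI (RSACryptoServiceProvider) keys live under MachineKeys; CNG keys are not handled here.
    $csp = $Certificate.PrivateKey
    if (-not $csp) { throw "Private key for $($Certificate.Thumbprint) is not accessible from this session" }
    $container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container
    $acl = Get-Acl $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

function Set-RdpListenerCertificate([string]$Thumbprint, [string]$TerminalName) {
    # Same WMI class the MSDN post's script uses; the property holds the SHA-1 thumbprint.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='$TerminalName'" -Authentication PacketPrivacy
    if (-not $ts) { throw "Listener $TerminalName not found" }
    $ts.SSLCertificateSHA1Hash = $Thumbprint
    $ts.Put() | Out-Null
    # Read it back: this is what RD Session Host Configuration shows as the selected certificate.
    (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='$TerminalName'" -Authentication PacketPrivacy).SSLCertificateSHA1Hash
}

$cert = Get-ServerCertificate $SubjectName
if (-not $cert) { throw "No unexpired certificate with a private key for $SubjectName in LocalMachine\My" }
Grant-PrivateKeyRead $cert
$applied = Set-RdpListenerCertificate -Thumbprint $cert.Thumbprint -TerminalName $Listener
if ($applied -ne $cert.Thumbprint) { throw "Listener still uses $applied, expected $($cert.Thumbprint)" }
"RDP listener $Listener now uses $($cert.Subject) ($($cert.Thumbprint))"
```

Existing sessions keep the certificate they negotiated; only new RDP connections pick up the change. The "There are no certificates installed" message in the question is what the Session Host Configuration dialog shows when nothing in the computer's Personal store has a private key it can use, which is why the store location and the key ACL matter more than the IIS import.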
 

Author Comment

by:chome81
ID: 35060022
I'm not sure this addresses my issue. I was able to get somewhere last night. After contacting the CA and getting a new cert I was able to select the cert in Remote Desktop Host Configuration; however, the old original still shows when I go to the web app page. I've selected it in RemoteApp Manager, but it still doesn't show. Any thoughts?
 
LVL 28

Expert Comment

by:bgoering
ID: 35060071
None other than using the script in the article (modified for your installation) to install the cert. The author indicates that is required for installing a public CA cert.
 

Author Comment

by:chome81
ID: 35060146
It doesn't look like it's referencing WebAccess. Any idea there?
 
LVL 28

Expert Comment

by:bgoering
ID: 35060228
I am not so sure you need the cert on web access. From http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx:

"Web SSO with RD Gateway
Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.

The configuration of Web SSO for RD Gateway assumes that:

• an RD Gateway is deployed
• a 'Connection Authorization Policy' is set to use password for the users connecting
• and the RD Gateway server is used by RemoteApp programs
More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.

The step below is needed regardless of the mode RD Web Access is configured. In case of RD Connection Broker mode, the step needs to be performed on each RD Session Host server which is added as a RemoteApp Source on RD Connection Broker Server.

Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.

1. On the RD Session Host server, open RemoteApp Manager. To open RemoteApp Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
2. In the Actions pane of RemoteApp Manager, click RD Gateway Settings. (Or, in the Overview pane, next to RD Gateway Settings, click Change.)
3. Select Use these RD Gateway server settings.
4. In the Server name box, click the FQDN of the RD Gateway server.
5. In the Logon box, select Ask for password (NTLM).
6. Select the Use the same user credentials for RD Gateway and RD Session Host server check box.
7. Click OK to close the RemoteApp Deployment Settings dialog box"


From step 5 (NTLM) and 6 (Use same credentials) it would appear that the authentication would pass through from the gateway to the session host.
 

Author Comment

by:chome81
ID: 35063026
I'll need one for web access if I don't want users to get a security prompt when they go to the site. For example, the current site URL would be https://server.domain.local/rdweb. I'm using NAT on our firewall to direct one of our public IPs to the private IP of that server. Now I'm able to access the site via the public IP, for example https://60.60.60.60/rdweb. I created a public DNS record (access.domain.com) and have it resolve to 60.60.60.60. This allows me at this point to externally access the site with https://access.domain.com/rdweb. I purchased an SSL cert for access.domain.com so that I wouldn't get the security warning. I selected that cert in RemoteApp Manager. Unfortunately when I go to the site I still get a warning about the self-signed cert (server.domain.local). I shouldn't even be seeing that cert anymore...
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 35063188
For IIS it doesn't really care what the server is called internally - you just get the cert for the "access.domain.com" name. Typically that is done through IIS Manager, select the server in the tree, then server certificates and go through the create/complete request exercise with your CA provider. Alternatively you can just take the certificate from the CA and import it into the personal datastore for the computer. At this point you have your certificate issued to access.domain.com.

Externally you would resolve that to 60.60.60.60 as per your example. After it has been imported to your server, then you need to associate it with your web site using IIS manager. Select your site in the tree on the left, then select bindings on the right and edit the https binding. You will be able to select your certificate from your CA at that point. I would suspect that when you get to this point you will find that it is still pointing to your server.domain.local cert.

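The binding step from the accepted solution, as an added PowerShell example (not from the thread). It assumes IIS 7.5 on Windows Server 2008 R2 with the WebAdministration module, an elevated session, that RD Web Access is under "Default Web Site", that the HTTPS binding is on all addresses on port 443, and that the certificate for the hypothetical name access.domain.com is already in the computer's Personal store. It is worth keeping the three certificate selections apart: the IIS HTTPS binding is what the browser sees at /rdweb, the certificate chosen in RemoteApp Manager only signs the .rdp files, and the RD Session Host Configuration (RDP-Tcp) certificate is what the RDP client sees. Picking the new certificate in one place leaves the others on the self-signed one, which is the symptom in the question.

```powershell
# Added example; not part of the original thread.
# Assumes: IIS 7.5 on Windows Server 2008 R2 (WebAdministration module), run elevated,
# CA-issued certificate already in Cert:\LocalMachine\My, RD Web Access under "Default Web Site".
param(
    [string]$SubjectName = 'access.domain.com',   # hypothetical public name from the thread
    [string]$SiteName    = 'Default Web Site',
    [string]$IpPort      = '0.0.0.0!443'          # IIS:\SslBindings uses "!" between IP and port
)
Import-Module WebAdministration

function Get-ServerCertificate([string]$Name) {
    # Newest unexpired certificate issued to $Name that has a private key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Name*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Set-SiteHttpsCertificate([string]$Site, [string]$Binding, $Certificate) {
    # 1. Make sure the site has an https binding on that port at all.
    $port = [int]($Binding -split '!')[1]
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port $port)) {
        New-WebBinding -Name $Site -Protocol https -Port $port | Out-Null
    }
    # 2. Replace the certificate HTTP.sys has for ip:port. This is the
    #    "edit the https binding and pick the certificate" step in IIS Manager.
    $sslPath = "IIS:\SslBindings\$Binding"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    Get-Item "Cert:\LocalMachine\My\$($Certificate.Thumbprint)" | New-Item $sslPath | Out-Null
    # 3. Read back what will actually be served on that ip:port.
    (Get-Item $sslPath).Thumbprint
}

$cert = Get-ServerCertificate $SubjectName
if (-not $cert) { throw "No unexpired certificate with a private key for $SubjectName in LocalMachine\My" }
$bound = Set-SiteHttpsCertificate -Site $SiteName -Binding $IpPort -Certificate $cert
if ($bound -ne $cert.Thumbprint) { throw "Binding $IpPort still uses $bound, expected $($cert.Thumbprint)" }
"https binding $IpPort on '$SiteName' now uses $($cert.Subject) ($($cert.Thumbprint))"
```

The self-signed certificate the RD role keeps recreating can stay in the store; once neither the IIS binding nor the RDP listener references it, no client will ever be shown it. The SslBindings path is per IP and port, not per site, so if another site shares 0.0.0.0:443 it will be served the same certificate.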
 

Author Comment

by:chome81
ID: 35063206
Everything you described above is exactly what I did, with exception to going into IIS and assigning the cert through bindings.  I assigned the cert in RemoteApp Manager.  Everything else in IIS I did.  I'll check that out today and repost.  Thanks bgoering.
 
LVL 28

Expert Comment

by:bgoering
ID: 35063207
The certificate issued to name must match the name the browser has resolved for the certificate to be valid. In your case if you want to access the site internally the browser on the internal network must resolve access.domain.com to 192.168.1.5 (or whatever your internal address is). This can be done through an entry in the hosts file on the machine you are running the browser on, or by hosting access.domain.com zone on your internal dns for your internal .local domain, but pointing to the internal address.

The key thing is what the browser thinks the site name is from how it was resolved must match the subject name on the certificate.
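A check for the point made above, as an added PowerShell example (not from the thread): it connects to the host name the browser would use, records the certificate the server actually presents, and tests whether that name appears in the certificate's Subject CN or Subject Alternative Name entries, including a single leading wildcard label. The host name access.domain.com is the hypothetical one from the thread; run it from an internal machine and from outside to confirm both resolutions land on a server that serves the matching certificate. The chain check at the end is separate from the name check because a self-signed certificate with the right name would still prompt the user.

```powershell
# Added example; not part of the original thread.
# Fetches the certificate a server presents for a host name and checks that the name
# the client resolved is covered by the certificate's CN or SAN DNS entries.
param(
    [string]$HostName = 'access.domain.com',   # hypothetical name from the thread
    [int]$Port = 443
)

function Get-ServedCertificate([string]$TargetHost, [int]$TargetPort) {
    # Accept whatever the server sends so it can be inspected; validation is done separately.
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
}

function Get-CertificateDnsNames($Certificate) {
    # CN from the subject plus every "DNS Name=" entry in the SAN extension (OID 2.5.29.17).
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',')) {
            if ($entry.Trim() -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names
}

function Test-NameMatchesCertificate([string]$Name, $Certificate) {
    # Exact match, or a "*." wildcard that covers exactly one leftmost label (RFC 6125 style).
    foreach ($n in (Get-CertificateDnsNames $Certificate)) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)   # ".domain.com"
            if ($Name.EndsWith($suffix, 'OrdinalIgnoreCase')) {
                $leftmost = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($leftmost.Length -gt 0 -and $leftmost -notmatch '\.') { return $true }
            }
        }
    }
    $false
}

$served = Get-ServedCertificate $HostName $Port
"Server presented: $($served.Subject) issued by $($served.Issuer), thumbprint $($served.Thumbprint)"
if (Test-NameMatchesCertificate $HostName $served) {
    "OK: $HostName is covered by the certificate"
} else {
    $have = (Get-CertificateDnsNames $served) -join ', '
    "MISMATCH: $HostName is not among [$have]; the https binding still has another certificate or DNS sent you to a different host"
}
# Name and trust are separate checks: a self-signed cert with the right name fails this one.
"Chain trusted by this machine: $($served.Verify())"
```

If the subject printed is server.domain.local while the name you connected to is access.domain.com, the binding on that ip:port is still the self-signed certificate, regardless of what was selected in RemoteApp Manager.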
 

Author Comment

by:chome81
ID: 35063213
Agreed.  I don't see many using the WebAccess internally, but I've created the appropriate Host A records in DNS just in case.  The browser will match now externally and internally.
 
LVL 28

Expert Comment

by:bgoering
ID: 35063229
Maybe I am missing what the issue is. As I understand it when accessing the site you are getting an error about invalid cert and when you look at the cert you are seeing the internal self-signed cert instead of the one you purchased?

If that is the case then you need to associate the proper cert through the IIS bindings as indicated above.
 
LVL 28

Expert Comment

by:bgoering
ID: 35063233
Oh - sorry, didn't see your response between my two posts :)

I will wait to hear back from you...
 

Author Comment

by:chome81
ID: 35070979
Bgoering, that was the issue.  I needed to edit the bindings and select the new cert just like you stated.  Thanks a ton!
 
LVL 28

Expert Comment

by:bgoering
ID: 35071215
Great - glad you got it going