Solved

How to apply an SSL cert to my RDS Session Host/RemoteApp Server?

Posted on 2011-03-06
14
5,342 Views
Last Modified: 2012-07-22
I'm having trouble applying my certificate from a CA to my RDS implementation.  I have two servers.  Server one is hosting two roles, Session Host and WebAccess.  Server two is the Gateway.  I purchased two certificates.  The first one went on the gateway.  I simply added it in IIS and selected it in the RDS configuration.  I'm able to access it fine from the public internet (I still get security prompts from the session host cert).  Adding the cert to the Session Host/WebAccess server is giving me trouble.  I tried the same method, adding it to IIS and selecting it in RemoteApp Manager.  When I go to the site it still shows the original self-signed cert.  I tried using the MMC to go into certificates and delete the self-signed cert.  It just comes back on its own.  If I go into the session host properties and try to select the cert there, it gives me a message stating "There are no certificates installed on this remote desktop session host server".  Any idea what I'm doing wrong here?
Question by:chome81
14 Comments
 
LVL 28

Expert Comment

by:bgoering
ID: 35057025
You will need to install your public certificate via a WMI script. Follow the "Using a WMI script" section of http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

Good Luck
0
 

Author Comment

by:chome81
ID: 35060022
I'm not sure this addresses my issue.  I was able to get somewhere last night.  After contacting the CA and getting a new cert I was able to select the cert in Remote Desktop Host Configuration; however, the old original still shows when I go to the web app page.  I've selected it in RemoteApp Manager, but it still doesn't show.  Any thoughts?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 35060071
None other than using the script in the article (modified for your installation) to install the cert. The author indicates that is required for installing a public CA cert.
0
 

Author Comment

by:chome81
ID: 35060146
It doesn't look like it's referencing WebAccess.  Any idea there?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 35060228
I am not so sure you need the cert on web access. From http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx:

"Web SSO with RD Gateway
Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.

The configuration of Web SSO for RD Gateway assumes that:

• an RD Gateway is deployed
• a ‘Connection Authorization Policy’ is set to use password for the users connecting
• and the RD Gateway server is used by RemoteApp programs
More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.

The step below is needed regardless of the mode RD Web Access is configured. In case of RD Connection Broker mode, the step needs to be performed on each RD Session Host server which is added as a RemoteApp Source on RD Connection Broker Server.

Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.

1.On the RD Session Host server, open RemoteApp Manager. To open RemoteApp Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
2.In the Actions pane of RemoteApp Manager, click RD Gateway Settings. (Or, in the Overview pane, next to RD Gateway Settings, click Change.)
3.Select the Use these RD Gateway server settings.
4.In the Server name box, click the FQDN of the RD Gateway server.
5.In the Logon box, select the Ask for password (NTLM).
6.Select the Use the same user credentials for RD Gateway and RD Session Host server check box.
7.Click OK to close the RemoteApp Deployment Settings dialog box"


From step 5 (NTLM) and 6 (Use same credentials) it would appear that the authentication would pass through from the gateway to the session host.
0
 

Author Comment

by:chome81
ID: 35063026
I'll need one for web access if I don't want users to get a security prompt when they go to the site.  For example, the current site URL would be https://server.domain.local/rdweb.  I used NAT on our firewall to direct one of our public IPs to the private IP of that server.  Now I'm able to access the site via the public IP, for example https://60.60.60.60/rdweb.  I created a public DNS record (access.domain.com) and have it resolve to 60.60.60.60.  This allows me at this point to externally access the site with https://access.domain.com/rdweb.  I purchased an SSL cert for access.domain.com so that I wouldn't get the security warning.  I selected that cert in RemoteApp Manager.  Unfortunately, when I go to the site I still get a warning about the self-signed cert (server.domain.local).  I shouldn't even be seeing that cert anymore...
0
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 35063188
For IIS it doesn't really care what the server is called internally - you just get the cert for the "access.domain.com" name. Typically that is done through IIS Manager, select the server in the tree, then server certificates and go through the create/complete request exercise with your CA provider. Alternatively you can just take the certificate from the CA and import it into the personal datastore for the computer. At this point you have your certificate issued to access.domain.com.

Externally you would resolve that to 60.60.60.60 as per your example. After it has been imported to your server, then you need to associate it with your web site using IIS manager. Select your site in the tree on the left, then select bindings on the right and edit the https binding. You will be able to select your certificate from your CA at that point. I would suspect that when you get to this point you will find that it is still pointing to your server.domain.local cert.

0

 

Author Comment

by:chome81
ID: 35063206
Everything you described above is exactly what I did, with the exception of going into IIS and assigning the cert through bindings.  I assigned the cert in RemoteApp Manager.  Everything else in IIS I did.  I'll check that out today and repost.  Thanks bgoering.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 35063207
The name the certificate is issued to must match the name the browser has resolved for the certificate to be valid. In your case, if you want to access the site internally, the browser on the internal network must resolve access.domain.com to 192.168.1.5 (or whatever your internal address is). This can be done through an entry in the hosts file on the machine you are running the browser on, or by hosting the access.domain.com zone on your internal DNS for your internal .local domain, but pointing to the internal address.

The key thing is what the browser thinks the site name is from how it was resolved must match the subject name on the certificate.
0
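The check bgoering describes in the accepted solution and the comment above (the site's https binding must carry a certificate whose subject CN or SAN covers the name the browser resolved) as an added PowerShell audit script; this is not code from the thread. It assumes the IIS WebAdministration module (IIS 7.x), that RD Web Access is under 'Default Web Site', and uses access.domain.com from the question as the expected hostname; both are placeholders to adjust.

```powershell
# Added example: audit the https binding(s) of the RD Web Access site and report whether
# the bound certificate actually covers the public name users type into the browser.
# Assumptions (placeholders): site name and expected hostname below.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'   # RD Web Access virtual directory lives under this site
$ExpectedHost = 'access.domain.com'  # name the browser resolves, taken from the question

$bindings = Get-WebBinding -Name $SiteName -Protocol https
if (-not $bindings) { Write-Warning "No https binding on '$SiteName'"; return }

foreach ($b in $bindings) {
    $thumb = $b.certificateHash        # thumbprint IIS associated via Bindings > Edit
    $store = $b.certificateStoreName   # normally 'My' (LocalMachine\Personal)
    if (-not $thumb) { Write-Warning "Binding $($b.bindingInformation) has no certificate"; continue }

    $cert = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { Write-Warning "Thumbprint $thumb not found in LocalMachine\$store"; continue }

    # Names the certificate is valid for: subject CN plus any DNS entries in the SAN extension.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*' |
                   Where-Object { $_ -like 'DNS Name=*' } |
                   ForEach-Object { $_ -replace '^DNS Name=', '' })
    }
    $names = $names | Sort-Object -Unique

    # Exact match, or a wildcard entry (*.domain.com) that the expected host falls under.
    $covers = [bool]($names | Where-Object {
        $_ -eq $ExpectedHost -or ($_.StartsWith('*.') -and $ExpectedHost -like $_) })

    New-Object PSObject -Property @{
        Binding     = $b.bindingInformation
        Thumbprint  = $thumb
        Subject     = $cert.Subject
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # the server.domain.local symptom
        Names       = ($names -join ', ')
        NotAfter    = $cert.NotAfter
        CoversHost  = $covers                              # $false reproduces the browser warning
    }
}
```

If CoversHost is false or SelfSigned is true, the fix from this thread applies: edit the https binding in IIS Manager and pick the CA-issued certificate, then re-run the script to confirm.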
 

Author Comment

by:chome81
ID: 35063213
Agreed.  I don't see many using the WebAccess internally, but I've created the appropriate Host A records in DNS just in case.  The browser will match now externally and internally.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 35063229
Maybe I am missing what the issue is. As I understand it when accessing the site you are getting an error about invalid cert and when you look at the cert you are seeing the internal self-signed cert instead of the one you purchased?

If that is the case then you need to associate the proper cert through the IIS bindings as indicated above.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 35063233
Oh - sorry, didn't see your response between my two posts :)

I will wait to hear back from you...
0
 

Author Comment

by:chome81
ID: 35070979
Bgoering, that was the issue.  I needed to edit the bindings and select the new cert just like you stated.  Thanks a ton!
0
 
LVL 28

Expert Comment

by:bgoering
ID: 35071215
Great - glad you got it going
0
