Solved

How to apply an SSL cert to my RDS Session Host/RemoteApp Server?

Posted on 2011-03-06
Last Modified: 2012-07-22
I'm having trouble applying my certificate from a CA to my RDS implementation. I have two servers. Server one is hosting two roles, Session Host and WebAccess. Server two is the Gateway. I purchased two certificates. The first one went on the gateway. Simply added it in IIS, and selected it in the RDS configuration. I'm able to access it fine from the public internet (I still get security prompts from the session host cert). Adding the cert to the Session Host/WebAccess server is giving me trouble. I tried the same method, adding it to IIS and selecting it in RemoteApp Manager. When I go to the site it still shows the original self signed cert. I tried using the MMC to go into certificates and delete the self signed cert. It just comes back on its own. If I go into the session host properties and try to select the cert there, it gives me a message stating "There are no certificates installed on this remote desktop session host server". Any idea what I'm doing wrong here?
Question by:chome81
14 Comments
LVL 28

Expert Comment

by:bgoering
ID: 35057025
You will need to install your public certificate via a WMI script. Follow the "Using a WMI script" section of http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

Good Luck
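The "Using a WMI script" method the linked article refers to, as an added PowerShell example. This is not code from the thread or from Microsoft's article: it binds a CA-issued certificate that has already been imported into the computer's Personal store to the Session Host's RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, and then reads the setting back to confirm it took. The subject name access.domain.com, the listener name RDP-Tcp and the store location are assumptions.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the
# RD Session Host (Windows Server 2008 R2). Assumes the CA-issued cert for
# access.domain.com, together with its private key, is already in LocalMachine\My.

$SubjectName  = 'access.domain.com'          # assumed: the common name on the purchased cert
$TerminalName = 'RDP-Tcp'                    # the default RDP listener name
$Namespace    = 'root\cimv2\TerminalServices'

# 1. Find the cert. The listener only accepts a cert from LocalMachine\My that has a
#    private key. When no usable cert is configured the Session Host generates its
#    own self-signed one on demand, which is why deleting it in MMC does not help.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $SubjectName in LocalMachine\My" }

# 2. Record what the listener uses now, so the change can be confirmed afterwards.
$listener = Get-WmiObject -Namespace $Namespace -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='$TerminalName'"
"Before: $($listener.SSLCertificateSHA1Hash)"

# 3. Point the listener at the new cert by SHA-1 thumbprint. This is the same
#    property the RD Session Host Configuration dialog sets.
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Re-read and verify. New RDP connections pick the certificate up immediately.
$listener = Get-WmiObject -Namespace $Namespace -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='$TerminalName'"
if ($listener.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "$TerminalName still references the previous certificate"
}
"After:  $($listener.SSLCertificateSHA1Hash)  ($($cert.Subject), expires $($cert.NotAfter))"
```

If the Session Host Configuration dialog reports that no certificates are installed, the usual causes are the same ones this script guards against: the cert is not in LocalMachine\My, or it was imported without its private key. A third cause on 2008 R2 is the private key's ACL: the RDP listener runs as NETWORK SERVICE, which needs Read access to the key (Certificates MMC, right-click the cert, All Tasks, Manage Private Keys).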

Author Comment

by:chome81
ID: 35060022
I'm not sure this addresses my issue. I was able to get somewhere last night. After contacting the CA and getting a new cert I was able to select the cert in Remote Desktop Host Configuration, however, the old original still shows when I go to the web app page. I've selected it in RemoteApp Manager, but it still doesn't show. Any thoughts?
LVL 28

Expert Comment

by:bgoering
ID: 35060071
None other than using the script in the article (modified for your installation) to install the cert. The author indicates that is required for installing a public CA cert.

Author Comment

by:chome81
ID: 35060146
It doesn't look like its referencing WebAccess.  Any idea there?
LVL 28

Expert Comment

by:bgoering
ID: 35060228
I am not so sure you need the cert on web access. From http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx:

"Web SSO with RD Gateway
Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.

The configuration of Web SSO for RD Gateway assumes that:

•an RD Gateway is deployed
•a ‘Connection Authorization Policy’ is set to use password for the users connecting
•and the RD Gateway server is used by RemoteApp programs
More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.

The step below is needed regardless of the mode RD Web Access is configured. In case of RD Connection Broker mode, the step needs to be performed on each RD Session Host server which is added as a RemoteApp Source on RD Connection Broker Server.

Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.

1.On the RD Session Host server, open RemoteApp Manager. To open RemoteApp Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
2.In the Actions pane of RemoteApp Manager, click RD Gateway Settings. (Or, in the Overview pane, next to RD Gateway Settings, click Change.)
3.Select the Use these RD Gateway server settings.
4.In the Server name box, click the FQDN of the RD Gateway server.
5.In the Logon box, select the Ask for password (NTLM).
6.Select the Use the same user credentials for RD Gateway and RD Session Host server check box.
7.Click OK to close the RemoteApp Deployment Settings dialog box"


From step 5 (NTLM) and 6 (Use same credentials) it would appear that the authentication would pass through from the gateway to the session host.

Author Comment

by:chome81
ID: 35063026
I'll need one for web access if I don't want users to get a security prompt when they go to the site. For example, the current site URL would be https://server.domain.local/rdweb. I used NAT on our firewall to direct one of our public IPs to the private IP of that server. Now I'm able to access the site via the public IP, for example https://60.60.60.60/rdweb. I created a public DNS record (access.domain.com) and have it resolve to 60.60.60.60. This allows me at this point to externally access the site with https://access.domain.com/rdweb. I purchased an SSL cert for access.domain.com so that I wouldn't get the security warning. Selected that cert in RemoteApp Manager. Unfortunately when I go to the site I still get a warning about the self signed cert (server.domain.local). I shouldn't even be seeing that cert anymore...
LVL 28

Accepted Solution

by:bgoering (earned 2000 total points)
ID: 35063188
For IIS it doesn't really care what the server is called internally - you just get the cert for the "access.domain.com" name. Typically that is done through IIS Manager, select the server in the tree, then server certificates and go through the create/complete request exercise with your CA provider. Alternatively you can just take the certificate from the CA and import it into the personal datastore for the computer. At this point you have your certificate issued to access.domain.com.

Externally you would resolve that to 60.60.60.60 as per your example. After it has been imported to your server, then you need to associate it with your web site using IIS manager. Select your site in the tree on the left, then select bindings on the right and edit the https binding. You will be able to select your certificate from your CA at that point. I would suspect that when you get to this point you will find that it is still pointing to your server.domain.local cert.

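The binding step from the accepted answer, as an added PowerShell example rather than the answerer's own instructions. It uses the WebAdministration module that ships with IIS 7.5 on Server 2008 R2 and does what the IIS Manager "Bindings" dialog does: it shows which certificate HTTP.SYS currently serves on port 443, maps the purchased certificate to 0.0.0.0:443, and checks the result. The site name Default Web Site and the subject name access.domain.com are assumptions; the cert and its private key are assumed to be in LocalMachine\My already.

```powershell
# Added example, not from the original thread. Run elevated on the Session Host /
# RD Web Access server. Assumes IIS 7.5 with the WebAdministration module, the
# RDWeb application under 'Default Web Site', and the access.domain.com cert with
# its private key already imported into LocalMachine\My.
Import-Module WebAdministration

$SubjectName = 'access.domain.com'   # assumed
$SiteName    = 'Default Web Site'    # assumed: the site that hosts /RDWeb

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $SubjectName in LocalMachine\My" }

# What HTTP.SYS serves on 443 right now. The certificate chosen in RemoteApp
# Manager is used to sign the .rdp files it publishes and does not change this
# table, which is why the browser kept seeing server.domain.local.
'--- SSL bindings before ---'
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint -AutoSize

# Make sure the site has an https binding at all (creates one on *:443 if missing).
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# Replace whatever certificate is mapped to 0.0.0.0:443 with the CA-issued one.
$bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
$cert | New-Item $bindingPath | Out-Null

# Verify: the thumbprint bound to 443 must now be the purchased cert's.
$bound = (Get-Item $bindingPath).Thumbprint
if ($bound -ne $cert.Thumbprint) {
    throw "Port 443 is bound to $bound, expected $($cert.Thumbprint)"
}
'--- SSL bindings after ---'
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint -AutoSize
```

The same mapping can be read straight from HTTP.SYS with `netsh http show sslcert ipport=0.0.0.0:443`; the "Certificate Hash" it prints should equal the thumbprint of the access.domain.com certificate, with no IIS restart required.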

Author Comment

by:chome81
ID: 35063206
Everything you described above is exactly what I did, with the exception of going into IIS and assigning the cert through bindings. I assigned the cert in RemoteApp Manager. Everything else in IIS I did. I'll check that out today and repost. Thanks bgoering.
LVL 28

Expert Comment

by:bgoering
ID: 35063207
The name the certificate is issued to must match the name the browser has resolved for the certificate to be valid. In your case, if you want to access the site internally, the browser on the internal network must resolve access.domain.com to 192.168.1.5 (or whatever your internal address is). This can be done through an entry in the hosts file on the machine you are running the browser on, or by hosting an access.domain.com zone on your internal DNS for your internal .local domain, but pointing to the internal address.

The key thing is what the browser thinks the site name is from how it was resolved must match the subject name on the certificate.
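A client-side check for the name-matching point made above, added here as an example and not part of the thread. It resolves the host name the way a browser would, performs a TLS handshake against the result, and reports whether the certificate the server actually presented carries that name in its subject CN or subject alternative names, so the "still shows server.domain.local" symptom can be confirmed from inside and outside the network without a browser. The host name access.domain.com in the final call is an assumption; the function itself takes any name and port.

```powershell
# Added example, not from the original thread. Windows PowerShell 2.0 or later.
function Test-ServerCertificateName {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    # 1. Resolve the name the way the browser will. Internally this has to come
    #    back as the private address (hosts file or split DNS), externally as the
    #    NATed public one; either way it is the same name the cert must carry.
    $addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
        ForEach-Object { $_.IPAddressToString }

    # 2. TLS handshake. The callback accepts everything only so that an untrusted
    #    or mismatched cert can still be pulled back and inspected; the name check
    #    is done explicitly in step 4. Never use a callback like this in production code.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors) $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # also sends $HostName as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    }
    finally { $tcp.Close() }

    # 3. Names the cert is valid for: the subject CN plus any DNS entries in the
    #    Subject Alternative Name extension (OID 2.5.29.17). Format() output is
    #    locale dependent; 'DNS Name=' is what English Windows emits.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }

    # 4. Browser-style match: exact, or a wildcard that covers exactly one label.
    $hostLabels = ($HostName -split '\.').Count
    $matched = @($names | Where-Object {
        ($_ -eq $HostName) -or
        ($_.StartsWith('*.') -and ($HostName -like $_) -and (($_ -split '\.').Count -eq $hostLabels))
    })

    New-Object PSObject -Property @{
        HostName    = $HostName
        ResolvesTo  = ($addresses -join ', ')
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        ValidNames  = ($names -join ', ')
        NotAfter    = $cert.NotAfter
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NameMatches = ($matched.Count -gt 0)
    }
}

# Assumed host name from the thread. Run it from inside and from outside the network.
Test-ServerCertificateName -HostName 'access.domain.com' | Format-List
```

For the situation in this thread, a result with the self-signed server.domain.local subject, SelfSigned set and NameMatches cleared means port 443 is still serving the old certificate regardless of what RemoteApp Manager shows; a result where ResolvesTo is the public address when run from the LAN means the internal DNS or hosts entry is missing.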

Author Comment

by:chome81
ID: 35063213
Agreed.  I don't see many using the WebAccess internally, but I've created the appropriate Host A records in DNS just in case.  The browser will match now externally and internally.
LVL 28

Expert Comment

by:bgoering
ID: 35063229
Maybe I am missing what the issue is. As I understand it when accessing the site you are getting an error about invalid cert and when you look at the cert you are seeing the internal self-signed cert instead of the one you purchased?

If that is the case then you need to associate the proper cert through the IIS bindings as indicated above.
LVL 28

Expert Comment

by:bgoering
ID: 35063233
Oh - sorry, didn't see your response between my two posts :)

I will wait to hear back from you...

Author Comment

by:chome81
ID: 35070979
Bgoering, that was the issue.  I needed to edit the bindings and select the new cert just like you stated.  Thanks a ton!
LVL 28

Expert Comment

by:bgoering
ID: 35071215
Great - glad you got it going