HA RD ConnectionBroker/SessionHost SSL certificate issue

Posted on 2014-02-07
Last Modified: 2014-03-10
I'm trying to get proper certificates on the connection broker/session host servers to avoid warnings on external clients connecting through RDWeb.
I've spent some time testing but got nowhere so far.

Thanks,
Alex
Question by:D-Tech Consulting
Expert Comment

by:Mahesh
ID: 39843950
The SSL certificate you use for the RDWeb server must include the external FQDN of the RDWeb server in the subject (CN) or as a Subject Alternative Name (SAN) entry.
Also, if this is a certificate issued from an internal CA server, you must install the public key of the internal CA root certificate on client computers in their trusted root certificate store in order to avoid warning messages.
If an intermediate CA is also in the certificate chain, that cert also needs to be installed on client computers.

If this is a public certificate, then probably you will not face issues.

The same process as above applies to a public certificate as well if there are any warnings.

Mahesh

Author Comment

by:D-Tech Consulting
ID: 39844200
Hi,

Thanks for replying
The Gateway/RDWeb servers are using a public certificate, which works fine.
The issue is when the connection is passed over to the connection broker/session host servers.
That's when the certificate issue arises.

How can I configure/use a public certificate on the CB/SH servers?
It seems to want to connect to internal names all the time.
I'm not very clear about the setup. I'm using HA for the CB servers.

The setup is functional, except for the certificate warning.

Thanks,
Alex
Accepted Solution

by: Mahesh (earned 2000 total points)
ID: 39844524
You only connect to the internal Connection Broker once a connection is established through the RD Gateway using valid credentials. Since your Connection Broker / Session Host servers are not exposed to the public and are part of the internal network, these errors are expected.

Previously, a simple resolution to this issue was to use a SAN certificate that allows you to add internal hostnames as SAN entries in public certs. But now this is not possible, as public CAs refuse to issue internal hostnames in public certificates.

Hence the only workarounds are:
You could use split DNS so that the internal domain and external domain name are the same, and then you could use a wildcard / standard SSL SAN cert from a public CA for the session host and connection broker.
OR
You could use a wildcard cert / standard SSL SAN cert from an internal CA server on the session host and connection broker servers so that the cert errors can be resolved.
Check the excellent article below on the same issue:
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
Also, to set up certificates, check the article below:
http://www.concurrency.com/blog/rds8-gateway-and-certificates-on-windows-server-2012/

Hope that helps

Mahesh
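Two practical checks for the setup Mahesh describes in both of his replies, added here as an example; this is not code from the thread or from Microsoft's documentation. The function is a probe: it sends the X.224 connection request that begins every RDP session, asks the server to negotiate TLS, and then inspects the certificate the broker or session host actually presents against the name the client was redirected to, which is exactly the name/trust mismatch behind the warning (with -PlainTls the same check works against RDWeb/Gateway on 443). The second part deploys a public wildcard cert to the broker roles with the RemoteDesktop module and binds it on the session host RDP listener. The hostnames (rdcb.contoso.com, rdsh01.contoso.com, remote.contoso.com), the PFX path and a Windows Server 2012 R2 deployment are assumptions.

```powershell
# Added example, not part of the original thread. Hypothetical names/paths throughout:
#   rdcb.contoso.com   = HA broker client access name (split DNS, resolves inside and out)
#   rdsh01.contoso.com = one session host
#   remote.contoso.com = RDWeb/RD Gateway public name
#   C:\certs\rds-wildcard.pfx = public *.contoso.com certificate

function Test-RdsTlsName {
    param(
        [Parameter(Mandatory)] [string] $HostName,  # the name the client is told to connect to
        [int] $Port = 3389,
        [switch] $PlainTls                          # 443 (RDWeb/Gateway) speaks TLS directly
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $net = $tcp.GetStream()
        if (-not $PlainTls) {
            # TPKT + X.224 Connection Request + RDP_NEG_REQ asking for TLS (0x1) or CredSSP (0x2).
            # CredSSP also starts with a TLS handshake, so either answer lets us read the cert.
            $req = [byte[]](0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                            0x01,0x00,0x08,0x00, 0x03,0x00,0x00,0x00)
            $net.Write($req, 0, $req.Length)
            $rsp = New-Object byte[] 19
            $got = $net.Read($rsp, 0, $rsp.Length)
            # Byte 11 is the RDP_NEG_* type: 0x02 = response, 0x03 = failure. A short reply
            # (no negotiation block) means legacy RDP security and no TLS at all.
            if ($got -lt 19 -or $rsp[11] -ne 0x02) {
                throw "$HostName did not negotiate TLS (reply length $got, type 0x$('{0:x2}' -f $rsp[11]))"
            }
        }
        # Accept anything during the handshake; the chain is judged explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($net, $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)   # $HostName is also sent as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Names the cert covers: SAN DNS entries, falling back to the CN when there is no SAN.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = if ($san) {
            ($san.Format($false) -split ', ') | Where-Object { $_ -like 'DNS Name=*' } |
                ForEach-Object { ($_ -split '=', 2)[1] }
        } else {
            @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
        }
        $nameOk = $false
        foreach ($dns in $names) {
            if ($dns.StartsWith('*.')) {
                # Wildcard covers exactly one leftmost label, as RDP/TLS clients apply it.
                $suffix = $dns.Substring(1)
                if ($HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                    $HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch '\.') { $nameOk = $true }
            } elseif ($dns -ieq $HostName) { $nameOk = $true }
        }
        # Build the chain with this machine's trust store: an internal-CA cert only passes here
        # if the root (and any intermediate) has been pushed to the client, as Mahesh notes.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        [pscustomobject]@{
            Host         = "$HostName`:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Names        = ($names -join ' ')
            NameMatches  = $nameOk
            ChainTrusted = $chainOk
            ChainStatus  = if ($status) { $status } else { 'OK' }
            NotAfter     = $cert.NotAfter
        }
    } finally { $tcp.Close() }
}

# Run from a client that reproduces the warning. All three should report NameMatches and ChainTrusted = True.
Test-RdsTlsName -HostName 'remote.contoso.com' -Port 443 -PlainTls   # RDWeb / Gateway
Test-RdsTlsName -HostName 'rdcb.contoso.com'                          # HA broker (redirect target)
Test-RdsTlsName -HostName 'rdsh01.contoso.com'                        # session host after redirect

# --- Deployment: push the public cert to the broker roles (any server in the deployment) ---
$pfx = 'C:\certs\rds-wildcard.pfx'
$pw  = Read-Host -AsSecureString 'PFX password'
foreach ($role in 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $pfx -Password $pw -ConnectionBroker 'rdcb.contoso.com' -Force
}
# HA broker: clients are redirected to the client access name, so it must be the split-DNS
# name the certificate covers, not an individual broker's internal hostname.
Set-RDClientAccessName -ConnectionBroker 'rdcb.contoso.com' -ClientAccessName 'rdcb.contoso.com'
Get-RDCertificate -ConnectionBroker 'rdcb.contoso.com' | Format-Table Role, Level, IssuedTo, ExpiresOn

# --- Each session host: bind the same cert to the RDP-Tcp listener (what port 3389 presents) ---
# Import the PFX into Cert:\LocalMachine\My on the host first, then:
$thumb = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=*.contoso.com*' } |
          Select-Object -First 1).Thumbprint
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumb }
```

The probe is worth running from an outside client before and after the change: if NameMatches is False the redirect target is still an internal-only name (fix DNS/client access name or the SANs), and if ChainTrusted is False the issuer is not in that client's trust store, which is the internal-CA case from the first reply.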
