Solved

HA RD ConnectionBroker/SessionHost SSL certificate issue

Posted on 2014-02-07
Last Modified: 2014-03-10
I'm trying to get proper certificates on the connection broker/session host server to avoid warnings on external clients connecting through RDWeb.
Spent some time testing but got nowhere so far.

Thanks,
Alex
Question by:D-Tech Consulting
5 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39843950
The SSL certificate you use for the RDWeb server must include the external FQDN of the RDWeb server in the subject (CN) or as a Subject Alternative Name (SAN) entry.
Also, if this certificate is issued from an internal CA server, you must install the public key of the internal CA root certificate on client computers in their trusted root certificate store in order to avoid warning messages.
If an intermediate CA is also in the certificate chain, that cert also needs to be installed on client computers.

If this is a public certificate, then you will probably not face issues.

The same process as above applies to a public certificate as well if there are any warnings.

Mahesh
0
 

Author Comment

by:D-Tech Consulting
ID: 39844200
Hi,

Thanks for replying.
The Gateway/RDWeb servers are using a public certificate, which works fine.
The issue is when the connection is passed over to the connection broker/session host servers.
That's when the certificate issue arises.

How can I configure/use a public certificate on the CB/SH servers?
It seems to want to connect to internal names all the time.
Not very clear about the setup. I'm using HA for the CB servers.

The setup is functional, except for the certificate warning.

Thanks,
Alex
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39844524
You only connect to the internal Connection Broker once a connection is established through the RD Gateway using valid credentials. Since your Connection Broker \ session host servers are not exposed to the public and are part of the internal network, these errors are expected.

Previously, a simple resolution to this issue was to use a SAN certificate, which allowed you to add internal hostnames as SAN entries in public certs. But now this is not possible, as public CAs refuse to issue internal hostnames in a public certificate.

Hence the only workarounds are:
You could use split DNS so that the internal domain and external domain name are the same, and then you could use a wildcard \ standard SSL SAN cert from a public CA for the session host and connection broker.
OR
You could use a wildcard cert \ standard SSL SAN cert from an internal CA server on the session host and connection broker servers so that the cert errors can be resolved.
Check the excellent articles below on the same issue:
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
Also, to set up the certificates, check the article below:
http://www.concurrency.com/blog/rds8-gateway-and-certificates-on-windows-server-2012/

Hope that helps

Mahesh
0
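A diagnostic for the situation described in the accepted answer, added here as an example and not part of the original thread: it lists the DNS names a candidate certificate actually covers (SAN entries, falling back to the CN), compares them with the internal FQDNs of the broker and session hosts that clients see after the gateway hands the connection over, and flags the names that would still produce a warning. It assumes it runs on a broker with the RemoteDesktop module, that `$Broker` and `$Thumbprint` are replaced with the deployment's own values (the ones shown are constructed placeholders), and that the role strings returned by `Get-RDServer` are `RDS-CONNECTION-BROKER` and `RDS-RD-SERVER`.

```powershell
# Added example: check which RDS hosts a certificate covers before binding it.
Import-Module RemoteDesktop

$Broker     = 'rdcb01.corp.local'                             # constructed example FQDN
$Thumbprint = '0000000000000000000000000000000000000000'      # placeholder thumbprint

# Return every DNS name the certificate is valid for: SAN entries (OID 2.5.29.17)
# take precedence; only when the SAN extension is absent does the CN count.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) yields one entry per line, e.g. "DNS Name=rdcb01.corp.local"
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    if (-not $names -and $Cert.Subject -match 'CN=([^,]+)') { $names = @($Matches[1].Trim()) }
    return $names
}

# A wildcard entry such as *.corp.local covers exactly one leftmost label.
function Test-NameMatch {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName -match '^[^.]+\.(.+)$' -and
            $Matches[1] -ieq $n.Substring(2)) { return $true }
    }
    return $false
}

$cert      = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$certNames = Get-CertDnsNames -Cert $cert

# Brokers and session hosts are the names that appear in the RDP handshake
# once the gateway has passed the connection on.
$rdsHosts = Get-RDServer -ConnectionBroker $Broker | Where-Object {
    $_.Roles -contains 'RDS-CONNECTION-BROKER' -or $_.Roles -contains 'RDS-RD-SERVER' }

foreach ($h in $rdsHosts) {
    $ok = Test-NameMatch -CertNames $certNames -HostName $h.Server
    '{0,-32} {1}' -f $h.Server, $(if ($ok) { 'covered' } else { 'NOT covered: clients will warn' })
}

# Once every host is covered, bind the certificate to the broker-side roles:
# Set-RDCertificate -Role RDRedirector -ImportPath C:\certs\rds.pfx -Password (Read-Host -AsSecureString) -ConnectionBroker $Broker
# Set-RDCertificate -Role RDPublishing -ImportPath C:\certs\rds.pfx -Password (Read-Host -AsSecureString) -ConnectionBroker $Broker
```

With the split-DNS approach from the answer, every listed host should show as covered by the public wildcard or SAN certificate; with an internal-CA certificate the names will match but clients still need that CA's root in their trusted store.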
