Solved

Remote Desktop Farm - .local domain, Certificate issues

Posted on 2014-12-25
3
1,384 Views
Last Modified: 2014-12-29
I have a 2012 R2 Remote Desktop Services farm configured. There are 4 Terminal servers, and they are load balanced. TS1, TS2, TS3, TS4.

TS1 is also the broker for the farm. This is a .local domain, so I cannot use a third party root CA for a certificate.

The issue: When I RDP to the collection name, "farm1.domain.local", it throws an untrusted certificate warning. I have installed Active Directory Cert Services, and set up my own CA.

When no Certs are installed - Untrusted Certificate warning
I need specific steps to create and install the proper certificates to make this farm function properly. I can't simply check the box that says "Don't ask me again".

What I have tried is exporting the certificate of each terminal server and then using Group Policy to add it to the Trusted Root certificate authorities. The problem is, then when users RDP to farm.domain.local, it says "certificate mismatch error": it says you are connecting to "farm1.domain.local", but the certificate shows "TS1.domain.local".

Installed each TS server cert to the trusted root via GPO - new error

Users will connect mainly locally to farm1.domain.local; however, users may remote in via the RDP gateway at some point to access the server. I am not sure how this will play a part yet.

Please see the screenshots attached. I have googled this for days. Can anyone tell me the right way to do this? I need specific instruction on how to generate the certs, and where/how to install them.

Thanks!
Question by:85PC
3 Comments
 
LVL 17

Expert Comment

by:Learnctx
ID: 40518130
When you request or issue the certificate, specify a subject alternate name (SAN) for the server.

SAN:DNS=boc-ts1.boc.local&DNS=farm1.boc.local

You can also add the short names or IP addresses as well.

SAN:DNS=boc-ts1.boc.local&DNS=boc-ts1&DNS=farm1.boc.local&DNS=farm1&IPAddress=10.1.1.1

This will generate a certificate which will validate for both DNS names.

See http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx.

http://blogs.technet.com/b/isablog/archive/2011/10/09/how-to-generate-a-certificate-with-subject-alternative-names-san.aspx
0
 

Author Comment

by:85PC
ID: 40518465
Learnctx - Couple of questions -

Do I need to use the computer template on my internal CA to publish this template?

Do I create a certificate on each terminal server, and which store does it go in, personal or trusted root? Will clients trust the cert if it's just in the terminal servers cert snap in? or do I have to push this out to client computers too somehow?

Do I create a certificate on each terminal server with the DNS name and CN name Farm1.boc.local, or do I need to somehow create 1 certificate with all the servers listed in the certificate and the farm1.boc.local?

How do I get the
0
 
LVL 17

Accepted Solution

by: Learnctx (earned 500 total points)
ID: 40519017
As per http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx:

Basic requirements for Remote Desktop certificates:

1.    The certificate is installed into computer’s “Personal” certificate store.
2.    The certificate has a corresponding private key.
3.    The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well.



The full steps in the article are below:

Here is the exact process: 

1.    Open CERTSRV.MSC and configure certificates.
2.    Open Certification Authority.
3.    In the details pane, expand the instructor computer name.
4.    Right-click Certificate Templates and select Manage. Right-click Workstation Authentication and click Duplicate Template.
5.    On the General tab, change the Template display name to Client-Server Authentication and check Publish certificate in Active Directory.
6.    On the Extensions tab, click Application Policies then Edit. Click Add then select Server Authentication. Click OK until you return to the Properties of New Template dialog.
7.    Click the Security tab. For Domain Computers, click the checkbox to ‘Allow Autoenroll’. Click OK. Close the Certificate Templates Console.
8.    In the certsrv snap-in, right-click Certificate Templates and select New then Certificate Template to Issue.
9.    Select Client-Server Authentication and then click OK.



Do I create a certificate on each terminal server, and which store does it go in, personal or trusted root? Will clients trust the cert if it's just in the terminal servers cert snap in? or do I have to push this out to client computers too somehow?
The certificate will go into the computer's personal store. To do this, as administrator launch mmc.exe and add the Certificates snap-in. When you open it you will be given the option to add the certificate to the computer's personal store rather than your own account's.

Do I create a certificate on each terminal server with the DNS name and CN name Farm1.boc.local, or do I need to somehow create 1 certificate with all the servers listed in the certificate and the farm1.boc.local?
Yes, you create 1 CSR per server regardless of whether they will have the same SAN of farm1.boc.local. This is because each computer will generate its own private key (asymmetric encryption).
0
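The following PowerShell script is an added example, not code from the thread or from either poster. It puts the SAN syntax from Learnctx's first comment and the per-server CSR, Personal-store and EKU requirements from the accepted solution into one runnable procedure: run it as administrator on each RDS host, and that host generates its own key pair, requests a certificate from the internal CA whose SAN lists both the host FQDN and the farm FQDN, and then checks the issued certificate against the three requirements quoted above. The domain name, CA config string, template name and output folder are assumptions; the SAN is written as an X.509 extension in a certreq INF file, which is the same thing as the "SAN:DNS=...&DNS=..." attribute form shown in the comment.

```powershell
# Added example (not from the thread). Run on each RDS host as administrator.
# Assumed values: adjust to your environment.
$Domain   = 'domain.local'
$FarmFqdn = "farm1.$Domain"
$HostFqdn = "$($env:COMPUTERNAME.ToLower()).$Domain"
$CaConfig = "ca01.$Domain\domain-CA01-CA"      # assumed "CAHost\CAName" config string
$Template = 'Client-ServerAuthentication'      # assumed internal name of the duplicated template
$WorkDir  = 'C:\certreq'                       # assumed output folder

function New-RdsRequestInf {
    param([string]$HostFqdn, [string]$FarmFqdn, [string]$TemplateName, [string]$Path)
    # One INF per server: the key pair is generated in this machine's store
    # (MachineKeySet = TRUE), so every host keeps its own private key while
    # the SAN still carries the shared farm name.
    $shortHost = $HostFqdn.Split('.')[0]
    $shortFarm = $FarmFqdn.Split('.')[0]
    $inf = @"
[NewRequest]
Subject = "CN=$HostFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostFqdn&"
_continue_ = "dns=$shortHost&"
_continue_ = "dns=$FarmFqdn&"
_continue_ = "dns=$shortFarm"

[RequestAttributes]
CertificateTemplate = $TemplateName
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
    return $Path
}

function Test-RdsCertificate {
    param([string]$HostFqdn, [string]$FarmFqdn)
    # Checks the three requirements quoted in the accepted answer (Personal store,
    # private key, EKU) plus the SAN entries that remove the name-mismatch warning.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $rdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'
    # Cert:\LocalMachine\My is the computer's "Personal" store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $FarmFqdn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return [pscustomobject]@{ Found = $false } }
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $sans = @($cert.DnsNameList.Unicode)
    [pscustomobject]@{
        Found         = $true
        Thumbprint    = $cert.Thumbprint
        IssuedBy      = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        EkuOk         = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid) -or ($ekus -contains $rdpAuthOid)
        SanOk         = ($sans -contains $HostFqdn) -and ($sans -contains $FarmFqdn)
    }
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = New-RdsRequestInf -HostFqdn $HostFqdn -FarmFqdn $FarmFqdn -TemplateName $Template -Path "$WorkDir\$HostFqdn.inf"
$req = "$WorkDir\$HostFqdn.req"
$cer = "$WorkDir\$HostFqdn.cer"

certreq.exe -new $inf $req                        # generate key pair + CSR on this host
certreq.exe -submit -config $CaConfig $req $cer   # ask the internal CA to issue (may be pending if approval is required)
certreq.exe -accept $cer                          # bind the issued cert to its private key in the Personal store

Test-RdsCertificate -HostFqdn $HostFqdn -FarmFqdn $FarmFqdn | Format-List
```

Every field in the final object should read `True` before the collection name is used; a `False` in `SanOk` reproduces the "you are connecting to farm1 but the certificate shows TS1" mismatch from the question, and a `False` in `HasPrivateKey` means the `-accept` step did not run on the same machine that generated the request. Clients trust the result only because the issuing CA's root is already in their Trusted Root store, which is what the domain CA (or the GPO mentioned in the question) provides; the per-server leaf certificates themselves do not need to be pushed to clients.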
