Solved

Remote Desktop Farm - .local domain, Certificate issues

Posted on 2014-12-25
Last Modified: 2014-12-29
I have a 2012 R2 Remote Desktop Services farm configured. There are 4 Terminal servers, and they are load balanced. TS1, TS2, TS3, TS4.

TS1 is also the broker for the farm. This is a .local domain, so I cannot use a third party root CA for a certificate.

The issue: When I RDP to the collection name, "farm1.domain.local", it throws an untrusted certificate warning. I have installed Active Directory Cert Services, and set up my own CA.

When no Certs are installed - Untrusted Certificate warning
I need specific steps to create and install the proper certificates to make this farm function properly. I can't simply check the box that says "Don't ask me again".

What I have tried is exporting the certificate of each terminal server, and then using Group Policy to add it to the Trusted Root certificate authority. The problem is, then when users RDP to farm.domain.local, it says certificate mismatch error; it says you are connecting to "farm1.domain.local", but the certificate shows "TS1.domain.local".

Installed each TS server cert to the trusted root via GPO - new error

Users will connect mainly locally to the farm1.domain.local; however, users may remote via the RDP gateway at some point to access the server. I am not sure how this will play a part yet.



Please see the screenshots attached. I have googled this for days. Can anyone tell me the right way to do this? I need specific instructions on how to generate the certs, and where/how to install them.

Thanks!
Question by:85PC
Expert Comment

by:Learnctx
ID: 40518130
When you request or issue the certificate, specify a subject alternate name (SAN) for the server.

SAN:DNS=boc-ts1.boc.local&DNS=farm1.boc.local

You can also add the short names or IP addresses as well.

SAN:DNS=boc-ts1.boc.local&DNS=boc-ts1&DNS=farm1.boc.local&DNS=farm1&IPAddress=10.1.1.1

This will generate a certificate which will validate for both DNS names.

See http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx.

http://blogs.technet.com/b/isablog/archive/2011/10/09/how-to-generate-a-certificate-with-subject-alternative-names-san.aspx
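
An added example, not part of the answer above: a PowerShell helper that writes a `certreq` INF with the SAN embedded in the request itself, so the CA does not have to accept SANs from `SAN:` request attributes (the `EDITF_ATTRIBUTESUBJECTALTNAME2` policy flag). The function name `New-RdsRequestInf`, the file names and the `<TemplateName>` placeholder are assumptions, and the template is assumed to take the subject name from the request.

```powershell
# Added example. Builds the text of a certreq INF that carries the server
# name and the farm name in the Subject Alternative Name extension.
function New-RdsRequestInf {
    param(
        [Parameter(Mandatory = $true)] [string]   $ServerFqdn,
        [Parameter(Mandatory = $true)] [string[]] $ExtraDnsNames
    )
    # Server name first, then the farm/short names, without duplicates.
    $names = @($ServerFqdn) + $ExtraDnsNames | Select-Object -Unique
    $lines = @(
        '[Version]'
        'Signature = "$Windows NT$"'
        ''
        '[NewRequest]'
        "Subject = `"CN=$ServerFqdn`""
        'KeyLength = 2048'
        'Exportable = FALSE'        # private key stays on this server
        'MachineKeySet = TRUE'      # computer store, not the user's
        'RequestType = PKCS10'
        ''
        '[EnhancedKeyUsageExtension]'
        'OID = 1.3.6.1.5.5.7.3.1'   # Server Authentication
        ''
        '[Extensions]'
        '2.5.29.17 = "{text}"'      # Subject Alternative Name
    )
    # One _continue_ line per DNS name; certreq expects the trailing "&".
    $lines += $names | ForEach-Object { "_continue_ = `"dns=$_&`"" }
    $lines -join "`r`n"
}

# Run on each terminal server (names are the ones used in this thread).
New-RdsRequestInf -ServerFqdn 'boc-ts1.boc.local' -ExtraDnsNames 'farm1.boc.local' |
    Set-Content -Path .\boc-ts1.inf -Encoding ASCII

# Then, against the internal CA (<TemplateName> is a placeholder):
#   certreq -new    .\boc-ts1.inf .\boc-ts1.req
#   certreq -submit -attrib "CertificateTemplate:<TemplateName>" .\boc-ts1.req .\boc-ts1.cer
#   certreq -accept .\boc-ts1.cer
```

If the template builds the subject from Active Directory information instead, the CA ignores the names in the request and the issued certificate will not contain the farm name.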
Author Comment

by:85PC
ID: 40518465
Learnctx - Couple of questions -

Do I need to use the computer template on my internal CA to publish this template?

Do I create a certificate on each terminal server, and which store does it go in, personal or trusted root? Will clients trust the cert if it's just in the terminal server's cert snap-in? Or do I have to push this out to client computers too somehow?

Do I create a certificate on each terminal server with the DNS name and CN name Farm1.boc.local, or do I need to somehow create 1 certificate with all the servers listed in the certificate and the farm1.boc.local?

How do I get the
Accepted Solution

by:
Learnctx earned 500 total points
ID: 40519017
As per http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx:

Basic requirements for Remote Desktop certificates:

1.    The certificate is installed into computer’s “Personal” certificate store.
2.    The certificate has a corresponding private key.
3.    The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well.


The full steps in the article are below:

Here is the exact process: 

1.    Open CERTSRV.MSC and configure certificates.
2.    Open Certification Authority.
3.    In the details pane, expand the instructor computer name.
4.    Right-click Certificate Templates and select Manage. Right-click Workstation Authentication and click Duplicate Template.
5.    On the General tab, change the Template display name to Client-Server Authentication and check Publish certificate in Active Directory.
6.    On the Extensions tab, click Application Policies then Edit. Click Add then select Server Authentication. Click OK until you return to the Properties of New Template dialog.
7.    Click the Security tab. For Domain Computers, click the checkbox to ‘Allow Autoenroll’. Click OK. Close the Certificate Templates Console.
8.    In the certsrv snap-in, right-click Certificate Templates and select New then Certificate Template to Issue.
9.    Select Client-Server Authentication and then click OK.


Do I create a certificate on each terminal server, and which store does it go in, personal or trusted root? Will clients trust the cert if it's just in the terminal server's cert snap-in? Or do I have to push this out to client computers too somehow?
The certificate will go into the computer's personal store. To do this, as administrator launch mmc.exe and add the certificate snap-in. When you open it you will be given the option to add the certificate to the computer's personal store rather than your own account's.

Do I create a certificate on each terminal server with the DNS name and CN name Farm1.boc.local, or do I need to somehow create 1 certificate with all the servers listed in the certificate and the farm1.boc.local?
Yes, you create 1 CSR per server, regardless of whether they will have the same SAN of farm1.boc.local. This is because each computer will generate its own private key (asymmetric encryption).
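
An added example (not from the linked article or the answer above): a PowerShell check, run on each terminal server, of the three certificate requirements quoted in the answer plus the name match that produced the mismatch error in the question. The function name `Test-RdsCertificate` is an assumption; `farm1.boc.local` is the farm name used in this thread.

```powershell
# Added example. Reports, for each certificate in the computer's Personal
# store, whether it meets the three requirements quoted above and whether it
# names the farm that clients connect to.
function Test-RdsCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $FarmName,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    # Server Authentication, Remote Desktop Authentication
    $acceptedEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.4.1.311.54.1.2'
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $ekus   = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        # A certificate with no EKU extension at all is also acceptable.
        $ekuOk  = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $acceptedEku -contains $_ })

        # DnsNameList holds the SAN DNS entries (or the subject if there is no SAN).
        $names  = @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })
        $nameOk = $names -contains $FarmName   # exact match; wildcards not handled

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            EkuOk         = $ekuOk
            NamesFarm     = $nameOk
            DnsNames      = $names -join ', '
            Usable        = $cert.HasPrivateKey -and $ekuOk -and $nameOk
        }
    }
}

Test-RdsCertificate -FarmName 'farm1.boc.local' | Format-Table -AutoSize
```

A row with `NamesFarm` set to False corresponds to the mismatch in the question: the certificate names only the individual server, not the farm.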