Solved

Remote Desktop Farm - .local domain, Certificate issues

Posted on 2014-12-25
3
748 Views
Last Modified: 2014-12-29
I have a 2012 R2 Remote Desktop Services farm configured. There are 4 Terminal servers, and they are load balanced. TS1, TS2, TS3, TS4.

TS1 is also the broker for the farm. This is a .local domain, so I cannot use a third party root CA for a certificate.

The issue: When I RDP to the collection name, "farm1.domain.local", it throws an untrusted certificate warning. I have installed Active Directory Cert Services, and set up my own CA.

When no Certs are installed - Untrusted Certificate warning
I need specific steps to create and install the proper certificates to make this farm function properly. I can't simply check the box that says, " Don't ask me again"

What I have tried, is exporting the certificate of each terminal server, and then using Group Policy to add it to the Trusted Root certificate authority, the problem is, then when users RDP to farm.domain.local, is says, certificate mismatch error, it says you are connecting to "farm1.domain.local", but the certificate shows "TS1.domain.local"

Installed each TS server cert to the trusted root via GPO - new error

Users will connect mainly locally to the the farm1.domain.local, however, users may remote via the rdp gateway at some point to access the server. I am not sure how this will play a part yet.



Please see the screenshots attached, I have goggled this for days. Can anyone tell me the right way to do this? I need specific instruction on how to generate the certs, and where/how to install them.

Thanks!
0
Comment
Question by:85PC
  • 2
3 Comments
 
LVL 16

Expert Comment

by:Learnctx
Comment Utility
When you request or issue the certificate, specify a subject alternate name (SAN) for the server.

SAN:DNS=boc-ts1.boc.local&DNS=farm1.boc.local

You can also add the short names or IP addresses as well.

SAN:DNS=boc-ts1.boc.local&DNS=boc-ts1&DNS=farm1.boc.local&DNS=farm1&IPAddress=10.1.1.1

This will generate a certificate which will validate for both DNS names.

See http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx.

http://blogs.technet.com/b/isablog/archive/2011/10/09/how-to-generate-a-certificate-with-subject-alternative-names-san.aspx
0
 

Author Comment

by:85PC
Comment Utility
Learnctx - Couple of questions -

Do I need to use the computer template on my internal CA to publish this template?

Do I create a certificate on each terminal server, and which store does it go in, personal or trusted root? Will clients trust the cert if it's just in the terminal servers cert snap in? or do I have to push this out to client computers too somehow?

Do I create a certificate on teach terminal server with the DNS name and CN name Farm1.boc.local, or do I need to somehow create 1 certificate with all the servers listed in the certificate and the farm1.boc.local ?

How do I get the
0
 
LVL 16

Accepted Solution

by:
Learnctx earned 500 total points
Comment Utility
As per http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx:

Basic requirements for Remote Desktop certificates:

1.    The certificate is installed into computer’s “Personal” certificate store.
2.    The certificate has a corresponding private key.
3.    The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well.

Open in new window


The full steps in the article , are below:

Here is the exact process: 

1.    Open CERTSRV.MSC and configure certificates.
2.    Open Certification Authority.
3.    In the details pane, expand the instructor computer name.
4.    Right-click Certificate Templates and select Manage. Right-click Workstation Authentication and click Duplicate Template.
5.    On the General tab, change the Template display name to Client-Server Authentication and check Publish certificate in Active Directory.
6.    On the Extensions tab, click Application Policies then Edit. Click Add then select Server Authentication. Click OK until you return to the Properties of New Template dialog.
7.    Click the Security tab. For Domain Computers, click the checkbox to ‘Allow Autoenroll’. Click OK. Close the Certificate Templates Console.
8.    In the certsrv snap-in, right-click Certificate Templates and select New then Certificate Template to Issue.
9.    Select Client-Server Authentication and then click OK.

Open in new window


Do I create a certificate on each terminal server, and which store does it go in, personal or trusted root? Will clients trust the cert if it's just in the terminal servers cert snap in? or do I have to push this out to client computers too somehow?
The certificate will go into the computer's personal store. To do this as administrator launch mmc.exe and add the certificate snappin. When you open it you will be given the option to add the certificate to the computers personal store rather than your own accounts.

Do I create a certificate on teach terminal server with the DNS name and CN name Farm1.boc.local, or do I need to somehow create 1 certificate with all the servers listed in the certificate and the farm1.boc.local ?
Yes you create 1 CSR per server regardless of if they will have the same SAN of farm1.boc.local. This is because each computer will generate its own private key (asymmetric encryption).
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Ever wondered why Windows 8 and 10 don't seem to accept your GPO-based software deployment while Windows 7 does? Read on.
Not many admins are aware that GPOs can be activated and deactivated time-based. Time to change that :)
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now