2012 RDS Certificate Prompts

Hello Experts,

    I have a 2012 RDS environment with a Gateway Server, Connection Broker, and 4 Session Hosts. I am using round robin DNS internally to direct remote.domainname.com to the 4 session hosts, with 4 A records, one for each host.

When I RDP to remote.domainname.com I am directed to one of the 4 session hosts, but I am getting a certificate prompt that the remote identity cannot be verified. Please see screenshot.

We are using an SSL cert on the gateway, so when I RDP in externally to remote.domainname.com with the gateway server and settings in advanced settings, I do not receive any cert prompts. This is because the cert is coming from the gateway, which is a trusted GoDaddy SSL cert.

However, internally, I am getting prompted with the local session host certs, since RDP is not going through the gateway. I know if I deployed each session host's cert to all domain computers internally this would not prompt, but I believe there has to be another way. I am hoping someone has another option for me. I am wondering if there is a way to present the SSL cert to clients instead of the local session host name's cert. Thanks in advance.
rds.png
CCtech asked:



Cliff Galiher commented:
Round-robin DNS is all-but-dead for RDS in 2012. Let the connection broker do what it is supposed to do and load balance for you. That's the (current) source of your certificate issues.
CCtech (author) commented:
A quick update, I forgot to set the "Connect and do not warn me" setting in advanced tab of RDP client. This eliminates the individual cert prompts, but I am still prompted originally when connecting via the gateway server. See attached. I may need to install the SSL cert somewhere else on the gateway server?
rds2.png
CCtech (author) commented:
Thank you Cliff. If I point the RDP client to the name of the broker, I am RDPing directly into the broker server, not the session hosts.

Cliff Galiher commented:
Correct. That is by design. The remote desktop client has also been updated to include a collection name which matches a collection you've created in your deployment topology. This property is passed to the connection broker and the connection broker will redirect you to the least loaded (session-wise) session host.

If you simply point RDC to the connection broker, no collection name is specified and so the connection is assumed to be local.

RDP files published via RDWA include this property, which RDC and other remote desktop apps published by Microsoft (Windows Store, Apple store, etc) know how to process and pass along.  This is why RDWA is now considered a core component and is included in a default deployment.

Alternately, you can save and manually add this property to a .rdp file.

You *cannot* specify this property in the RDC GUI. The GUI was not enhanced to include it, and likely never will be. Microsoft is no longer relying heavily on the RDC GUI as an end-user tool and so is spending very few resources enhancing it.
CCtech (author) commented:
Thank you for clarifying. I am not using web access, so where would I pull the settings to save the .rdp file I can distribute to clients? For example, I have a collection named "Remote Desktops" that includes the 4 session hosts. I obviously cannot use "Remote Desktops" in the computer name in the RDP GUI as you stated, so I am lost as to where I would get the settings to use. Thank you.
CCtech (author) commented:
Cliff, I did find this article: http://tech.jesseweeks.me/2013/07/configuring-custom-rdp-shortcuts-for.html but when configuring the RDP icon as directed in the article I am getting an error when trying to connect, attached.
rds3.JPG
Cliff Galiher commented:
Well, it is doable. Although I would *strongly* urge you to reconsider using RDWA for this purpose. Otherwise you are making life exceedingly hard on yourself. RDWA is not just the web interface. It also provides XML feeds that users can discover and subscribe to, or that can be pushed out to clients via group policy, making the whole RDWeb backend transparent. Much more scalable than editing .rdp files or even the old way of creating published .rdp files or .msi's as 2008 used to do.

But if you really want to go this route. You'll need to open the .rdp file and add these two lines:

use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.<RDS COLLECTION NAME>


Replacing <RDS COLLECTION NAME> with the name of a collection in the deployment (since a deployment can have many collections).

You can see collections and their names in Server Manager in 2012. There are also PowerShell commands to list them. Plenty of ways to get the names. But if you aren't creating collections in your RDS deployment, the point becomes moot. You'll need to do that to make this all worthwhile.

Cliff Galiher commented:
That error occurs in instances where you didn't specify a valid collection name.  Or when you tried to edit a "signed" .rdp file. Like any signed file, edits cause the signature to be unmatched.  This is also by design to prevent Man-in-the-Middle (MitM) attacks, and is not unique to RDP.  Files you create and save from RDC itself are unsigned. But if you grabbed an .rdp file from another source (such as an older 2008 deployment) it may have a signature and cannot be edited in this manner.
CCtech (author) commented:
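The two .rdp settings Cliff gives above, plus the signed-file caveat, as an added example that is not part of the original thread and not Microsoft's own tooling: a PowerShell script, run on the broker or a server with the RemoteDesktop module, that first confirms the collection name exactly as the broker knows it (the client passes the string through verbatim, so case and spacing matter), refuses to edit a file that already carries a signature block, and then writes a fresh unsigned .rdp pointing at the broker rather than at a session host. The broker FQDN broker.domainname.com and the output path are assumptions; the collection name "Remote Desktops" is the one from the question.

```powershell
# Added example (not from the original thread). Assumptions, not from the page:
# the broker FQDN 'broker.domainname.com' and the output path on the desktop.
Import-Module RemoteDesktop

$Broker         = 'broker.domainname.com'   # assumed connection broker FQDN
$CollectionName = 'Remote Desktops'          # collection name from the question
$OutFile        = Join-Path $env:USERPROFILE "Desktop\$CollectionName.rdp"

# 1. Verify the collection exists, comparing case-sensitively: the client sends
#    the loadbalanceinfo string as-is, and a near-miss name fails at the broker.
$collections = Get-RDSessionCollection -ConnectionBroker $Broker
$match = $collections | Where-Object { $_.CollectionName -ceq $CollectionName }
if (-not $match) {
    $known = ($collections | ForEach-Object { $_.CollectionName }) -join ', '
    throw "Collection '$CollectionName' not found on $Broker. Known collections: $known"
}

# Show which session hosts the broker will balance across for this collection.
Get-RDSessionHost -CollectionName $CollectionName -ConnectionBroker $Broker |
    ForEach-Object { Write-Host "Session host in collection: $($_.SessionHost)" }

# 2. Never hand-edit a signed .rdp file: rdpsign.exe adds 'signscope:s:' and
#    'signature:s:' lines, and any edit after signing breaks the signature, which
#    is the second cause of the connection error discussed in the thread.
if (Test-Path $OutFile) {
    $existing = Get-Content $OutFile
    if ($existing -match '^(signscope|signature):s:') {
        throw "$OutFile is signed (signscope/signature present). Generate a new file instead of editing it."
    }
}

# 3. Write a fresh, unsigned file. 'full address' targets the broker, not a
#    session host; the two broker settings are the ones from the thread.
$lines = @(
    "full address:s:$Broker",
    "use redirection server name:i:1",
    "loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.$CollectionName"
)
# mstsc saves .rdp files as UTF-16 LE ("Unicode" in PowerShell), so match that.
Set-Content -Path $OutFile -Value $lines -Encoding Unicode
Write-Host "Wrote $OutFile for collection '$CollectionName' via broker $Broker"
```

Note that the generated file deliberately sets nothing that suppresses certificate warnings (no `authentication level` override), so a client that is redirected to a session host whose certificate it does not trust will still be told so; suppressing that prompt, as the "Connect and do not warn me" setting does, hides exactly the mismatch the warning exists to surface.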
Cliff, I have verified collection name is identical to the one shown in Server manager and it still fails. I also have created a new RDP file, so it should be unsigned.

My issue with RDWA is that I cannot publish both Apps and desktops together. I know the workaround is to publish mstsc.exe, but still I will be directing this with the /v parameter to round robin DNS entries again. I will continue to work on getting the published RDP client to work. Doesn't the broker save the RDP configuration for individual collections somewhere in the registry, if I recall?
Cliff Galiher commented:
Not in the registry. In a database.  That's why the RDCB installs (or requires in the case of an HA deployment) a SQL instance.  And getting those won't help you. I haven't seen your specific deployment so I can't say what mistake specifically you might be hitting.  I *can* tell you that I have used the .rdp edit successfully and it does work as intended. I also fully understand why round-robin was deprecated and should not be used (changes to the initial connection process from 2008 R2.)  It *does* work when done properly.  Beyond that, there is just no good way for me to troubleshoot this issue in a forum.
Windows Server 2012