I have a 2012 RDS environment with a Gateway Server, Connection Broker, and 4 Session Hosts. I am using round robin DNS internally to direct remote.domainname.com to the 4 session hosts, with 4 A records, one for each host.
When I RDP to remote.domainname.com I am directed to one of the 4 session hosts, but I am getting a certificate prompt that the remote identity cannot be verified. Please see screenshot.
We are using an SSL cert on the gateway, so when I RDP in externally to remote.domainname.com with the gateway server configured in the Advanced settings, I do not receive any cert prompts. This is because the cert is coming from the gateway, which is a trusted GoDaddy SSL cert.
However, internally, I am getting prompted with the local session host certs, since RDP is not going through the gateway. I know that if I deployed each session host's cert to all domain computers internally this would not prompt, but I believe there has to be another way. I am hoping someone has another option for me. I am wondering if there is a way to present the SSL cert to clients instead of the local session host's cert. Thanks in advance.
Last comment: Cliff Galiher, 8/22/2022 - Mon
Cliff Galiher
Round-robin DNS is all-but-dead for RDS in 2012. Let the connection broker do what it is supposed to do and load balance for you. That's the (current) source of your certificate issues.
CCtech
ASKER
A quick update: I forgot to set the "Connect and do not warn me" setting in the Advanced tab of the RDP client. This eliminates the individual cert prompts, but I am still prompted originally when connecting via the gateway server. See attached. I may need to install the SSL cert somewhere else on the gateway server?
CCtech
ASKER
Thank you, Cliff. If I point the RDP client to the name of the broker, I am RDPing directly into the broker server, not the session hosts.
Correct. That is by design. The remote desktop client has also been updated to include a collection name which matches a collection you've created in your deployment topology. This property is passed to the connection broker and the connection broker will redirect you to the least loaded (session-wise) session host.
If you simply point RDC to the connection broker, no collection name is specified and so the connection is assumed to be local.
RDP files published via RDWA include this property, which RDC and other remote desktop apps published by Microsoft (Windows Store, Apple store, etc) know how to process and pass along. This is why RDWA is now considered a core component and is included in a default deployment.
Alternately, you can save and manually add this property to a .rdp file.
You *cannot* specify this property in the RDC GUI. The GUI was not enhanced to include it, and likely never will be. Microsoft is no longer relying heavily on the RDC GUI as an end-user tool and so is spending very few resources enhancing it.
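The manual .rdp edit described above, written out as an added example that is not from this thread or from Microsoft. It assumes the broker-side collection property is the `loadbalanceinfo` setting (which the reply does not name), uses placeholder host names, and keeps the certificate warning enabled rather than silencing it:

```powershell
# Added example (not from the thread): write an unsigned .rdp file that targets the
# connection broker and carries the collection name, so the broker, not round-robin
# DNS, chooses the session host. Host names and paths are placeholders, not the asker's.
function New-RdsCollectionRdpFile {
    param(
        [Parameter(Mandatory)] [string] $BrokerFqdn,      # e.g. broker.example.internal
        [Parameter(Mandatory)] [string] $CollectionName,  # must match Server Manager exactly
        [string] $GatewayFqdn,                            # optional, for external clients
        [Parameter(Mandatory)] [string] $OutputPath
    )

    # The broker reads the collection from this property; the prefix is fixed and
    # only the text after the final dot (the collection name) changes.
    $lines = @(
        "full address:s:$BrokerFqdn"
        "loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.$CollectionName"
        "use redirection server name:i:1"   # validate the cert against the redirected host name
        "authentication level:i:2"          # 2 = warn on cert mismatch; 0 would hide a real problem
        "prompt for credentials:i:1"        # never store credentials in the distributed file
    )
    if ($GatewayFqdn) {
        $lines += "gatewayhostname:s:$GatewayFqdn"
        $lines += "gatewayusagemethod:i:2"  # 2 = use the gateway only when no direct path exists
    }

    # ASCII keeps mstsc happy; the file is unsigned, so it stays editable (and unauthenticated).
    Set-Content -Path $OutputPath -Value $lines -Encoding ASCII
}

# Usage with the collection name from this thread and placeholder hosts.
New-RdsCollectionRdpFile -BrokerFqdn 'broker.example.internal' -CollectionName 'Remote Desktops' `
    -GatewayFqdn 'remote.example.com' -OutputPath "$env:USERPROFILE\Desktop\RemoteDesktops.rdp"
```

Because the file is unsigned, anyone who can modify it before it reaches users can repoint it; distribute it over a path users already trust (a signed package or a domain share with restricted write access).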
CCtech
ASKER
Thank you for clarifying. I am not using web access, so where would I pull the settings to save the .rdp file I can distribute to clients? For example, I have a collection named "Remote Desktops" that includes the 4 session hosts. I obviously cannot use "Remote Desktops" in the computer name in the RDP GUI as you stated, so I am lost as to where I would get the settings to use. Thank you.
That error occurs in instances where you didn't specify a valid collection name. Or when you tried to edit a "signed" .rdp file. Like any signed file, edits cause the signature to be unmatched. This is also by design to prevent Man-in-the-Middle (MitM) attacks, and is not unique to RDP. Files you create and save from RDC itself are unsigned. But if you grabbed an .rdp file from another source (such as an older 2008 deployment) it may have a signature and cannot be edited in this manner.
CCtech
ASKER
Cliff, I have verified the collection name is identical to the one shown in Server Manager and it still fails. I also have created a new RDP file, so it should be unsigned.
My issue with RDWA is that I cannot publish both apps and desktops together. I know the workaround is to publish mstsc.exe, but still I will be directing this with the /v parameter to round-robin DNS entries again. I will continue to work on getting the published RDP client to work. Doesn't the broker save the RDP configuration for individual collections somewhere in the registry, if I recall?
Cliff Galiher
Not in the registry. In a database. That's why the RDCB installs (or requires in the case of an HA deployment) a SQL instance. And getting those won't help you. I haven't seen your specific deployment so I can't say what mistake specifically you might be hitting. I *can* tell you that I have used the .rdp edit successfully and it does work as intended. I also fully understand why round-robin was deprecated and should not be used (changes to the initial connection process from 2008 R2.) It *does* work when done properly. Beyond that, there is just no good way for me to troubleshoot this issue in a forum.