2012 R2 RDS Domain CA Cert Install on Broker and Session Hosts

Currently supporting for client a 2012 R2 RDS Farm which has domain based CA. Looking to setup certs necessary to setup PKI cert for 2012 R2 RDS Broker as well as for all Session Hosts. Can someone please verify steps required to use domain CA to issue certificates for RDS Broker as well as for all 2012 R2 RDS Session Hosts via RDS Farm/Collection configs first and then thru GPO. Farm will only be used internally.
Vincent DAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MaheshArchitectCommented:
RDS certificate needs to be deployed on all RD session host servers including RD Web access and session broker servers

This is one time activity and no need to deploy certificates on session host collection or through GPO

If this is only for internal purpose and if you already have Windows Internal CA (AD integrated / standalone) you can request wild card certificate and then install it on all RDS servers including broker, RdWeb and session host servers
Check below steps
https://robbieroberts.wordpress.com/2014/04/04/creating-a-wildcard-webserver-certificate-with-your-internal-microsoft-ca/
https://technet.microsoft.com/en-us/library/cc984453.aspx
0
Vincent DAuthor Commented:
I was hoping to not use a wildcard cert. What about using cert that matches 2012 R2 RDS collection/farm name like rdsfarm.contoso.com? It would be the name users would type into RDP client
0
Vincent DAuthor Commented:
Hi Mahesh,

Read the comment from the article you posted. See below...

"Doesn’t this circumvent your PKI? Why have an internal CA if you hand out a wildcard? I guess you could revoke it but only if your revocation mechanisms are working."

Using a wildcard isn't a good idea in production environment. Besides using third party certs are way more secure but this site insists on using domain based CA. Therefore what I need help on is how to issue AD Domain CA certificates to broker/web access server as well as to numerous session host servers.

ie. certs based on following names

rdsbroker.contoso.com (hosts all RDS roles except license and session host)
sessionhost1.contoso.com
sessionhost2.contoso.com
sessionhost3.contoso.com
sessionhost4.contoso.com

etc etc...
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

David Johnson, CD, MVPOwnerCommented:
Besides using third party certs are way more secure but this site insists on using domain based CA not necessarily true.. they all use the same algorithms. the only difference is the root certificate is NOT included by the operating system into the trusted root store.  Once that is done everything works exactly the same.  PKI with private certificate authorities is a thriving business.
The problem(s) are:
People depending upon the defaults, next, next, next. done installation of a CA.. it will fail as the ODSP/AIA/CRL locations will be wrong.
Outside of the domain will not trust the internal CA, you will have to add a procedure that will allow them to install the public key of the Root CA.  They may or may not have access to the AIA/CRL/ODSP web servers.

Request a certificate with a Subject Alternative Name that has all the server names included
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
0
MaheshArchitectCommented:
Wild card certificate is best suitable if your environment is internal because it will be free of cost from internal CA
Instead of generating number of certs wild card is easy option

The standalone certs or wild card, both will be generated with same procedure from internal CA
 In order to install certs on all RDS deployment check below blog

http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Vincent DAuthor Commented:
Hi Mahesh,

Your doc insists we "Logon to a Windows 2008 R2 or Windows 7 domain member". Is there a problem with following steps by using 2012 R2 and opening certs management console via "mmc"?
0
Vincent DAuthor Commented:
Do either of you guys know of a book that will fully teach how Microsoft PKI works?
0
David Johnson, CD, MVPOwnerCommented:
0
MaheshArchitectCommented:
Win7 and 2008 certificate MMC steps will be applicable to 2012 r2 as well.
0
Vincent DAuthor Commented:
OK. I used domain CA to issue RemoteDesktopAuthority cert with Server Authentication Policy selected. I installed new cert into every server Personal cert store. Do I now need to use WMI script to use cert thumbprint to update WMI settings on every server to use correct cert?
0
MaheshArchitectCommented:
For RD Session host you do require to run wmi command as stated in ryan blog
0
MaheshArchitectCommented:
I hope you requested and installed wildcard from internal CA, otherwise you have to secure every hostname in RD  deployment by requesting certificate for every server
0
Vincent DAuthor Commented:
Hi Guys,

Think I am in last step. Trying to change session host server from default cert to new cert using WMI command below in elevated Powershell prompt (ie. run as admin)

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=‎"Thumbprint of new Cert"

Get error in Powershell that shows

Updating property(s) of '\\Servername\root\CIMV2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"'
ERROR:
Description = Invalid parameter
0
MaheshArchitectCommented:
Remove all spaces in certificate thumbprint and then enter command again
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.