Solved

SSL certificates for Windows 2012 RDS environment.

Posted on 2016-08-09 | 5 comments | 152 Views | Last Modified: 2016-08-14
I am trying to create a seamless login experience for my Windows 2012 RDS environment.

Currently, in my collection's broker security settings, I am using "Negotiate" under Security Layer, and I have "Allow connections only from computers running Remote Desktop with Network Level Authentication" checked.

When I purchase an SSL certificate for the RD Connection Broker - Enable Single Sign On and RD Connection Broker - Publishing role services, can I just use a single cert such as mybrokerserver.mydomain.com?

As for the RD Web Access role service and RD Gateway, can I use another single cert such as remote.mydomain.com?

Using a wildcard probably makes more sense here, but we want to use an already existing GoDaddy UCC and add additional websites.

Please advise if you have an idea of what I should get.

Thanks.
Question by:nav2567
5 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41750259
Add your gateway address, i.e. remote.domain.com, and every server that has a connection broker or will be connected to, i.e. server1.domain.com, server2.domain.com, wks1.domain.com.
 
LVL 37

Expert Comment

by:Mahesh
ID: 41750637
Ideally you need a cert for all servers that are part of the RDS deployment.

I don't know how big your environment is; a wildcard cert can be useful if you have many servers in the deployment or if you already have an existing one, because it is very expensive compared to a UCC cert.

Ideally you should get one UCC cert for the connection broker, RD Gateway, session hosts and Web Access.
If your internal and external domain names are the same, then you don't need any other modifications in the config other than getting the UCC cert; however, if that is not the case, you need to make a few changes in the RDS deployment config,
such as using the redirected server name for RDS collections to hide certificate errors. The redirected server name is nothing but the name in the certificate which points to the RD Connection Broker; this step is required because the RDS session host FQDN does not match the one provided in the cert.

    Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1`nalternate full address:s:remote.domain.com"

- remote.domain.com is the RD Connection Broker FQDN

Another alternative could be to rename the RDS deployment name through PowerShell - script.
In the above script - Set-RDPublishedName "remote.contoso.com" - where remote.domain.com is the RD Connection Broker FQDN - note that this FQDN must be resolvable from intranet DNS and internet public DNS.

Check the blog post below so that you will come to know what I mean:
https://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
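The redirected-server-name workaround from the comment above, as an added example that is not part of the original thread or the linked blog post. It assumes the collection name QuickSessionCollection and the broker name remote.domain.com used in the comment (both placeholders), and it is meant to be run on the RD Connection Broker. Compared with the one-liner above, it builds the property string without stray spaces around the newline, refuses to redirect clients to a name that does not resolve (the split-DNS requirement mentioned in the thread), and reads the setting back to confirm both RDP properties landed.

```powershell
# Added example (not from the original thread): apply "use redirection server name"
# to a collection so clients connect to the name that is actually in the certificate.
# Assumptions: collection 'QuickSessionCollection' and broker FQDN 'remote.domain.com'
# are placeholders from the thread; run this on the RD Connection Broker.
Import-Module RemoteDesktop

$CollectionName = 'QuickSessionCollection'
$RedirectName   = 'remote.domain.com'   # must be the CN or a SAN entry in the broker's certificate

# Entries in CustomRdpProperty are newline-separated. "`n" inside double quotes is a real
# newline in PowerShell; no spaces around it, so the second key is 'alternate full address'
# and not ' alternate full address'.
$rdpProps = "use redirection server name:i:1`nalternate full address:s:$RedirectName"

# The redirect name must resolve on the internal DNS (split DNS) or clients will be handed a
# name they cannot reach. Check before touching the deployment.
if (-not (Resolve-DnsName -Name $RedirectName -ErrorAction SilentlyContinue)) {
    throw "$RedirectName does not resolve from this host; fix DNS before redirecting clients to it."
}

Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty $rdpProps

# Read the collection back and confirm both properties are present.
$applied = (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName).CustomRdpProperty
$wantAddress = "alternate full address:s:$([regex]::Escape($RedirectName))"
if ($applied -notmatch 'use redirection server name:i:1' -or $applied -notmatch $wantAddress) {
    throw "CustomRdpProperty was not applied as expected. Current value: $applied"
}
Write-Output "Collection '$CollectionName' now redirects clients to $RedirectName"
```

The DNS check is deliberately done on the broker rather than on a client: if the broker itself cannot resolve the published name, neither will internal clients using the same split-DNS zone, and the redirect would turn a certificate warning into a connection failure.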
 

Author Comment

by:nav2567
ID: 41750955
We use split DNS, so our external and internal domains have the same name.

I need to get a UCC cert for each of the components in my farm:

     remote.mydomain.com
     myconnectionbrokerserver.mydomain.com
     myrdshost1.mydomain.com
     myrdshost2.mydomain.com

The first one is a web site for people to access, for which I know how to generate a CSR in IIS.

As for the other three, do I go to the MMC on each server and generate a CSR from the Certificates > Personal folder? Request a cert and import it there?

As for the most important part, which cert do I specify in RD Connection Broker - Enable SSO and RD Connection Broker - Publishing under Manage Certificates on my connection broker server?

Please advise again.

Thanks.
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41754341
Most CAs allow you to use one generated CSR and add the additional names. Download and install the new certificate on the machine that created the CSR, export the certificate with the private key, and import it into the other servers.
 
LVL 37

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 41754577
A SAN certificate is designed so that you can generate the CSR from only one server with all hostnames. In fact, only that machine has the certificate's private key, which is generated when you raise the request, hence you have to install it on the same machine.

Later on you need to export it with the private key and import it on the other servers.
If you try to install the cert on another server directly, it won't have the private key.

Keep remote.domain.com as your cert common name (CN) - this should be the hostname of the RD Connection Broker.
The other names should come as alternate names (Subject Alternative Names - DNS names).

Ultimately the system checks whether the provided hostname is part of the cert (either the CN or a SAN entry).

Log on to any RDS server or other server (2008 and above) and generate a CSR with all hostnames.
Follow the article below to generate the CSR:
http://www.entrust.net/knowledge-base/technote.cfm?tn=8924
Ensure that the cert is installed first on the same server from which you generated the CSR.
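The full procedure from the accepted answer and David Johnson's comment (one SAN CSR, accept the issued cert on the same machine that holds the private key, export with the private key, then put the same cert on every role), as an added example that is not part of the original thread or the linked Entrust article. It uses the four hostnames from the question as placeholders, assumes a working directory of C:\certs and a PFX password entered at run time, and is meant to be run elevated on the RD Connection Broker. It also answers the "which cert for SSO and Publishing" question directly: the same SAN certificate, assigned to the RDRedirector (SSO) and RDPublishing roles with Set-RDCertificate. The CA submission step cannot be scripted against GoDaddy here, so the script stops after writing the CSR until the issued certificate has been saved next to it.

```powershell
# Added example (not from the original thread): one SAN CSR on the broker, accept the
# issued cert where the private key lives, verify coverage, export PFX, assign to RDS roles.
# Assumed placeholders: hostnames from the question, C:\certs, password read at run time.
Import-Module RemoteDesktop

$Broker  = 'myconnectionbrokerserver.mydomain.com'
$Names   = @('remote.mydomain.com', $Broker, 'myrdshost1.mydomain.com', 'myrdshost2.mydomain.com')
$CN      = $Names[0]          # CN is also listed as a SAN; modern clients only consult the SAN list
$WorkDir = 'C:\certs'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. certreq INF with a SAN extension (OID 2.5.29.17). Exportable = TRUE is what allows the
#    private key to be moved to the session hosts and gateway later; MachineKeySet puts the
#    key in the computer store, which is where RDS looks for it.
$sanLines = ($Names | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CN"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@ | Set-Content -Path "$WorkDir\rds.inf" -Encoding ASCII

if (-not (Test-Path "$WorkDir\rds.cer")) {
    certreq.exe -new "$WorkDir\rds.inf" "$WorkDir\rds.csr"
    Write-Warning "Submit $WorkDir\rds.csr to the CA, save the issued certificate as $WorkDir\rds.cer, then re-run."
    return
}

# 2. Accept the issued cert on THIS machine so it pairs with the private key from step 1.
certreq.exe -accept "$WorkDir\rds.cer"

# 3. Find the paired cert and confirm every RDS hostname is in CN or SAN before deploying it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CN*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$CN in LocalMachine\My; was it accepted on this host?" }
$missing = $Names | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }

# 4. Export with the private key. This PFX is what gets copied to the other servers.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfxPath = "$WorkDir\rds.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 5. Same certificate for all four RDS roles. RDRedirector is "RD Connection Broker - Enable
#    Single Sign On" and RDPublishing is "RD Connection Broker - Publishing" in Server Manager.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPassword -ConnectionBroker $Broker -Force
}
Get-RDCertificate -ConnectionBroker $Broker | Format-Table Role, Subject, Level, ExpiresOn -AutoSize
```

Set-RDCertificate covers the roles the deployment wizard knows about; it does not touch the RDP listener on the session hosts. For those, copy rds.pfx to each host, run Import-PfxCertificate into Cert:\LocalMachine\My with the same password, and bind the thumbprint to the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class (SSLCertificateSHA1Hash), then delete the PFX from the host. Keep the PFX and its password out of shared folders afterwards: it carries the private key for every name in the deployment.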
Question has a verified solution.