Solved

SSL certificates for Windows 2012 RDS environment.

Posted on 2016-08-09
Last Modified: 2016-08-14
I am trying to create a seamless login experience for my Windows 2012 RDS environment.

Currently, in my collection broker security settings, I am using "Negotiate" under security layer, and I have "Allow connections only from computers running Remote Desktop with Network Level Authentication" checked.  

When I purchase an SSL certificate for the RD Connection Broker - Enable Single Sign On and RD Connection Broker - Publishing role services, can I just use a single cert such as mybrokerserver.mydomain.com?

As for the RD Web Access role service and RD Gateway, can I use another single cert such as remote.mydomain.com?

Using a wildcard probably makes more sense here, but we want to use an already existing Go Daddy UCC and add additional websites.

Please advise if you have an idea of what I should get.  

Thanks.
Question by:nav2567

5 Comments

Expert Comment

by:David Johnson, CD, MVP
ID: 41750259
Add your gateway address, i.e. remote.domain.com, and every server that has a connection broker or will be connected to, i.e. server1.domain.com, server2.domain.com, wks1.domain.com.

Expert Comment

by:Mahesh
ID: 41750637
Ideally you need a cert for all servers that are part of the RDS deployment.

I don't know how big your environment is; a wildcard cert can be useful if you have many servers in the deployment or if you already have an existing one, because it is very expensive compared to a UCC cert.

Ideally you should get one UCC cert for the connection broker, RD gateway, session hosts and web access.
If your internal and external domain names are the same, then you don't need any other modifications in config other than getting the UCC cert; however, if that is not the case, you need to make a few changes in the RDS deployment config,
such as using the redirected server name for RDS collections to hide certificate errors. The redirected server name is nothing but the name in the certificate, which points to the RD connection broker. This step is required because the RDS session host FQDN does not match the one provided in the cert:
Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:remote.domain.com"

- remote.domain.com is the RD connection broker FQDN

Another alternative could be to rename the RDS deployment name through PowerShell - script
In the above script - Set-RDPublishedName "remote.contoso.com" - where remote.domain.com is the RD connection broker FQDN - note that this FQDN must be resolvable from intranet DNS and internet public DNS.

Check the blog post below so that you will come to know what I mean:
https://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/

Author Comment

by:nav2567
ID: 41750955
We use split DNS, so our external and internal domains have the same name.

I need to get a UCC cert for each of the components in my farm:

     remote.mydomain.com
     myconnectionbrokerserver.mydomain.com
     myrdshost1.mydomain.com
     myrdshost2.mydomain.com

The first one is a web site for people to access, for which I know how to generate a CSR in IIS.

As for the other three, do I go to the MMC on each server and generate a CSR from the Certificates > Personal folder? Request a cert and import it in there?

As for the most important part, which cert do I use to specify in the RD Connection Broker - Enable SSO and RD Connection Broker - Publishing under manage certificates in my connection broker server?

Please advise again.  

Thanks.

Expert Comment

by:David Johnson, CD, MVP
ID: 41754341
Most CAs allow you to use one generated CSR and allow you to add the additional names. Download and install the new certificate on the machine that created the CSR, export the certificate with the private key and import it into the other servers.

Accepted Solution

by:Mahesh (earned 500 total points)
ID: 41754577
A SAN certificate is designed so that you can generate the CSR request from only one server with all hostnames. In fact, only that machine has the certificate private key, which is generated when you raise the request; hence you have to install it on the same machine.

Later on you need to export it with the private key and import it on the other servers.
If you try to install the cert on another server directly, it won't have the private key.

Keep remote.domain.com as your cert common name (CN) - this should be the hostname of the RD connection broker.
Other names should come as alternate names (Subject Alternative Names - DNS names).

Ultimately the system checks if the provided hostname is part of the cert (either the CN or a SAN entry).

Log on to any RDS server or other server (2008 and above) and generate a CSR with all hostnames.
Follow the article below to generate the CSR:
http://www.entrust.net/knowledge-base/technote.cfm?tn=8924
Ensure that the cert is installed first on the same server from which you generated the CSR.
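To confirm that a single UCC/SAN certificate really covers every name the deployment presents (the session-host FQDN mismatch raised in Mahesh's first comment, and the CN-or-SAN check described in the accepted solution) and that the installed copy carries its private key, here is an added PowerShell check that is not part of this thread. The thumbprint and hostnames are placeholders to be replaced with your own values.

```powershell
# Added example (not from the thread): verify that one SAN/UCC certificate covers
# every hostname in an RDS deployment and that it has its private key on this server.
# Assumptions: the cert is installed in LocalMachine\My; $Thumbprint and $RdsHostnames
# are placeholders for your deployment.

$Thumbprint   = 'PLACEHOLDER_THUMBPRINT'
$RdsHostnames = @(
    'remote.mydomain.com',                   # RD Gateway / RD Web Access / redirected broker name
    'myconnectionbrokerserver.mydomain.com', # RD Connection Broker
    'myrdshost1.mydomain.com',               # RD Session Hosts
    'myrdshost2.mydomain.com'
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

# A cert imported from a .cer (instead of the .pfx exported from the CSR machine) has no private key.
if (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $($cert.Thumbprint) has no private key here; export it as .pfx from the CSR machine and import that."
}

# Collect the CN plus every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($true) renders one entry per line, e.g. "DNS Name=remote.mydomain.com".
    $names += ($san.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}
$names = $names | Select-Object -Unique

function Test-NameCovered {
    param([string]$Hostname, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $Hostname) { return $true }
        # A wildcard entry matches exactly one label to the left of the dot.
        if ($n.StartsWith('*.') -and
            $Hostname -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

# Report each deployment name; any "MISSING" line means clients will see a certificate error for it.
foreach ($h in $RdsHostnames) {
    $ok = Test-NameCovered -Hostname $h -CertNames $names
    '{0,-45} {1}' -f $h, $(if ($ok) { 'covered' } else { 'MISSING from CN/SAN' })
}
```

Run it on the server where the .pfx was imported; a hostname reported as missing is one to add to the UCC or to hide behind the redirection server name as described above.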