David Haycox (United Kingdom of Great Britain and Northern Ireland) asked:

RDS Session Host self-signed certificates are about to expire. Will this prevent users connecting?

We have a Remote Desktop farm comprising a session broker / gateway (RDSM) and three session hosts (RDS01, RDS02, RDS03), all using Server 2016 Standard, which was set up by a previous IT provider.

We have a third-party wildcard certificate (*.domain.co.uk) assigned to the gateway which is fine. However, clients connect internally using an RDP shortcut (distributed by group policy to user desktops) using the local name of the broker (rdsm.company.local).

RDSM has several certificates (issued by "CompanyEnvCa") for "RDSM.company.local", one of which expired in May 2019, with the remaining three expiring this coming Saturday or Sunday (two are using the template "Client-Server Authentication", the other "RemoteDesktopComputer"). The session hosts each have a local certificate (RDS01.company.local, etc.) of which one is set to expire this Saturday (the others are next July).

If we edit the deployment properties from Server Manager, the "Certificates" section shows "Not Configured" for all role services.

Once the certificates have expired, will clients be prevented from connecting? If so, how do we renew them?
Kimputer

You can always connect; it's only that the RDP client will warn you before connecting about the cert issue (which you may already have anyway, since it's self-signed, if there's no domain-wide CA server).
David Haycox (asker)

That's great. Shouldn't we renew the certificates anyway though?

Kimputer

It saves about 2 mouse clicks, and fewer questions for/from the users, yes. The connection is more trusted also (with a real certificate, that is, not a self-signed one).

David Haycox (asker)

But to use a real certificate we'd need to have all users replace their RDP shortcut, as the URL would be different, right?

Kimputer

The URL would reflect the correct FQDN as it's requested on the cert.
If it already was, then there's no need to replace any shortcut.

David Haycox (asker)

The FQDN on the shortcut is "RDSM.company.local", which can't be used with a third-party cert, as that would need to be "rdsm.domain.co.uk". We could do that, but we'd rather not have to replace the shortcuts.

How do we go about renewing the self-signed certs on the broker and hosts? It looks like it was previously done using the CA on one of the domain controllers (CompanyEnvCa). Thanks.
ASKER CERTIFIED SOLUTION
Kimputer

David Haycox (asker)

Figured it out from there, thanks. Actually had to run the following commands for each certificate on each server:

certutil /store My
[copy serial number]
certreq -Enroll -cert [serial number of cert] -machine renew
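The manual steps above (list the machine Personal store, copy each serial number, renew in place with certreq) can be scripted so that you see, before touching anything, which certificates on a broker or session host are about to expire, which template they came from, and which one the RDP listener is actually presenting to clients. The script below is an added example written for this thread, not code from the original posts or from Microsoft; the parameter names ($DaysAhead, -Renew) and the helper Get-TemplateName are its own assumptions. It uses only standard Windows tooling: the Cert: drive, the Win32_TSGeneralSetting WMI class (which carries the RDP-Tcp listener's certificate thumbprint in SSLCertificateSHA1Hash), and certreq.exe with the documented option order (-machine before -cert). Run it elevated on each server.

```powershell
# Added example (not from the original thread): inventory the machine's
# Personal store, flag certificates close to expiry, show which one the
# RDP-Tcp listener presents, and optionally renew the expiring CA-issued
# ones via certreq. $DaysAhead and -Renew are this script's own assumptions.
param(
    [int]$DaysAhead = 14,   # report certs expiring within this many days
    [switch]$Renew          # without this switch the script only reports
)

# OIDs of the certificate template extensions (v1 template name, v2 template
# info) so "RemoteDesktopComputer" certs can be told apart from
# "Client-Server Authentication" ones in the report.
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($null -eq $ext) { return '(none)' }
    return ($ext.Format($false) -replace '\s+', ' ')
}

# Thumbprint of the certificate bound to the RDP-Tcp listener. This is what
# clients are shown, regardless of what the RDS deployment properties say.
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$listenerHash = $listener.SSLCertificateSHA1Hash
Write-Host "RDP-Tcp listener certificate thumbprint: $listenerHash"

$cutoff = (Get-Date).AddDays($DaysAhead)

$report = foreach ($c in Get-ChildItem -Path 'Cert:\LocalMachine\My') {
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Serial     = $c.SerialNumber
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Template   = Get-TemplateName -Cert $c
        OnListener = ($c.Thumbprint -eq $listenerHash)
        Expiring   = ($c.NotAfter -le $cutoff)
        SelfSigned = ($c.Subject -eq $c.Issuer)
    }
}

$report | Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Template, OnListener, Expiring, SelfSigned, Serial -AutoSize

if ($Renew) {
    # Only CA-issued certs can be renewed against the issuing CA; a truly
    # self-signed cert (Subject equals Issuer) has no CA to renew it.
    foreach ($c in $report | Where-Object { $_.Expiring -and -not $_.SelfSigned }) {
        # Same operation as the thread's manual steps: renew in place by serial
        # number. -q suppresses prompts; Renew reuses the original template.
        Write-Host "Renewing $($c.Subject) (serial $($c.Serial)) ..."
        & certreq.exe -Enroll -machine -q -cert $c.Serial Renew
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certreq returned $LASTEXITCODE for serial $($c.Serial)"
        }
    }
    # A renewed certificate has a new thumbprint; the listener keeps its old
    # binding until changed, so re-run the report and check OnListener again.
}
```

Run it first without -Renew to get the inventory (for example `.\Check-RdsCerts.ps1 -DaysAhead 14`), confirm that the Expiring rows are the CompanyEnvCa-issued RDSM/RDS0x certificates and not something else in the store, then run it again with -Renew. The OnListener column is the check worth keeping: if the certificate the listener is bound to is the one being renewed, verify after renewal that the listener is presenting the new thumbprint, otherwise clients will keep seeing the old, expired one.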