RDS 2008R2 certificate mismatch
Current environment:
1x RD Connection Broker
2x RD Session Hosts

The farm is set up and working with DNS round-robin. The issue I'm having is that we're using "myserver.domainname.com" to connect to the farm, so when we try to connect we get a name mismatch on the certificate. I've tried issuing a web certificate with a Subject Alternative Name (SAN) and storing it in the Computer/Personal certificate store, but RDP-Tcp Properties doesn't detect the certificate. I've spent many hours online reading many articles trying to work this out, but it's doing my head in. Any help would be appreciated. Cheers, Ryan.
December 15th, 2010 1:52am

I actually don't understand what you are using the DNS round-robin for. You should have three names: broker.domain.com, rds1.domain.com and rds2.domain.com, each resolving to its own IP address. So where do you see the use of DNS load balancing? The clients should use "broker.domain.com" with their MSTSC clients, so the broker should have this exact name in its own certificate. Then the broker redirects its clients individually to the real name of each of rds1.domain.com or rds2.domain.com, so each of the RDS hosts should also have a certificate of its own containing its own respective name. This way, normal Kerberos authentication would work for all three and the clients will authenticate the RDS hosts using Kerberos instead of the SSL certificate, which will also render their certificate names unimportant (as a side effect). ondrej.
December 15th, 2010 11:35am

Ondrej, I've set up the environment as per the documentation on TechNet, specifically http://technet.microsoft.com/en-us/library/cc772506.aspx. I suppose the end result I want is to have:
8x RD Session Hosts
1x RD Connection Broker
1x RD Gateway - for external access

We plan on using App-V for presenting applications. Currently, if I try to RDP to the connection broker, it connects me to the connection broker instead of redirecting me to the Session Host farm; hence why I was using round-robin. I've configured every Session Host with the appropriate farm settings and added them to the Session Broker Computers group on the Connection Broker. Any suggestions or better documentation? Cheers, Ryan.
December 16th, 2010 3:27am

OK then, I understand now. That is a correct design. So we are back on track troubleshooting why the certificate is not visible through the RDS Host console. Is it the case that you are not able to assign the manually created certificate using the console? Is the certificate really placed in the LOCAL COMPUTER's Personal certificate store? When you open the certificate, does it have its private key, i.e. the note on the first tab saying "you have a private key"? Does the certificate contain "Server Authentication"? How did you manage to get the certificate into the computer store? Didn't you drag-and-drop it from a user's personal store? ondrej.
December 17th, 2010 12:45pm

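The checklist in the reply above (certificate in the computer's Personal store, private key present, Server Authentication EKU, and the farm name in the certificate) can be run as a script. The following is an added example, not code from the thread or from Microsoft; it lists every certificate in LocalMachine\My with a verdict on each requirement and can bind the one usable certificate to the RDP-Tcp listener through WMI (Win32_TSGeneralSetting.SSLCertificateSHA1Hash), which is the same value the RDP-Tcp Properties dialog writes on 2008 R2. The farm name is a placeholder.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the RD Session Host.
# Reports which certificates in LocalMachine\My meet the RDP-Tcp listener's requirements
# and, with -Bind, assigns the single usable one. The default farm name is a placeholder.
param(
    [string]$FarmName = 'myserver.domainname.com',   # placeholder: your DNS round-robin name
    [switch]$Bind
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-RdpCandidateCertificate {
    param([string]$Name)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # EKU (2.5.29.37): if present it must list Server Authentication; if absent the
        # certificate is valid for any purpose and the listener accepts it.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $serverAuth = $true
        if ($eku) {
            $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
        }

        # SAN (2.5.29.17): Format($false) renders "DNS Name=host1, DNS Name=host2"
        $sanNames = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $sanNames = @($san.Format($false) -split ',' |
                ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() } |
                Where-Object { $_ })
        }
        # DNS name taken from the SAN, or from the Subject CN when there is no SAN
        $dnsName = $cert.GetNameInfo('DnsName', $false)
        $nameOk = ($dnsName -eq $Name) -or ($sanNames -contains $Name)

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $serverAuth
            SanNames      = ($sanNames -join ';')
            NameMatches   = $nameOk
            NotAfter      = $cert.NotAfter
            Usable        = ($cert.HasPrivateKey -and $serverAuth -and $nameOk -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
}

function Set-RdpListenerCertificate {
    param([string]$Thumbprint)
    # SSLCertificateSHA1Hash is the value the RDP-Tcp Properties dialog stores; the
    # TerminalServices WMI namespace requires packet-privacy authentication.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
    $ts.SSLCertificateSHA1Hash = $Thumbprint
    $ts.Put() | Out-Null
    # SecurityLayer 0 = RDP, 1 = Negotiate, 2 = SSL; the certificate is only used for 1 and 2
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy |
        Select-Object TerminalName, SSLCertificateSHA1Hash, SecurityLayer
}

$candidates = @(Get-RdpCandidateCertificate -Name $FarmName)
$candidates | Format-Table Usable, HasPrivateKey, ServerAuth, NameMatches, NotAfter, Thumbprint -AutoSize

if ($Bind) {
    $usable = @($candidates | Where-Object { $_.Usable })
    if ($usable.Count -ne 1) { throw "Expected exactly one usable certificate, found $($usable.Count)" }
    Set-RdpListenerCertificate -Thumbprint $usable[0].Thumbprint
}
```

A certificate that shows HasPrivateKey = False is the usual cause of the dialog not listing it: the key stayed in the user's store when the request was made from a user context, or the export was done without the private key. Repeat the check on every session host, since each one terminates its own TLS session and the broker only redirects.
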
Ondrej, I managed to get the certificate working with SANs and a private key. I had to reconfigure the certificate template so that I could manually request one from the web interface and export it with the private key. The issue I'm now facing is that when trying to connect from Windows 7 Embedded (HP thin client) I receive the error "A revocation check could not be performed for the certificate". I'm not receiving this on Windows 7 Pro machines. I've joined the thin client to the domain to pick up the Group Policies pertaining to certs, and I've tried importing the CA's cert into the Computer > Trusted Root CAs container, and still get the same error. Any other suggestions? Cheers, Ryan.
December 20th, 2010 2:46am

Hi, then you need to test the CRL. Open the server's certificate properties and find the CRL Distribution Point field. There may be several URLs/paths, such as LDAP:// or HTTP://. Your HP thin client will probably need to see a valid HTTP:// path there. You can also paste this into your web browser and try to download the .CRL file yourself to validate that it can be downloaded; you will also see the effective/expiration dates inside. If the file cannot be downloaded or the dates are invalid, then the HP thin client will probably not be able to check the revocation, as in your case. You then need to go into the CA properties to repair the conditions on the Extensions tab and then REISSUE the certificate. ondrej.
December 20th, 2010 9:51am

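The CRL test described above can be automated and, more importantly, run on the machine that actually fails. This is an added example, not from the thread or from Microsoft: it reads the CRL Distribution Point extension from an exported copy of the server certificate, downloads every HTTP CRL the way a client outside the domain would, prints the ThisUpdate/NextUpdate dates via certutil, and then builds the certificate chain with online revocation checking, which is the check mstsc performs, so the chain status names the real problem. The certificate file path is a placeholder; the file is the server certificate exported in DER form without its private key.

```powershell
# Added example, not from the thread. Copy the server certificate (DER .cer, exported
# WITHOUT the private key) to the client showing the error and run this there: the
# revocation check is done by the client, and a domain-joined server has a warm CRL cache
# and LDAP access that the thin client does not. The file path is a placeholder.
param(
    [string]$CertFile = 'C:\temp\rdsfarm.cer',   # placeholder path
    [string]$WorkDir  = "$env:TEMP\crlcheck"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

function Get-CrlDistributionPoint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    # Format($true) prints one "URL=..." line per distribution point (http://, ldap:///, file://)
    [regex]::Matches($cdp.Format($true), 'URL=([^\r\n]+)') | ForEach-Object { $_.Groups[1].Value.Trim() }
}

function Test-CrlUrl {
    param([string]$Url, [string]$OutDir)
    $r = New-Object PSObject -Property @{ Url = $Url; Downloaded = $false; ThisUpdate = $null; NextUpdate = $null; Error = $null }
    if ($Url -notmatch '^https?://') {
        # A client that cannot query Active Directory cannot use an LDAP CDP at all
        $r.Error = 'not HTTP; unusable from a client that cannot query Active Directory'
        return $r
    }
    $file = Join-Path $OutDir ('cdp{0}.crl' -f [Math]::Abs($Url.GetHashCode()))
    try {
        (New-Object System.Net.WebClient).DownloadFile($Url, $file)
        $r.Downloaded = $true
        # certutil -dump prints "ThisUpdate:" and "NextUpdate:" lines for a CRL
        $dump = (& certutil.exe -dump $file) -join "`n"
        if ($dump -match '(?m)^\s*ThisUpdate:\s*(.+)$') { $r.ThisUpdate = $matches[1].Trim() }
        if ($dump -match '(?m)^\s*NextUpdate:\s*(.+)$') { $r.NextUpdate = $matches[1].Trim() }
    } catch {
        $r.Error = $_.Exception.Message
    }
    $r
}

function Test-ChainWithRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Same checks the RDP client makes: chain to a trusted root, online revocation of every element
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($Certificate)
    New-Object PSObject -Property @{
        Valid    = $built
        Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # e.g. RevocationStatusUnknown, OfflineRevocation, PartialChain, UntrustedRoot
        Status   = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    }
}

Write-Host ('== CRL distribution points in ' + $cert.Subject)
Get-CrlDistributionPoint $cert | ForEach-Object { Test-CrlUrl -Url $_ -OutDir $WorkDir } |
    Format-List Url, Downloaded, ThisUpdate, NextUpdate, Error | Out-Host

Write-Host '== Chain build with online revocation checking'
$result = Test-ChainWithRevocation $cert
$result.Elements | ForEach-Object { Write-Host ('  ' + $_) }
if ($result.Valid) { Write-Host 'Chain OK' } else { $result.Status | ForEach-Object { Write-Host $_ } }
```

RevocationStatusUnknown or OfflineRevocation in the status list means the client could not reach or use any CDP; PartialChain or UntrustedRoot means a CA certificate is missing from the client's stores, and the revocation check cannot even start. To be sure the client is fetching rather than replaying a cached CRL, run certutil -urlcache * delete first; certutil -verify -urlfetch rdsfarm.cer performs the same walk in certutil's own output format.
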
Ondrej, the thin client can access the HTTPS CRL no worries; all certificates are currently valid. Perhaps I'm exporting/importing the certificate incorrectly... From the Certificate Services website I click "Download a CA certificate, certificate chain, or CRL" > "Download CA certificate (DER)" > Save. I then fire up the Certificates MMC, connect to the Computer container and import the certificate into the "Trusted Root CA" folder. After doing so I still receive HTTPS warnings on the Certificate Services website as it's unable to verify the trusted CA, which makes me think something is missing from the certificate. Cheers, Ryan.
December 21st, 2010 2:37am

Any ideas? Cheers, Ryan.
December 29th, 2010 12:55am

Bump
January 10th, 2011 12:45am

Still having the issue? Sorry, I was quite busy for months and probably no notification came to my inbox. ondrej.
March 23rd, 2011 8:57pm

Ryan, are you using a single-tiered PKI environment? Some devices and operations need to validate the entire certificate chain, and it will fail if a piece is missing. This issue could occur, for instance, if you have a two-tiered environment and the issuing authority is missing from the machine. You should be able to tell if this is the case by opening up the certificate error message and inspecting the certificate path. If there is a red 'x' or a missing step, then try to add the missing link to the local machine in 'Intermediate Certificate Authorities'. HTH, fr3dd
March 28th, 2011 7:41pm

I managed to get this working using SANs. In terms of the CRLs, please see this thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9fcecc80-86ad-4b9e-9356-65b0420691ef
May 11th, 2011 2:43am

Hi Ondrej, that is actually incorrect. You do not connect to the session broker; you connect to the RDS server, which queries the session broker, which then redirects you to the appropriate RDS server. Thus the need for DNS round-robin or some sort of load-balancing mechanism, so that not just one server gets all logins, but the actual login load gets balanced.

To answer the question regarding the cert needed, you would have to put the DNS round-robin name as the Subject Name for the cert and the two RDS servers' FQDNs as the Subject Alternative Names.

For the thin clients / Windows Embedded PCs, you would need to obtain the root CA cert from the certificate server and install it as a trusted CA (this should happen automatically when you join a PC to your domain, but since you can't join Embedded, you'll need to manually install the cert). To do that: open MMC, select Certificates, select Computer Account, browse to Trusted CAs, right-click and select Import. When you request the cert from the CA (if your CA is configured with web services, browse to http://yourserver/certsrv), download the CA certificate chain rather than the CA cert, save this on the Embedded XP / 7 client and follow the import procedure.
July 13th, 2011 12:18pm

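The import procedure in the reply above (and the missing-intermediate point raised by fr3dd) can be scripted on the thin client so that each certificate in the downloaded chain lands in the store the chain build expects. This is an added example, not from the thread or from Microsoft: it opens the PKCS#7 chain file served by certsrv ("Download CA certificate chain"), puts self-signed CA certificates into Trusted Root Certification Authorities and subordinate CA certificates into Intermediate Certification Authorities, and then has certutil verify the server certificate, fetching AIA and CDP URLs as the client's CryptoAPI would. Both file paths are placeholders.

```powershell
# Added example, not from the thread. Run elevated on the Windows 7 Embedded client.
# Imports every CA certificate in a chain file (PKCS#7 .p7b from http://yourserver/certsrv)
# into the LocalMachine Root or CA store, then verifies the server certificate with certutil.
# Both paths are placeholders.
param(
    [string]$ChainFile      = 'C:\certs\certnew.p7b',   # placeholder: chain downloaded from certsrv
    [string]$ServerCertFile = 'C:\certs\rdsfarm.cer'    # placeholder: server cert exported without its key
)
$ErrorActionPreference = 'Stop'

function Import-CaChain {
    param([string]$Path)
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($Path)   # accepts a PKCS#7 chain (.p7b) as well as a single .cer

    # "Root" = Trusted Root Certification Authorities, "CA" = Intermediate Certification Authorities
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Store 'CA',   'LocalMachine'
    $root.Open('ReadWrite'); $ca.Open('ReadWrite')
    try {
        foreach ($c in $certs) {
            # Basic Constraints (2.5.29.19) must mark the certificate as a CA; anything else is skipped
            $bc = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
            if (-not $bc -or -not $bc.CertificateAuthority) {
                Write-Warning ('skipping non-CA certificate: ' + $c.Subject); continue
            }
            # Self-signed (Subject equals Issuer) is the trust anchor; everything else is an intermediate
            if ($c.Subject -eq $c.Issuer) { $store = $root; $name = 'Root' } else { $store = $ca; $name = 'CA' }
            if ($store.Certificates.Contains($c)) { "already in ${name}: $($c.Subject)"; continue }
            $store.Add($c)
            "imported into ${name}: $($c.Subject) ($($c.Thumbprint))"
        }
    } finally { $root.Close(); $ca.Close() }
}

Import-CaChain -Path $ChainFile

# certutil walks the chain and fetches AIA/CDP URLs exactly as the client's CryptoAPI does;
# read the chain elements and the revocation-status lines in its output.
& certutil.exe -verify -urlfetch $ServerCertFile
```

Two caveats for embedded clients: a single DER root certificate is enough only for a one-tier PKI, which is why the chain file rather than the CA certificate is the right download when an issuing CA sits below the root; and on Windows Embedded images protected by a write filter (EWF or FBWF) the imported certificates are discarded at reboot unless the filter is disabled or the change is committed.
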