use existing SAN certificate for RDS

    Question

  • I have an existing SAN certificate that I use for Exchange ActiveSync. Can I use this same certificate for RDS?

    Thanks

    Tuesday, September 24, 2013 5:16 PM

All replies

  • Hi,

    Thank you for your question.

    I think the SAN certificate you have cannot be used for RDS. Please refer to:

    Configuring Remote Desktop certificates

    http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

    Hope this helps.


    Best Regards
    Jeremy Wu

    Wednesday, September 25, 2013 3:51 PM
    Moderator
  • I have worked out that I only need an internal cert. Under RemoteApp Manager – Digital Signature Settings, if I check the box to enable using a cert, I am presented with 2 choices: the self-signed cert and one that was generated by my enterprise CA. I did not manually create the one from my CA. How did it get created?

    Also, which one should I choose?

    Thanks

    Wednesday, September 25, 2013 8:38 PM
  • Hi,

    Thanks for the reply.

    Firstly, let’s have a look at the difference between Self Signed certificate and Certificate Authority.

    Self-signed certificate: The certificate is signed by its owner. Self-signed certificates are generally utilized for testing local servers. The web browser will show a pop-up saying that the web site certificate is self-signed. Such certificates are not signed by a certificate authority. A self-signed certificate delivers a little security to the data that flows in the tunnel between browser and server, hence anyone with an awful motive can harm a server. This certificate has no relation to the identity of the person or organization.

    Signed certificate: This is an authorized certificate issued by a trustworthy certificate authority. Secure Sockets Layer is utilized to encrypt the data between the web server and the client’s browser. When a client visits the site, the address bar shows the authenticity of the website. It boosts customer confidence. The information that flows in the tunnel is secure. The most common certificate authorities are Symantec, Thawte, RapidSSL, GeoTrust, etc. Both certificates provide encryption technology, but only the signed certificate is verified by an authority.

    Quote from Difference between Self Signed SSL & Certificate Authority

    Thus, I suggest using a CA. Do you have a CA in your domain?

    Meanwhile, regarding certificate for RDS, we can refer to the following:

    Minimum Certificate Requirements for Typical RDS implementation

    http://blog.kristinlgriffin.com/2010/08/minimum-certificate-requirements-for.html

    Configuring Remote Desktop certificates

    http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

    Obtain a Certificate for the Remote Desktop Gateway Server

    http://technet.microsoft.com/en-us/library/cc725949.aspx

    Install the Remote Desktop Gateway Server Root Certificate on the Remote Desktop Services Client

    http://technet.microsoft.com/en-us/library/cc754076.aspx

    In addition, if you need assistance on CA side, it is recommended to post questions in our Security forum.

    Hope this helps.


    Best Regards
    Jeremy Wu

    Sunday, September 29, 2013 6:16 AM
    Moderator
  • Thanks for hanging in there with me, maybe more details will help.  Here is my current configuration:

    I have 1 RDS server running all roles except RDS Gateway. I do not need that piece.

    All clients are internal (even though some are non-domain) so I am trying to use a cert created by my enterprise CA.

    I created a certificate called FARM based off an enterprise CA cert template called RemoteDesktopComputer.  This cert is supposed to be for my RDS farm.

    The cert appears in the Personal/Certificates folder on the RDS server.

    I am able to point the RD Connection to the FARM cert, but the FARM cert is not listed as a choice when I try to enable Digital Signature under RemoteApp Manager.  The only certs that appear are the self-signed and some client/server cert that I have no idea where it came from.

    What am I missing?  I have tried to apply the posts you have provided, plus a lot more research, but nothing matches my setup. 

    Thanks again for your help.

    Monday, September 30, 2013 6:45 PM
  • I decided to delete all the certs on the RDS server except for the self-signed and start over.

    From the RDS server, certificate MMC\personal, requested a new certificate, chose the Remotedesktopcomputer template, pointed to the farm name for the Common Name, added the DNS names of the 2 farm servers.

    I then applied the cert to the RD Connection and the RemoteApp Mgr.

    This removed the second logon box, so I am declaring it done.

    Thanks again for your help!

    Monday, September 30, 2013 9:06 PM
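
A read-only check of the outcome of the request described in the post above, added here as an example and not part of the original thread: it lists each certificate in the server's Personal store and reports whether it is self-signed, has a private key, chains to a trusted root, and covers the farm name and both farm servers. The three host names are constructed placeholders, and the SAN parsing assumes an English-language Windows.

```powershell
# Added example. Host names below are constructed placeholders; replace them
# with the farm name and the DNS names of the farm servers.
$RequiredNames = 'farm.contoso.example', 'rds01.contoso.example', 'rds02.contoso.example'

function Get-CertDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject Alternative Name extension, OID 2.5.29.17
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) prints one entry per line. The "DNS Name=" label is what
        # an English-language Windows emits; it is localized on other systems.
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    # The Common Name counts as well, since the farm name was requested as the CN.
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn) { $names += $cn }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
}

Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } },
        @{ n = 'ChainTrusted'; e = {
            # Build() returns $true only if the chain ends in a root this machine trusts.
            (New-Object System.Security.Cryptography.X509Certificates.X509Chain).Build($_)
        } },
        @{ n = 'MissingNames'; e = {
            $have = @(Get-CertDnsName -Cert $_)
            # Exact-match comparison only; wildcard entries are not expanded.
            ($RequiredNames | Where-Object { $have -notcontains $_ }) -join ', '
        } } |
    Format-List
```

An empty MissingNames together with SelfSigned False and ChainTrusted True describes a CA-issued certificate that covers every listed name; non-domain clients still need the enterprise CA's root certificate installed before they will trust it.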
  • Hi,

    Thanks for the update.

    And I am glad to be able to help you.

    Cheers!


    Best Regards
    Jeremy Wu

    Tuesday, October 1, 2013 3:45 PM
    Moderator