Trying to SSL my RDS . . .but certificate isn't available in RD Session Host

    Question

  • I've installed my SSL certificate via the MMC to the Local Computer's Personal store, but it is not available from the Remote Desktop Session Host Configuration. When I click "Select" under the General tab, I get the message:

    "There are no certificates installed on this Remote Desktop Session Host server."

    The certificate's CN matches the name clients will connect to, the EKU is "server authentication", the certificate is not expired, it shows association with its private key, Network Service has full permissions on the private key . . .what am I missing here?

    Environment: Single 2008r2 DC and RDS box, RD connections all work fine (except missing the TLS/SSL of course).

    Two things that might or might not matter:  (1) My certificate has a 6 digit SN, but the directions for CertUtil repair referenced an 8 digit SN. I see other certificates with 1, or 2 digit SN's, so who knows.  (2) When generating my certificate request, I chose "Signature" for private key type. Should I have chosen "Exchange"?





    • Edited by CSFA Wednesday, June 20, 2012 1:38 PM
    Wednesday, June 20, 2012 2:06 AM

Answers

  • To be able to use a certificate in an RD Session Host server, that certificate needs to have the Server Authentication policy. When you create the certificate request, I recommend you always use the same machine where the certificate is going to be installed. When you issue the certificate from an internal CA or Commercial CA, choose a Web Certificate, because this one has the Server Authentication policy; in your case you should have chosen Exchange.


    Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7

    My Blog: www.vkernel.ro/blog

    • Marked as answer by CSFA Friday, June 22, 2012 8:02 PM
    Friday, June 22, 2012 7:55 AM

All replies

  • Any ideas? I'll give anything a shot. Thanks.
    Friday, June 22, 2012 4:34 AM
  • Thanks for the reply Adrian, the EKU is already set to "Server Authentication" and the request was generated on the same machine where the cert. is installed.

    As far as Exchange vs. Signature, how certain are you about that? The reason I ask is, I've done some more research on it and it seems like the only difference is the exchange type is exportable (http://msdn.microsoft.com/en-us/library/ff648498.aspx).

    However, since that's my only lead so far, I'll give it a shot and see if it makes a difference.

    Friday, June 22, 2012 7:08 PM
  • Adrian, it worked!

    Thanks!

    I made several changes when I did the request this time:

    • Under the Extensions tab, I checked "Include Symmetric algorithm"
    • Under the Private Key tab, I changed the CSP to "Microsoft RSA . . ." (the last choice)
    • Under the same tab, I changed Key Type to "Exchange"

    Friday, June 22, 2012 8:01 PM
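
One way to confirm, on the RD Session Host itself, which key type and CSP each certificate in the Local Computer Personal store actually ended up with (the two properties changed in the request that worked above). This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell session and private keys held in a CryptoAPI CSP (a key the .NET CSP classes cannot open is reported as "unreadable").

```powershell
# Added diagnostic example; not code from the thread.
# Run in an elevated PowerShell session on the RD Session Host.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" EKU

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs on this certificate (empty if it has no EKU extension).
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $keyType  = 'no private key'
    $provider = ''
    if ($cert.HasPrivateKey) {
        try {
            # KeyNumber is "Exchange" or "Signature"; the request that worked
            # in this thread was generated with Key Type set to Exchange.
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info) {
                $keyType  = $info.KeyNumber.ToString()
                $provider = $info.ProviderName
            } else {
                $keyType = 'unreadable'
            }
        } catch {
            # The key exists but could not be opened through the CSP classes.
            $keyType = 'unreadable'
        }
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        SerialNumber  = $cert.SerialNumber
        NotExpired    = ($cert.NotAfter -gt (Get-Date))
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        KeyType       = $keyType
        Provider      = $provider
    }
} | Select-Object Subject, Thumbprint, SerialNumber, NotExpired,
                  ServerAuthEku, KeyType, Provider | Format-List
```

A certificate that shows `ServerAuthEku : True` and `NotExpired : True` but `KeyType : Signature` matches the situation described in the original question.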