Certificates for RDS RemoteApp

  • Question

  • In a RDS RemoteApp farm environment several certificates are required for different purposes.  On session host servers there are at least two, a certificate for the farm and a certificate for digital signing.  How do you guys manage renewing certificates on the server if there are hundreds of servers in a farm?  They share the same certificate so the renewing process itself is easy, but how do you guys handle the need to log on to each server and install the certificate and update the settings to use the new certificate?
    Friday, September 3, 2010 6:17 PM

Answers

  • Hi,

    You can use scripting to set the certificates.  For example, let's walk through setting the certificate for the RDP-Tcp listener on a single RDSH server:

    1. Import the certificate into the local Computer account's Personal store:

    certutil -p <password> -importpfx \\server\share\certificate.pfx

    2. Select the certificate as the one to be used by the listener (hash is the thumbprint of the cert):

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"

    Now that you know the basic procedure you can write a script that will update hundreds of servers remotely.  For example, you could use psexec to execute the above commands from another computer on the LAN.

    It is not essential to have all servers in a farm have an rdp signing certificate set.  The only ones that must have the rdp signing certificate configured are those servers that will serve as a source for RD Web Access.  In a large environment you may choose not to have all servers be a source for RDWeb.  Regardless you can set the certificate to be used for rdp signing using similar scripting techniques if you need to.

    One thing you did not mention is what to do about configuring all of the RemoteApps on hundreds of servers.  This is something that will need to be set on every RDSH if you are using RemoteApps.  You can use scripting for this too.

    For a large environment it is critical to plan things out beforehand so that you are able to manage your servers over time with a reasonable amount of effort.

    Please see the documentation below for information on the method/properties/etc. that you can use to configure your servers using scripting.

    Remote Desktop Services WMI Provider Reference

    http://msdn.microsoft.com/en-us/library/aa383515(v=VS.85).aspx

    Remote Desktop Services Provider for Windows PowerShell

    http://technet.microsoft.com/en-us/library/ee791871(WS.10).aspx

    Thanks.

    -TP

    • Proposed as answer by TP [MVP] Saturday, September 4, 2010 2:45 AM
    • Marked as answer by Dyl8n Thursday, September 9, 2010 8:18 PM
    Saturday, September 4, 2010 2:45 AM
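The two steps above (import the PFX, then point the RDP-Tcp listener at the new thumbprint) fanned out to a list of session hosts, as an added example that is not TP's script and not from the thread. It uses PowerShell remoting (Invoke-Command) in place of psexec, reads the PFX on the admin workstation and ships the bytes into each session (so no UNC share and no Kerberos double hop), prompts once for the PFX password as a SecureString (so it never sits on a command line the way certutil -p <password> does), and reads the listener setting back to verify rather than trusting the write. Assumed, not stated in the thread: WinRM is enabled on the hosts, you are a local administrator on each of them, and the server list, PFX path and expected thumbprint are supplied as parameters.

```powershell
# Added example, not TP's script. Assumes WinRM is enabled on every RDSH,
# the caller is a local admin there, and the PFX sits on the admin workstation.
param(
    [Parameter(Mandatory=$true)][string[]]$Servers,     # e.g. (Get-Content .\rdsh-servers.txt)
    [Parameter(Mandatory=$true)][string]$PfxPath,       # PFX on the admin workstation
    [Parameter(Mandatory=$true)][string]$Thumbprint     # expected SHA-1 thumbprint of the new cert
)

# Prompt once. A SecureString is encrypted with the session key on its way to each
# remote session, so the PFX password never appears in a process command line.
$pfxPassword = Read-Host -AsSecureString "PFX password"
$pfxBytes    = [System.IO.File]::ReadAllBytes($PfxPath)   # ship bytes, avoids the UNC double hop
$expected    = $Thumbprint.Replace(" ", "").ToUpper()

$remote = {
    param([byte[]]$bytes, [System.Security.SecureString]$pw, [string]$expected)
    $result = New-Object PSObject -Property @{
        Server = $env:COMPUTERNAME; Imported = $false; ListenerHash = $null; Ok = $false; Error = $null
    }
    try {
        # 1. Import into the Computer account's Personal store (LocalMachine\My).
        #    MachineKeySet + PersistKeySet keep the key on disk for the service;
        #    Exportable is deliberately NOT set, so the key cannot be pulled back off the host.
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($bytes, $pw, $flags)
        if ($cert.Thumbprint -ne $expected) {
            throw "PFX thumbprint $($cert.Thumbprint) does not match expected $expected"
        }
        if (-not $cert.HasPrivateKey) { throw "PFX carries no private key; the listener cannot use it" }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
        $store.Open("ReadWrite")
        $store.Add($cert)      # no-op if the same certificate is already present
        $store.Close()
        $result.Imported = $true

        # 2. Select the certificate for the RDP-Tcp listener (the same WMI object wmic edits above).
        $ts = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
        $ts.SSLCertificateSHA1Hash = $expected
        $ts.Put() | Out-Null

        # 3. Read the setting back and compare, instead of assuming the write took.
        $ts = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
        $result.ListenerHash = $ts.SSLCertificateSHA1Hash
        $result.Ok = ($ts.SSLCertificateSHA1Hash.ToUpper() -eq $expected)
    } catch {
        $result.Error = $_.Exception.Message
    }
    $result
}

# Run the same block on every host; one failing host does not stop the rest.
$results = Invoke-Command -ComputerName $Servers -ScriptBlock $remote `
                          -ArgumentList $pfxBytes, $pfxPassword, $expected -ErrorAction Continue

$results | Select-Object Server, Imported, Ok, ListenerHash, Error | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) server(s) did not switch; see the Error column" }
```

Run it as `.\Set-RdpListenerCert.ps1 -Servers (Get-Content .\rdsh-servers.txt) -PfxPath .\farm.pfx -Thumbprint e2f034c171b92afc96b23b7f4da15728c1e461a9` (file names are placeholders). The thumbprint check before the store write is the point of the example: it stops a mis-built or stale PFX from being rolled to a few hundred hosts, and the read-back catches a host where the WMI write silently failed. If a host reports Ok but clients still see the old or self-signed certificate, check that the service account the listener runs under can read the private key, since the TLS handshake falls back when it cannot. The RDP signing certificate that TP mentions for RD Web Access source servers is a separate setting and is not touched here.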

All replies

  • Hi,

    How's everything going? We've not heard back from you in a few days and wanted to check the current status of the issue. If you need further assistance, please do not hesitate to respond back.

    Thanks.

    Thursday, September 9, 2010 8:00 PM
  • I have not had a chance to test this but the proposed method looks good.  Thanks for the quick response.
    Thursday, September 9, 2010 8:19 PM