RDS Certificate Warnings

  • Question

  • Recently spun up an RDS deployment with both VDI and RemoteApp collections. Users connect through an external Gateway/WebAccess server from personal home computers. The external domain is domain.org and the internal is some.thing.different.org. The entire deployment has had a publicly-trusted *.domain.org certificate applied through the Deployment Properties, and everything is working fine except for 2 prompts. These don't prevent connections and I didn't think much of them, but, users being what they are, I am now getting pressure to eliminate them as they are "unsightly"...

    1. When initially launching the RemoteApp a prompt is presented with the details of the connection, asking the user to confirm. I assume this is normal and nothing we can do about it, but if there is a way to eliminate it that would be good.

    2. Once the connection has started and is redirected to the CB server, they receive the second prompt stating the certificate doesn't match the internal domain name. This is the more important one to eliminate as it "looks worse".

    My thought would be that one of the deployment's certs needs to be replaced with a wildcard for the internal domain name. Alternatively, we could create an internal DNS zone with the external domain name, create records for each server with different names, and reconnect the servers in the deployment using those names so they are used when establishing the connection path rather than the actual server name. If anyone can help point the way that would be appreciated; I unfortunately don't have a lot of experience with either RDS or certificate management.

    Friday, March 27, 2015 12:57 AM

Answers

  • Hi Reavos,

    The first window is the default window, which only asks you to confirm connecting to the specific RemoteApp at that location. Regarding the other one, I can suggest enabling RD Web SSO so that you don't get any other prompt and can connect directly to the RemoteApp. But for that there are certain conditions which need to be taken care of.

    You need to enable the policy setting “Allow delegating default credentials” and pass the FQDN of the RDCB server (with a “TERMSRV/” prefix). Also check the points below, in order for Web SSO to work:
    1. The connection in RemoteApp and Desktop Connections must have an ID. By default, it is set to the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server.
    2. RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain “Server Authentication (1.3.6.1.5.5.7.3.1)”.
    3. Client operating systems must trust the certificate with which the RemoteApp programs are signed.

    Introducing Web Single Sign-On for RemoteApp and Desktop Connections 
    http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

    Hope it helps!

    Thanks.

    Dharmesh Solanki

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, March 30, 2015 1:54 AM
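The policy and the three conditions in the answer above, as an added worked example that is not part of the original thread and is not Microsoft's own code. It writes the local registry equivalent of “Allow delegating default credentials” (the policy is a Computer Configuration setting evaluated on the client, so it has to reach the client computers; the question's users connect from personal home computers, which domain Group Policy will not reach), checks that a RemoteApp signing certificate carries the Server Authentication EKU and chains to a root the client trusts, and applies the name-matching rule behind the second prompt in the question. The broker FQDN rdcb01.some.thing.different.org, the SAN list and the thumbprint placeholder are assumptions; run it elevated on a client machine.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Assumptions: the RD Connection Broker is rdcb01.some.thing.different.org
# (hypothetical) and the script runs elevated on the *client* computer, which is
# where the "Allow delegating default credentials" policy is evaluated.

# Registry equivalent of Computer Configuration > Administrative Templates >
# System > Credentials Delegation > "Allow delegating default credentials".
function Set-DefaultCredentialDelegation {
    param([Parameter(Mandatory)][string[]]$ServerSpn)   # e.g. TERMSRV/rdcb01.some.thing.different.org

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $list = Join-Path $base 'AllowDefaultCredentials'
    New-Item -Path $list -Force | Out-Null                      # creates the parent key as well
    Set-ItemProperty -Path $base -Name 'AllowDefaultCredentials'          -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name 'ConcatenateDefaults_AllowDefault' -Value 1 -Type DWord
    $i = 1
    foreach ($spn in $ServerSpn) {                               # the server list is numbered "1", "2", ...
        Set-ItemProperty -Path $list -Name ([string]$i) -Value $spn -Type String
        $i++
    }
}

# Conditions 2 and 3 from the answer: the RemoteApp signing certificate must carry
# the Server Authentication EKU and must chain to a root the client trusts.
function Test-RemoteAppSigningCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($Certificate)                       # $false if untrusted, expired, revoked ...
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        HasServerAuth = $hasServerAuth
        ChainTrusted  = $trusted
        ChainStatus   = $status
    }
}

# The second prompt in the question: the client compares the name it connects to
# (here the broker's internal FQDN) with the certificate's SAN DNS names. A
# wildcard covers exactly one leftmost label, so *.domain.org never matches a
# host under some.thing.different.org, nor a two-label host under domain.org.
function Test-CertificateNameMatch {
    param([Parameter(Mandatory)][string[]]$DnsNames,
          [Parameter(Mandatory)][string]$HostName)

    foreach ($name in $DnsNames) {
        if ($name -eq $HostName) { return $true }              # -eq on strings is case-insensitive
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                         # "*.domain.org" -> ".domain.org"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# --- usage (constructed values) ---
$broker = 'rdcb01.some.thing.different.org'                     # hypothetical internal FQDN
Set-DefaultCredentialDelegation -ServerSpn "TERMSRV/$broker"

# SAN list of the deployment's public wildcard certificate, as described in the question.
$san = @('*.domain.org', 'domain.org')
Test-CertificateNameMatch -DnsNames $san -HostName 'rdweb.domain.org'
Test-CertificateNameMatch -DnsNames $san -HostName $broker
Test-CertificateNameMatch -DnsNames $san -HostName 'a.b.domain.org'

# Check the signing certificate in the client's machine store; '<thumbprint>' is a placeholder.
$signing = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq '<thumbprint>' }
if ($signing) { Test-RemoteAppSigningCertificate -Certificate $signing }
```

Of the three name checks, only the first returns $true: the broker's internal FQDN fails because the wildcard's suffix does not match at all, and a.b.domain.org fails because a wildcard only replaces one label. That is why the question's alternatives (a certificate that names the internal FQDNs, or split DNS so the brokered connection uses a *.domain.org name) are the two ways to remove that prompt; the SSO policy removes the credential prompt, not the name mismatch. The DNS names to feed Test-CertificateNameMatch can be read from a certificate object with its DnsNameList property in Windows PowerShell.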

All replies

  • Hi,

    Thanks for posting in Windows Server Forum.

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

    Thanks for your support & understanding.

    Regards.


    Dharmesh Solanki

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, April 7, 2015 1:57 AM