Renew RDS Certificates

Question
-
A while back, we created a GPO that deploys certificates to machines so they can be used over Remote Desktop Services (RDS) - a model of the guide can be found here. Everything went smoothly, and the machines automatically enrolled for the correct certificate type and had it assigned to the corresponding connection inside the RDS Session Host Configuration. Now that the former certificates are expiring, we're seeing an issue whereby a new certificate is successfully issued for the machines, but it's not selected in the RDS Session Host Configuration.
What would be the extra step required to complete the process?
- Edited by Albert Mihai Monday, March 7, 2016 3:31 PM
Monday, March 7, 2016 3:30 PM
Answers
-
Hi,
Unless there is a mismatch between the name of the certificate it will have issues. I would try to renew manually using a CSR through IIS and see the request file.
Regards,
Jimmy
Microsoft Certified Cloud Specialist, MCP
- Proposed as answer by Wendy Jiang Monday, March 21, 2016 9:32 AM
- Marked as answer by Elaine Jing Thursday, April 7, 2016 9:45 AM
Monday, March 7, 2016 3:56 PM -
It seems that the renewal through the GPO mechanism has some issues
Hi,
In order to verify it, I would also suggest you try to renew manually using a CSR through IIS, as Jimmy said.
Regards,
Wendy
- Proposed as answer by Wendy Jiang Thursday, April 7, 2016 9:21 AM
- Marked as answer by Elaine Jing Thursday, April 7, 2016 9:45 AM
Tuesday, March 15, 2016 8:43 AM
All replies
-
The certificate is renewed based on the GPO without any issues. It's only that it's not assigned in the RDS Session Host Configuration as the active certificate.
Monday, March 7, 2016 3:59 PM
-
Hi,
Please verify that the new certificate is installed in the personal cert store of the computer account (Computer\Personal store). If it is not there, you could import it into the correct location. Then please check if it is visible in the RDS Session Host Configuration.
The certificate for RDS must be installed into the computer’s “Personal” certificate store. Please check this article regarding certificate requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services.
Here is a similar issue discussed in the following thread; you could have a look:
Regards,
Wendy
Wednesday, March 9, 2016 5:40 AM -
Wendy, the GPO automatically creates the certificate in the Personal store of each machine in its scope when the previous certificate has expired. The only missing "step" is that the new certificate isn't automatically selected against the RDS Session Host Configuration. This happened automatically at the time when the GPO was originally scoped, and the RDP certificates were brand new. It seems that the renewal through the GPO mechanism has some issues - which I'm not sure can be overcome without manual actions.
Wednesday, March 9, 2016 7:48 AM
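The check discussed in this thread (is the renewed certificate in the computer's Personal store, and is it the one the RDP listener actually uses) can be scripted. The following read-only PowerShell is an added example, not part of the original posts; it assumes PowerShell 3.0 or later, an elevated session, the default listener name `RDP-Tcp`, and a certificate template carrying the Server Authentication or Remote Desktop Authentication EKU.

```powershell
# Added example (not from the thread): compare the certificate bound to the
# RDP listener with the valid certificates in Cert:\LocalMachine\My.
$listenerName  = 'RDP-Tcp'                  # assumption: default listener name
$rdpAuthEku    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication
$serverAuthEku = '1.3.6.1.5.5.7.3.1'        # Server Authentication

# Thumbprint currently assigned to the listener.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='$listenerName'"
$boundThumb = $listener.SSLCertificateSHA1Hash

# Certificates in the Personal store that could serve RDP right now:
# private key present, inside the validity window, suitable EKU.
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus = $_.EnhancedKeyUsageList.ObjectId
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (($ekus -contains $rdpAuthEku) -or ($ekus -contains $serverAuthEku))
} | Sort-Object NotAfter -Descending

$newest = $candidates | Select-Object -First 1
$bound  = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $boundThumb } | Select-Object -First 1

# Classify the situation the thread describes.
$status = if (-not $newest) {
    'No valid candidate certificate in Computer\Personal'
} elseif (-not $bound) {
    'Listener thumbprint not found in Computer\Personal (self-signed or removed)'
} elseif ($bound.Thumbprint -eq $newest.Thumbprint) {
    'Listener uses the newest valid certificate'
} else {
    'Renewed certificate present but listener still bound to an older one'
}

[pscustomobject]@{
    Listener         = $listenerName
    BoundThumbprint  = $boundThumb
    BoundNotAfter    = if ($bound)  { $bound.NotAfter }    else { $null }
    NewestThumbprint = if ($newest) { $newest.Thumbprint } else { $null }
    NewestNotAfter   = if ($newest) { $newest.NotAfter }   else { $null }
    Status           = $status
}
```

Run across the machines in the GPO's scope, the `Status` column separates hosts where renewal did not enroll at all from hosts where only the listener assignment is stale.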