Local FQDN shown when connecting to Session Host through RD-Gateway

  • Question

  • Hello,

    I'm in the process of deploying remote desktop services for our company to see if it's viable for our situation.
    I've got everything working. The only thing that's bugging me is that the local FQDN is shown when connecting to a full desktop session host.
    I've set the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<Collection>\RemoteDesktops\<Collection>\ShowInPortal" to 1 to show the Remote Desktop Connection shortcut in RD Web Access.

    > Server certificates are all published in the RDS deployment properties. (We have bought a wildcard certificate from a trusted CA.)
    - RDCB SSO: Trusted & OK
    - RDCB Publishing: Trusted & OK
    - RD Web Access: Trusted & Error (All services are on single server with HA)
    - RD Gateway: Trusted & OK

    > RD Gateway specific certificates are also uploaded through the RD Gateway Manager.
    > RD Connection Broker HA DNS RR is set to remote.domain.com in the deployment properties.
    > RD Gateway server name is also configured to remote.domain.com in the deployment properties.
    > RD Gateway HA is configured with NLB on the second NIC of each server, with cluster name also set to remote.domain.com.

    I've configured the Gateway RAP to only allow connection to the RD Server Farm through the DNS RR name, being remote.domain.com, which we have also configured in our local DNS server to point to the RDCB.

    Now, when I try to connect through RD Gateway, I sometimes get the below error.
    Remote Desktop can't connect to the remote computer "remote.domain.com" for one of these reasons:
    1) Your user account is not listed in the RD Gateway's permission list
    2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example computer1.fabrikam.com or 157.60.0.1).
    Contact your network administrator for assistance.

    I don't get this error when I open a RemoteApp in the same session.
    When I add the farm members (using local server name) individually to the network resources, this works, but then I get the certificate mismatch. (This is also specified on the Network resources tab: Note: if you are using a Remote Desktop Session Host server farm, the name of the farm and the name of each member must be specified in the computer group.)

    Name mismatch
    Requested remote computer: servername.domain.local
    Name in the certificate from the remote computer: *.domain.com

    I've searched the internet for days now, but haven't found a solution yet. Or I must be doing something wrong.
    Need to note that I've also tried adding the servers to the network resources using a different DNS name (rds01.domain.com, rds02.domain.com), but that doesn't seem to do anything. Then I get the error again (Remote Desktop can't connect...)

    Hope I'm missing something here, because I don't want the local server name or IP to be visible.

    Thursday, August 11, 2016 8:37 AM

Answers

  • The issue seems to be resolved after changing the local server certificate thumbprint.

    Get certificate thumbprint using powershell:
    Get-Childitem Cert:\LocalMachine\My

    Set new thumbprint on server:
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Thumbprint"



    • Edited by H_Dennis Monday, August 22, 2016 11:07 AM
    • Marked as answer by H_Dennis Monday, August 22, 2016 12:48 PM
    Monday, August 22, 2016 11:05 AM
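    An added example (not Dennis's commands and not Microsoft's own code) that does the same job as the two commands above in one PowerShell script: it selects the publicly trusted certificate by the name it carries instead of by hand-copied thumbprint, reads the thumbprint currently bound to the RDP listener, and rebinds only when the two differ. The wildcard name `*.domain.com` and the listener name `RDP-Tcp` are assumptions; substitute your own. Run elevated on the session host.

    ```powershell
    # Added example, not from the original thread. Assumes the public wildcard
    # certificate is already imported into LocalMachine\My together with its
    # private key, and that the listener is the default "RDP-Tcp".
    $ExpectedName  = '*.domain.com'   # placeholder: the public name the clients connect to
    $ListenerName  = 'RDP-Tcp'        # default RDP listener; adjust if you renamed it

    # 1. Pick a usable certificate: private key present, not expired, and either the
    #    subject CN or one of the SAN DNS names matches the expected public name.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.Subject -like "CN=$ExpectedName*" -or
             $_.DnsNameList.Unicode -contains $ExpectedName)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert) {
        throw "No certificate with a private key for $ExpectedName found in LocalMachine\My"
    }

    # 2. Read what the listener presents today (same WMI class the wmic command writes to).
    $tsSetting = Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' `
                                 -ClassName 'Win32_TSGeneralSetting' `
                                 -Filter    "TerminalName='$ListenerName'"
    if (-not $tsSetting) { throw "Listener $ListenerName not found" }

    $current = $tsSetting.SSLCertificateSHA1Hash
    Write-Host "Currently bound : $current"
    Write-Host "Selected cert   : $($cert.Thumbprint)  ($($cert.Subject), expires $($cert.NotAfter))"

    # 3. Rebind only when needed. Set-CimInstance performs the same Put that
    #    'wmic ... Set SSLCertificateSHA1Hash="..."' does.
    if ($current -ieq $cert.Thumbprint) {
        Write-Host 'Listener already uses the selected certificate; nothing changed.'
    } else {
        Set-CimInstance -InputObject $tsSetting -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
        Write-Host "Bound $($cert.Thumbprint) to $ListenerName."
    }

    # 4. Re-read to confirm the change actually stuck.
    $after = (Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' `
                              -ClassName 'Win32_TSGeneralSetting' `
                              -Filter    "TerminalName='$ListenerName'").SSLCertificateSHA1Hash
    if ($after -ine $cert.Thumbprint) { throw 'Verification failed: listener still presents the old certificate' }
    ```

    Two things to keep in mind when using this: the listener runs as NETWORK SERVICE, so that account needs read access to the certificate's private key or the binding silently falls back to the self-signed certificate; and rebinding only changes which certificate the host presents, so the name-mismatch warning goes away only when the client (or the broker redirect) addresses the host by a name the certificate actually covers.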

All replies

  • Hi,

    Thanks for your post.

    > RD Connection Broker HA DNS RR is set to remote.domain.com in the deployment properties.
    > RD Gateway server name is also configured to remote.domain.com in the deployment properties.

    >>>I suggest you configure different names for them.

    When I add the farm members (using local server name) individually to the network resources, this works, but then I get the certificate mismatch. (This is also specified on the Network resources tab: Note: if you are using a Remote Desktop Session Host server farm, the name of the farm and the name of each member must be specified in the computer group.)

    >>>Try to configure the specific computers that users can connect to through Remote Desktop Gateway.

    https://technet.microsoft.com/en-us/library/cc732204%28v=ws.11%29.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, August 15, 2016 4:15 AM
    Moderator
  • Hi Jay,

    Thanks for your reply!

    I've changed the public DNS settings to 'portal.domain.com'. Also applied these changes to the deployment config of the Remote Desktop Services and NLB.
    The farm name (CB HA) is still configured as 'remote.domain.com'.

    I'm not sure what you mean with the second part. I've already configured the local resources in the Gateway Manager. I've set it to server1, server2 and remote.domain.com. So I'm not sure what I'm still supposed to do.

    Tested the above, with different names and it still shows the internal server name on the cert mismatch.

    Kind regards,
    Dennis

    Tuesday, August 16, 2016 9:09 AM
  • Why do you have to do this?

    I've set the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<Collection>\RemoteDesktops\<Collection>\ShowInPortal" to 1 to show the Remote Desktop Connection shortcut in RD Web Access.

    Just un-publish the apps and check the Show in RD Web option in order to get the Desktop Icon shown. You have to use that icon in order to connect to the broker first and then the broker will redirect you to a session host.

    Having both RemoteApp and Desktop on the same collection is not supported.

    Monday, August 22, 2016 8:40 AM
  • Hello,

    Because it is sometimes easier to work in a full desktop session on the server instead of using the published apps individually?

    I have already set that registry key to 1. The Desktop icon is visible besides the published apps. Connecting with that icon/link, gives me the mismatch (http://imgur.com/a/JjWZv). It happens when remote desktop connection is preparing the remote computer.
    You say publishing both the apps and the desktop icon is not supported? Why is that?

    I don't think unpublishing all the apps will do something about the certificate mismatch to be honest.

    Kind regards,
    Dennis

    Monday, August 22, 2016 9:29 AM
  • When you use the remoteapp do you get an error?
    Monday, August 22, 2016 9:33 AM
  • I do get the same error when trying to launch a RemoteApp now.
    Monday, August 22, 2016 9:46 AM
    OK, so now your certificates look good; you need to connect to the HA broker in order to get redirected.

    As I said before, RemoteApps and Desktops are not supported for the same collection. You have to have either RemoteApps or Desktops, not both, as users open multiple sessions on the same server or, even worse, split in two.

    You have to use the Remote Desktop Connection Broker in order to get redirected; the certificates will be OK once you use that name and not the session host name.

    You can either construct an RDP file using the broker and collection name or let RD Web Access create the file for you; once you unpublish all of the RemoteApps, the "Show this collection in RDWeb" option will be available for you to select. Then, by clicking on the RDWeb icon, you should get no errors.

    Monday, August 22, 2016 10:14 AM
  • I have used this script with success. This will fix your problem

    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

    Monday, August 22, 2016 2:33 PM
    > The issue seems to be resolved after changing the local server certificate thumbprint.
    >
    > Get certificate thumbprint using powershell:
    > Get-Childitem Cert:\LocalMachine\My
    >
    > Set new thumbprint on server:
    > wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Thumbprint"

    Dennis,

    I was having this same exact problem you described (in Windows Server 2016), but I'm not quite understanding your solution.  It turns out the reason mine wasn't working when using a public DNS name for the HA CB cluster was because I forgot to add the public DNS name to the Resource Authorization Policies on each RDG server (by adding it to the RDG_RDConnectionBrokers group).  Once I finally realized I had to add it there, I stopped getting the "can't connect to the remote computer" error... but I'm still getting certificate warnings about the RD SH server, because in Server 2016, there seems to be no way to configure an "alternate" DNS name for a SH server, and so I have to choose between using my domain CA certificate, which external users don't trust, or using my public CA certificate, which is for .com, not .local, which then doesn't match the server name.  So how did you solve that problem?  There are others in different threads who complain about this issue as well, but no one has explained how to change the DNS name the RemoteApp CB server points to, so that it matches the external certificate (.com instead of .local).  Hopefully since you were able to solve this yourself, there's hope in me solving my issue soon, too! :)  Thanks in advance for your help.

    Regards,

    Maximillian C.




    Sunday, December 10, 2017 9:59 PM
    > The issue seems to be resolved after changing the local server certificate thumbprint.
    >
    > Get certificate thumbprint using powershell:
    > Get-Childitem Cert:\LocalMachine\My
    >
    > Set new thumbprint on server:
    > wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Thumbprint"

    > Dennis,
    >
    > I was having this same exact problem you described (in Windows Server 2016), but I'm not quite understanding your solution. It turns out the reason mine wasn't working when using a public DNS name for the HA CB cluster was because I forgot to add the public DNS name to the Resource Authorization Policies on each RDG server (by adding it to the RDG_RDConnectionBrokers group). Once I finally realized I had to add it there, I stopped getting the "can't connect to the remote computer" error... but I'm still getting certificate warnings about the RD SH server, because in Server 2016, there seems to be no way to configure an "alternate" DNS name for a SH server, and so I have to choose between using my domain CA certificate, which external users don't trust, or using my public CA certificate, which is for .com, not .local, which then doesn't match the server name. So how did you solve that problem? There are others in different threads who complain about this issue as well, but no one has explained how to change the DNS name the RemoteApp CB server points to, so that it matches the external certificate (.com instead of .local). Hopefully since you were able to solve this yourself, there's hope in me solving my issue soon, too! :) Thanks in advance for your help.
    >
    > Regards,
    >
    > Maximillian C.

    Did you ever find a solution to this, I am facing the same issue where my internal session host servers are .local.

    Thanks,

    Erik


    Thursday, August 9, 2018 10:08 PM