RDS Farm Certificate(s)

    Question

  • Goal: Set up a two server farm, published apps (no desktops), use gateway and web access externally

    Info: Single Forest/Domain, All three internal servers, ISA 2006 SP1, internal Windows CA

    I have deployed this many times with varying certificate configurations and just wanted someone else's opinion about the proper certificate requirements.

    Server1 - Windows 2008 R2
    Remote Desktop Licensing
    Remote Desktop Connection Broker
    Remote Desktop Gateway
    Remote Desktop WebAccess

    Server2 - Windows 2008 R2 (RDSFARM1)
    Remote Desktop Session Host

    Server3 - Windows 2008 R2 (RDSFARM1)
    Remote Desktop Session Host

    AD domain name: domain.com
    External DNS name: domain.com

    theoretical DNS names for this example:
    rdg.domain.com = gateway DNS name
    rds.domain.com = Remote Desktop WebAccess DNS name
    rdsfarm1.domain.com = farm DNS name

    Would like to leverage a SAN cert for the external certificate.

    How many internal certificates are needed and which ones?
    How many external certificates are needed and which ones?
    What DNS names need to be made available externally?
    Can the same cert be used for signing and server auth?  If so, what common name would you use?
    Can one SAN cert be used for the entire configuration?  If so, what entries need to be included? what would be in the common name field?

    If there is a document that describes the required certs with an example, I would be very interested in seeing it.

    Thanks

    Thursday, February 11, 2010 3:29 PM

Answers

  • Hi,

    A SAN cert can be used for server authentication. For detailed information, please refer to the following article:

    Certificates with Multiple SAN Entries May Break ISA Server Web Publishing
    http://blogs.technet.com/isablog/archive/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing.aspx

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.

    I know this sounds like overkill but I want to make 100% sure I understand.  I know what certs are required and I understand what a SAN cert is.  What is unclear is:  Can all the certs for RDS be combined into one SAN cert? 

    I understand from your comment "You will need several different kinds of certificates." that multiple certs can be created, but that is not my desire.

    If I understand you correctly I can place all three of these names (maybe more) on the SAN cert and ONLY use the SAN cert for RDS.  Would there be any benefit to putting the RD Session Host server FQDN and NetBIOS name in the cert like in Exchange?

    1.  rds.domain.com (RD Web Access) - common name
    2.  rdg.domain.com (RD Gateway)
    3.  rdsfarm.domain.com (RDS Farm Name)

    If I have a standalone RD Session Host server, would I also need:

    4.  netbiosname.domain.com
    5.  netbiosname (maybe?)

    I might have a farm and a standalone

    BTW...I am or will be using ISA 2006 SP1 or UAG


    Thanks

    Not sure if anyone really cares but I thought I would give an update.

    I got tired of waiting for an answer so I cut a SAN certificate with:

    rds.domain.com (Web Access and common name)
    rdg.domain.com (RD Gateway)
    rdsfarm.domain.com (Farm name)
    netbiosname.domain.com (standalone server)

    I implemented the certificate in the RDS deployment for RD Web Access, RD Gateway and Server Authentication and all is well.

    The internal non-domain joined Windows Embedded clients no longer prompt for authentication or get CRL errors.  The ISA/UAG server is not installed yet so I am unable to test external users at this time.
    I also removed the custom RDP settings in RemoteApp Console and set them back to default.  I didn't feel adding those settings was the appropriate way since it enabled legacy RDP encryption and avoided SSL.  Even if I had the non-domain joined Windows Embedded machines go through the gateway I still received the CRL errors.  The Windows Embedded machines are on the local LAN; they just aren't joined to the domain.

    enablecredsspsupport:i:0
    authentication level:i:0


    default:

    authentication level:i:2


    • Marked as answer by TKC Global Saturday, February 27, 2010 8:40 PM
    Friday, February 26, 2010 11:18 PM
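The accepted answer above settles on one SAN certificate carrying the Web Access, Gateway, farm and standalone host names, and earlier in the thread the poster also considered a CN-only internal CA certificate per farm. The following is an added example, not code from the thread or from Microsoft, that checks which of those connection names a given certificate would satisfy under the name-matching rules TLS clients apply (RFC 6125): an exact, case-insensitive DNS SAN match, a wildcard only as the whole left-most label, and the Common Name consulted only when the certificate has no DNS SAN entries at all. The certificates and the role-to-name table are constructed from the names used in this thread (with `domain.com` standing in for the real domain, as it does throughout), not parsed from real X.509 data.

```python
"""Check which RDS connection names a certificate actually covers.

Added example for this thread; not code from the thread, from Microsoft or
from any RDS tool. The certificates below are constructed stand-ins for the
ones discussed (the single SAN cert the poster ended up with, a CN-only
internal CA cert for the farm name, a wildcard cert, and a cert whose CN is
not repeated in its SAN list). Matching follows RFC 6125.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity names of one certificate (constructed, not parsed from X.509)."""
    common_name: str
    san_dns: list = field(default_factory=list)


def _name_match(pattern: str, name: str) -> bool:
    """True if `name` matches `pattern`, with RFC 6125 wildcard rules."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, n_labels = pattern.split("."), name.split(".")
    # The wildcard covers exactly one label: '*.domain.com' matches
    # 'rds.domain.com' but neither 'domain.com' nor 'a.b.domain.com'.
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def cert_covers(cert: CertNames, name: str) -> bool:
    """Would a client connecting to `name` accept `cert` as proof of that name?"""
    if cert.san_dns:
        # Once a SAN extension is present the CN is ignored, so a CN that is
        # not repeated in the SAN list does not help.
        return any(_name_match(p, name) for p in cert.san_dns)
    return _name_match(cert.common_name, name)


# Role -> the name clients are pointed at for that role (constructed from the
# names used in the thread; for server authentication the RDP client checks
# the farm name it connects to, not the individual session host names).
ROLE_NAMES = {
    "RD Web Access (HTTPS)": "rds.domain.com",
    "RD Gateway (HTTPS)": "rdg.domain.com",
    "RD Session Host farm (server auth)": "rdsfarm.domain.com",
    "Standalone RD Session Host (server auth)": "netbiosname.domain.com",
}


def coverage_report(cert: CertNames, role_names=ROLE_NAMES) -> dict:
    """Map each role to whether `cert` covers the name that role is reached by."""
    return {role: cert_covers(cert, name) for role, name in role_names.items()}


def missing_names(cert: CertNames, role_names=ROLE_NAMES) -> list:
    """Sorted list of names `cert` would raise a name-mismatch warning for."""
    return sorted({n for n in role_names.values() if not cert_covers(cert, n)})


# Constructed certificates mirroring the thread's proposals.
SAN_CERT = CertNames("rds.domain.com", [
    "rds.domain.com", "rdg.domain.com", "rdsfarm.domain.com", "netbiosname.domain.com",
])
FARM_CERT = CertNames("rdsfarm.domain.com")                       # internal CA, CN only
WILDCARD_CERT = CertNames("*.domain.com", ["*.domain.com"])
CN_NOT_IN_SAN = CertNames("rds.domain.com", ["rdg.domain.com"])  # common mistake

if __name__ == "__main__":
    for label, cert in [("SAN cert", SAN_CERT), ("farm CN-only cert", FARM_CERT),
                        ("wildcard cert", WILDCARD_CERT), ("CN not in SAN", CN_NOT_IN_SAN)]:
        print(f"{label}: missing {missing_names(cert) or 'nothing'}")
```

The point this makes for the deployment in the thread: a name mismatch is what produces the authentication warnings that tempt people into lowering `authentication level`, so every name a client is pointed at has to be in the SAN list, a CN that is not repeated as a SAN entry buys nothing once a SAN extension is present, and a certificate carrying only FQDNs never matches a bare NetBIOS name such as `netbiosname`.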

All replies


  • After reading the following I have come to believe that I cannot use a SAN cert for server auth.

    "We suspect you used SAN certificates during your RDS deployment, which contain at least the internal and external FQDN of your RDS environment. And you have a single certificate for your RD Session Host, as RDP connection security still not support SAN certificates."
    http://msmvps.com/blogs/wssra/archive/2010/01/14/publishing-remote-desktop-service-with-forefront-tmg-2010.aspx

    Here is my new proposal for a SAN cert and internal CA certs:

    SAN Cert:

    rdsgateway.domain.com (gateway FQDN) - Used by external users
    rds.domain.com (Web Access FQDN) - Used by both internal and external users

    Does this need any other SAN entries?  Do I need any NetBIOS names in the SAN cert like I do for Exchange?  If so, I assume I would need the FQDN and NetBIOS name of the gateway and web access server?  Well, at least the web access servers.

    Internal CA cert 1:

    common name: rdsfarm1.domain.com

    This will be imported into all farm servers (server1 and server2) and used for server auth.


    Let's say I want to have a farm and two standalone servers available in Web Access:

    Internal CA cert 2:
    common Name: server3.domain.com
    This will be imported into server3 and used for server auth.

    Internal CA cert 3:
    common name: server4.domain.com
    This will be imported into server4 and used for server auth.

    If the Remote Desktop Session Host servers are not in a farm I assume they need their own individual internal CA cert like the examples above?

    The only thing left is the certificate for signing the apps.  Should the SAN cert or one of the above internal CA certs be used for signing or would it be best to have another cert just for signing?

    Thursday, February 11, 2010 11:15 PM
  • Bueller? ... Bueller?
    Friday, February 12, 2010 2:22 PM
  • Hi,

    Sorry for the delayed response.

    You will need several different kinds of certificates.

    1. RDS Gateway Certificate

    It needs an external DNS name that can be resolved publicly. For more information:

    Introduction to TS Gateway Certificates
    http://blogs.msdn.com/rds/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx

    Certificate requirements for TS Gateway
    http://technet.microsoft.com/en-us/library/cc754252(WS.10).aspx#BKMK_ObtainCertTSGateway

    2. RDS Web Access server certificate for SSL

    3. RDS Session Host Server Authentication certificate

    Its name does not need to be externally accessible if all remote desktop access from external clients goes through TS Gateway. The subject name in the certificate should be the same as the name used in the client connection.

    Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks
    http://blogs.msdn.com/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx

    Windows Server 2008 R2 also has an option to create a Kerberos identity for the farm to provide server authentication in intranet scenarios. For extranet, the customer should use a certificate.

    Creating Kerberos Identity for RD Session Host Farms
    http://blogs.msdn.com/rds/archive/2009/05/20/creating-kerberos-identity-for-rd-session-host-farms-part-i-using-the-remote-desktop-services-provider-for-windows-powershell.aspx

    4.  RemoteApp certificate

    If you are already using an SSL certificate for terminal server or TS Gateway connections, you can use the same certificate to sign .rdp files.

    TS RemoteApp Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, February 18, 2010 8:16 AM
    Moderator
  • Dear All,

    My name is Jos Munnik and I'm working for a company in the Netherlands where we are implementing an SBC environment. I've read your article on www.virtualizationadmin.com about "Enable Single Sign-On for Windows Server 2008 Terminal Services".

    Source: http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/enable-single-sign-on-sso-windows-server-2008-terminal-services.html

    When following this great guideline and implementing it in our new environment I stumbled on a big issue. When connecting directly to a Remote Desktop Server, SSO works perfectly. But in our case we are connecting to a Remote Desktop Session Host Farm implemented with a clustered Connection Broker and DNS round robin.

    DELEGATION OF CREDENTIALS IS NOT POSSIBLE TO THIS HOST. (BECAUSE THE HOST DOES NOT REALLY EXIST)

    When I was investigating this problem I figured out that it isn't possible to delegate the user's credentials to the farm address. After research I found an article on enabling a Kerberos identity for the RD Session Host Farm.

    Source: http://blogs.msdn.com/rds/archive/2009/05/20/creating-kerberos-identity-for-rd-session-host-farms-part-i-using-the-remote-desktop-services-provider-for-windows-powershell.aspx

    But we cannot use this configuration because we run our Connection Broker as a node in a Failover Cluster.

    Important! Kerberos identity is not supported if the Connection Broker runs as a node in a Failover Cluster.

    My question to you is: do you know if this problem is solved when we use certificates to authenticate (SSO)?

    -      If this problem can be tackled with certificates, do you know where to find a guideline on how to configure this with certificates?

    -      Do we need Subject Alternative Name certificates for this configuration, with the farm name included?

    Additional infrastructure information:

    New SBC project:

    -      10 Remote Desktop Session Hosts (Windows Server 2008 R2 Enterprise)

    o    Configured as joined in a farm

    -      Connection Broker runs as a node in a Failover Cluster

    o    http://technet.microsoft.com/en-us/library/cc753891.aspx

    o    Round robin (because of best practice)

    -      2 Remote Desktop Web Access / Gateways

    o    Load balanced with NLB unicast, 2 NICs in every machine.

    If you have a better idea about this configuration please let us know.

    Waiting for your answers.

    With Kind Regards,

    Tuesday, February 23, 2010 3:09 PM
  • Hi TKC Global,

    Do you need any other assistance? If there is anything we can do for you, please let us know.

    Jos, please initiate a new thread for your problem to avoid confusion.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, February 24, 2010 3:09 AM
    Moderator
  • Thank you for your reply. I've created a new thread:

    http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/deb31355-5553-4ac2-a41b-32e332bd0835

    With Kind Regards,

    Jos Munnik

    Wednesday, February 24, 2010 10:03 AM
  • Sorry, I did not see the response until today.

    3. RDS Session Host Server Authentication certificate

    Its name does not need to be externally accessible if all remote desktop access from external clients goes through TS Gateway. The subject name in the certificate should be the same as the name used in the client connection.

    All users will access RDS externally from Web Access.  If I configure application settings in IIS7 under RDWeb/Pages and set the property DefaultTSGateway, won't all internal and external users use the gateway, since both internal and external users use the same Web Access server?  How can external users use the gateway in Web Access while internal users bypass the gateway when using Web Access?  The external users could be any home PC over which we have no control.

    There are three servers in total: one server with Web Access and Gateway, plus two farm servers.

    SAN cert - rds.domain.com and rdg.domain.com
    internal cert - rdsfarm1.domain.com


    Thanks


    Wednesday, February 24, 2010 9:25 PM
  • I guess when it comes down to it, all I really need to know is:

    1.  Can I put rds.domain.com (web access), rdg@domain.com (gateway), and rdsfarm1.domain.com (server auth) in a commercial cert where rds.domain.com is the common name?  This cert would be used for web access, gateway and server auth.  I would ONLY use this one cert.  Is this possible?

    If yes,

    2.  Can a SAN cert be used for server authentication?  I read that a SAN cert cannot be used for server authentication.  Is this true?


    Thanks
    Wednesday, February 24, 2010 10:10 PM
  • "A revocation check could not be performed for the certificate"

    With my current configuration, the recommendation to resolve the above issue on non-domain joined thin clients (Windows Embedded) and external machines is to use legacy RDP encryption as per the following URL.  Internal domain-joined computers work fine.  So using a SAN cert for gateway and web access and an internal CA cert for the farm name for server auth does not appear to be an optimal solution, as CredSSP causes a CRL failure because the CDP cannot be resolved.  The two solutions below are really not feasible for non-domain joined PCs.  Am I expected to have everyone that wants to use Web Access from home import a reg key or use legacy RDP encryption and avoid SSL?  It would appear that using an internal CA cert for server auth is not the optimal solution.  If SAN certs cannot be used for server auth then I assume the optimal solution would be to use a commercial SAN cert for Web Access and Gateway and use another individual commercial cert for the farm name used for server auth.  This way the farm/server auth cert will have an externally resolvable CDP.  Am I missing anything?  ...and again, can a SAN cert be used for server auth?  I hope so...

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/91c05025-f18a-4839-973f-42fceaf66a77

     

    This is not a bug and this is not something that will be changed.
    Since CredSSP the "revocation check could not be performed" error has become non-continuable.
    The two solutions available are the following:

    1. The DWORD key: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors can be added to:

    System\CurrentControlSet\Control\LSA\CredSSP and given a non-zero value (1).

    2. Create an RDP file with the following properties. This would make RDP clients use legacy RDP encryption and avoid SSL:

    enablecredsspsupport:i:0
    authentication level:i:0


    We also see this issue when the CRL is published on the CA and the CA is offline, in that case, publish the CA to AD if it's AD integrated.



    BTW...I am using the gateway with web access and see the connection in the gateway when testing as recommended here below.  I have followed these steps and I am using the RD Connection Broker mode.

    http://blogs.msdn.com/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

    Web SSO with RD Gateway

    Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.

    The configuration of Web SSO for RD Gateway assumes that:

    • an RD Gateway is deployed
    • a ‘Connection Authorization Policy’ is set to use password for the users connecting
    • and the RD Gateway server is used by RemoteApp programs

    More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.

    The step below is needed regardless of the mode RD Web Access is configured. In case of RD Connection Broker mode, the step needs to be performed on each RD Session Host server which is added as a RemoteApp Source on RD Connection Broker Server.

    Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.

    1. On the RD Session Host server, open RemoteApp Manager. To open RemoteApp Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
    2. In the Actions pane of RemoteApp Manager, click RD Gateway Settings. (Or, in the Overview pane, next to RD Gateway Settings, click Change.)
    3. Select the Use these RD Gateway server settings.
    4. In the Server name box, click the FQDN of the RD Gateway server.
    5. In the Logon box, select the Ask for password (NTLM).
    6. Select the Use the same user credentials for RD Gateway and RD Session Host server check box.
    7. Click OK to close the RemoteApp Deployment Settings dialog box.

    Thanks

    Thursday, February 25, 2010 1:46 AM
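The thread quoted above offers two workarounds for the non-continuable revocation error: a registry value that makes CredSSP ignore an unknown revocation status, and an .rdp file that turns off CredSSP and drops the authentication level to 0. Both remove the check that makes server authentication meaningful, which is why the poster's later update says those RDP settings were put back to default. The following is an added example, not code from the thread, from Microsoft or from mstsc, that audits .rdp files for exactly those two settings so such files can be spotted before they are handed out through RD Web Access or the RemoteApp console. The .rdp contents are constructed; the `name:type:value` line format, the `i`/`s` type letters and the meaning of `authentication level` 0, 1 and 2 are real, and the assumption that a file without an `authentication level` line behaves as level 2 is taken from the default the thread reports.

```python
"""Flag .rdp file settings that trade server authentication for convenience.

Added example for this thread; not code from the thread, from Microsoft or
from mstsc. The two .rdp texts below are constructed. The file format is
real: one setting per line as `name:type:value`, where type `i` is an
integer and `s` is a string (the value itself may contain ':').
"""

# Meaning of "authentication level" values as the RDP client applies them.
AUTH_LEVEL_MEANING = {
    0: "connect even if server authentication fails, without warning",
    1: "refuse to connect if server authentication fails",
    2: "warn the user if server authentication fails (default reported in the thread)",
}

# Setting -> (value that weakens security, why it matters to a defender).
# These are the two lines the quoted workaround adds to the .rdp file.
WEAK_VALUES = {
    "enablecredsspsupport": (
        0, "CredSSP/NLA disabled, so the session falls back to legacy RDP security instead of TLS"),
    "authentication level": (
        0, "server certificate failures are accepted silently, so a spoofed server goes unnoticed"),
}


def parse_rdp(text: str) -> dict:
    """Parse .rdp text into {setting: value}; `i` settings become int."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)   # at most 3 parts: name, type, value
        if len(parts) != 3:
            continue                        # blank or malformed line
        name, kind, value = parts
        name = name.strip().lower()
        if kind == "i":
            try:
                settings[name] = int(value)
            except ValueError:
                settings[name] = value      # keep a malformed integer as text
        else:
            settings[name] = value
    return settings


def audit_rdp(text: str) -> list:
    """Return one finding string per weakening setting present in `text`."""
    settings = parse_rdp(text)
    findings = []
    for name, (weak, why) in WEAK_VALUES.items():
        if settings.get(name) == weak:
            findings.append(f"{name}:i:{weak} -> {why}")
    return findings


def effective_auth_level(text: str) -> str:
    """Describe the file's authentication level; a missing line is treated as
    level 2 (assumption taken from the default the thread reports)."""
    level = parse_rdp(text).get("authentication level", 2)
    return AUTH_LEVEL_MEANING.get(level, f"unknown value {level!r}")


# Constructed .rdp contents: the workaround file and a default-settings file.
LEGACY_RDP = """\
screen mode id:i:2
full address:s:rdsfarm.domain.com
gatewayhostname:s:rdg.domain.com
enablecredsspsupport:i:0
authentication level:i:0
"""

DEFAULT_RDP = """\
screen mode id:i:2
full address:s:rdsfarm.domain.com
gatewayhostname:s:rdg.domain.com
authentication level:i:2
"""

if __name__ == "__main__":
    for label, text in [("workaround file", LEGACY_RDP), ("default file", DEFAULT_RDP)]:
        print(f"{label}: {effective_auth_level(text)}")
        for finding in audit_rdp(text):
            print("  ", finding)
```

Run `audit_rdp` over every .rdp file a deployment publishes; an empty result means neither weakening setting is present. Where findings appear, the remedy is the one the thread arrives at: a server-authentication certificate whose CRL distribution point the client can actually reach, not a lower authentication level.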
  • Who did you buy your certificate from?  I'm struggling with the whole certificate jazz, could really use some help.
    Wednesday, May 19, 2010 3:32 PM
  • Hi TKC Global,

    I stumbled on your postings (and frustration) about the SSL stuff in RDS 2008 R2. Doesn't Citrix do this better/easier?

    Anyway, have you managed to get things going? What I am not sure about is the cert used on the RD Connection Broker. External users get login prompts for the connection broker. I read somewhere that the cert on the broker that signs the RDP file and the cert on the session hosts should be the same, hence a wildcard cert or a SAN cert.

    I have a wildcard cert, but I keep getting the login prompts for the broker. I am now testing with a SAN cert with all roles in it.

    What I also have is a split DNS. I do not need to worry about internal/external names. I use external names all the way (they map internally to internal IP addresses).

    If you have the broker working, I am interested.

    BR,

    Ronald

    Monday, August 02, 2010 2:18 PM
  • Hi Ronald1971

    I am in the same situation. Have you resolved this?

    Thanks,

    TKE402

    Thursday, October 11, 2012 6:17 PM