Generate certificate request without having IIS roles?

  • Question

  • Hi, I have a setup with Remote Desktop Session Host and Remote Desktop Connection Broker running on one server; the Remote Desktop Gateway and Remote Desktop Web Access are running on a different server. To use single sign-on I need to have a certificate on the server running the Remote Desktop Session Host and Remote Desktop Connection Broker services, correct? But I don't have the IIS roles on that server; those are only on the server running Gateway and Web Access.

    I have a certificate on the server running the Remote Desktop Gateway and that works okay.

    Thursday, January 24, 2013 1:24 PM

Answers

  • Hi,

    If using the MS enterprise CA, the accessible way is to use IIS to request the cert. So, I suggest you request the cert through the Remote Desktop Web Access server, and then export/import it to your Remote Desktop Session Host server.

    Regards,

    Clarence

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, January 25, 2013 6:03 AM
    Moderator
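
The request step from the answer above, done directly on the Session Host, as an added example that is not part of the original thread: certreq.exe ships with Windows and can generate the key pair and CSR, submit it to an AD CS enterprise CA and install the issued certificate without the IIS role, and the RDP listener is bound to the certificate through WMI rather than an IIS binding. The FQDN rdsh.contoso.com, the template name WebServer and the CA config string CA01.contoso.com\Contoso-CA are assumptions; Export-PfxCertificate and Import-PfxCertificate need Windows Server 2012 or later, and the export is only needed if the same certificate must also be installed on the Web Access/Gateway server.

```powershell
# Added example (not from the thread). Request a Server Authentication
# certificate from an AD CS enterprise CA with certreq.exe, which is part of
# Windows and does not need the IIS role. Run elevated on the RD Session Host.
#
# Assumed values (adjust for your environment):
$Fqdn     = 'rdsh.contoso.com'               # name the clients connect to
$Template = 'WebServer'                      # template the machine account may enroll
$CaConfig = 'CA01.contoso.com\Contoso-CA'    # "CAHost\CAName", see: certutil -dump
$Work     = Join-Path $env:TEMP 'rdcert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq policy file: 2048-bit RSA key in the machine store, marked exportable
# only because the thread wants one certificate moved to a second server,
# EKU restricted to Server Authentication, SAN carrying the FQDN.
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn"

[RequestAttributes]
CertificateTemplate = $Template
"@
$InfPath = Join-Path $Work 'rdsh.inf'
$ReqPath = Join-Path $Work 'rdsh.req'
$CerPath = Join-Path $Work 'rdsh.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding Ascii

certreq.exe -new $InfPath $ReqPath                        # key pair + PKCS#10 CSR
certreq.exe -submit -config $CaConfig $ReqPath $CerPath   # enterprise CA issues it
certreq.exe -accept $CerPath                              # bind cert to the pending key

# Pick the freshly issued certificate out of the machine store.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# Bind it to the RDP listener; this is the Session Host equivalent of an IIS
# binding and needs no web server role.
$Listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $Listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $Cert.Thumbprint } | Out-Null

# Only if the same certificate must also live on the Web Access/Gateway host:
# export with the private key under a password, copy the PFX, and import there.
$PfxPath = Join-Path $Work 'rdsh.pfx'
$PfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPwd | Out-Null
# On the other server:
#   Import-PfxCertificate -FilePath .\rdsh.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPwd
```

The certificate is marked exportable only because the thread wants to reuse one certificate on two servers; if each server gets its own certificate, drop `Exportable = TRUE` so the private key cannot leave the machine. If the template is not set to issue automatically, `certreq -submit` prints a request ID and the certificate has to be retrieved with `certreq -retrieve` after approval.
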
  • You can't use that cert. All I meant above is based on you having installed your internal CA, so the Active Directory Certificate Services role is a MUST. Then you can request the wildcard cert from your CA.
    Alternatively, I suggest you request the wildcard cert from a 3rd-party CA. That is the more common and easiest way.

    Tuesday, January 29, 2013 8:08 AM
    Moderator
  • > Hi, on the Web Access server I have a RapidSSL certificate; it's not a wildcard certificate. Could I export and use that? Or do I need to add the Active Directory Certificate Services role?

    What you need are correct certificates regardless of the way they have been acquired. They need to have a correct subject name (wildcard certs are fine too), correct EKU/key usage, and be valid (in terms of PKI), i.e. be in their validity period (dates); if CRL distribution points are specified in them, they need to be reachable and the certs cannot be revoked, etc. What is most important: they have to be trusted by your clients (i.e. terminal clients). If you do not have your own PKI/CA right now it might be easiest to get an external certificate (like VeriSign or RapidSSL). I would personally go for a wildcard cert, but it depends on your security needs (a wildcard might be considered dangerous by some). On the other side, wildcard certs for TS Gateway require RDC 6.1 or better (most people should be fine with that, but... ;) )

    If you do get a cert from a publicly trusted CA (i.e. trusted by your clients), the only thing you should watch out for is using correct subject names in your configuration.

    For more information, see:

    http://technet.microsoft.com/en-us/library/cc754252.aspx#BKMK_ObtainCertTSGateway (section: "Certificate requirements for TS Gateway")

    http://blogs.msdn.com/b/rds/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx

    http://technet.microsoft.com/en-us/magazine/hh921957.aspx

    http://technet.microsoft.com/en-us/magazine/hh987041.aspx

    Regards,

    Pawel Mazurkiewicz
    Tuesday, January 29, 2013 9:55 AM
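
The checklist in the reply above (subject name, EKU/key usage, validity period, reachable CRL, trust by the clients), as an added example that is not from the thread: a PowerShell function that runs those checks against an installed certificate before it is bound to the Gateway or Session Host. The FQDN rdgw.contoso.com and the subject used to select the certificate are assumptions; the DnsNameList property is the one PowerShell 3.0 and later attaches to certificates read from the Cert: drive, with a fallback to the subject CN when it is absent.

```powershell
# Added example (not from the thread). Checks an installed certificate against
# the RD Gateway / Session Host requirements: name match (SAN or CN, wildcard
# allowed), Server Authentication EKU, validity dates, a chain the local machine
# trusts, and an online revocation check over the CRL/OCSP URLs in the chain.

function Test-DnsNameMatch {
    # RFC 6125-style match: a wildcard only in the leftmost label, covering
    # exactly one label, so *.contoso.com matches rdgw.contoso.com but not
    # contoso.com or a.b.contoso.com.
    param([string]$Pattern, [string]$Fqdn)
    if ($Pattern -notmatch '\*') { return ($Pattern -ieq $Fqdn) }
    if ($Pattern -match '^\*\.(?<suffix>[^*]+)$') {
        $head, $rest = $Fqdn -split '\.', 2
        return (($head -ne '') -and ($rest -ieq $Matches.suffix))
    }
    return $false   # a wildcard anywhere else is not accepted
}

function Test-RdsCertificate {
    # $Certificate is left untyped so the Cert: provider's extra properties survive.
    param(
        [Parameter(Mandatory)]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $now = Get-Date

    # Names: SAN dNSName entries (or the CN when there is no SAN) via DnsNameList;
    # fall back to GetNameInfo, which returns the first DNS name only.
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0) { $names = @($Certificate.GetNameInfo('DnsName', $false)) }
    $nameOk = [bool]($names | Where-Object { Test-DnsNameMatch $_ $ExpectedFqdn })

    # EKU: require an explicit Server Authentication purpose. A certificate with
    # no EKU extension is technically valid for everything; flag it anyway.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth }))

    # Chain: online revocation checking for leaf and intermediates (roots have
    # no CRL to fetch), restricted to the Server Authentication policy, using
    # this machine's trust store. Clients must trust the same root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $serverAuth))
    $chainOk = $chain.Build($Certificate)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $validity = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)

    [PSCustomObject]@{
        Thumbprint     = $Certificate.Thumbprint
        NamesPresented = ($names -join ', ')
        NameMatches    = $nameOk
        ServerAuthEku  = $ekuOk
        InValidity     = $validity
        HasPrivateKey  = [bool]$Certificate.HasPrivateKey
        ChainTrusted   = $chainOk
        ChainStatus    = ($chainStatus -join ', ')   # e.g. RevocationStatusUnknown, NotTimeValid
        Usable         = ($nameOk -and $ekuOk -and $validity -and $Certificate.HasPrivateKey -and $chainOk)
    }
}

# Usage (assumed subject): run on the host that will present the certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=rdgw.contoso.com' } | Select-Object -First 1
Test-RdsCertificate -Certificate $cert -ExpectedFqdn 'rdgw.contoso.com' | Format-List
```

A `ChainStatus` of `RevocationStatusUnknown` or `OfflineRevocation` is the "CRL distribution point not reachable" case from the reply: the certificate itself may be fine, but clients that enforce revocation checking will refuse it until the CDP is reachable from their network.
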

All replies

  • Hi, on the Web Access server I have a RapidSSL certificate; it's not a wildcard certificate. Could I export and use that? Or do I need to add the Active Directory Certificate Services role?


    • Edited by Buffelen Friday, January 25, 2013 8:12 AM
    Friday, January 25, 2013 7:34 AM