Certificate RD Gateway, Broker and RDSH - Multiple login and certificate errors

  • Question

  • Hello,

    First, please my apologies if this question was asked before...

    I have read more than 80 posts over the internet to find a suitable response but nothing really clear for the moment...

    This one seems to be the most interesting: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn781533(v=ws.11)

    I have a question concerning certificates for RDS 2016.

    My customer configuration is:

    - 1 RDS Broker (RDB.customer.domain.com)

    - 1 RDS Gateway and RD WebAccess (RDGW.customer.domain.com)

    - 1 licensing server (RDL.customer.domain.com)

    - 4 RDS SH servers (RDSH01 to 04.customer.domain.com)

    The servers are in the domain: "customer.domain.com".

    The customer's domain is: "main.domain.com".

The RD Web access must be accessed from the customer domain (from main.domain.com => customer.domain.com using a VPN) and from the internet with the alias "https://test.domain.com".

    There is no relationship between domains "customer.domain.com" and "main.domain.com".

My customer asked me for a SHA256 certificate created with MMC (right click on "certificates", "personal", "certificates", "Advanced Operations", "Create Custom Request", etc...) because it was not possible with IIS (only SHA1 possible).

That is what I have done: creation of the CSR with CN=test.domain.com (and O=xxxxxx, OU=xxxxxx, L=xxxxx, S=xxxxx, C=xx) without specifying the Subject Alternative Name.

When the certificate was signed with the customer's CA, I put the certificate into the edit properties of the RDS, enabling SSO, but I always have multiple logins when trying to connect from the Internet (https://test.domain.com).

On the certificate, the Issuer is "CA of the customer", issued to "CN=test.domain.com, O=xxxxxx, OU=xxxxxx, L=xxxxx, S=xxxxx, C=xx", subject alternative name: test.domain.com (I think this will not work for SSO).

    I have read that I have to put on the CSR, a SAN (Subject Alternative Name) with DNS=*.customer.domain.com.

    So, my 2 questions are:

How can I create the CSR to avoid multiple login prompts and certificate errors?

    Is this example correct?

    CN=test.domain.com

    O=xxxxxx

    OU=xxxxx

    L=xxxxx

    S=xxxx

    C=XX

    DNS=*.customer.domain.com (alternative name)

    Can I use only 1 certificate for Broker, GW, RDWebAccess, RDSH?

    Thank you for your support!

    Damien.

    Monday, July 15, 2019 3:33 PM

Answers

  • HI
3: If I ask for a wildcard certificate with CN "test.domain.com" (that points to the internet RD Web Access https://test.domain.com) and DNS "*.customer.domain.com" (that contains *.customer.domain.com, the name of the domain in which Serv1, Serv2 and Serv3 are), can I use this wildcard certificate for the 3 servers? Will it work?

For your condition, you need a public CA certificate for your RDS environment. I am not sure why you don't use https://test.customer.domain.com as the external URL for server 1 (with the RDS Gateway and RD WebAccess roles). If you can do that, the below wildcard certificate will match all your RDS roles.
So the wildcard certificate needs to include:
subject name: common name -- *.customer.domain.com
alternative name: DNS -- *.customer.domain.com

    "The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.  So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers in the collection.  The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to.  If you have users connecting externally, this needs to be an external name (needs to match what they connect to).  If you have users connecting internally to RDweb, the name needs to match the internal name.  For Single Sign On, again the subject name needs to match the servers in the collection."
    https://techcommunity.microsoft.com/t5/Ask-The-Performance-Team/Certificate-Requirements-for-Windows-2008-R2-and-Windows-2012/ba-p/375448

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Thursday, July 25, 2019 3:57 AM
    Moderator
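The matching rule quoted above (a subject name or SAN entry must match the name the client connects to) can be checked against the thread's own host names before a CSR is submitted. This is an added example, not code from the thread or from Microsoft; it assumes the four session hosts are rdsh01 to rdsh04 and models one caveat the thread runs into: Chrome (since version 58) and Firefox ignore the CN once a SAN extension is present, while IE and legacy Edge still accepted a CN match, so an external name kept only in the CN is covered by some clients and not others.

```python
# Added example (not from the thread): which RDS endpoints do a certificate's
# names cover? Rule: a subject name or SAN entry must match the name the client
# connects to. Host names are from the thread; rdsh01..rdsh04 are assumed.

# Names the clients actually connect to, per role.
RDS_ENDPOINTS = {
    "RD Web Access / RD Gateway (external alias)": "test.domain.com",
    "RD Connection Broker": "rdb.customer.domain.com",
    **{f"RD Session Host {i:02d}": f"rdsh{i:02d}.customer.domain.com"
       for i in range(1, 5)},
}


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is only valid as
    the whole leftmost label and matches exactly one label, so
    *.customer.domain.com covers rdb.customer.domain.com but not
    customer.domain.com or a.b.customer.domain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(common_name, san_dns, san_overrides_cn=True):
    """Names a client compares against. Chrome (>= 58) and Firefox ignore the CN
    whenever a SAN extension is present; IE and legacy Edge accepted a CN match
    (the behaviour the thread observed). The flag models that difference."""
    if san_dns and san_overrides_cn:
        return list(san_dns)
    return [common_name] + list(san_dns)


def uncovered_endpoints(common_name, san_dns, san_overrides_cn=True,
                        endpoints=RDS_ENDPOINTS):
    """Return {role: hostname} for every endpoint no certificate name matches."""
    names = cert_names(common_name, san_dns, san_overrides_cn)
    return {role: host for role, host in endpoints.items()
            if not any(name_matches(n, host) for n in names)}


if __name__ == "__main__":
    # The certificate first purchased in the thread: CN and SAN both test.domain.com.
    print(uncovered_endpoints("test.domain.com", ["test.domain.com"]))
    # The proposed CSR: CN=test.domain.com, SAN only *.customer.domain.com.
    print(uncovered_endpoints("test.domain.com", ["*.customer.domain.com"]))
    # Both names in the SAN: every role is covered for every client type.
    print(uncovered_endpoints("test.domain.com",
                              ["test.domain.com", "*.customer.domain.com"]))
```

Putting both test.domain.com and *.customer.domain.com in the SAN is the only variant that leaves the last call empty regardless of the client's CN policy.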

All replies

  • hi

1 "The RD Web access must be accessed from the customer domain (from main.domain.com => customer.domain.com using a VPN) and from the internet with the alias https://test.domain.com"
1.1 Where are the RDS domain users who want to remotely access the RDSH servers? Only in main.domain.com, or in both main.domain.com and customer.domain.com?
1.2 Does your customer have the below need?
RDS users need to remotely access the RDSH servers from the internet using a computer in a workgroup or an Android device.

2 "There is no relationship between domains customer.domain.com and main.domain.com"
Did you mean there is no trust relationship between the domains customer.domain.com and main.domain.com?

3 "My customer asked me for a SHA256 certificate created with MMC (right click on "certificates", "personal", "certificates", "Advanced Operations", "Create Custom Request", etc...) because it was not possible with IIS (only SHA1 possible)."
In general, there are 3 RDS roles (RDCB, RDWeb, RD Gateway) that need a certificate.
Did you want to create a self-signed SHA256 certificate for the 3 RDS roles, or did you want to create an internal SHA256 certificate (published by an internal CA) for the 3 RDS roles?

4 "Can I use only 1 certificate for Broker, GW, RDWebAccess, RDSH?"
Yes, you can. In general, there are 3 RDS roles (RDCB, RDWeb, RD Gateway) that need a certificate.
We can use a wildcard certificate, published by an internal CA or a public CA, for the 3 roles.
The wildcard certificate needs to include:
subject name: common name -- *.customer.domain.com
alternative name: DNS -- *.customer.domain.com
Does your customer want to use a certificate published by a public CA or a certificate published by an internal CA?

5 If you have the certificate(s) purchased from a public authority or issued from an internal CA, you can refer to the below document to configure the certificates.
Configuring certificates in 2012/R2 Remote Desktop Services (RDS): https://www.vkernel.ro/blog/configuring-certificates-in-2012r2-remote-desktop-services-rds

    Please Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Tuesday, July 16, 2019 3:12 PM
    Moderator
  • HI
    Is there any progress on your question?

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 22, 2019 9:57 AM
    Moderator
  • Hi Andy,

    Thank you for your reply!!!!

    Sorry for the delay... Below are my replies.

1.1: Users from main.domain.com and customer.domain.com are separated, registered on their own AD, and for the RDS connection they will use another login on the AD of the customer.domain.com domain. So, one login in the first AD (when they log on to their laptops) and another login in the second AD (when they access https://test.domain.com via RD Web Access).

    1.2: RDS users must have an access on the site https://test.domain.com, using the customer.domain.com users from their own laptops on the domain main.domain.com (hope this is clear :) ).

    2: You are right, no trust relationship between the 2 different domains.

    Users for "main.domain.com" will connect on https://test.domain.com (RD Web Access) and will use "customer.domain.com" users to connect on RDSH servers.

    3: The certificate will not be self-signed and will be trusted by a public CA.

4: The servers and roles are dispatched like this:
- 1 server with RD Web Access and RD Gateway (Serv1)
- 1 server with RD Broker (Serv2)
- 1 server with RD Licence (Serv3)

If I ask for a wildcard certificate with CN "test.domain.com" (that points to the internet RD Web Access https://test.domain.com) and DNS "*.customer.domain.com" (that contains *.customer.domain.com, the name of the domain in which Serv1, Serv2 and Serv3 are), can I use this wildcard certificate for the 3 servers? Will it work?
    The certificate will be published by a public CA.

5: That is what I have done, but the certificate I purchased previously only contains as the CN "test.domain.com" and DNS "test.domain.com" (instead of "*.customer.domain.com"; that was my mistake, I think)...

Usually, I don't have problems with understanding certificates, but I think this is different in that case, as I have different servers.

    Hope to be clear :)

    Thanks again for your support!

    Damien.

    Tuesday, July 23, 2019 7:29 AM
  • Hello Andy,

Thank you again for your reply :)

    So, my customer wants to connect to https://test.domain.com even if our domain is "customer.domain.com".

I made a few tests and, when using a test self-signed wildcard with CN=test.domain.com and SAN(DNS)=*.customer.domain.com, it works without having a lot of password prompts.

    So, I guess I can use this method with the CA to create the wildcard certificate.

I will do a few tests next week and keep you informed.

    Thanks again :))))

    Damien.

    Friday, July 26, 2019 1:37 PM
ok, thanks for your reply. I hope everything goes well.

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, July 27, 2019 5:42 AM
    Moderator
  • Hello Andy,

    Everything is now fine using the SAN :)

    So, the https://test.domain.com with SAN(DNS)=*.customer.domain.com works fine on... Internet Explorer and Edge.

My problem now is that Google Chrome and Firefox always ask for passwords, as I have seen that SSO is not compatible with them because of ActiveX...

I have seen that I could use those 2 web browsers using HTML5.

    I will now check how to configure it for Chrome and Firefox :)

    Thanks again for your support!

    Damien.

    Tuesday, July 30, 2019 5:29 PM