How can I work around problems with certificate configuration in Remote Desktop Services?

I am setting up a Remote Desktop Services farm, and am having trouble configuring certificates for it to use. A demonstration of the problem I’m seeing can be found in Step #4.

At this point I am convinced that there are problems with the user interface, and am looking for ways around them. Is there any way to configure certificates in Remote Desktop Services so that the settings hold and are reflected in the GUI? If not, is there any way for me to verify that the settings are correct?

Step #1 – Create certificate to be used.

I’ve configured a certificate to use with RD Web Access. The certificate is stored with in the Certificates MMC on my RD Connection Broker, and I am configuring the farm from that computer. certificate

I found by letting RD Web Access generate its own certificate that the following properties are required:

  • Enhanced Key Usage
    • Server Authentication
    • Client Authentication
      • This may not be required, but the self-signed certificate includes it.
  • Key Usage
    • Digital Signature
    • Key Agreement
  • Subject Alternative Name
    • DNS Name=domain.com

Detour about self-signed certificate generation

As a quick detour, I was able to work around a problem with creating self-signed certificates using powershell. The documentation for the New-RDCertificate cmdlet gives the following example:

PS C:> $password = ConvertTo-SecureString -string “password” -asplaintext -force New-RDCertificate -Role RDWebAccess -DnsName “test-rdwa.contoso.com” -Password $password -ConnectionBroker rdcb.contoso.com -ExportPath “c:test-rdwa.pfx”

Typing this into the shell will result in an error message claiming that a function, Get-Server cannot be found. Prior to using New-RDCertificate, you must import the RemoteDesktop Module with Import-Module RemoteDesktop.

Step #2 – Observe out-of-box behavior

The first time you visit the Deployment Properties dialog box by navigating to Server Manager -> Remote Desktop Services -> Collections and selecting “Edit Deployment Properties” from the “TASKS” dropdown list in the “COLLECTIONS” grouping, you will see the following screen: enter image description here

This window is misleading because the level field is listed as “Not Configured”. If I understand correctly all three of the role services are using a self-signed certificate. For the RD Web Access role this can be verified by visiting the website: certificate error

The certificate being used also appears in the Certificates MMC: certificates MMC showing the RD Web Access certificate

Step #3 – Assign new certificate

The Deployment Properties dialog box will allow me to select my existing certificate. The certificate must be placed within the local computers Certificates MMC in the “Personal” certificate store. The private key will need to be exportable, and you will need to provide the password. I temporarily exported my certificate to a file named temp.pfx with a password, and then imported it into Remote Desktop Services from there.

Once this is done the GUI will indicate that it is ready to accept the new configuration. ready to accept certificate

Once I click the “Apply” button, the GUI indicates success. enter image description here

This can be verified by visiting the RD Web Access web site a second time. There is no certificate error. enter image description here

Step #4 – The GUI fails to maintain its state

If the GUI is closed and reopened, all of these settings appear to be lost. settings are lost

Actually, the certificate I configured is still being used. I am able to continue accessing the RD Web Access site without any certificate errors.

Oddly, if I use the “Create new certificate…” button to generate a self-signed certificate this window will update to an “Untrusted” level. This setting will then be maintained through the opening and closing of the Deployment Properties dialog box.

Is there anything I can do to have my settings appear to stick? I feel like something is wrong when the GUI claims I haven’t fully configured certificates.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

WhatsApp chat
%d bloggers like this: