Install Certificate For Remote Desktop Connection

Remote Desktop Certificate Error

Hi, I hope you can advise me. I am familiar with RDS (based on Windows Server 2008 R2). I just started with RDS (based on Windows Server 2012). I find the certificate requirements and DNS requirements somewhat confusing. I can't find any clear information about this on the internet and I also noticed more people are having the same questions. Allow me to explain my scenario.


I have the following setup:

RDS01 = RD Licensing Server + RD Connection Broker + RD Web Access
RDSH01 = RD Session Host
RDSH02 = RD Session Host (currently not available yet. Only RDSH01 at this time!)
RDSH03 = RD Session Host (currently not available yet. Only RDSH01 at this time!)

I can easily install and configure all server roles. But here it comes. In Windows Server 2008 R2 you are able to configure a farm DNS name. In Windows Server 2012 you can't, as far as I can see. With Windows Server 2008 R2 you would then need to create several A-records (round-robin) that point to each RD Session Host.

For this to work you would also need to have a Computer Certificate on each RD Session Host where the subject name matches the farm DNS name. But how does this work with Windows Server 2012? Do you still need to configure a separate farm DNS name and import certificates on every RD Session Host which match the subject name? I can only import a certificate (.pfx). Which, by the way, I find very unhandy: you can't select an already existing certificate from the certificate store. I notice when I import a certificate it is only imported on the RD Connection Broker. I understand the certificate for signing the RDP files and Web Access.

But what about the RD Connection Broker? Also, is the certificate configuration global? What if you have multiple collections, with no certificate requirements per collection? Maybe I am missing something because currently RDSH01 is the only RD Session Host operational.

Can someone shine a light on this?

Boudewijn Plomp, BPMi Infrastructure & Security.

In Windows Server 2012, there is no equivalent to the setting in Windows Server 2008 R2 RD Session Host Configuration, as it is not needed anymore. Which is why I wanted to make sure that you weren't seeing something unexpected based on how you have your certificates configured. Are you seeing any prompts that you don't think you should be seeing? Is SSO not working?

Please let me know. You don't have to use a SAN certificate; that is just one of the ways to do it. If you don't use a wildcard, then you have to use SAN in the certificate.

What Remote Desktop cares about is that it's a Server Authentication certificate, the FQDN is either in the Subject Name or the SAN, and that the certificate is trusted. As for the inability to install a certificate that is already in the store on the Broker, I have heard that feedback several times before and I agree it would be nice if it allowed you to do that.

The reason it doesn't is simply one of design.

Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging.

You don't define farm names in DNS and connect to a farm name in a 2012 deployment. You connect to the Connection Broker and it routes you to the collection by using the collection name. This is, as you have noticed, a fundamental difference between 2012 and everything prior. The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.

So, for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers in the collection. The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to. If you have users connecting externally, this needs to be an external name (it needs to match what they connect to).

If you have users connecting internally to RDweb, the name needs to match the internal name. For Single Sign On, again the subject name needs to match the servers in the collection.

The easiest way to do this, if you control the client machines that will be connecting, is to use Active Directory Certificate Services. You can request and deploy your own certificates and they will be trusted by every machine in the domain. If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA. The reason why the Certificates are a global setting is because it was designed as a centralized management solution, allowing you to deploy certificates to every RDS server in your deployment from one place, using one UI. You no longer need to install the certificate on each server and then repeat the same process in each UI on each server to configure the certificates. In Windows Server 2012, you need only export the certificate with the private key and then use the RDMS UI on the Connection Broker to deploy it to ALL servers.

Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging.
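The following script is an added example, not code from this thread or from Microsoft. It checks a .pfx against the three requirements Don describes before it is deployed from the broker: a Server Authentication EKU, every RD Session Host in the collection (plus the RDWeb FQDN) covered by the Subject CN or a SAN entry (wildcards match one label only), and a chain the local machine trusts. It assumes the RemoteDesktop module is present on the broker and that one certificate is used for all roles; the broker, collection, RDWeb and path values are placeholders.

```powershell
param(
  [string]$ConnectionBroker = 'rds01.corp.example',  # placeholder, not from the thread
  [string]$CollectionName   = 'Desktops',            # placeholder collection name
  [string]$RdWebFqdn        = 'remote.example.com',  # placeholder external RDWeb name
  [string]$PfxPath          = 'C:\certs\rds.pfx'     # placeholder path to the exported PFX
)
Import-Module RemoteDesktop

# A wildcard entry covers exactly one left-most label, as mstsc and browsers apply it.
function Test-NameCovered([string]$Fqdn, [string[]]$CertNames) {
  $Fqdn = $Fqdn.ToLower()
  foreach ($n in $CertNames) {
    $n = $n.ToLower()
    if ($n -eq $Fqdn) { return $true }
    if ($n.StartsWith('*.') -and $Fqdn.EndsWith($n.Substring(1))) {
      $label = $Fqdn.Substring(0, $Fqdn.Length - $n.Length + 1)
      if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
    }
  }
  return $false
}

# Names the certificate must cover: every RD Session Host in the collection plus RDWeb.
$required = @($RdWebFqdn) + @(Get-RDSessionHost -CollectionName $CollectionName `
  -ConnectionBroker $ConnectionBroker | ForEach-Object { $_.SessionHost })

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
  $PfxPath, (Read-Host -AsSecureString 'PFX password'))

# 1. Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = [bool]($eku -and
  (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'))

# 2. Names the certificate vouches for: Subject CN plus each SAN dNSName (OID 2.5.29.17).
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
  $names += ($san.Format($false) -split ',\s*') |
    Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { $_ -replace '^DNS Name=', '' }
}
$missing = @($required | Where-Object { -not (Test-NameCovered $_ $names) })

# 3. The chain must be trusted on this machine (Verify also checks validity and revocation).
$trusted = $cert.Verify()

"Server Authentication EKU : $hasServerAuth"
"Trusted chain             : $trusted"
if ($missing.Count) { "Names NOT covered         : $($missing -join ', ')" } else { "All required names covered." }
# Only when all three pass, push it to every server from the broker, e.g.:
#   Set-RDCertificate -Role RDPublishing -ImportPath $PfxPath -Password <pfx password> -ConnectionBroker $ConnectionBroker
```

Run it on the Connection Broker, since that is the machine whose trust store and RemoteDesktop module the checks rely on.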