22 July 2011

RDS Certificate usage and renewal steps

Remote Desktop Services relies heavily on certificates.  As a result I recommend installing the certs on all the servers before you even start; this allows you to select the cert without having to remember to go back and fix it later.  Certificates expire though, and as such you need to renew or replace them periodically.

If your certificates are not correctly installed or assigned you might have issues with access and single sign-on (SSO).  I have run into so many issues regarding certs that I have actually given up keeping track.

These are the steps to successfully implement a certificate swap or update.

The Environment
1 x Server configured as RDWEB, RDCB, RDGW - (RDS01)
2 x RDSH servers in NLB for most applications - (RDS02 & RDS03 NLB name RDS)
1 x RDSH server for non NLB applications - (RDS04)

What certificate to use
You need to use a multi-domain certificate or SAN certificate.  The names vary from CA to CA, but it is a single certificate that is valid for multiple names.  This enables all the different roles to use a single certificate, and this has proven to be the best way to proceed.

You need to register your multi-domain certificate with at least the following names

  • RDWEB
  • RDGW
  • RDS
  • RDS04

Where to install the certificates
Since you are using a multi-domain certificate you install the same certificate on all the RDS servers.  In addition, if you are publishing your RDS environment to the Internet through TMG (Forefront Threat Management Gateway) you need to install it on all the array members.  You then need to assign the certificate to the RDS publishing Listener network object.

For the steps to export and import the certificate on the servers, check http://fixmyitsystem.com/2011/02/exporting-and-importing-ssl-certificate.html

Assigning the certificate to the various roles
Now that the certificates are on all the servers you need to use them.  The various roles and components need to be configured correctly.

RD Gateway

  • From the RD Gateway Manager console
  • Highlight the RDGW server name
  • Click properties from the actions pane
  • Select the SSL Certificates tab
  • Select the option "Select an existing certificate..."
  • Click Import Certificate
  • Select the certificate
  • Click import
  • You will be prompted to restart the RDGW service


RD Web

  • From the IIS manager console
  • Select Default Web Site
  • Click Binding from the Actions pane
  • Select HTTPS
  • Click Edit
  • From the SSL certificate drop down select the certificate

RD Connection Broker

  • From the Remote Desktop Connection Manager
  • In the status pane under Virtual desktop : Resources and Configuration
  • On the line Digital certificate click Specify
  • On the Digital Signature tab
  • Check Sign with Digital Certificate
  • Click the Select Button
  • Click on the certificate to use

RD Session Hosts PART I
The following needs to be done on every session host

  • From the MMC console
  • Add the certificates snap in
  • Select Computer account
  • Expand Personal - Certificates
  • Open the RDS SAN certificate
  • From the details tab select the Thumbprint field
  • Copy and paste the value into notepad
  • Delete all the spaces
  • You should now have a string 40 characters long
  • Copy the following script and save it as RDconfig.js
// Connects to the local WMI Terminal Services namespace and sets the certificate
// used by the RDP-Tcp listener.  Usage: cscript RDconfig.js <40-character thumbprint>
var strComputer = ".";                          // "." = the local machine
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;               // update the existing instance only
var wbemAuthenticationLevelPktPrivacy = 6;      // this namespace requires an encrypted (packet privacy) connection
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);
// The Win32_TSGeneralSetting instance for the default RDP listener
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");
if (WScript.Arguments.length >= 1)
{
    // Thumbprint (SHA1 hash, 40 hex characters, no spaces) passed on the command line
    TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
}
else
{
    // No argument: reset the hash to all zeros, which puts the listener back on the default self-signed certificate
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
}
TSSettings.Put_(wbemChangeFlagUpdateOnly);      // write the change back to WMI
  • On the RDSH server open a command prompt as administrator
  • Execute the script with the 40 character thumbprint string as the parameter
For more details on this step check 
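As an added example (not part of the original post) that ties the SAN names listed under "What certificate to use" to the PART I thumbprint step: a PowerShell script that finds the SAN certificate in the local machine store, compares it with the certificate bound to each session host's RDP-Tcp listener (the same Win32_TSGeneralSetting the RDconfig.js script writes), and optionally rebinds it. The host names, SAN names and the function name Find-RdsSanCertificate are assumptions taken from the post's example environment.

```powershell
# Added example (not the post's own script): report which certificate each RDSH's
# RDP-Tcp listener uses versus the SAN certificate in LocalMachine\My, and fix it on
# request.  Host and SAN names below are the post's example environment (assumed).
param(
    [string[]]$SessionHosts = @('RDS02', 'RDS03', 'RDS04'),
    [string[]]$RequiredNames = @('RDWEB', 'RDGW', 'RDS', 'RDS04'),
    [switch]$Fix   # when set, rebind hosts whose thumbprint does not match
)
# Newest unexpired certificate (with private key) in LocalMachine\My whose
# Subject Alternative Name extension (OID 2.5.29.17) lists every required name.
function Find-RdsSanCertificate {
    param([string[]]$Names)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object {
            $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if (-not $san) { return $false }
            $text = $san.Format($false)          # "DNS Name=a, DNS Name=b, ..."
            $missing = $Names | Where-Object {
                $text -notmatch ('DNS Name=' + [regex]::Escape($_) + '(\W|$)')
            }
            -not $missing
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Find-RdsSanCertificate -Names $RequiredNames
if (-not $cert) { throw 'No unexpired certificate with all required SANs in LocalMachine\My' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); renew it soon"
}
# .Thumbprint is already the 40-character hex string without spaces (no notepad step needed)
Write-Host "Expected thumbprint: $($cert.Thumbprint)"
foreach ($rdsh in $SessionHosts) {
    $ts = Get-WmiObject -ComputerName $rdsh -Namespace 'root\CIMV2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
        -Authentication PacketPrivacy          # the namespace requires packet privacy
    if ($ts.SSLCertificateSHA1Hash -ieq $cert.Thumbprint) {
        Write-Host "$rdsh : OK, RDP-Tcp uses the expected certificate"
        continue
    }
    Write-Warning "$rdsh : RDP-Tcp bound to '$($ts.SSLCertificateSHA1Hash)', expected $($cert.Thumbprint)"
    if ($Fix) {
        # The certificate must already be installed on $rdsh (see 'Where to install')
        $ts.SSLCertificateSHA1Hash = $cert.Thumbprint
        $ts.Put() | Out-Null
        Write-Host "$rdsh : thumbprint updated"
    }
}
```

Run it without -Fix after a renewal to see which hosts still point at the old thumbprint, then with -Fix once the new certificate is installed everywhere.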


RD Session Hosts PART II
The following needs to be applied to all the RDSH servers.  This can be done directly on each or exported via the console.

  • From RemoteApp Manager Console
  • Next to Digital Signature Setting click Change
  • Check Sign with digital certificate
  • Click the Change button
  • Select the correct certificate

  • Click Export RemoteApp setting
  • Select Export the RemoteApp... to another RD Session Host server
  • Specify the name of the other RDSH server
  • Repeat for all the hosts in the RDCB farm

Updating TMG
If you are publishing to the outside world through TMG you will need to update the listener being used with the new certificate.

  • From the TMG management Console
  • Expand to the Firewall Policy
  • Open the rule used for publishing RDS
  • From the Listener tab click Properties
  • From the certificates tab click select certificate
  • Choose the new certificate

Conclusion
Configuring or updating an expired certificate for RDS can be a tricky exercise, especially if you miss a certificate setting.  Troubleshooting can also be frustratingly difficult.  Plan your environment with growth in mind.  This should then allow you to request certificates with additional SANs should you need them.  I would also recommend getting them with a 2 year validity, which in itself will save you some cash and effort.
