Thoughts from the EPS Windows Server Performance Team
Useful Microsoft Blogs
Good morning AskPerf! Kiran here with a question for you: Why do we need certificates? Well, certificates are used to sign the communication between two machines. When a client connects to a server, the identity of the server that is receiving the connection and in turn, information from the client, is validated using certificates.
This is done to prevent possible man-in-the-middle attacks. When a communication channel is setup between the client and the server, the authority that issues/generates the certificate is vouching for the server to be authentic.
So, as long as the client trusts the server it is communicating with, the data being sent to and from the server is considered secure. This brings me to the next question:
What type of certificate is required for RDS?
The following blog contains information regarding the type of certificates and how you can create them using the Internal CA of the domain.
Basic requirements for Remote Desktop certificates:
As the function it performs suggests, we need a ‘Server Authentication’ certificate. This certificate can be generated using the ‘Workstation Authentication’ template (if required).
Here is the exact process:
This will be visible when viewing the certificate in the ‘Certificates’ MMC snap-in, as below:
When you open the certificate, the ‘General’ tab will also contain the purpose of this certificate to be ‘Server Authentication’ as seen below:
Another way to validate this, would be to go to the ‘Details’ section of the certificate and look at the ‘Enhanced Key Usage’ property:
The easiest way to get a certificate, if you control the client machines that will be connecting, is to use Active Directory Certificate Services. You can request and deploy your own certificates and they will be trusted by every machine in the domain.
If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA. Examples including, but not limited to: GoDaddy, Verisign, Entrust, Thawte, DigiCert
Now that you know what type of certificate you need, let’s talk about the contents of the certificate.
In Windows 2008/2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, next to the connection broker and finally to the server that will host your session.
In Windows 2012, you connect to the Connection Broker and it routes you to the collection by using the collection name.
The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to. So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers in the collection. The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to. If you have users connecting externally, this needs to be an external name (needs to match what they connect to). If you have users connecting internally to RDweb, the name needs to match the internal name. For Single Sign On, again the subject name needs to match the servers in the collection.
For our example, let’s consider my RDS deployment to contain the following machines:
RDSH1.RENDER.COM Session Host with Remote Apps configured
RDSH2.RENDER.COM Session Host with Remote Apps configured
RDVH1.RENDER.COM Virtualization host with VDI VMs configured
RDVH2.RENDER.COM Virtualization host with VDI VMs configured
RDCB.RENDER.COM Connection Broker
RDWEB.RENDER.COM RDWeb and Gateway server
When my client connects internally, he will enter the FQDN of the server that hosts the web page, i.e,: RDWEB.RENDER.COM.
The name of the certificate needs to be this name, of the URL that the user will initiate the connection to. But we need to remember that the connection does not just end here. The connection then flows from the web server to one of the session hosts or virtualization hosts and also the connection broker.
The certificate can be common on all of these servers. This is why we recommend that the Subject Alternate Name of the certificate contain the names of all the other servers that are part of the deployment.
In short, the certificate for my environment would be as follows:
Type: Server Authentication
SAN: RDSH1.RENDER.COM; RDSH2.RENDER.COM; RDVH1.RENDER.COM; RDVH2.RENDER.COM; RDCB.RENDER.COM
This is all you need as long as you have 5 or less servers in the deployment. But we have a problem when we have more servers in the deployment. This is because, by design, the SAN (Subject Alternate Name) on a certificate, can only contain 5 server names. If you have more of them, you will have to get a wildcard certificate issued to cover all the servers in the deployment. Here my certificate changes as follows:
We still do encounter some challenges when it comes to the following scenario. Note, that this is true only when you have external users that access the deployment.
External name: RDWEB.RENDER.com
Internal Name: RDWEB.RENDER.local
Here, if you get a certificate with RDWEB.RENDER.COM in the name, the certificate errors still do appear. This is because the certificate is supposed to validate a server with the FQDN: ‘RDWEB.RENDER.COM’. However, your server is ‘RDWEB.RENDER.LOCAL’ and the ‘.com’ to ‘.local’ magic only happens at your public firewall/router using port forwarding (most common scenario).
In such scenarios, we previously recommended that the name on the certificate contains the ‘.com’ name and the SAN contains the ‘.local’ name.
Recently, all public certificate providers are stopping issuing certificates with ‘.LOCAL’ in them. Starting with Windows 8 and Windows Server 2012, we no longer need the external and internal names to be contained in the certificate.
In scenarios where you have external clients connecting in and you have a private internal domain suffix (DOMAIN.LOCAL), you can get a certificate from a Public CA with the external (RDWEB.DOMAIN.COM) name and bind it to the RD Web Access and RD Gateway roles, because these are the only roles that are exposed to the internet. For RD Connection Broker – Publishing and RD Connection Broker – Enable Single Sign On, you can make use of an internal certificate with the ‘DOMAIN.LOCAL’ name on it. This however, as mentioned earlier, will only work with clients connecting through RDC 8.0 or above.
The RD Gateway and Remote Desktop Client version 8.0 (and above) provides the external users with a secure connection to the deployment. Once connected to the deployment, the internal certificate with the ‘.local’ name will take care of Remote App signing (publishing) and Single Sign-On.
Now, lets look at where we configure the certificate we have:
Open the Server Manager on the Connection Broker server and Click on Remote Desktop Services in the left-most pane.
Once here, you will see your deployment shown as in the illustration below. Click on Tasks and select “Edit Deployment Properties”
This will bring up the property sheet of the deployment. Select the Certificates option in the left pane:
Now, as discussed earlier, you can select the certificate that was created using the ‘Select Existing Certificate’ button on the bottom of the screen.
Just point it to the ‘.pfx’ file and allow it to import the certificate for the role.
You can use a single certificate for all the roles, if your clients are internal to the domain only, by generating a simple wildcard certificate (*.RENDER.LOCAL) and binding it to all the roles.
Note, that even if you have multiple servers that are part of this deployment, the Server Manager will import the certificate to all the servers in the deployment, place them in the trusted root of the machines and bind them to the respective roles.
Great info with apt clarity.. thank you
I wonder if Windows 7 with RDP client updated to v8 or v8.1 will also Work?
Can you please describe how to create a SAN certifictae? I have problem with that. Do you have to request it from one of the session host servers, or the RD webaccess server? I have 2 RDwebaccess servers, 6 session hosts server and no GW server. My clients are internal domain connected. When I request a certificate it gets issued to the computer I make the request and if I sign my remote apps I keep getting the prompt whether I want to trust the RD server. It also causes the SSO to not functioning. Also I only can use the computer template. I read another article where it was nmentiond to use a webserver template as SAN certificate. Thanks //Nico
I can also mention that my servers are running Windows 2008 R2, so I cannot follow the instruction on the the section regarding the Edit Deployment properties, as it applies to Windows 2012.Is there any correspondence to that in Windows 2008?Thanks again. //Nico