January, 2014

  • Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services

    Good morning AskPerf!  Kiran here with a question for you:  Why do we need certificates?  Well, certificates are used to authenticate and secure the communication between two machines.  When a client connects to a server, the identity of the server receiving the connection, and in turn the information sent by the client, is validated using certificates.

    This is done to prevent possible man-in-the-middle attacks.  When a communication channel is set up between the client and the server, the authority that issues the certificate is vouching that the server is authentic.

    So, as long as the client trusts the server it is communicating with, the data being sent to and from the server is considered secure.  This brings me to the next question:

    What type of certificate is required for RDS?

    The following blog contains information regarding the type of certificates and how you can create them using the Internal CA of the domain.


    Basic requirements for Remote Desktop certificates:

    1. The certificate is installed into computer’s “Personal” certificate store.
    2. The certificate has a corresponding private key.
    3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (certificates with no "Enhanced Key Usage" extension can be used as well).

    As the function it performs suggests, we need a ‘Server Authentication’ certificate.  This certificate can be generated from a duplicate of the ‘Workstation Authentication’ template (if required).

    Here is the exact process: 

    1. Open CERTSRV.MSC and configure certificates.
    2. Open Certification Authority.
    3. In the details pane, expand the CA server's computer name.
    4. Right-click Certificate Templates and select Manage. Right-click Workstation Authentication and click Duplicate Template.
    5. On the General tab, change the Template display name to Client-Server Authentication and check Publish certificate in Active Directory.
    6. On the Extensions tab, click Application Policies then Edit. Click Add then select Server Authentication. Click OK until you return to the Properties of New Template dialog.
    7. Click the Security tab. For Domain Computers, click the checkbox to ‘Allow Autoenroll’. Click OK. Close the Certificate Templates Console.
    8. In the certsrv snap-in, right-click Certificate Templates and select New then Certificate Template to Issue.
    9. Select Client-Server Authentication and then click OK.

    This will be visible when viewing the certificate in the ‘Certificates’ MMC snap-in, as below:


    When you open the certificate, the ‘General’ tab will also contain the purpose of this certificate to be ‘Server Authentication’ as seen below:


    Another way to validate this, would be to go to the ‘Details’ section of the certificate and look at the ‘Enhanced Key Usage’ property:


    The easiest way to get a certificate, if you control the client machines that will be connecting, is to use Active Directory Certificate Services.  You can request and deploy your own certificates and they will be trusted by every machine in the domain. 

    If you're going to allow users to connect externally and they will not be part of your domain, you will need to deploy certificates from a public CA.  Examples include, but are not limited to: GoDaddy, VeriSign, Entrust, Thawte, DigiCert.

    Now that you know what type of certificate you need, let’s talk about the contents of the certificate.

    In Windows 2008/2008 R2, you connect to the farm name; DNS round robin first directs you to the redirector, then to the connection broker, and finally to the server that will host your session.

    In Windows 2012, you connect to the Connection Broker and it routes you to the collection by using the collection name. 

    The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.  So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers in the collection.  The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to.  If you have users connecting externally, this needs to be an external name (needs to match what they connect to).  If you have users connecting internally to RDweb, the name needs to match the internal name.  For Single Sign On, again the subject name needs to match the servers in the collection.

    For our example, let’s consider my RDS deployment to contain the following machines:

    RDSH1.RENDER.COM    Session Host with Remote Apps configured
    RDSH2.RENDER.COM    Session Host with Remote Apps configured
    RDVH1.RENDER.COM    Virtualization host with VDI VMs configured
    RDVH2.RENDER.COM    Virtualization host with VDI VMs configured
    RDCB.RENDER.COM     Connection Broker
    RDWEB.RENDER.COM    RDWeb and Gateway server

    When my client connects internally, they will enter the FQDN of the server that hosts the web page, i.e., RDWEB.RENDER.COM.

    The certificate needs to carry this name, the URL that the user initiates the connection to.  But we need to remember that the connection does not end here.  The connection then flows from the web server to one of the session hosts or virtualization hosts, and also to the connection broker.

    The certificate can be common on all of these servers.  This is why we recommend that the Subject Alternate Name of the certificate contain the names of all the other servers that are part of the deployment.

    In short, the certificate for my environment would be as follows:

    Type: Server Authentication



    This is all you need as long as you have 5 or fewer servers in the deployment.  But we have a problem when there are more servers in the deployment, because, by design, the SAN (Subject Alternate Name) on a certificate can only contain 5 server names.  If you have more of them, you will have to get a wildcard certificate issued to cover all the servers in the deployment.  Here my certificate changes as follows:

    Type: Server Authentication
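The three basic requirements listed earlier and the name-coverage rule (every server the user is routed to must appear in the CN or SAN, or be covered by a wildcard) can be audited from PowerShell. The script below is an added example, not code from the original post; it assumes the RENDER.COM host names used in this post and the standard EKU OIDs for Server Authentication (1.3.6.1.5.5.7.3.1) and Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2).

```powershell
# Added example, not from the original post: audit the computer's Personal store
# against the three RDS certificate requirements listed earlier and report which
# deployment host names each certificate's CN/SAN covers (exact match or wildcard).
# The host list is the post's example RENDER.COM deployment; edit it to suit.
$DeploymentHosts = @(
    'RDSH1.RENDER.COM', 'RDSH2.RENDER.COM', 'RDVH1.RENDER.COM',
    'RDVH2.RENDER.COM', 'RDCB.RENDER.COM',  'RDWEB.RENDER.COM'
)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'  # Remote Desktop Authentication EKU

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one "DNS Name=host" line per dNSName entry
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $names | Select-Object -Unique
}

function Test-NameCovers {
    param([string]$CertName, [string]$HostName)
    if ($CertName.StartsWith('*.')) {
        # A wildcard matches exactly one label: *.RENDER.COM covers RDWEB.RENDER.COM
        return $HostName -imatch ('^[^.]+\.' + [regex]::Escape($CertName.Substring(2)) + '$')
    }
    return $CertName -ieq $HostName
}

function Test-RdsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Requirement 3: no EKU extension at all, or one that lists an accepted OID
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOk = if ($null -eq $eku) { $true } else {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        ($oids -contains $ServerAuthOid) -or ($oids -contains $RdpAuthOid)
    }
    $names   = @(Get-CertificateDnsNames $Cert)
    $missing = @($DeploymentHosts | Where-Object {
        $h = $_; -not ($names | Where-Object { Test-NameCovers $_ $h })
    })
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # Requirement 2
        EkuAcceptable = $ekuOk
        Names         = $names -join ';'
        MissingHosts  = $missing -join ';'     # empty means every host is covered
    }
}

# Requirement 1: only certificates in the computer's Personal store are considered
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RdsCertificate $_ } | Format-Table -AutoSize
```

A certificate that is fit for the whole deployment shows HasPrivateKey True, EkuAcceptable True and an empty MissingHosts column; a wildcard such as *.RENDER.COM covers all six hosts with a single name.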



    We still encounter some challenges in the following scenario.  Note that this applies only when you have external users accessing the deployment.

    External name: RDWEB.RENDER.com

    Internal Name: RDWEB.RENDER.local

    Here, if you get a certificate with RDWEB.RENDER.COM in the name, the certificate errors still do appear.  This is because the certificate is supposed to validate a server with the FQDN: ‘RDWEB.RENDER.COM’.  However, your server is ‘RDWEB.RENDER.LOCAL’ and the ‘.com’ to ‘.local’ magic only happens at your public firewall/router using port forwarding (most common scenario).

    In such scenarios, we previously recommended that the name on the certificate contains the ‘.com’ name and the SAN contains the ‘.local’ name.

    Recently, all public certificate providers have stopped issuing certificates with ‘.LOCAL’ names in them.  Starting with Windows 8 and Windows Server 2012, we no longer need both the external and internal names to be contained in the certificate.

    In scenarios where you have external clients connecting in and you have a private internal domain suffix (DOMAIN.LOCAL), you can get a certificate from a Public CA with the external (RDWEB.DOMAIN.COM) name and bind it to the RD Web Access and RD Gateway roles, because these are the only roles that are exposed to the internet.  For RD Connection Broker – Publishing and RD Connection Broker – Enable Single Sign On, you can make use of an internal certificate with the ‘DOMAIN.LOCAL’ name on it.  This however, as mentioned earlier, will only work with clients connecting through RDC 8.0 or above.

    The RD Gateway and Remote Desktop Client version 8.0 (and above) provide external users with a secure connection to the deployment.  Once connected to the deployment, the internal certificate with the ‘.local’ name takes care of Remote App signing (publishing) and Single Sign-On.

    Now, let’s look at where we configure the certificate we have:

    Open the Server Manager on the Connection Broker server and Click on Remote Desktop Services in the left-most pane.

    Once here, you will see your deployment shown as in the illustration below. Click on Tasks and select “Edit Deployment Properties”


    This will bring up the property sheet of the deployment. Select the Certificates option in the left pane:


    Now, as discussed earlier, you can select the certificate that was created using the ‘Select Existing Certificate’ button on the bottom of the screen.

    Just point it to the ‘.pfx’ file and allow it to import the certificate for the role.

    You can use a single certificate for all the roles, if your clients are internal to the domain only, by generating a simple wildcard certificate (*.RENDER.LOCAL) and binding it to all the roles.

    Note that even if you have multiple servers that are part of this deployment, Server Manager will import the certificate to all the servers in the deployment, place it in the trusted root store of the machines and bind it to the respective roles.

    -Kiran Kadaba

  • The case of “Above normal” priority

    Good morning AskPerf!  If you’ve used Task Manager, you may have noticed that it allows setting an “instance-based priority”.  This is an option where you can choose to boost or reduce the priority of any process, thereby adjusting the amount of CPU attention the process receives.  But honestly, how many times have you used this feature for any business apps on your Workstations or Servers?  The answer is probably not much.  The default CPU scheduling algorithm is adequately designed to distribute CPU among running processes in most scenarios.

    So recently, one of our customers reported the following anomaly they saw in Task Manager:


    About 70% of the running processes would launch as Normal, and within a few seconds the priority would change to Above normal automatically.  This happened for many arbitrary processes and did not allow fair CPU scheduling for LOB applications.

    So how do you drill down on it?  Well, we need to check some basic settings first.  Any process on the Windows platform can have one of the following priorities at a given time:

    • Realtime
    • High
    • Above normal
    • Normal
    • Below normal
    • Low


    Per MSDN, these priorities correspond to the following classes:


    A process always launches with its base priority (the default), which the application developer can choose; otherwise it falls back to the default NORMAL_PRIORITY_CLASS.

    If you are a developer, you can use the SetPriorityClass function to adjust your process’ priority from its base priority to a new one.  That is exactly what happens to a running process instance when you adjust its priority from Task Manager.  So we followed that route and began investigating who was calling the SetPriorityClass() function on the affected machine.  We used our best friend XPERF (or rather WPR, its latest incarnation) with stackwalk enabled.


    1. Start WPR
    2. Launch a process (say, notepad.exe)
    3. Wait a few seconds until the priority is raised from “Normal” to “Above normal”
    4. Stop the WPR capture
    5. Load the output ETL file in WPA (Windows Performance Analyzer, the analysis tool installed with WPR)

    In WPA, we focused on the stack flow for the process in question (notepad.exe in our example) and found the stack below, where wsrm.exe calls the SetPriorityClass() function.  You can see this stack using just our public symbols (path: http://msdl.microsoft.com/download/symbols).

    Line #   All Count
    |    |    |- wsrm.exe!CCPUManager::UpdatePriorities
    |    |    |    wsrm.exe!CCPUManager::UpdatePriorities
    |    |    |    wsrm.exe!CCPUManager::UpdatePriorities
    |    |    |    |- wsrm.exe!CProcess::SetPriorityClass
    |    |    |    |    KernelBase.dll!SetPriorityClass



    From the screenshot of Windows Performance Analyzer:


    So now we know what is causing the priorities to be bumped up, but why?

    Windows Server Resource Manager (wsrm.exe) is a great tool to manage server processor and memory usage with standard or custom resource policies.  If you find yourself in a similar situation, chances are that you need to review the WSRM configuration and policies in your environment.  Or, you can simply disable WSRM if you are not using it.  This blog discusses more about WSRM policies and configuration.

    Additional Resources

    Scheduling Priorities


    BONUS: Task Scheduler launches tasks by default at Below normal priority.  To change the priority of a task, you have to edit its XML file (the <Priority>7</Priority> element) and re-import it.  More info:  TaskSettings.Priority property
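The export-edit-reimport step from the bonus note, scripted with schtasks.exe; this is an added example, not code from the original post. The task name ‘Nightly Report’ is a placeholder, and the value mapping (7, the default, is BELOW_NORMAL_PRIORITY_CLASS; 4 is NORMAL_PRIORITY_CLASS) is taken from the TaskSettings.Priority table referenced above.

```powershell
# Added example, not from the original post: change a scheduled task's priority the
# way the post describes, by exporting its XML, editing <Priority> and re-importing it
# with schtasks.exe. 'Nightly Report' is a placeholder task name. In the
# TaskSettings.Priority table 7 (the default) is BELOW_NORMAL_PRIORITY_CLASS and 4 is
# NORMAL_PRIORITY_CLASS. Run from an elevated prompt for tasks you do not own.
function Set-ScheduledTaskPriority {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [ValidateRange(0, 10)][int]$Priority = 4
    )
    # Export the task definition; /XML ONE writes a single XML document to stdout
    $xmlText = schtasks.exe /Query /TN $TaskName /XML ONE
    if ($LASTEXITCODE -ne 0) { throw "schtasks could not export task '$TaskName'" }
    [xml]$task = $xmlText -join "`n"

    # <Priority> lives under Task/Settings; create it when the definition omits it
    $settings = $task.Task.Settings
    $node = $settings.GetElementsByTagName('Priority') | Select-Object -First 1
    if (-not $node) {
        $node = $settings.AppendChild($task.CreateElement('Priority', $task.Task.NamespaceURI))
    }
    $node.InnerText = [string]$Priority

    # Re-import from a temporary file; /F overwrites the existing task definition
    $tmp = Join-Path $env:TEMP ("task-{0}.xml" -f [guid]::NewGuid())
    try {
        $task.Save($tmp)
        schtasks.exe /Create /TN $TaskName /XML $tmp /F | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "schtasks could not re-import task '$TaskName'" }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

Set-ScheduledTaskPriority -TaskName 'Nightly Report' -Priority 4
```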

  • RDP to Azure VM fails with "No Remote Desktop License Servers available"

    You can use mstsc /admin to work around the following licensing error when attempting to connect with RDP to an Azure VM: The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license. Please ...
  • SQL Server Configuration Manager error "Invalid class [0x80041010]" on Visual Studio gallery image VM

    If you are using the Visual Studio 2013 Gallery image for MSDN subscribers to create an Azure VM and try running SQL Server Configuration Manager without taking additional configuration steps first, you may see the following error message: Cannot connect ...
  • Windows 8.1 preview build reboots every 2 hours

    Today’s blog is regarding the expiration of the Windows 8.1 preview build which occurred yesterday January 15th, 2014.  If you installed the Windows 8.1 preview build and have not upgraded to 8.1 RTM you may notice that your machine is rebooting itself every 2 hours and you should also be getting the following notification when you login


    For more information on this and how to update to the final RTM build take a look at the following page: 

    Update from Windows 8.1 Preview to Windows 8.1

    Scott McArthur
    Senior Support Escalation Engineer

  • Popular new features in Windows 8.1

    We are very excited, as are many of you, about our latest OS. Windows 8.1 is readily available across the globe. We thought of listing some of the top/new features it brings to the table. Here is a small list of some of the more popular new features:

    Your favorite Start button on taskbar


    We heard you and the Start button is back! It makes the task bar look familiar and provides ease of access to the Start screen from the desktop.

    Start screen customization

    Customization for the Start screen using group policies and PowerShell is now available.

    Group policies allow you to specify the Start screen layout and prevent configuration changes. The layout specifications must be stored in an XML file that is generated with the Export-StartLayout PowerShell cmdlet. This XML file can be made available locally or from a UNC path.

    The policies for the Start screen layout are available under:

    • Computer Configuration | Administrative Templates | Start Menu and Taskbar
    • User Configuration | Administrative Templates | Start Menu and Taskbar

    NOTE we will provide greater detailed steps in a later blog

    Roam your favorite apps on 8.1 devices

    Another highly requested feature. Since last October, you can roam your installed applications on Windows 8 and Windows 8.1 to as many as 81 Windows devices. Earlier, when we launched Windows 8, the number was restricted to just five devices. This is limited to Windows Store apps only. More details can be found here:


    Boot directly to the desktop

    You can now bypass the Start screen and log on directly to the desktop. To configure it, launch Task Bar Properties > Navigation > “When I sign in or close all apps on a screen, go to the desktop instead of Start”.


    You can also use the Start Screen customization policy to deploy this to a group of users.

    Drag App to another display

    You can now drag and drop Metro Style apps across monitors. Drag and drop works for both full screen and snapped apps! So if you are like me with multiple monitors, check out how Windows 8.1 can increase productivity:


    Multi-snap views

    This is my personal favourite as I can do multiple things at the same time. I watch my stocks, video call on skype, and still work on my desktop! Not enough? You can even adjust the width of each snap-in to suit your need. Now that’s super cool. It is not limited to three, but here is a screenshot to present the idea. Try it out!


    NOTE we will provide greater detailed steps in a later blog

    NFC has been enabled (for printing)

    One of the best implementations of NFC on the Windows platform is NFC tap-to-connect printing, which is introduced in Windows 8.1. We have a detailed post on it here:


    In-box Support for 3D printing

    We debuted in-box support for 3D printing in Windows 8.1. Another superb thing to discuss. Most of the functionality and details are posted here:


    Great "Search" capabilities

    With Windows 8.1 you will fall in love with Windows Search, or what I call “Super Search”. You can now search virtually everywhere from just one place. Hit ‘Windows Key + S’ or select ‘Search’ from the Windows charms bar. You can opt to search the web, files on your local storage, settings or ALL of these places simultaneously.


    Search results for “Morgan Freeman”


    New layout for the Windows Store

    New look, better visuals to review the screenshots and rating of applications.


    All Apps screen

    On the Start screen you can now click the small down arrow to quickly change the view to “All Apps”.


    All installed apps on the “All Apps” screen can be sorted by name (default), install date, most used, or category (games, productivity, utilities, etc.).


    Wireless Display (Miracast support)

    We tested with several Miracast receivers and among others, these work great in bringing Windows 8.1 to the big screen (wirelessly): ActionTec, ScreenBeam Pro and Netgear Push2TV (PTV3000). Some good details here:


    Download and Install updates for Store Apps automatically

    The feature can now be turned on/off using group policy located at Computer Configuration | Administrative Templates | Windows Components | Store | “Turn off Automatic Download and install of updates”.


    Let us know in the comments below your favorite features in Windows 8.1, or if you have any questions around these features.

    -Deepak Kumar

  • Unable to create Storage Pool in Windows Server 2012 R2 Azure VM

    UPDATE Mar. 10: This issue is now resolved. The fix has been fully deployed to all Windows Azure hosts. There is no action needed within the VM itself, as the fix was on the Windows Azure hosts. We recently determined the Storage Spaces feature in ...
  • Debugging a Windows 8.1 Store App Crash Dump

    Quality reports on the App Summary page Microsoft provides triage dumps of your Windows Store application’s crashes and hangs through the Quality section of the App Summary page on the Dev Center - Windows Store apps portal.   Back in June 2012, ...