How can I work around problems with certificate configuration in Remote Desktop Services?
- by Michael Steele
I am setting up a Remote Desktop Services farm, and am having trouble configuring certificates for it to use. A demonstration of the problem I'm seeing can be found in Step #4.
At this point I am convinced that there are problems with the user interface, and am looking for ways around them. Is there any way to configure certificates in Remote Desktop Services so that the settings hold and are reflected in the GUI? If not, is there any way for me to verify that the settings are correct?
Step #1 - Create certificate to be used.
I've configured a certificate to use with RD Web Access. The certificate is stored within the Certificates MMC on my RD Connection Broker, and I am configuring the farm from that computer.
I found by letting RD Web Access generate its own certificate that the following properties are required:
Enhanced Key Usage
  Server Authentication
  Client Authentication
    (This may not be required, but the self-signed certificate includes it.)
Key Usage
  Digital Signature
  Key Agreement
Subject Alternative Name
  DNS Name=domain.com
Detour about self-signed certificate generation
As a quick detour, I was able to work around a problem with creating self-signed certificates using PowerShell. The documentation for the New-RDCertificate cmdlet gives the following example:
PS C:\> $password = ConvertTo-SecureString -string "password" -asplaintext -force
New-RDCertificate -Role RDWebAccess -DnsName "test-rdwa.contoso.com" -Password $password -ConnectionBroker rdcb.contoso.com -ExportPath "c:\test-rdwa.pfx"
Typing this into the shell will result in an error message claiming that a function, Get-Server, cannot be found. Prior to using New-RDCertificate, you must import the RemoteDesktop module with Import-Module RemoteDesktop.
Step #2 - Observe out-of-box behavior
The first time you visit the Deployment Properties dialog box by navigating to Server Manager - Remote Desktop Services - Collections and selecting "Edit Deployment Properties" from the "TASKS" dropdown list in the "COLLECTIONS" grouping, you will see the following screen:
This window is misleading because the level field is listed as "Not Configured". If I understand correctly, all three of the role services are using a self-signed certificate. For the RD Web Access role this can be verified by visiting the website:
The certificate being used also appears in the Certificates MMC:
Step #3 - Assign new certificate
The Deployment Properties dialog box will allow me to select my existing certificate. The certificate must be placed within the local computer's Certificates MMC in the "Personal" certificate store. The private key will need to be exportable, and you will need to provide the password. I temporarily exported my certificate to a file named temp.pfx with a password, and then imported it into Remote Desktop Services from there.
Once this is done the GUI will indicate that it is ready to accept the new configuration.
Once I click the "Apply" button, the GUI indicates success.
This can be verified by visiting the RD Web Access web site a second time. There is no certificate error.
Step #4 - The GUI fails to maintain its state
If the GUI is closed and reopened, all of these settings appear to be lost.
Actually, the certificate I configured is still being used. I am able to continue accessing the RD Web Access site without any certificate errors.
Oddly, if I use the "Create new certificate..." button to generate a self-signed certificate, this window will update to an "Untrusted" level. This setting will then be maintained through the opening and closing of the Deployment Properties dialog box.
Is there anything I can do to have my settings appear to stick? I feel like something is wrong when the GUI claims I haven't fully configured certificates.
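One way to verify the deployment's certificate state without relying on the Deployment Properties dialog, as an added example that is not part of the original question: it asks the RemoteDesktop module's Get-RDCertificate cmdlet which certificate each role service is bound to, then checks that certificate in the local machine's Personal store for the properties listed in Step #1. The broker FQDN and expected DNS name are placeholders, and the Get-RDCertificate output property names used (Role, Level, IssuedTo, ExpiresOn, Thumbprint) are assumed.

```powershell
# Added verification script, not part of the original post. Assumes the
# RemoteDesktop module is installed on the RD Connection Broker.
Import-Module RemoteDesktop   # required before any RD* cmdlet (see detour above)

$Broker      = 'rdcb.contoso.com'   # placeholder: RD Connection Broker FQDN
$ExpectedDns = 'domain.com'         # placeholder: DNS name clients connect to
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Ask the deployment itself which certificate each role service uses. This is
# independent of the "Level" column the Deployment Properties dialog shows.
$rdCerts = Get-RDCertificate -ConnectionBroker $Broker
$rdCerts | Format-Table Role, Level, IssuedTo, ExpiresOn, Thumbprint -AutoSize

foreach ($rd in $rdCerts) {
    if (-not $rd.Thumbprint) { Write-Warning "$($rd.Role): no certificate bound"; continue }
    # The bound certificate must live in the local computer's Personal store.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $rd.Thumbprint
    if (-not $cert) { Write-Warning "$($rd.Role): $($rd.Thumbprint) not in LocalMachine\My"; continue }

    # Pull the three extensions the post found on the self-signed certificate.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alt Name
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object Value) } else { @() }
    $kuText  = if ($ku)  { "$($ku.KeyUsages)" } else { '' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    $checks = [ordered]@{
        'EKU: Server Authentication' = $ekuOids -contains $ServerAuthOid
        'EKU: Client Authentication' = $ekuOids -contains $ClientAuthOid
        'KU: Digital Signature'      = $kuText -match 'DigitalSignature'
        'KU: Key Agreement'          = $kuText -match 'KeyAgreement'
        "SAN: DNS Name=$ExpectedDns" = $sanText -match "DNS Name=$([regex]::Escape($ExpectedDns))"
        'Private key present'        = $cert.HasPrivateKey
        'Not expired'                = $cert.NotAfter -gt (Get-Date)
        'Chain builds (trusted)'     = $cert.Verify()   # false for a self-signed cert
    }
    Write-Host "`n[$($rd.Role)] $($cert.Subject)  thumbprint $($cert.Thumbprint)"
    foreach ($c in $checks.GetEnumerator()) {
        $mark = if ($c.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ("  {0,-4} {1}" -f $mark, $c.Key)
    }
}

# To (re)assign a certificate without the dialog, the same module can be used, e.g.:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Set-RDCertificate -Role RDWebAccess -ImportPath C:\temp.pfx -Password $pw -ConnectionBroker $Broker
```

Re-running the Get-RDCertificate call after a change shows whether the bound thumbprint actually moved, regardless of what the GUI's "Level" column reports.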