Hi – It’s me, Al
Blog post updated: July 19th 2017
Remote Desktop Services (RDS) on Windows Server 2012 R2 has been on the market for a while now. Let's have a look at the 2012 R2 certificate configuration (for a lab).
First we have to create a template on the internal Certificate Authority (CA). We use the Workstation Authentication template as the base for that. Open your CA Manager – Certificate Templates – Manage
Duplicate the “Workstation Authentication” Template.
Change the Template Display Name to a friendly name like "RDS Connection Broker Template" and also change the validity period to 5 years (the CA still caps the issued lifetime at the remaining validity of its own CA certificate).
Make sure the private key is exportable: the certificate is later exported from the Connection Broker as a PFX file and imported into the RDS deployment, and that import does not work without the key.
Depending on the security requirements in your organization, change the template security. You will probably have to grant the Connection Broker servers the Enroll permission so they can request the certificate. Best is to use an Active Directory security group for that rather than individual computer accounts.
As soon as you have created the template, request the certificate with the Certificates MMC from one of the Connection Broker servers. If you have only one or two Connection Brokers, it may be easier to add their FQDNs (and the client access name of the deployment) as Subject Alternative Names to the certificate instead of using a wildcard.
In a larger environment a wildcard certificate issued by your corporate CA is the usual recommendation, so we request a wildcard certificate for the lab environment as well. Keep in mind that every host you install the wildcard on holds the same private key, so the exported PFX has to be protected accordingly.
Open the Certificates MMC (local computer) on an RD Connection Broker server. Go to Personal – Certificates – All Tasks – Advanced Operations – Create Custom Request … . The Request Wizard will launch.
Select Active Directory Enrollment Policy – Next
Select the "RDS Connection Broker Template" (or whatever you called it) which we created earlier. Leave the request format at the default.
Change the following properties on the "Subject" tab:
Subject Name: as "Common Name" add your domain, for a wildcard in the form *.yourdomain.tld
Change the following properties in the “Private Key” tab:
Private Key: Select “Make private Key exportable”
Apply the Settings and finish the Custom request.
Now you have to export the certificate for your Connection Broker server. Open the Certificates MMC (local computer) on your Connection Broker server – navigate to Certificates – Personal – select the newly created certificate – All Tasks – Export
Go through the wizard and use the following options:
Private key = Export
PFX = Standard Options
Save as: PFX
Go to your RDS Deployment – Select “Edit Deployment” – Select “Certificates”
Choose "Select existing certificate" and use the previously saved *.pfx file. Enter the password you set and tick the option to add the certificate to the Trusted Root Certification Authorities store on the destination computers. Apply these settings for "RD Connection Broker – Publishing" and "RD Connection Broker – Enable Single Sign On". You have to do this for each role service separately; the deployment does not apply one certificate to all roles at once.
All your Connection Broker Certificates should now be in a Trusted state:
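The same request, export, assignment and check can be scripted from an elevated PowerShell session on the Connection Broker. The following is an added example and not part of the original post; the domain lab.local, the CA configuration string ca01.lab.local\Lab-CA, the template name RDSConnectionBrokerTemplate, the broker name rdcb01.lab.local and the paths under C:\certs are assumptions you have to replace with your own values.

```powershell
# Added example (not from the original post). Assumed values: lab domain lab.local,
# CA "ca01.lab.local\Lab-CA", template "RDSConnectionBrokerTemplate", broker
# rdcb01.lab.local, working directory C:\certs. Run elevated on the Connection Broker.

$domain   = 'lab.local'
$template = 'RDSConnectionBrokerTemplate'   # the duplicated Workstation Authentication template
$caConfig = 'ca01.lab.local\Lab-CA'         # "Hostname\CA common name", see: certutil -dump
$broker   = 'rdcb01.lab.local'
$pfxPath  = 'C:\certs\rds-wildcard.pfx'
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'

New-Item -ItemType Directory -Path C:\certs -Force | Out-Null

# 1. certreq INF: wildcard CN, SAN for the wildcard, exportable machine key.
#    Exportable = TRUE corresponds to "Make private key exportable" in the MMC wizard.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=*.$domain"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[RequestAttributes]
CertificateTemplate = $template

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=*.$domain&"
"@
Set-Content -Path C:\certs\rds.inf -Value $inf -Encoding ASCII

# 2. Create the request, submit it to the CA and install the issued certificate into
#    Cert:\LocalMachine\My. If the template requires manager approval, -submit returns
#    a pending request and you have to issue it on the CA before -accept succeeds.
certreq -new C:\certs\rds.inf C:\certs\rds.req
certreq -submit -config $caConfig C:\certs\rds.req C:\certs\rds.cer
certreq -accept C:\certs\rds.cer

# 3. Locate the issued certificate and check that its private key is really exportable,
#    otherwise the PFX export (and therefore the RDS import) fails later.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=*.$domain" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for CN=*.$domain was not issued or not installed." }
$csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
    throw 'Private key is not exportable; fix the template/request and re-enroll.'
}

# 4. Export certificate plus private key as a password-protected PFX.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass -Force | Out-Null

# 5. Assign the PFX to the Connection Broker role services. RDRedirector is the
#    "Enable Single Sign On" entry and RDPublishing the "Publishing" entry in
#    Edit Deployment > Certificates. Each role is configured separately.
#    RDWebAccess and RDGateway are left out here because they should get a
#    certificate from a public CA, as the post recommends.
Import-Module RemoteDesktop
foreach ($role in 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPass `
        -ConnectionBroker $broker -Force
}

# 6. Verify: both Connection Broker roles should now report Level = Trusted
#    and the thumbprint of the certificate just enrolled.
Get-RDCertificate -ConnectionBroker $broker |
    Format-Table Role, Level, ExpiresOn, Thumbprint -AutoSize
```

The exported PFX contains the private key of a wildcard certificate, so delete it from C:\certs (or store it in a protected location) once all role services have been configured.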
For the web-facing roles such as "Web Access" and "Gateway", we recommend using a third-party public certificate authority (GoDaddy, StartSSL, etc.), since external clients do not trust your internal CA.
Hope this helps. Let me know if you have any questions.