Disclaimer: This is to the best of my recollection
Our security certificate provider, SSL247, informed me that wildcard security certificates:
- Only cover subdomains one level down, not the root domain.
- Can be installed on unlimited servers (also PCs?), unless they're provided by Symantec (if I recall correctly).
In simple terms, the full resolution was to:
- On the RDS server, open RemoteApp Manager and change the RDG from
internal.domain.com to remote.internal.domain.com.
On the Internet domain domain.com's authoritative name servers, create the DNS Resource Record (RR):
remote.internal.domain.com 3600 IN A <public IP address>
On the router, create firewall and NAT rules to allow and forward port TCP 443 to the RDG server.
- On the RDG server, open IIS Manager and create a Certificate Signing Request (CSR) for
*.internal.domain.com
- Submit the CSR to the trusted, third-party CA and wait for issuance.
- On the RDG server, open IIS Manager, complete the CSR thereby installing the wildcard security certificate, and export the wildcard security certificate with its private key to a PFX file.
- On the RDG server, open RDG Manager and configure the security certificate, Connection Authorization Policies (CAPs), and Resource Authorization Policies (RAPs).
- On the RDS server, open MMC > Certificates and import the PXF file thereby installing the wildcard security certificate.
- On the RDS server, open RDS Host Configuration and reconfigure the connection "RDP-Tcp" changing the security certificate.
In actuality, our resolution was a lot more complicated.
Our original setup was as follows:
- Role RDG installed on server
server-01.internal.domain.com running Windows Server 2012 R2 Essentials.
- Role RDS installed on server
server-02.internal.domain.com running Windows Server 2008 R2 Standard.
Long story short (ask for clarification if required), this setup just did not work. Despite using the domain administrative user account and all settings (RDG, CAPs, RAPs, NPS, etc) being configured as low / open as possible, external RDP failed consistently with the following errors:
Remote Desktop can't connect to the remote computer "server-02.internal.domain.com" for one of these reasons:
1) Your user account is not authorized to access the RD Gateway "remote.internal.domain.com"
2) Your computer is not authorized to access the RD Gateway "remote.internal.domain.com"
3) You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)
Log Name: Microsoft-Windows-TerminalServices-Gateway/Operational
Source: Microsoft-Windows-TerminalServices-Gateway
Date: 2016/06/30 15:47:33
Event ID: 201
Task Category: (2)
Level: Error
Keywords: Audit Failure,(16777216)
User: NETWORK SERVICE
Computer: server-01.internal.domain.com
Description:
The user "%domainAdministrativeUserAccount%", on client computer "%ourPublicIPAddress%", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".
I heavily researched this scenario and these errors and found a fair amount of resources but none resolved the problems.
I had our Network Operations Center (NOC) investigate and they concluded that the problem was caused by the use of Essentials.
I moved the role RDG from server #1 to server #2 (I realise this is nearly pointless), updated the network, and it worked pretty much instantly.
Oh, well. At least it works.
Best Answer
Option 1: On target machine (where you generated the request) open Certificates MMC, select root node, right-click, all tasks -
Automatically Enroll and Retrieve certificatesoption.Option 2: if certificate autoenrollment policy is enabled in Group Policies, run the following command in an elevated command prompt: