RDS 2012 R2 and Remote Desktop Collection: Change “Remote Computer” value

rdsrdwebremote-desktop-services

Somewhere along the line, I went down the rabbit hole trying to avoid a SAN certificate and get away with a single certificate that would cover the RDWeb/Gateway/host of the single-server deployment of Remote Desktop Services/RDWeb/Gateway/Session Host (RDS01)

Now, I have no idea how I changed the Remote Computer parameter to remote.contoso.com, which is the same as the gateway, but cannot be resolved/proxied. **

What's weird is that I'm sure I've fixed this, but after a reboot, it seems to not be persisting.

Looking for canonical ways that this could be changed (Powershell/Registry entr(ies), configuration file(s), etc.) with the end-game being to get it back to "normal": where a simple QuickCollection for Remote Desktop sessions would take the fully-qualified hostname of the Session Host and auto-generate that as the Remote Computer in Remote Desktop shortcut/file on the RDWeb website.

** or its possibly a hairpin NAT issue; not 100% why the single server stack cannot proxy onto itself as that hostname, because I do have split DNS enabled, so you can from another host RDP to remote.contoso.com from within the same network as RDS01. Perhaps it's some loopback safety measure?

Best Answer

This appears to be persisting. ProTip Kids: make notes!

Set-RDSessionCollectionConfiguration –CollectionName <your collection> -CustomRdpProperty “use redirection server name:i:1 `n alternate full address:s:RDS01.corp.contoso.com”

Related Solutions

RDP – Configure Custom SSL Certificate for RDP on Windows Server 2012 and Later

It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.

UPDATE: Here's a generalized Powershell solution that grabs and sets the thumbprint of the first SSL cert in the computer's personal store. If your system has multiple certs, you should add a -Filter option to the gci command to make sure you reference the correct cert. I've left my original answer intact below this for reference.

# get a reference to the config instance
$tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

# grab the thumbprint of the first SSL cert in the computer store
$thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint

# set the new thumbprint value
swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}

In order to get the thumbprint value

Open the properties dialog for your certificate and select the Details tab
Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
Remove all the spaces from the string. You'll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It's not visible in Notepad.
This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or if PowerShell is your thing, you can use this instead:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Note: the certificate must be in the 'Personal' Certificate Store for the Computer account.

Microsoft Remote Desktop Services – Android

I am getting similar issues and here is what I think:

With Server 2008 R2 , you could set the Internet Facing IP as the Remote Session Host (rather than the internal server name which is not being resolved from the internet), but this feature seems to be gone in 2012 R2...

Related Topic