Remote Desktop Gateway server is temporarily unavailable after updating SSL Certificate

Tags: rdweb, remote-desktop-gateway, remote-desktop-services, replace, ssl-certificate

The SSL cert for our RDS Web Gateway expires end of July.

I have already got a replacement SSL for the next year.

However, even though it is the same cert (same subject, no SANs) I get a "Remote Desktop server is temporarily unavailable" error when connecting externally (internal users are fine).

The certificate is correct, is installed fine, with the Private key attached, I have added it to IIS on the Web Gateway server and added to the bindings for SSL (there are no other rogue SSL bindings, I have checked).

I have added it to the SSL settings in RD Manager.

And also added it to the 4 instances in RD Deployment (2x Broker, 1x Web Access, 1x Gateway)

Also added to ISA which handles the auth pass-through and DUO 2FA.

Basically, exactly the same as before. (rolled back RD server from backups to double check all settings).

Can get to the Webpage, new certificate displays correctly, passes through the auth via DUO and loads the applications page fine.

However trying to launch any app brings up a:
“Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable.”

Interestingly, a domain admin CAN connect to the apps, but no standard user can.

To prevent disruption of service, I rolled everything back to the old certificate and it works fine – except on the laptop where I tested the new certificate.
A standard user can now no longer access the applications, but again an admin can. I even tried completely removing the user profile and reloading, and still get the same error – the same user can access it from any other laptop fine.

Another user who launched RD INTERNALLY while I was testing the new cert, now also gets the same error even after the rollback.

So it’s not a profile issue, seems to be something on the individual computer – like the new cert is still in place preventing the application loading – but I’ve been through all certificate stores on the machine and can’t see it added to any store, nor does a “Clear SSL State” work in IE.

I googled lots on the error, and other than checking that the private key is attached (it is) there are lots of examples of the error with no solutions attached.

Any help greatly appreciated.

EDIT:

Going through the rolled back currently working server (with expiring certificate) I noticed that the SSL Certificate part of RD Manager has no certificate installed:
[image: Current RDWeb server]

No idea how this was managed (I inherited this RD server from a previous admin).

The Certificate IS installed in RD Deployment (2x Broker, 1x Web Access, 1x Gateway).

If I try and install the new Certificate ONLY to the Deployment area then it autopopulates the RD Manager above with the new SSL.

What I'm thinking is, because ISA is actually serving the web page and handling auth, the client sees the SSL served by ISA and can access a CA to verify the cert. But when ISA hits the RDWeb server – if it has that cert installed in RD Manager – ISA itself has no access to go and verify with a CA – thus causing the problem.

So – how can I try to add the cert to the Deployment WITHOUT adding it to RD Manager?

Thanks.

Best Answer

After reading much documentation found out what I had done wrong. I had broken everything by manually adding the new Cert to IIS myself on the RDWeb server. No idea why this broke everything.

The correct method apparently is to just add the Certificate to the Deployment Configuration via Server Manager (to each of RDWeb, Gateway, Broker etc) and this auto-populates IIS with the new Certificate.

Once done this way, all was fine.

I still have an issue with clients that had connected when the setup was in fault. Seems to be something in their DUO profile - am working with DUO to resolve, will update with more once I have it.

Thanks.

Edit:

Well, got nowhere with DUO finding what had killed this client, but a rebuild resolved the issue anyway, so definitely something clientside and not related to DUO or the RD Profile.
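The accepted answer's method (set the certificate through the deployment configuration rather than by hand in IIS) can be done and verified from PowerShell on the connection broker. The script below is an added example, not code from the question or the answer; the broker FQDN, PFX path and port are assumptions to adapt.

```powershell
# Added example (not from the original post): apply one PFX to every RDS role
# through the deployment configuration, then confirm each role reports the same
# trusted certificate and that HTTP.sys on the Gateway/RDWeb host serves it.
Import-Module RemoteDesktop

$Broker  = 'rdcb01.corp.example'          # assumed connection broker FQDN
$PfxPath = 'C:\certs\rdgw-renewal.pfx'     # assumed PFX path (must contain the private key)
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# The four certificates shown under Server Manager > Deployment > Certificates.
$Roles = 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing'

foreach ($Role in $Roles) {
    # Set-RDCertificate imports the PFX and updates the role (and IIS binding)
    # for you, which is what manual IIS edits bypass and break.
    Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $PfxPass `
                      -ConnectionBroker $Broker -Force
}

# Verify: every role should now show Level 'Trusted' with one thumbprint.
$Certs = Get-RDCertificate -ConnectionBroker $Broker
$Certs | Format-Table Role, Level, ExpiresOn, Thumbprint -AutoSize

$Thumbprints = $Certs.Thumbprint | Sort-Object -Unique
if ($Thumbprints.Count -ne 1) {
    Write-Warning "Roles are not using a single certificate: $($Thumbprints -join ', ')"
}

# Cross-check on the RD Gateway / RD Web Access server: the 'Certificate Hash'
# HTTP.sys reports for the HTTPS binding must equal the deployment thumbprint,
# otherwise clients still receive the old (or a stray) certificate.
netsh http show sslcert ipport=0.0.0.0:443
```

Run the `netsh` check on the Gateway host itself; a mismatch there points at a leftover manual IIS binding like the one the answer describes.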