Windows – How install SSL certificate for RDS on windows server 2016

remote-desktop-servicessslwindowswindows-server-2012-r2windows-server-2016

I installed windows server 2016 for a small company, so I don't need to have domain controller on this installation and for RDS I only need RD Licensing and RD Session Host roles. But only with that roles theres is no Remote Desktop Gateway which is used in many tutorials to install SSL certificate on terminal server (like here: https://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/).

So to conclude, I just don't have interface of Remote Desktop Gateway to install SSL certificate.

Is there any workaround to deal with it and install SSL cert on my RDS?

Best Answer

Finally I found solution!

First of all, name of the server had to be changed by adding DNS suffix. For example, if you want to connect to the server by srv.example.com address, your server name should be "srv" and DNS suffix "example.com". It can be done in computer properties.
Then setup licensing in "RD Licensing Manager"
Now issue certificate to domain name srv.example.com (i.e. in Let's encrypt)
Convert let's encrypt cert files into windows one via: openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem (Linux command) if you issued certificate with help of acme.sh, you command should look like: openssl pkcs12 -export -out certificate.pfx -inkey yourdomain.com.key -in yourdomain.com.cer -certfile fullchain.cer
Install converted certificate to personal store at the computer level. Not at user level
Then with this command display the thumbprint of the certificate, copy it to a text file or something similar: Get-ChildItem "Cert:\LocalMachine\My"
This is a variable to set the WMI path to the RD Session Host RDP listener (Where the certificate needs to be changed): $PATH = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices)
Finally this is the command to change the active certificate on the RDP listener: Set-WmiInstance -Path $PATH -argument @{SSLCertificateSHA1Hash="thumbprint"} The "thumbprint" above, is the value you noted earlier, just insert it between the ".
Well done! Now you have RDP server with custom SSL cert without installing RD Gateway Credits

Related Solutions

Ssl – Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode

It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.

UPDATE: Here's a generalized Powershell solution that grabs and sets the thumbprint of the first SSL cert in the computer's personal store. If your system has multiple certs, you should add a -Filter option to the gci command to make sure you reference the correct cert. I've left my original answer intact below this for reference.

# get a reference to the config instance
$tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

# grab the thumbprint of the first SSL cert in the computer store
$thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint

# set the new thumbprint value
swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}

In order to get the thumbprint value

Open the properties dialog for your certificate and select the Details tab
Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
Remove all the spaces from the string. You'll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It's not visible in Notepad.
This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or if PowerShell is your thing, you can use this instead:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Note: the certificate must be in the 'Personal' Certificate Store for the Computer account.

RDS, RDWeb, and RemoteApp: How to use public certificate for launching apps on session host

This PowerShell worked: tell the Session Collection to add a alternate address for Session Host connections. This is also what you would do for a Session Host farm with round robin.

Once I ran this, launching apps from RDWeb would give a single prompt that now matches the three settings without warnings:

Publisher: remote.domain.com
Remote computer: remote.domain.com
Gateway server: remote.domain.com

Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:remote.domain.com"

Depending on any other Custom RDP Properties, the above command may be different because you have to include them all in one command with a linefeed between each.

Background Info:

Adding custom RDP settings: http://social.technet.microsoft.com/wiki/contents/articles/15719.adding-custom-rdp-properties-in-windows-server-2012-vdi-rds-environments.aspx

Using this setting for HA: http://microsoftplatform.blogspot.com/2012/04/rd-connection-broker-ha-and-rdp.html

Best Answer

Related Solutions

Ssl – Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode

RDS, RDWeb, and RemoteApp: How to use public certificate for launching apps on session host

Related Topic