Jesse,

Yes, if you'd like for your users not to be prompted with the warning, you will need to set up certificates. Otherwise the RDP session offers the user a computer self-signed certificate that is untrusted and by design alerts the user that this computer could be a security risk.

If possible, make sure your clients are running RDP 8.1. Then ensure your collection is using TLS to verify identity (done in the Session Collection Properties in 2012R2), and to allow connections only from computers with NLA. Then also verify that the cert for your collection is either a wildcard for *.domain or is a UCC cert that includes RDSFARM.domain as the subject name and RDHOST01.domain, RDSHOST02.domain, RDSHOST03.domain as subject alternative names, and that when it is added you check the box for 'allow certificate to be added to the trusted root ca certificate store on the destination computers'.

Nathan Shelby
Director of Systems Engineering – Quote Wizard
<https://quotewizard.com/>
[email protected] / 206-753-2626

Malo Periculosam Libertatem Quam Quietum Servitium

On Wed, Oct 28, 2015 at 2:23 PM, Jesse Rink <[email protected]> wrote:

> Trying to figure out what I’m doing wrong.
>
> I have (3) 2012 R2 RDS Session Host servers
>
> RDSHOST01 – 10.10.10.5
> RDSHOST02 – 10.10.10.6
> RDSHOST03 – 10.10.10.7
>
> …all 3 servers are part of a Server Farm (I think it’s called a Collection on 2012+) with a single RDS Connection Broker responsible for splitting up traffic between the RDS Session Host servers. No RDS Gateway is involved (I do not require external connections to RDS).
>
> I have (3) DNS A records for the following for Round Robin:
>
> Host: RDSFARM with IP 10.10.10.5
> Host: RDSFARM with IP 10.10.10.6
> Host: RDSFARM with IP 10.10.10.7
>
> When I RDP into RDSFARM, I get prompted for credentials. I enter my domain user credentials and receive the usual pop-up message that says, “The identity of the remote computer cannot be verified. Do you want to connect to it anyway?” And it shows my server name on the certificate. I click YES and I get logged in.
>
> Now, logging in to RDSFARM again, the Session Broker will try to send me to a different server, so in that case, I get the “The identity of the remote computer cannot be verified. Do you want to connect to it anyway?” prompt TWICE. The first time it shows one server name, the SECOND time, it will show a different server room. So I know it’s the Session Broker redirection causing the double prompt.
>
> The question is, why am I prompted twice? Do I have to use/setup certificates on my 2012 RDS environment? I am NOT using RD Web, or RD Gateway, so I figured I would be okay, but… I’m unsure.
>
> Jesse Rink
> Source One Technology, Inc.
> HP Partner
> 262 993 2231
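
Added example, not part of the thread and not either poster's code: a PowerShell check of whether one certificate's names cover the farm name and every session host the broker can redirect to, which is the wildcard/UCC condition described in the reply above. The `corp.example` domain, the function names and the three sample certificates are constructed for illustration.

```powershell
# Added example. Domain, certificates and function names are constructed.
function Test-NameCoveredByCert {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$CertNames  # subject CN plus SAN DNS names
    )
    $hostLabels = @($HostName.TrimEnd('.') -split '\.')
    foreach ($name in $CertNames) {
        $certLabels = @($name.TrimEnd('.') -split '\.')
        # A wildcard stands for exactly one label, so label counts must match.
        if ($certLabels.Count -ne $hostLabels.Count) { continue }
        $covered = $true
        for ($i = 0; $i -lt $certLabels.Count; $i++) {
            $isWildcard = ($i -eq 0) -and ($certLabels[$i] -eq '*')
            # -ne on strings is case-insensitive, as DNS names are.
            if (-not $isWildcard -and ($certLabels[$i] -ne $hostLabels[$i])) {
                $covered = $false
                break
            }
        }
        if ($covered) { return $true }
    }
    return $false
}

function Get-UncoveredRdsName {
    param([string[]]$ClientNames, [string[]]$CertNames)
    # Return every name a client would see that the certificate does not cover.
    $ClientNames | Where-Object {
        -not (Test-NameCoveredByCert -HostName $_ -CertNames $CertNames)
    }
}

# The farm name the client dials, plus each host the broker may redirect to.
$clientNames = 'RDSFARM.corp.example', 'RDSHOST01.corp.example',
               'RDSHOST02.corp.example', 'RDSHOST03.corp.example'

$candidates = [ordered]@{
    'single host cert' = @('RDSHOST01.corp.example')
    'UCC/SAN cert'     = $clientNames
    'wildcard cert'    = @('*.corp.example')
}
foreach ($label in $candidates.Keys) {
    $missing = @(Get-UncoveredRdsName -ClientNames $clientNames -CertNames $candidates[$label])
    '{0}: {1} uncovered name(s) {2}' -f $label, $missing.Count, ($missing -join ', ')
}
```

To check an installed certificate instead of the constructed lists, pass its `DnsNameList.Unicode` values (a property Windows PowerShell exposes on items under `Cert:\`) as `-CertNames`.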
