Thanks for the info. A few follow-ups. My clients are HP Thin Clients with Win 7 Embedded, so I don’t think they run RDP 8.1? Can you verify that? Also, I’m curious about the reason why you recommend running RDP 8.1.

The thing is, with the RDS farm from 2008 R2 (which I’m going to retire those boxes), there is NO certificate warning when logging in via RDP. You enter your credentials, but are not prompted for a certificate… With the 2012 R2 RDS farm, I’m getting that certificate error. Did something change in the way 2008 R2 vs 2012 R2 handles that? Or is it that my HP Thin Clients w/ Win7 Embedded don’t have RDP 8.1?

As for getting a certificate, that might not be easy from a 3rd party like GoDaddy or someone else, because the customer’s internal domain name is ceo.com and we don’t OWN that public domain. So the only way to do certs would be to do an internal CA, but the Win 7 Thin Clients WON’T trust those certificates if they’re generated internally because the Win 7 clients are not domain members – ugh. Make sense, or do I need to explain clearer? (hard to explain in email…)

Last… if I –could- get a 3rd party certificate (wildcard or UCC), where is the certificate ‘request’ even generated? Is that done through the RDS tool on 2012 R2? Obviously I can’t get a certificate without the .req file first… (I find RDS 2012 R2 so radically different than pre-2012 and I’m having trouble locating stuff.)

Thank you so much for all your help and answers Nathan.

Jesse Rink
Source One Technology, Inc.
HP Partner
262 993 2231

From: [email protected] [mailto:[email protected]] On Behalf Of Nathan Shelby
Sent: Wednesday, October 28, 2015 5:21 PM
To: [email protected]
Subject: Re: [NTSysADM] Any RDS 2012 gurus here?

Jesse,

Yes, if you'd like your users to not be prompted with a warning, you will need to set up certificates. Otherwise the RDP session offers the user a computer self-signed certificate that is untrusted and by design alerts the user that this computer could be a security risk.

If possible make sure your clients are running RDP 8.1. Then ensure your collection is using TLS to verify identity (done in the Session Collection Properties in 2012 R2), and only allow connections from computers with NLA. Then also verify that the cert for your collection is either a wildcard for *.domain or is a UCC cert that includes RDSFARM.domain as the subject name and RDSHOST01.domain, RDSHOST02.domain, RDSHOST03.domain as subject alternative names, and when added you check the box for 'allow certificate to be added to the trusted root ca certificate store on the destination computers'.

Nathan Shelby
Director of Systems Engineering – Quote Wizard (https://quotewizard.com/)
[email protected] / 206-753-2626
Malo Periculosam Libertatem Quam Quietum Servitium

On Wed, Oct 28, 2015 at 2:23 PM, Jesse Rink <[email protected]> wrote:

Trying to figure out what I’m doing wrong. I have (3) 2012 R2 RDS Session Host servers:

RDSHOST01 – 10.10.10.5
RDSHOST02 – 10.10.10.6
RDSHOST03 – 10.10.10.7

…all 3 servers are part of a Server Farm (I think it’s called a Collection on 2012+) with a single RDS Connection Broker responsible for splitting up traffic between the RDS Session Host servers. No RDS Gateway is involved (I do not require external connections to RDS).

I have (3) DNS A records for the following for Round Robin:

Host: RDSFARM with IP 10.10.10.5
Host: RDSFARM with IP 10.10.10.6
Host: RDSFARM with IP 10.10.10.7

When I RDP into RDSFARM, I get prompted for credentials. I enter my domain user credentials and receive the usual pop-up message that says, “The identity of the remote computer cannot be verified. Do you want to connect to it anyway?” And it shows my server name on the certificate. I click YES and I get logged in.

Now, logging into RDSFARM again, the Session Broker will try to send me to a different server, so in that case, I get the “The identity of the remote computer cannot be verified. Do you want to connect to it anyway?” prompt TWICE. The first time it shows one server name, the SECOND time, it will show a different server room. So I know it’s the Session Broker redirection causing the double prompt.

The question is, why am I prompted twice? Do I have to use/setup certificates on my 2012 RDS environment? I am NOT using RD Web, or RD Gateway, so I figured I would be okay, but… I’m unsure.

Jesse Rink
Source One Technology, Inc.
HP Partner
262 993 2231
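As an added example (not from either poster), the collection settings Nathan describes done in PowerShell on the connection broker: it first checks that the certificate's subject/SAN names cover the farm name and each session host (handling a *.domain wildcard), then sets the collection to the SSL/TLS security layer with NLA required. The broker name, collection name and thumbprint are assumed placeholders; ceo.com is the internal domain the thread mentions.

```powershell
# Added example, not from the thread. Assumes collection 'RDSFARM' on broker
# RDSBROKER01.ceo.com and a UCC/wildcard cert already in LocalMachine\My.
Import-Module RemoteDesktop

$Broker     = 'RDSBROKER01.ceo.com'       # assumed broker FQDN (placeholder)
$Collection = 'RDSFARM'                   # assumed collection name (placeholder)
$Thumbprint = '<THUMBPRINT-PLACEHOLDER>'  # thumbprint of the deployed certificate
# Names the thread says the cert must cover: farm name plus every session host.
$Required   = 'RDSFARM.ceo.com','RDSHOST01.ceo.com','RDSHOST02.ceo.com','RDSHOST03.ceo.com'

# True when $Name is listed in the cert's DNS names, or covered by a *.domain
# entry. A wildcard covers exactly one label: *.ceo.com covers RDSFARM.ceo.com
# but not a.b.ceo.com.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    $n = $Name.ToLowerInvariant()
    foreach ($c in $CertNames) {
        $c = $c.ToLowerInvariant()
        if ($c -eq $n) { return $true }
        if ($c.StartsWith('*.')) {
            $suffix = $c.Substring(1)                     # ".ceo.com"
            if ($n.EndsWith($suffix)) {
                $label = $n.Substring(0, $n.Length - $suffix.Length)
                if ($label -ne '' -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# DnsNameList is PowerShell's view of the Subject Alternative Name DNS entries.
$certNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing = $Required | Where-Object { -not (Test-NameCovered -Name $_ -CertNames $certNames) }
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }

# TLS security layer and NLA-only, the collection settings Nathan describes.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -SecurityLayer SSL -EncryptionLevel High -AuthenticateUsingNLA $true

# Show the resulting security settings for verification.
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Security
```

The name check does not establish trust on the thin clients; a client that does not trust the issuing CA will still warn even when the names match.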
