Jesse,
RDP v8.0 (Server 2012) introduced DTLS support as a requirement, which is why you now get a certificate error on clients that connect to a 2012 or greater RDS Collection. Windows 7 Embedded Standard makes this difficult, as there has not been an RDP 8.x client for embedded systems made available by Microsoft. However, you mentioned these are HP thin clients, so you're in luck! HP released an RDP 8.1 update for Windows Embedded Standard in May 2014!

http://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=vc_139248_1&swEnvOid=4089 - 32 bit
ftp://ftp.hp.com/pub/softpaq/sp65501-66000/sp65849.html - 64 bit documentation
ftp://15.216.110.26/ftp1/pub/softpaq/sp65501-66000/sp65849.exe - 64 bit download (please verify the MD5 checksum of this file against the one in the ftp.hp.com html document!)

As for creating/deploying this certificate: you can create a cert with a SAN using PowerShell and the 'New-SelfSignedCertificate' module on a Windows Server 2012/R2 or Windows 8/8.1 box, ensuring all of the server names are in the certificate.
https://technet.microsoft.com/en-us/library/hh848633.aspx

Then you can use PsExec and the Windows 7 certutil command to import it; make sure you import it to the COMPUTER certificate store and not the user!
https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
https://technet.microsoft.com/en-us/library/cc732443.aspx

But really, if you can domain-join these clients that would be really helpful overall and make the certificate portion a much easier thing :)

Nathan Shelby
Director of Systems Engineering – Quote Wizard <https://quotewizard.com/>
[email protected] / 206-753-2626
Malo Periculosam Libertatem Quam Quietum Servitium

On Thu, Oct 29, 2015 at 1:00 PM, Jesse Rink <[email protected]> wrote:

> Thanks for the info.. a few follow-ups.
>
> My clients are HP Thin Clients with Win 7 Embedded, so I don’t think they
> run RDP 8.1? Can you verify that? Also, I’m curious about the reason why
> you recommend running RDP 8.1.
>
> The thing is, with the RDS Farm from 2008 R2 (which I’m going to retire
> those boxes), there is NO certificate warning when logging in via RDP. You
> enter your credentials, but are not prompted for a certificate… With the
> 2012 R2 RDS farm, I’m getting that certificate error. Did something
> change in the way 2008 R2 vs 2012 R2 handles that? Or is it that my HP
> Thin Clients w/ Win7 Embedded don’t have the RDP 8.1?
>
> As for getting a certificate, that might not be easy from a 3rd party
> place like GoDaddy or someone else, because the customer’s internal domain
> name is ceo.com and we don’t OWN that public domain. So the only way to
> do certs would be to do an internal CA, but the Win 7 Thin Clients WON’T
> trust those certificates if they’re generated internally because the Win 7
> clients are not domain members – ugh. Make sense, or do I need to explain
> clearer? (hard to explain in email…)
>
> Last… if I –could– get a 3rd party certificate (wildcard or UCC), where
> is the certificate ‘request’ even generated? Is that done through the RDS
> tool on 2012 R2? Obviously I can’t get a certificate without the .req file
> first… (I find RDS 2012 R2 so radically different than pre-2012 and
> I’m having trouble locating stuff.)
>
> Thank you so much for all your help and answers, Nathan.
>
> Jesse Rink
> Source One Technology, Inc.
> HP Partner
> 262 993 2231
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Nathan Shelby
> *Sent:* Wednesday, October 28, 2015 5:21 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] Any RDS 2012 gurus here?
>
> Jesse,
>
> Yes, if you'd like for your users to not be prompted with a warning you will
> need to set up certificates. Otherwise the RDP session offers the user a
> computer self-signed certificate that is untrusted and by design alerts the
> user that this computer could be a security risk.
>
> If possible make sure your clients are running RDP 8.1. Then ensure your
> collection is using TLS to verify identity (done in the Session Collection
> Properties in 2012 R2), and only allow connections from computers with NLA.
> Then also verify that the cert for your collection is either a wildcard for
> *.domain or is a UCC cert that includes RDSFARM.domain as the subject name
> and RDSHOST01.domain, RDSHOST02.domain, RDSHOST03.domain as subject
> alternative names, and when added you check the box for 'allow certificate
> to be added to the trusted root CA certificate store on the destination
> computers'.
>
> Nathan Shelby
> Director of Systems Engineering – Quote Wizard <https://quotewizard.com/>
> [email protected] / 206-753-2626
> Malo Periculosam Libertatem Quam Quietum Servitium
>
> On Wed, Oct 28, 2015 at 2:23 PM, Jesse Rink <[email protected]> wrote:
>
> Trying to figure out what I’m doing wrong.
>
> I have (3) 2012 R2 RDS Session Host servers:
> RDSHOST01 – 10.10.10.5
> RDSHOST02 – 10.10.10.6
> RDSHOST03 – 10.10.10.7
>
> …all 3 servers are part of a Server Farm (I think it’s called a Collection
> on 2012+) with a single RDS Connection Broker responsible for splitting up
> traffic between the RDS Session Host servers. No RDS Gateway is involved
> (I do not require external connections to RDS).
>
> I have (3) DNS A records for the following for Round Robin:
> Host: RDSFARM with IP 10.10.10.5
> Host: RDSFARM with IP 10.10.10.6
> Host: RDSFARM with IP 10.10.10.7
>
> When I RDP into RDSFARM, I get prompted for credentials. I enter my
> domain user credentials and receive the usual pop-up message that says,
> “The identity of the remote computer cannot be verified. Do you want to
> connect to it anyway?” And it shows my server name on the certificate. I
> click YES and I get logged in.
>
> Now, logging into RDSFARM again, the Session Broker will try to send me
> to a different server, so in that case, I get the “The identity of the
> remote computer cannot be verified. Do you want to connect to it anyway?”
> prompt TWICE. The first time it shows one server name, the SECOND time, it
> will show a different server name. So I know it’s the Session Broker
> redirection causing the double prompt.
>
> The question is, why am I prompted twice? Do I have to use/set up
> certificates on my 2012 RDS environment? I am NOT using RD Web or RD
> Gateway, so I figured I would be okay, but… I’m unsure.
>
> Jesse Rink
> Source One Technology, Inc.
> HP Partner
> 262 993 2231
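The procedure Nathan outlines (one certificate from New-SelfSignedCertificate carrying the farm name and every session host as SANs, TLS and NLA on the collection, and the public certificate pushed into the COMPUTER store of the non-domain Win7 thin clients with PsExec and certutil), written out as an added PowerShell example. This is not code from the thread or from either poster. The domain ceo.com, the host names and the farm name come from the thread; the broker FQDN, collection name, thin-client names, file paths and the thin-client local admin credential are assumptions. Step 5, binding the certificate to each session host's RDP-Tcp listener, is not spelled out in the thread; it is the usual way to make the session hosts (the names shown in the warning) present the same certificate the broker presents.

```powershell
# Added example, not code from the thread. Issues one self-signed certificate
# covering the farm name and every session host, applies it to the RDS
# deployment, and pushes the public half into the machine Root store of the
# non-domain Win7 thin clients with PsExec + certutil, as Nathan describes.
# Assumed: broker name, collection name, client names, file paths and the
# thin-client local admin credential. Run elevated on the 2012 R2 connection
# broker (needs the RemoteDesktop and PKI modules and psexec.exe on PATH).

$Domain     = 'ceo.com'                          # internal AD domain from the thread
$Broker     = "RDSBROKER.$Domain"                # assumed connection broker FQDN
$Hosts      = 'RDSHOST01', 'RDSHOST02', 'RDSHOST03'
$Farm       = 'RDSFARM'
$Collection = 'Desktops'                         # assumed collection name
$Clients    = 'TC-001', 'TC-002'                 # assumed thin client names

# 1. Every name a client can be redirected to goes into the certificate. The
#    first -DnsName entry becomes the Subject, all entries become SANs.
$DnsNames = @("$Farm.$Domain") + ($Hosts | ForEach-Object { "$_.$Domain" })
$Cert = New-SelfSignedCertificate -DnsName $DnsNames `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Export the PFX (with private key) for the RDS roles and the CER (public
#    key only) for the clients. Nothing but the CER ever leaves the servers.
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX export password'
$PfxPath = 'C:\Certs\rdsfarm.pfx'
$CerPath = 'C:\Certs\rdsfarm.cer'
New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath) | Out-Null
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPass | Out-Null
Export-Certificate    -Cert $Cert -FilePath $CerPath -Type CERT        | Out-Null

# 3. Collection security: TLS so the client can verify server identity, and
#    NLA required (the Security tab of Session Collection Properties).
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -ConnectionBroker $Broker -SecurityLayer SSL -EncryptionLevel High `
    -AuthenticateUsingNLA $true

# 4. Bind the certificate to the broker's redirector role (Deployment
#    Properties > Certificates). Repeat for RDPublishing, RDWebAccess and
#    RDGateway if those roles exist in the deployment.
Set-RDCertificate -Role RDRedirector -ImportPath $PfxPath -Password $PfxPass `
    -ConnectionBroker $Broker -Force

# 5. The warning names the session host, so each host's RDP-Tcp listener has
#    to present this certificate too. Not spelled out in the thread; binding
#    the thumbprint through Win32_TSGeneralSetting is the usual way. The PFX
#    is shipped as bytes because the remote session cannot read the broker's
#    local path (second-hop restriction).
$PfxBytes = [IO.File]::ReadAllBytes($PfxPath)
foreach ($h in $Hosts) {
    Invoke-Command -ComputerName "$h.$Domain" `
        -ArgumentList $PfxBytes, $PfxPass, $Cert.Thumbprint -ScriptBlock {
        param([byte[]]$Bytes, [securestring]$Pass, [string]$Thumb)
        $tmp = Join-Path $env:TEMP 'rdsfarm.pfx'
        [IO.File]::WriteAllBytes($tmp, $Bytes)
        Import-PfxCertificate -FilePath $tmp -Password $Pass `
            -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null
        Remove-Item $tmp
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
        Set-WmiInstance -Path $ts.__PATH `
            -Arguments @{ SSLCertificateSHA1Hash = $Thumb } | Out-Null
    }
}

# 6. Non-domain Win7 thin clients: copy the CER over and add it to the
#    COMPUTER Root store (certutil without -user, run as SYSTEM via PsExec),
#    never the user store. Uses the client's local admin account.
$LocalAdmin = Get-Credential -Message 'Thin client local admin (e.g. .\Administrator)'
$AdminPlain = $LocalAdmin.GetNetworkCredential().Password
foreach ($c in $Clients) {
    net use "\\$c\C$" "/user:$($LocalAdmin.UserName)" $AdminPlain | Out-Null
    Copy-Item -Path $CerPath -Destination "\\$c\C$\Windows\Temp\rdsfarm.cer"
    psexec.exe "\\$c" -u $LocalAdmin.UserName -p $AdminPlain -s `
        certutil -addstore -f Root C:\Windows\Temp\rdsfarm.cer
    net use "\\$c\C$" /delete | Out-Null
}
```

Two caveats a practitioner should weigh before using this as-is. The 2012 R2 build of New-SelfSignedCertificate has no validity-period parameter and issues a one-year certificate, so steps 1 through 6 have to be repeated annually, and every thin client has to receive the new CER each time; an internal CA with its root pushed once to the clients (or, as Nathan says, domain-joining them) avoids that churn. Installing the certificate into the clients' Root store also means that whoever holds rdsfarm.pfx can impersonate any host in the farm to those clients, so keep the PFX off the share and delete it from C:\Certs once the roles are bound. Step 6 puts the local admin password on the PsExec command line, where it is visible in process listings on both ends for the duration of the call; that is the same trade-off as the manual PsExec + certutil approach the thread recommends, and the reason to replace it with a proper management channel once the clients are joined.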
