OlafChristianOlsenSkaug-1193 asked LeilaKong-MSFT commented

Azure WVD doesn't publish correct ssl cert on connection using WVD client

We're trying to deploy a Windows 10 multi session image with VPN to Azure and direct line of sight to both AADDS and to the session hosts, but when we try to connect using the WVD client and published apps the connection gets terminated after the SSL cert is negotiated.
We've tried adding a trusted certificate to the session hosts, but it is not picked up by the service so that it sends the untrusted auto generated certificate no matter what we do. We've even tried deleting the certificate, but it's for some reason auto regenerated.

The documentation and roadmap state that Windows Hello works with WVD as long as it has a direct line of sight to the session host and to AADDS, which it has.

Please clarify how this can be achieved, because we've literally tried everything. And now I'm hoping it's not something super obvious. (Yes we put the cert in the same storage location, and tried short path).

Any help will be very much appreciated!

Current setup:
Azure AD
Azure AD DS
Azure WVD Windows 10 Multi Session Image
Azure VPN (with exposed routes to AADDS and Session Hosts, as well as DNS published to client)

/Olaf

Tags: remote-desktop-services, azure-vpn-gateway, azure-ad-domain-services

This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.

1 Vote

0 Votes
LeilaKong-MSFT answered OlafChristianOlsenSkaug-1193 commented

Hello @OlafChristianOlsenSkaug-1193 ,

What certificate do you add to the session host? What's the exact error message of certificate?
Either an AADDS network or Azure VPN will work for a WVD environment. How did you configure your Azure VPN (with exposed routes to AADDS and Session Hosts, as well as DNS published to client)?


For your reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
https://docs.microsoft.com/en-us/answers/questions/99723/azure-vpn-p2s-failed-azure-auth.html
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems
https://docs.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support


Best regards,
Leila


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


You're not reading what I'm writing.
We have routes to all the endpoints; we DO get a response when pinging the endpoints. We've tried every kind of certificate, but it is then not picked up by the RD Gateway, so the incorrect cert is being picked up.

So simply:
What kind of cert do you expect on the session host? What location is it supposed to be in?


/Olaf

0 Votes

0 Votes
LeilaKong-MSFT answered OlafChristianOlsenSkaug-1193 commented

Hello @OlafChristianOlsenSkaug-1193 ,

I don't quite understand your scenario. We generally use RDS or Azure certificate rather than session host certificate. Is there any error message related to the SSL cert? Based on what we read, this won't work as Kerberos authentication without KDC proxy would require that the clients are joined to the same domain as the session hosts. This is not possible with AAD DS.


I'm checking out the KDC proxy approach now. I'll get back to you when I've tried it.

0 Votes

LeilaKong-MSFT commented

Thanks for your cooperation.

0 Votes

https://docs.microsoft.com/en-us/azure/virtual-desktop/key-distribution-center-proxy
Followed all the steps here. Does the KDC proxy need to be publicly exposed for the RDP client to find it? Or is this a forwarded setting that the session host picks up on? The docs only say that it's "supposed to be" publicly available, so one would have to use a proper public cert. But is this the case here?

Thanks,
Olaf

0 Votes

0 Votes
LeilaKong-MSFT answered LeilaKong-MSFT commented

Hello @OlafChristianOlsenSkaug-1193 ,

1. Yes. It is required to be publicly available and needs a public certificate. This is the case here if you want to set up KDC proxy.
2. We still don't understand why you want to use VPN to connect to WVD? KDC proxy is for customers that use smart cards.
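The two certificate questions in this thread (which certificate the session host's RDP listener actually serves, and whether the KDC proxy's public certificate is one a client will trust) can both be checked from PowerShell. The script below is an added example, not code from either participant or from Microsoft's documentation. It assumes it runs in an elevated PowerShell session on the session host, and `kdcproxy.example.com` is a placeholder for the KDC proxy host name.

```powershell
# Added example, not from this thread. Assumes an elevated PowerShell session on the
# session host; 'kdcproxy.example.com' is a placeholder for your KDC proxy host.

function Get-RdpListenerCertificate {
    # The RDP-Tcp listener records the SHA-1 thumbprint of the certificate it serves in WMI.
    $setting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"
    $thumb = $setting.SSLCertificateSHA1Hash

    # The listener reads from the 'Remote Desktop' store; 'My' is where admins usually import.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

    [pscustomobject]@{
        Thumbprint = $thumb
        FoundIn    = if ($cert) { $cert.PSParentPath } else { '(not in Remote Desktop or My)' }
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        SelfSigned = [bool]($cert -and $cert.Subject -eq $cert.Issuer)   # auto-generated cert
        ChainValid = [bool]($cert -and $cert.Verify())                   # chains to a trusted root
    }
}

function Test-KdcProxyCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate during the handshake only so it can be captured;
        # the trust decision is made explicitly below with X509Chain.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

        # Clients match the host name against the Subject Alternative Name (OID 2.5.29.17);
        # a private-CA certificate for an internal name fails here on an external client even
        # if it chains on the session host.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans   = if ($sanExt) { $sanExt.Format($false) } else { '' }

        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            ChainTrusted    = $trusted
            ChainStatus     = $status
            SubjectAltNames = $sans
            HostNameInSan   = [bool]($sans -match [regex]::Escape($HostName))
        }
    }
    finally {
        $tcp.Dispose()
    }
}

Get-RdpListenerCertificate | Format-List
Test-KdcProxyCertificate -HostName 'kdcproxy.example.com' | Format-List
```

`SelfSigned = True` with `ChainValid = False` on the first object is the auto-generated listener certificate described in the question. For the KDC proxy, `ChainTrusted`, an empty `ChainStatus` and `HostNameInSan = True` together correspond to the "public certificate" requirement in the answer above; run the second check from a client outside the VPN, since that is where the RDP client will evaluate it.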



1: Done
2: We were under the impression that we needed a direct line of sight to the AADDS and SHs. We were also under the impression that Windows Hello for Business exposes itself as a smart card when using Windows Hello for Business since it has no password, like smart cards.

We might be incorrect or misinformed regarding the Windows Hello for Business.

I guess I only have one final question then: will this work in a cloud-only environment using the Windows Remote Desktop app (MSRDC) with published applications and Windows Hello? Or are WVD Multi Session setups only available using an IaaS DC and IaaS RDS Farm?

Olaf

0 Votes

LeilaKong-MSFT commented

Hello @OlafChristianOlsenSkaug-1193 ,

To connect to WVD, no VPN is needed.
You don't need line of sight to AAD DS.
AAD DS is supported for WVD but won't work with Hello for Business.
To connect to WVD using Username & PW, you can just do that without VPN.
For WHfB, it is only supported with certificate trust and needs a CA to issue certs to the devices and also requires an IaaS DC.

Supported authentication methods: https://docs.microsoft.com/en-us/azure/virtual-desktop/authentication

0 Votes

LeilaKong-MSFT commented

And to add, WHfB with WVD only works with hybrid deployments today; cloud-only will be supported in the future.

0 Votes