Question

StephanG asked:

RDS 2019 Gateway - Problem adding certificate - says network problem

Hi everyone,

I am deploying a brand new RDS19 farm at the moment.
But the RDS Gateway does not take my certificate.

Setup
Broker to complete configuration - Account is admin on both servers.
Getting error after some time:
[attached screenshot: 119413-image.png]
But:
System Log on Gateway says - "SSL Certificate Settings created by an admin process for endpoint : 0.0.0.0:443 ."
And the certificate is there!
The certificate is signed by internal PKI. With Servername in CN, and DNS FQDN + external DNS in SubjectAlternateNames.
Firewall says "no drops" - corp and Windows.

I have the same setup with 2012 R2 - and it is working there.

Any hints where to search next?

BR
Stephan

remote-desktop-services
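Before searching further, it helps to confirm what the System Log entry above actually means on the box: which certificate is bound to 0.0.0.0:443, whether its SAN covers both the internal and the external name, and whether the Gateway itself trusts the internal PKI chain. The following script is an added example, not code from the thread; the two host names, the broker name and the internal PKI root names are assumed and must be replaced.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the RD Gateway.
# Both names below are assumed; replace them with the Gateway's internal FQDN and the
# external name clients will use.
$InternalName = 'rdgateway.corp.example.local'
$ExternalName = 'rdgateway.example.com'

# 1. Which certificate is bound to the endpoint the System Log mentions (0.0.0.0:443)?
$thumbprint = $null
foreach ($line in (netsh http show sslcert ipport=0.0.0.0:443)) {
    if ($line -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
        $thumbprint = $Matches[1].ToUpper()
        break
    }
}
if (-not $thumbprint) { Write-Warning 'No HTTPS binding found on 0.0.0.0:443'; return }

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { Write-Warning "Bound thumbprint $thumbprint is not in LocalMachine\My"; return }
"Bound certificate : $($cert.Subject)  [$thumbprint]"
"Valid             : $($cert.NotBefore) -> $($cert.NotAfter)"
"Private key       : $($cert.HasPrivateKey)"

# 2. The Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present for TLS use.
$ekuOids = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
"Server Auth EKU   : $($ekuOids -contains '1.3.6.1.5.5.7.3.1')"

# 3. Do the SAN entries (extension OID 2.5.29.17) cover the internal and the external name?
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText  = if ($sanExt) { $sanExt.Format($true) } else { '' }
$sanNames = [regex]::Matches($sanText, 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
"SAN entries       : $($sanNames -join ', ')"
foreach ($name in @($InternalName, $ExternalName)) {
    # -like treats a '*.example.com' SAN entry as a wildcard and an exact entry as exact
    $covered = @($sanNames | Where-Object { $name -like $_ }).Count -gt 0
    "  $name -> " + $(if ($covered) { 'covered by SAN' } else { 'NOT covered by SAN' })
}

# 4. Does this host itself trust the chain? The Gateway's machine store must hold the
#    internal PKI root and intermediates, otherwise the binding is unusable regardless
#    of what the clients trust. Revocation is skipped here so the check works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Chain trusted     : $trusted"
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}

# 5. What the RDS deployment itself has recorded for the Gateway role. Run from the
#    Broker or any host with the RemoteDesktop module; the broker FQDN is assumed.
# Get-RDCertificate -Role RDGateway -ConnectionBroker 'broker.corp.example.local'
```

If step 4 reports the chain as untrusted on the Gateway, the problem is local trust of the internal PKI, not the RDS wizard; if step 3 shows the external name uncovered, external clients will fail even when the wizard succeeds.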

StephanG answered:

Ok last word from me.

Consider the following when trying this solution:
Using a "Web Application Firewall" can cause problems ;) use NAT instead
If you install the NPS MFA Extension - it will trigger on every authentication at this server - install an extra one -> Uservoice for better scoping: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36157615-control-what-nps-policies-are-forced-for-secondary
Register every NPS server always - If it is an NPS server on Win2019 - you need to add the firewall rules manually.

Working now - I am happy. Now I need to migrate my existing session hosts to this Broker and in-place update them.

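The two operational points in the post above (register every NPS server, and add the RADIUS firewall rules by hand on Windows Server 2019) can be scripted and verified. This is an added example, not the poster's own commands; the domain name and the RADIUS client subnet are assumed values.

```powershell
# Added example, not from the thread. Run elevated on the NPS / RD Gateway server.
# $Domain and $RadiusClients are assumed values; replace them with your own.
$Domain        = 'corp.example.local'
$RadiusClients = @('10.10.0.0/24')      # only the subnets that actually host RADIUS clients

# 1. Register NPS in AD. This puts the computer account into "RAS and IAS Servers",
#    the group that grants the read access to user attributes that RADIUS needs.
netsh ras add registeredserver domain=$Domain server=$env:COMPUTERNAME

Import-Module ActiveDirectory                     # RSAT-AD-PowerShell feature
$me         = Get-ADComputer -Identity $env:COMPUTERNAME
$members    = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Recursive
$registered = @($members | Where-Object { $_.distinguishedName -eq $me.DistinguishedName }).Count -gt 0
"Registered in 'RAS and IAS Servers': $registered"

# 2. RADIUS firewall rules. On Windows Server 2019 the built-in "Network Policy Server"
#    rule group is present but does not pass traffic as shipped, so create explicit
#    inbound UDP rules for the RADIUS ports, scoped to the known client subnets only.
#    (Microsoft's documented alternative is "sc.exe sidtype IAS unrestricted" followed
#    by a restart of the IAS service.)
foreach ($port in 1812, 1813, 1645, 1646) {
    $name = "RADIUS UDP $port (manual)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol UDP `
            -LocalPort $port -RemoteAddress $RadiusClients -Action Allow -Profile Domain | Out-Null
    }
}
Get-NetFirewallRule -DisplayName 'RADIUS UDP * (manual)' |
    Get-NetFirewallPortFilter | Select-Object InstanceID, Protocol, LocalPort

# 3. Confirm the NPS service is up and listening on the RADIUS ports after a restart.
#    Note: if the Azure MFA NPS extension is installed on this host it applies to every
#    RADIUS authentication the host handles, which is why the post recommends a
#    dedicated NPS server for the MFA-protected flow.
Restart-Service -Name IAS
Get-Service -Name IAS | Select-Object Status, StartType
Get-NetUDPEndpoint -LocalPort 1812, 1813 | Select-Object LocalAddress, LocalPort
```

Scoping the rules to `$RadiusClients` instead of "any" keeps the NPS host from accepting RADIUS packets from arbitrary sources; the registration check at the end of step 1 is the same test that matters again after the group hardening described later in the thread.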

StephanG answered:

By the time I wrote it - it finished.
It seems that the Gateway needs to connect to a writeable DC during this phase. I only had a read-only one accessible in the DMZ.
Allowed the traffic temporarily - and done.


StephanG answered:

Well not there yet.

After this I get the error
[attached screenshot: 119327-image.png]
Which is normally a cert issue (like it seems).
So my question - I have an external and internal DNS.
I have an official wildcard for the external - and from my PKI the certificates for the internal.

In my previous deployment I had to replace the internal also with an official wildcard certificate. With my new setup I do not want it anymore as this costs money ;)

Why does the Gateway seem to need an official certificate? It is already trusted by the server.


JiaYou-MSFT answered:

Hi

1. How many RD Gateway servers are in the same environment?

2. What's your RDS architecture?

3. Are you using a wildcard certificate issued by an internal CA?

4. "So my question - I have an external and internal DNS."
Do you mean you have an external name and an internal name for the RD Gateway server?
For example:
internal domain name: RDgateway.mydomain.local
external domain name: rdgateway.mydomain.com

5. "I have an official wildcard for the external - and from my PKI the certificates for the internal."
Are both the internal CA-issued certificate and the public CA-issued certificate wildcard certificates?

6. "Why does the Gateway seem to need an official certificate? It is already trusted by the server."
In general, the RD Gateway server is an entrance for external users; external computers need a certificate issued by a publicly trusted CA, as the document below mentions.

"If you are going to let users to connect externally, and they are not part of your AD domain, you need to deploy certificates from a public CA, such as GoDaddy, Verisign, Entrust, Thawte, or DigiCert."

Using certificates in Remote Desktop Services
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11)


What’s the Difference Between a Public and Private Trust Certificate?
https://www.entrust.com/blog/2019/03/difference-between-a-public-and-private-trust-certificate/

StephanG commented:

1. How many RD Gateway servers are in the same environment?
1

2. What's your RDS architecture? (at the moment it is a PoC for https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg )
1 broker (also web & license server)
1 session
1 gateway

3. Are you using a wildcard certificate issued by an internal CA?
No

4. "So my question - I have an external and internal DNS."
Do you mean you have an external name and an internal name for the RD Gateway server?
For example:
internal domain name: RDgateway.mydomain.local
external domain name: rdgateway.mydomain.com

Yes (although my internal DNS is also routeable)

5. "I have an official wildcard for the external - and from my PKI the certificates for the internal."
Are both the internal CA-issued certificate and the public CA-issued certificate wildcard certificates?
Internal no - external yes

6. "Why does the Gateway seem to need an official certificate? It is already trusted by the server."
In general, the RD Gateway server is an entrance for external users; external computers need a certificate issued by a publicly trusted CA, as the document below mentions.
I have a Web Application Firewall (with the wildcard) in place so there is no direct connection to the Gateway. But I tried it with NAT and the wildcard on the gateway server. Same error message.

"If you are going to let users to connect externally, and they are not part of your AD domain, you need to deploy certificates from a public CA, such as GoDaddy, Verisign, Entrust, Thawte, or DigiCert."
Yes


StephanG commented:

I remembered that even with my old setup - I could not connect with a domain-joined notebook. So I tried my private one.
Another step further.
But the RDS Gateway asks EVERY DC in the domain for authentication - it should use the RODC. My user account is replicated to it.
Or - use the servers in the HQ.

Can I restrict the DC usage of a Gateway? Use in this order - or use only this


StephanG commented:

Seems to work now. It took an extra step that is never mentioned.
You need to register the NPS from the Gateway again - if you performed the mitigation for "printer nightmare".
After removing "Authorized Users" from "Pre-Windows 2000 Compatible Access" - the computer account cannot read the details from the user accounts. So it is needed :)

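Two of the findings in this thread (the DMZ Gateway needing a writable DC, and the Gateway's computer account losing its read access to user objects once the catch-all member was removed from "Pre-Windows 2000 Compatible Access") can be checked from the Gateway itself before a change is made. The script below is an added example and not from the thread; the domain name and the test account are assumed.

```powershell
# Added example, not from the thread. Run on the RD Gateway with RSAT-AD-PowerShell.
# $Domain and $TestUser are assumed; replace them with your domain and a test account.
$Domain   = 'corp.example.local'
$TestUser = 'rds.testuser'
Import-Module ActiveDirectory

# 1. Which DC does the locator hand this host, and where is the nearest writable one?
#    A DMZ Gateway that can only reach an RODC will get the same answer for both
#    only if a writable DC is reachable; the RDS configuration phase needs one.
$any      = Get-ADDomainController -DomainName $Domain -Discover -ForceDiscover
$writable = Get-ADDomainController -DomainName $Domain -Discover -ForceDiscover -Writable
"Located DC       : $($any.HostName) (site $($any.Site))"
"Nearest writable : $($writable.HostName) (site $($writable.Site))"

# 2. Every DC in the domain with its RODC flag, to compare against what the firewall
#    between DMZ and LAN actually permits (nltest /dsgetdc:$Domain shows the same flags).
Get-ADDomainController -Filter * | Select-Object HostName, IsReadOnly, Site, IPv4Address

# 3. For each RODC: which accounts may have their secrets cached there, and which
#    actually are. An account outside the allowed list is always chained to a
#    writable DC, which is what "asks EVERY DC" looks like from the Gateway.
foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed
    $cached  = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts
    "$($rodc.HostName): allowed=[$($allowed.Name -join ', ')] cached=[$($cached.Name -join ', ')]"
}

# 4. The hardening step from the last comment: once the broad member is removed from
#    "Pre-Windows 2000 Compatible Access", the Gateway's computer account must obtain
#    its read on user objects through "RAS and IAS Servers" instead. Show both group
#    memberships and the ACEs on a user object that grant either group access.
$pre2k = Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access'
"Pre-Windows 2000 Compatible Access : $($pre2k.Name -join ', ')"
$ras   = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Recursive
"RAS and IAS Servers                : $($ras.Name -join ', ')"

$user = Get-ADUser -Identity $TestUser
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$acl.Access |
    Where-Object { $_.IdentityReference -match 'RAS and IAS Servers|Pre-Windows 2000' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

If step 4 lists no ACE for "RAS and IAS Servers" on the user object, or the Gateway is missing from that group, re-running the NPS registration (from the Gateway, as the comment says) is the fix rather than re-adding the broad member to "Pre-Windows 2000 Compatible Access".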