Questions about RDS farm certificates and renewal

Jim Admin 20 Reputation points
2024-06-13T12:48:09.84+00:00

Customer has an on-premises RDS farm (three RDS servers and a separate server acting as gateway/connection broker). All Windows Server 2019.

The GoDaddy SSL Certificate is expiring soon, so I'm reviewing their environment to determine the next steps.

The current certificate is assigned and bound in IIS, but when looking in Server Manager > Remote Desktop Services > Collections > Tasks > Deployment Properties > Certificates I see the Role Services are not using the new certificate. They are still all using a certificate that expired in 2022.

Employees remote in from both on their network and off their network (no VPN) using an RDS shortcut.

Their RDS web page (https://workdesk.CENSORED.com/RDweb) is using the current (soon to expire) certificate and working properly.

Using the "Select existing certificate" option, I am unable to assign a current certificate to these Role Services because it requires a PFX file type (no option to change it in drop down).

Questions

A) How are their employees able to remote into the RDS environment with those Role Services using an expired certificate? None of them recall getting the gold banner security warning when connecting.

B) What is the proper way to renew a third party issued SSL Certificate for an RDS farm like this? I was unable to find an official Microsoft guide. Should we be using the "Create new certificate" from the Deployment Properties to generate a CSR, rekey the cert with GoDaddy, then come back and install the cert in Deployment Properties and IIS? Seems like last year someone just renewed the cert in GoDaddy, then installed it in IIS on the GW/CB. I want to ensure we are getting the new certificate installed properly.

Thank you for your time to read through my post and contemplating this issue.


Accepted answer
  1. Karlie Weng 16,091 Reputation points Microsoft Vendor
    2024-06-14T07:06:51.2166667+00:00

    Hello,

    An IIS certificate differs from an RD role certificate; thus, they must be installed in the collection. It is important to note that the PFX format is required.

    a. It is possible to deploy RDS without a certificate, and if an RD gateway is not in use, there is no need for concern, as it is akin to not utilizing SSL authentication.

    For those utilizing a third-party certificate, the optimal approach is to request a new certificate in the required format from the issuing authority.


    If the Answer is helpful, please click "Accept Answer" and upvote it.

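The steps the accepted answer describes (get the current certificate into PFX form and apply it to the RD role services rather than only to the IIS binding), written out as an added PowerShell example; this is not code from the answer or from Microsoft. It assumes the RemoteDesktop module is available on the Connection Broker, that the broker FQDN is `rdsgw.CENSORED.com` (a placeholder), and that the GoDaddy certificate already sits in the Local Machine store with an exportable private key.

```powershell
# Added example, run from an elevated PowerShell session on the RD Connection Broker
# (here the combined Gateway/Broker server). Broker FQDN and PFX path are assumptions.
Import-Module RemoteDesktop

$broker  = 'rdsgw.CENSORED.com'      # assumed FQDN of the connection broker
$dnsName = 'workdesk.CENSORED.com'   # public name used by RDWeb in the question
$pfxPath = 'C:\certs\workdesk.pfx'   # assumed working path for the exported PFX
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Find the newest unexpired certificate for that name in the machine store.
#    This is the same store IIS binds from, so the renewed GoDaddy cert should be here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $dnsName -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No current certificate for $dnsName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; cannot build a PFX' }

# 2. Export to PFX. Deployment Properties only accepts PFX, not CER/CRT.
#    If the key was imported as non-exportable this step fails; in that case
#    obtain a PFX from the CA or re-issue, as the answer recommends.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# 3. Assign the same PFX to all four RD role certificates (the ones that still
#    showed the 2022 certificate in Deployment Properties).
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPass `
        -ConnectionBroker $broker -Force
}

# 4. Verify: every role should now report the new thumbprint and a future expiry.
#    Any role still expiring in the past is one clients will warn about.
Get-RDCertificate -ConnectionBroker $broker |
    Select-Object Role, Level, Subject, Thumbprint, ExpiresOn

# 5. Remove the PFX from disk once applied; it contains the private key.
Remove-Item $pfxPath -Force
```

Re-run step 4 after each renewal; the IIS binding and the four role certificates are tracked separately, so a certificate that is current in IIS says nothing about what the Gateway or Broker present to clients.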

2 additional answers

  1. Jim Admin 20 Reputation points
    2024-06-14T12:40:19.0733333+00:00

    Hello Karlie
    Thank you for your reply.
    It looks like their RDP Shortcut will force external users to go through the gateway.


    Do you think those external users received the gold banner security warning about the certificate and chose to connect anyway?


  2. Jim Admin 20 Reputation points
    2024-06-14T13:33:42.5833333+00:00

    Thank you Karlie
    I just verified that their employees were getting the gold banner security warning when connected to their RDS environment. As you stated, because the Role Services were not using a current certificate.
