Azure WVD doesn't publish correct ssl cert on connection using WVD client

Olaf Christian Olsen Skaug 1 Reputation point
2021-04-27T12:45:56.357+00:00

We're trying to deploy a Windows 10 multi-session image with VPN to Azure and direct line of sight to both AADDS and the session hosts, but when we try to connect using the WVD client and published apps, the connection gets terminated after the SSL cert is negotiated.
We've tried adding a trusted certificate to the session hosts, but it is not picked up by the service, so it sends the untrusted auto-generated certificate no matter what we do. We've even tried deleting the certificate, but for some reason it is automatically regenerated.

The documentation and roadmap state that Windows Hello works with WVD as long as it has a direct line of sight to the session host and to AADDS, which it has.

Please clarify how this can be achieved, because we've literally tried everything. And now I'm hoping it's not something super obvious. (Yes, we put the cert in the same storage location, and tried the short path.)

Any help will be very much appreciated!

Current setup:
Azure AD
Azure AD DS
Azure WVD Windows 10 Multi Session Image
Azure VPN (with exposed routes to AADDS and Session Hosts, as well as DNS published to client)

/Olaf
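A diagnostic an administrator can run on a session host to see which certificate the RDP listener is actually bound to, and whether that certificate chains to a trusted root, as an added example that is not part of the original thread. It uses the `Win32_TSGeneralSetting` WMI class (its `SSLCertificateSHA1Hash` property holds the thumbprint the listener presents) and the `Test-Certificate` cmdlet from the PKI module. It assumes the default listener name `RDP-Tcp` and that the certificate is in either the `LocalMachine\My` or the `LocalMachine\Remote Desktop` store; the function names are this example's own.

```powershell
# Added example, not from the original question or answers.
# Run in an elevated PowerShell session on the WVD session host.

function Get-RdpListenerCertificate {
    param([string]$ListenerName = 'RDP-Tcp')   # assumption: default listener name

    # The listener records the thumbprint of the certificate it presents to clients.
    $setting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='$ListenerName'"
    if (-not $setting) { throw "Listener '$ListenerName' not found" }

    $thumbprint = $setting.SSLCertificateSHA1Hash

    # The auto-generated RDP certificate lives in the 'Remote Desktop' store;
    # a certificate you imported yourself is normally in 'My'.
    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop'
    foreach ($store in $stores) {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumbprint } |
            Select-Object -First 1
        if ($cert) {
            return [pscustomobject]@{
                Listener   = $ListenerName
                Thumbprint = $thumbprint
                Store      = $store
                Certificate = $cert
            }
        }
    }
    throw "Bound thumbprint $thumbprint not found in $($stores -join ', ')"
}

function Test-RdpListenerCertificate {
    param([string]$ListenerName = 'RDP-Tcp')

    $bound = Get-RdpListenerCertificate -ListenerName $ListenerName
    $cert  = $bound.Certificate

    # Test-Certificate builds the chain against this machine's trust store with the
    # SSL policy; the self-signed auto-generated RDP certificate fails this check.
    $chainOk = Test-Certificate -Cert $cert -Policy SSL -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Listener     = $bound.Listener
        Store        = $bound.Store
        Thumbprint   = $bound.Thumbprint
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey = $cert.HasPrivateKey
        ChainTrusted = [bool]$chainOk
    }
}

Test-RdpListenerCertificate | Format-List
```

If the output shows the self-signed certificate from the `Remote Desktop` store rather than the one you imported, the listener was never rebound to your certificate; a certificate that the listener is bound to must also have a private key readable by the account the Remote Desktop service runs under, otherwise Windows falls back to regenerating its own.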


3 answers

  1. Leila Kong 3,706 Reputation points
    2021-04-29T03:28:00.437+00:00

    Hello @Olaf Christian Olsen Skaug ,

    What certificate do you add to the session host? What's the exact error message of certificate?
    Either an AADDS network or Azure VPN will work for a WVD environment. How did you configure your Azure VPN (with exposed routes to AADDS and session hosts, as well as DNS published to the client)?

    For your reference:
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
    https://learn.microsoft.com/en-us/answers/questions/99723/azure-vpn-p2s-failed-azure-auth.html
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems
    https://learn.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support

    Best regards,
    Leila



  2. Leila Kong 3,706 Reputation points
    2021-05-07T09:08:46.507+00:00

    Hello @Olaf Christian Olsen Skaug ,

    I don't quite understand your scenario. We generally use an RDS or Azure certificate rather than a session host certificate. Is there any error message related to the SSL cert? Based on what we read, this won't work, as Kerberos authentication without a KDC proxy would require that the clients are joined to the same domain as the session hosts. This is not possible with AAD DS.


  3. Leila Kong 3,706 Reputation points
    2021-05-13T08:27:36.38+00:00

    Hello @Olaf Christian Olsen Skaug ,

    1. Yes. It is required to be publicly available and needs a public certificate. This is the case if you want to set up a KDC proxy.
    2. We still don't understand why you want to use a VPN to connect to WVD. A KDC proxy is for customers that use smart cards.

