Tuesday, August 17, 2010

Minimum Certificate Requirements for Typical RDS implementation

I see this question a lot on the Microsoft RDS forum:  What certificates do I need to purchase in order to sucessfully implement a typical RDS environment with farms, and RD Web Access and RD Gateway?

Personally, I like to use separate certs for all needs so that the names on the certs all say what these services represent. 

This is my optimal setup:
  • 1 cert per farm name (farm1.ash.local, farm2.ash.local, etc)
  • 1 cert for rd gateway (
  • 1 signing cert (
  • 1 web cert (SAN cert if no hairpin turn in the firewall) (rdweb.ash.local and
And really, certs are like 30 bucks each these days. So it’s not a huge expense.  Still for small businesses, it might still be an expense they wish to forgo. 

So, to set up RD Web Access, RD Connection Broker, RD Session Host server farms and RD Gateway with the least amount of certs: 

Get one cert for each farm name. (reason: you can't use SAN certs for server auth):
  • farm_1.domain.local
  • farm_2.domain.local
  • farm_n.domain.local
Install the pertaining cert to each appropriate farm member (make sure private key is included on each cert on each server). 

The cert you SIGN your remoteapps with needs to be the SAME on EACH farm member in ALL farms (so websso works across farms). 

Get a SAN with to cover all RDWEB names and RD Gateway names and RemoteApp signing:   
  •  rdweb.domain.local (if you use an internal URL),,, 

Install it to RDWEB, RD Gateway and on ALL farm servers in every farm.  Also install it on RD Connection Broker server.  

Configure it as a signing cert in RemoteApp Manager on ALL farm members and also in RD Connection Broker.  (Note, that this cert is only for signing on the farm already have a farm cert for server auth)

Configure it as the RD Gateway server cert in RD Gateway Properties.   

Reboot all servers and test.
This works for me. :)

Other cert info:


  1. Kristin, thanks for this much-needed light on the subject.

    I'm told by Digicert that SAN and wildcard certs are mutually exclusive. You can have either but not both. I'm checking with other CAs, but I'm curious as to who your CA was. I will need to use a 3rd party CA.

    But is there an alternative? Is it sufficient for SSO to have the RDP signing cert installed on all the machines and configured as a signing cert throughout, but not match the FQDN?

  2. My CA is my own. So I can create this type of cert. The big guys probably don't because they can charge for each type (my speculation). So if you are using a public CA, then just get a SAN cert and add all names you need.

  3. Hi Kristin, this blog is really helpful and has helped in understanding the entire setup with certs.

    I only have one doubt:

    You said "you can't use SAN certs for server auth", however, in my environment I am able to use SAN for server auth and it is working without any issues. Is there a particular reason why SAN should not or does not work for server auth?

    I also have another question and if you could please shed some light on it. Could you please explain the flow in which a client gets a certificate and the checks which are carried out. for eg. it is required to have a signing certificate for signing remote apps and connection manager. Why does the client check whether these two places have the same cert?

    Thanks for your help.

  4. Neo, sorry I did not see your post sooner. I would have to take a lok to see why server auth is wokring for you with a SAN cert. So ping me if you wanna get together: kristin.l.griffin AT gmail DOT com.

    I know when I went through it, I had issues. Could be that the first name in your SAN cert is being used for server auth and that works, but if its the second anme it woudl not...I cannot remember off-hand now (it was a while ago that I did that testing). But that is my first guess...

  5. Hi Kristin. I hope you can take the time to answer this.

    I have set up two farms after reading your book "Microsoft Windows Server 2008 Terminal Services Resource Kit" We use Rd Gateway/broker and web access. Hosts are load balanced w. DNS RR.

    When a client has connected it always presents me with the internal host certificate of which ever member the client got redirected to, not the farm name cert.

    Does this mean I need 2+n certs for, AND one (n) for the real hostname of each member server?

    I could of course use RDP encryption between the gateway and farm members, but then SSO wont work. I would really appreciate a confirmation that SAN certs actually works.


  6. Greetings Kristin,

    where is the cert request generated that is sent to the CA? for webservers i could do that from the IIS. Is this the same for RD Web/ RD Gateway and RD Broker.


  7. Thanks for the a very good info.I'm in the process of designing 2008 R2 RDS Farm for 500 users. I'm currently testing to set this up based on the following role placement
    3x RDSH -- Internal network - domain joined ( domain.local)
    1x RD Connection Broker --- Internal network - domain joined ( domain.local)
    2x RD WebAccess and RD Gateway roles on each server -- Internal network - domain joined ( domain.local)
    I'm planning to deploy WebAccess and RD Gateway roles on the same server, but wants to have HA for both WebAccess and RD Gateway. As i only have to open port 443 and i don't see any reason to put the RD Web/Gateway in DMZ.

    Can i achieve HA using two servers with each one having RD Web and RD Gateway roles installed? I'm planning to use NLB, but don't know if i can use this when both roles are installed on each of the two servers? is there any best way to design this? does it really effect the performance?
    I red some where that a minimum of 2 SAN certs are required . one to cover the farm name: domain.local [INTERNAL DOMAIN] and another SAN cert covering rdg,web and app signing. do we really need two certs? can i get away with one SAN cert covering domain.local,,,
    OR 1 cert covering domain.local and and use the for RDG/WEB/APP SIGNING?
    what is the best way to perform load test before going to production? any capacity planning tools? automation tools?testing tools?
    I'll really appreciate your help.
    many thanks

  8. I am attempting to use the RD Gateway to authenticate all clients using CA certificates in addition to the standard username:password. The environment is private with no route to the Internet so, all certificates will be maintained on private PKI. Is it possible to define the certificate location of CAs and/or valid peers?

    We couldn't find this configuration option in the documentation; therefore, are attempting to configure STunnel to front-end the RD Gateway as an SSL bridge. Do you know of another way to enforce authentication of the *client (peer) certificate* to the RD Gateway in addition to the standard authentication using a server-side CA certificate?
    Thank you!

  9. لدينا مميزات في خدمات كشف تسربات التي تقدمها شركة ركن البيت التي تكون متخصصة فيها فتعاملك مع شركة كشف تسربات المياه بالدمام لديها امكانيات جيدة يساعدك علي التخلص من مشاكل التسريب التي توجد لديك بسهولة دون التعرض للخطر حيث نمتلك في شركة كشف تسربات بالدمام الامكانيات والفنين المتميزين الذين يقدمون الخدمة بتميز فاذا كنت فى حيرة من امر التسريب الذي يوجد لديك فعليك ان تعلم ان خدماتنا منتشرة في جميع انحاء المملكة مثل خدمات شركة كشف تسربات المياه بالرياض التي تحل لك المشاكل المتكررة المتعلقة بالتسربات فلا داعى للقلق من الان لانك سوف تملك فني جيد منزلك يحل لك كل مشاكل التسربات و كيفية القيام بهذه الخدمة وتذكر ان الحل الامثل فى شركة كشف تسربات بالرياض ان توفر كل الامكانيات التى تساعدك علي حل مشكلاتك