I was tasked with serving up some software as a RemoteApp for the purposes of bug testing. I set up a DC that also had DNS, ADCS, and RDS to make this happen. I was able to load the RemoteApp on a MacOS client, but when someone tried to connect form Windows 10, it didn't work.

Not only did it just not work, each of the 3 ways to add a RemoteApp provided a different error, with one not even providing any information at all. It turns out this was all due to cert errors, something which Microsoft seems to barely cover anywhere, and all third party help sites have a different idea on how to handle.

The complications I faced are:

1. Domain is private, will not be made public
2. Internally issued enterprise certs are really only useful for domain added computers
3. I do not have access to corporate domain, which users will be VPNing in from
4. Almnost no feasible way to use a public cert internally

The only realistic solution is just to get certificates working enough to allow a win10 connection to this short-term server. Here's how I did it:

• Open IIS console (type IIS in start menu)
• Expand server name
• Double click Server Certificates under IIS in the main menu
• Click Create Certificate Request
• Common name FQDN
• Organization is company name
• Fill in OU, City, State, Country
• Click next
• Change bit length to 2048 (not required, good for "security")
• Specify a name for the .txt file, save it somewhere you'll remember
• Click finish

• Open Certification Authority (type Certification in start menu)
• Click the dropdown for the server you want to add the cert on
• Click action at the top, all tasks, submit new request
• Browse to the cert request .txt file from the above steps, click open
• Click Pending Requests
• Locate the pending request, right click, all tasks, issue

• Open the start menu, type certlm.msc, hit enter
• Navigate to personal, then certificates
• Locate and right click the certificate that was issued earlier
• Right click it, all tasks, export
• Click next, select "Yes, export the private key"
• Ensure ".PFX" file type is selected, click next
• Check password box, enter your password (password is ticket name), click next
• Save in a location you'll remember

• Open Server Manager (type Server Manager in start menu)
• Click Remote Desktop Services
• Under Deployment Overview, select the tasks dropdown, click edit deployment properties
• Click Certificates
• For each one, select the role service, then click "Select existing certificate"
• Select Choose a different certificate, open the .pfx file from earlier, then enter the password
• Click apply

You can now browse to the server's FQDN as https://fqdn/rdweb and, although you will still be prompted with certification warnings, at least you can proceed.

HOME