Missing Advanced Options

What to run a Post-request script in Verison 5.0.12.0
All documentation says to check the box for Show Advanced options.
There is No Checkbox? Did it get moved or just removed in the current version. If so does someone have a download link to an older version of Certify?
Thanks,

Post request scripts can be added in the Deployment tab on the right, Deployment Tasks sub-tab in the center.

Thank you I have been trying to find this all afternoon.
Thanks,

@tshemon thanks, I’ll get https://docs.certifytheweb.com/ updated, which part was wrong?

If I were to make a guess based on my own experiences rather than documentation(sorry, I haven’t read much of it)… I would say that it’s not obvious enough when there are sub-tabs in the center. Not all pages have sub-tabs and visually it’s easy to over look when you don’t know they exist until you enter that page.

I don’t know what control makes the icons on the right to switch views… but if it’s possible to show sub-entries there, to directly jump to those pages, it would be very hard to overlook them existing. If it’s possible but too ugly, maybe have the “advanced” checkbox again to show the ugly version with the sub-page links.

Thanks, yes it’s pretty hard to balance between trying to make options discoverable and not crowd the UI with too much stuff. Deployment Tasks in particular went through many different UI layouts. Ideally no-one would ever have to read the docs (then I wouldn’t have to write any!).

Perhaps we need to have ‘Tasks’ side tab, before or after the Deployment Tab.


" Scripting can be used by checking Show Advanced Options and open the Scripting tab."

Once I was able to find were to add scripting its working great.
Thanks,

So was able to add script for Example: update Remote Desktop Role Certificates#
But when it goes to open powershell get Access is denied.
Tried Running as Administrator and still same.

2020-06-26 12:17:05.374 -05:00 [INF] Run Powershell Script :: powershell.exe: Connecting to remote server SHRSVR.LEC911.LOCAL failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Scripts\RDWebCert.ps1:3 char:1

  • ps64 -args $result -command {

powershell.exe: Connecting to remote server SHRSVR.LEC911.LOCAL failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Scripts\RDWebCert.ps1:3 char:1

  • ps64 -args $result -command {

powershell.exe: Connecting to remote server SHRSVR.LEC911.LOCAL failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Scripts\RDWebCert.ps1:3 char:1

  • ps64 -args $result -command {

powershell.exe: Connecting to remote server SHRSVR.LEC911.LOCAL failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Scripts\RDWebCert.ps1:3 char:1

  • ps64 -args $result -command {
  • 
    

2020-06-26 12:17:05.374 -05:00 [INF] Deployment Tasks did not complete successfully.

Also get
2020-06-26 16:36:56.507 -05:00 [INF] ---- Performing Task [On-Demand or Manual Execution] :: Run Powershell Script ----
2020-06-26 16:36:56.510 -05:00 [INF] Task [Run Powershell Script] :: Task will run for any status
2020-06-26 16:36:56.510 -05:00 [INF] Executing command via PowerShell
2020-06-26 16:37:16.552 -05:00 [ERR] powershell.exe: Empty path name is not legal.
At C:\Scripts\RDWebCert.ps1:3 char:1

  • ps64 -args $result -command {

powershell.exe: Empty path name is not legal.
At C:\Scripts\RDWebCert.ps1:3 char:1

  • ps64 -args $result -command {

powershell.exe: Empty path name is not legal.
At C:\Scripts\RDWebCert.ps1:3 char:1

  • ps64 -args $result -command {

powershell.exe: Empty path name is not legal.
At C:\Scripts\RDWebCert.ps1:3 char:1

  • ps64 -args $result -command {

Get Access Denied if I check the Box
Pass Results as First Argumen
Get Empty path name is not legal if unchecked.

Wrap output using the Preformatted text button in the post toolbar. Or manually add ``` above and below the output. This way the forum software won’t try to interpret it and make it a mess.

Is SHRSVR.LEC911.LOCAL a remote machine or is it the machine that Certify is running from? If it’s actually remote, then getting access denied makes sense because local users on the local machine have no permissions on a remote machine. You’d need to impersonate a domain user or domain machine that does have permission.

As general advice, it’s best to take a step back and read the descriptions a bit more because it will save you time and frustration, happy to take suggested edits though (https://github.com/webprofusion/certify-docs/tree/master/docs)

  • The same paragraph in the docs that points to Scripting under Show Advanced Options explicitly states that’s for older 4.x versions and the sentence before that tells you to look under Deployment. Perhaps the highlighting on the 4.x instructions is throwing you off.
  • The example you used specifically was for older 32-bit clients, which is why it says:
    This example assumes it's starting in a 32-bit instance and switches to the 64-bit powershell to import the 64-bit RemoteDesktop module. V4.x onwards of the app is 64-bit only.

For your script, you need to run as a user who has permissions (the background service runs as Local System, which may not have the required permissions). The Deployment Task has an option for you to specify impersonation credentials. You did mention trying to run as Administrator but I don’t know if you mean in the deployment task itself or just the UI.

I’d suggest the edited version of your script would be:

   param($result)

   $pfxpath = $result.ManagedItem.CertificatePath
   Import-Module RemoteDesktop
   Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDWebAcces -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force

Note that in your case you can just try your script out in powershell by specifying a path to the certificate file to test with:

  
   $pfxpath = "C:\path to a pfx file"
   Import-Module RemoteDesktop
   Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDWebAcces -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force

So did the Edit and get and error right away saying "Set-RDRDCertificate: A Remote Desktop Services deployment does not exist on SHRSVR.LEC911.local. This operation can be performed after creating a deployment. For information about creating a deployment, run “Get-Help New-RDVirtualDesktopDeployment” or “Get-Help New-RDSessionDeployment”.
At C:\Scripts\RDWebCert.ps1:3 char:4

  • Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force"

Ran the Script in power shell pointing to pfx location and everything runs without issues.
I tried to run as Administrator in the Deployment Task.

Very odd that it runs fine in power shell but not when running as a Deployment Task in Certify.
Thanks for Everything very new to Certify.
Thanks,

1 Like

Thanks, I’ll see if I can reproduce this today and get back to you. It seems the powershell context the deployment task is running in can’t see that module for some reason.

Actually it looks like the module is imported OK but it can’t see the RDS config, see also https://stefanos.cloud/blog/kb/rds-error-a-remote-desktop-services-deployment-does-not-exist-in-the-server-pool/

As a workaround you could have the script deployment task output a script (write a new script to a file with all the required file paths set) then use a scheduled task to run that as the user you require. I’ll continue to investigate.

@tshemon can you confirm which version of Windows Server this is running on and whether this was a new install of RDS or is it an existing one (already working) you are trying to apply a cert to.

This is a new Terminal Server. Running on Server 2016.
Thanks,
Tom

So I’ve tested this on Server 2019 (that took a whole day!), the issue is that the background service that runs the powershell scripts is not elevated to Administrator and I don’t think it’s a good idea to change that (if anything we should be running with less permissions). This limitation specifically affects this particular method (powershell) of trying to configure RDS.

In addition I note that only 2019 onwards accepts the certificate Thumbprint as an argument so you are apparently forced to re-import the PFX that’s already present.

Instead, you need to run the script as an elevated powershell command prompt, so the easiest way to do that is have a script that generates the final script, then have that script run as administrator as a scheduled tasks, or manually as part of your regular maintenance window:

Replace the server name for the connection broker and adjust the script as required for your configuration:

param($result)

$output ="

`$connectionBroker = 'EC2AMAZ-NH8VQT5.PROJECTBIDS.CO.UK'

`$pfxpath = '$($result.ManagedItem.CertificatePath)'

Import-Module RemoteDesktop

Import-PfxCertificate -FilePath `$pfxpath -CertStoreLocation Cert:\LocalMachine\My -Exportable

Set-RDCertificate -Role RDPublishing -ImportPath `$pfxpath -Force -ConnectionBroker `$connectionBroker
Set-RDCertificate -Role RDWebAccess -ImportPath `$pfxpath -Force -ConnectionBroker `$connectionBroker
Set-RDCertificate -Role RDGateway -ImportPath `$pfxpath -Force -ConnectionBroker `$connectionBroker
Set-RDCertificate -Role RDRedirector -ImportPath `$pfxpath -Force -ConnectionBroker `$connectionBroker

"

Set-Content -Path "C:\Scripts\RDS_latest.ps1" -Value $output

This then generates another script as output which you can run manually or a scheduled task:



$connectionBroker = 'EC2AMAZ-NH8VQT5.PROJECTBIDS.CO.UK'

$pfxpath = 'C:\ProgramData\Certify\assets\ec2amaz-nh8vqt5.projectbids.co.uk\20200929_38636102.pfx'

Import-Module RemoteDesktop

Import-PfxCertificate -FilePath $pfxpath -CertStoreLocation Cert:\LocalMachine\My -Exportable

Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force -ConnectionBroker $connectionBroker
Set-RDCertificate -Role RDWebAccess -ImportPath $pfxpath -Force -ConnectionBroker $connectionBroker
Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force -ConnectionBroker $connectionBroker
Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force -ConnectionBroker $connectionBroker

Actually using the certificate that Certify acquires for you is generally out of scope for the application, although features like Deployment Tasks do help with deployment they don’t provide a quick solution for every type of deployment. Unfortunately you hit a particularly troublesome example and we should remove reference to the user-submitted example in the docs as clearly there is more to it.

If there is a way to configure RDS via C#/.net without running as Administrator (elevated) instead of powershell perhaps we could provide a dedicated Deployment Task.