RDP web certificate error

After the first renewal of my certificate, RDP still works correctly when connecting directly, and the website also shows the newly generated SSL certificate.

Sadly I can’t connect through RDWeb until I reboot the whole server… Restarting single services didn’t help.
Maybe I just didn’t find the right service. Does someone have an idea?
Info → It’s running on only a single 2019 server, without Gateway! (yes, this works)

Hi, which services did you restart? Did you use a service restart in your script or in a Service Stop/Start/Restart deployment task? I agree it’s quite difficult to automate, as you are generally connected to that service at the same time as trying to automate the cert!

Hey there

Now I’m getting the same problem again, but rebooting doesn’t help.
I verified that the cert in the web browser has the same fingerprint as the cert which is shown…
I also imported it like this:
Import-RDWebClientBrokerCert
but somehow it’s not working.

So I’m not an RDP expert, but here is our built-in deployment task code for RD Gateway (Tasks > Add Deployment Task). Note that if you want to restart services you need to enable that in the task parameters UI, and I would recommend using the Manual trigger type so you can run the task during a maintenance window if it will interrupt other users.

I don’t know if it applies to your version/configuration, and some users prefer to script their own. It works in the 2016 version I tested when developing this script in a simple environment (no other machines involved):

# $result is passed in by the deployment task; $result.ManagedItem holds the renewed certificate's details.
# Service restarts only happen when the task is run with -restartServices (enabled in the task parameters UI).
param($result, [switch] $restartServices = $false)

Import-Module RemoteDesktopServices

# Apply certificate: point the RD Gateway SSL binding at the new certificate's thumbprint
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop

# Optionally restart TSGateway and related services so they pick up the new certificate
if ($restartServices -eq $true)
{
	Restart-Service IAS -Force -ErrorAction Stop
	Restart-Service TSGateway -Force -ErrorAction Stop
	Restart-Service SSTPSvc -Force -ErrorAction Stop
	Write-Host "Services Restarted."
}

In general, if a service is using IIS for its website then by default Certify will take care of the IIS side, but for other things you need to ensure you are applying the new certificate thumbprint etc. to the service.

Sometimes this involves PowerShell, registry settings, WMI or just copying the file somewhere. Usually you then have to restart the service, as you know. For some services this can get extremely complicated/unpredictable, and sometimes the best result is to not apply the new cert until a maintenance window and then do a full reboot, so for instance making it part of your monthly updates etc.

Some of this stems from not knowing the full dependency chain of services, and sometimes it’s because the service was not designed to change its certificate more frequently than about once per year (the old way of doing it before Let’s Encrypt existed), so reboots were normal. If the problem persists (and the built-in Certify deployment task is not right for you) then I would contact Microsoft support to ask them.
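An added check script, not from this thread or from Certify’s own deployment task, that compares the certificate each RDS role is actually using against the renewed certificate’s thumbprint and re-applies it with Set-RDCertificate only where they differ. It assumes a single-server deployment (the connection broker is the local host), that the RemoteDesktop module is available, and that $ExpectedThumbprint is a placeholder you pass in; the RD web client’s separate certificate store (Import-RDWebClientBrokerCert) is not covered here.

```powershell
# Added example (not from the thread): report which RDS roles still use an old
# certificate after renewal and, with -Apply, switch them to the renewed one.
param(
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,   # thumbprint of the renewed cert (placeholder)
    [string] $ConnectionBroker = $env:COMPUTERNAME,          # assumption: single-server setup, broker is this host
    [switch] $Apply                                          # without -Apply the script only reports
)

Import-Module RemoteDesktop -ErrorAction Stop

# Normalise the thumbprint: Get-RDCertificate returns upper-case hex with no spaces or colons.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# The renewed cert must be in the machine store with its private key, or RDS cannot use it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $expected }
if (-not $cert) { throw "Certificate $expected not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $expected has no private key" }

# Roles an RDS deployment can carry; a role that is not deployed (e.g. no Gateway) is skipped.
$roles = 'RDWebAccess', 'RDPublishing', 'RDRedirector', 'RDGateway'
$mismatched = @()
foreach ($role in $roles) {
    $current = Get-RDCertificate -Role $role -ConnectionBroker $ConnectionBroker -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        Write-Host ("{0}: not deployed, skipping" -f $role)
        continue
    }
    if ($current.Thumbprint -ne $expected) {
        $mismatched += $role
        Write-Host ("{0}: uses {1}, expected {2}" -f $role, $current.Thumbprint, $expected)
    } else {
        Write-Host ("{0}: OK" -f $role)
    }
}

if ($mismatched.Count -eq 0) { Write-Host "All deployed roles already use the renewed certificate."; return }
if (-not $Apply) { Write-Host ("Re-run with -Apply to update: {0}" -f ($mismatched -join ', ')); return }

# Apply only to the roles that are out of date; -Force suppresses the confirmation prompt.
foreach ($role in $mismatched) {
    Set-RDCertificate -Role $role -Thumbprint $expected -ConnectionBroker $ConnectionBroker -Force -ErrorAction Stop
    Write-Host ("{0}: updated to {1}" -f $role, $expected)
}
```

Run it once without -Apply after each renewal to see whether the web access or publishing role is still bound to the previous certificate, which is the state the thread describes before a reboot.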