RDS not updating the Broker, Web, Gateway with scripts

Hi Forum,

like many here I am struggling with getting the certificate to get the SSL certificate to update in the Broker, Web and Gateway services on my single RDS server. The process works great for the IIS part, no issues there.

I have used the script that others are using, and this shows as having run successfully in the CertifyTheWeb logs, but even after a restart of the services, the certificate still hasn’t updated against those services in the RDS Deployment → Certificates section

UpdateRDSwithPFX.ps1

param($result)

set-alias ps64 "$env:C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"

ps64 -args $result -command {

   $result = $args[0]

   $pfxpath = $result.ManagedItem.CertificatePath

   Import-Module RemoteDesktop

   Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force

   Set-RDCertificate -Role RDWebAcces -ImportPath $pfxpath -Force

   Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force

   Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force

Log

2021-09-15 09:36:52.419 +01:00 [INF] Task [UpdateRDSWithPFX] :: Task is enabled and primary request was successful.
2021-09-15 09:36:52.437 +01:00 [INF] Executing command via PowerShell
2021-09-15 09:37:28.999 +01:00 [INF] Waiting for powershell to complete..5s
Waiting for powershell to complete..10s
Waiting for powershell to complete..15s
Waiting for powershell to complete..20s
Waiting for powershell to complete..25s
Waiting for powershell to complete..30s
Waiting for powershell to complete..35s
Powershell Task Completed.
2021-09-15 09:37:28.999 +01:00 [INF] UpdateRDSWithPFX :: Task Completed OK
2021-09-15 09:37:29.000 +01:00 [INF] Request completed

In the Tasks section of CertifyThe Web, I have chosen

Task Type: “Run Powershell Script”
Trigger: Run on Success
Auhtentication: Local (as current service user)
Program/Script: c:\scripts\UpdateRDSwithPFX.ps1
Pass result as First Arg: Ticked
Impersonation: Network
Arguements: nil
Script Timout: nil

When I renew the certificate I end up with a valid cert from today at https://rds.mycompany but none of the others have updated despite the ‘success’ of the Task

Can anyone who has this working share their secret sauce to get this working?

Thanks

Mike

I’m not an Remote Dekstop services expert, but is there any chance you need to specify the connection broker like in this example: Install SSL Certificate for RDS Deployment using PowerShell - MSNOOB

Different configurations will vary but the best way to start is to script it yourself, pointing to the current certificate path (which you can find under Certificate > Advanced> Actions - Current Certificate PFX path. After you have a working script you can adapt it to be a task.

You don’t need the ps64 wrapper stuff, that’s old and I think it depends on what version of windows server you are on as whether you need to be using the RemoteDesktop powershell module or RemoteDesktopServices

Since the process runs as Local System it does need to be able to run as that user, and on the local machine (scripting something on a remote machine that doesn’t know about the new certificate won’t work).

So it’ll be more like:

param($result)

   $result = $args[0]

   $pfxpath = $result.ManagedItem.CertificatePath

   Import-Module RemoteDesktop

   Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force -ConnectionBroker something.might.be.required.com

   Set-RDCertificate -Role RDWebAcces -ImportPath $pfxpath -Force -ConnectionBroker something.might.be.required.com

   Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force -ConnectionBroker something.might.be.required.com

   Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force -ConnectionBroker something.might.be.required.com

If you find the script can’t run as Local System you can try impersonation settings.

Cheers for that. I might spin up a RDS in Azure and have a play there instead of on this live server. Will try with an amended script and report back.

Cheers

So, turns out I’m an idiot.

The Server Manager GUI doesn’t (or didn’t) show the certificates had updated when the script ran, but querying from powershell with

Get-RDCertificate -Role RDWebAccess

shows the certificate to be current. When I closed Server Manager entirely and relaunched, sure enough there are the latest certs with correct expiry date.

Thanks

Mike

1 Like