RDS not updating the Broker, Web, Gateway with scripts

McMike · September 15, 2021, 9:40am

Hi Forum,

like many here I am struggling with getting the certificate to get the SSL certificate to update in the Broker, Web and Gateway services on my single RDS server. The process works great for the IIS part, no issues there.

I have used the script that others are using, and this shows as having run successfully in the CertifyTheWeb logs, but even after a restart of the services, the certificate still hasn’t updated against those services in the RDS Deployment → Certificates section

UpdateRDSwithPFX.ps1

param($result)

set-alias ps64 "$env:C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"

ps64 -args $result -command {

   $result = $args[0]

   $pfxpath = $result.ManagedItem.CertificatePath

   Import-Module RemoteDesktop

   Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force

   Set-RDCertificate -Role RDWebAcces -ImportPath $pfxpath -Force

   Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force

   Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force

Log

2021-09-15 09:36:52.419 +01:00 [INF] Task [UpdateRDSWithPFX] :: Task is enabled and primary request was successful.
2021-09-15 09:36:52.437 +01:00 [INF] Executing command via PowerShell
2021-09-15 09:37:28.999 +01:00 [INF] Waiting for powershell to complete..5s
Waiting for powershell to complete..10s
Waiting for powershell to complete..15s
Waiting for powershell to complete..20s
Waiting for powershell to complete..25s
Waiting for powershell to complete..30s
Waiting for powershell to complete..35s
Powershell Task Completed.
2021-09-15 09:37:28.999 +01:00 [INF] UpdateRDSWithPFX :: Task Completed OK
2021-09-15 09:37:29.000 +01:00 [INF] Request completed

In the Tasks section of CertifyThe Web, I have chosen

Task Type: “Run Powershell Script”
Trigger: Run on Success
Auhtentication: Local (as current service user)
Program/Script: c:\scripts\UpdateRDSwithPFX.ps1
Pass result as First Arg: Ticked
Impersonation: Network
Arguements: nil
Script Timout: nil

When I renew the certificate I end up with a valid cert from today at https://rds.mycompany but none of the others have updated despite the ‘success’ of the Task

Can anyone who has this working share their secret sauce to get this working?

Thanks

Mike

webprofusion · September 15, 2021, 10:45am

I’m not an Remote Dekstop services expert, but is there any chance you need to specify the connection broker like in this example: https://www.msnoob.com/install-ssl-certificate-for-rds-deployment-using-powershell.html

Different configurations will vary but the best way to start is to script it yourself, pointing to the current certificate path (which you can find under Certificate > Advanced> Actions - Current Certificate PFX path. After you have a working script you can adapt it to be a task.

You don’t need the ps64 wrapper stuff, that’s old and I think it depends on what version of windows server you are on as whether you need to be using the RemoteDesktop powershell module or RemoteDesktopServices

Since the process runs as Local System it does need to be able to run as that user, and on the local machine (scripting something on a remote machine that doesn’t know about the new certificate won’t work).

So it’ll be more like:

param($result)

   $result = $args[0]

   $pfxpath = $result.ManagedItem.CertificatePath

   Import-Module RemoteDesktop

   Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force -ConnectionBroker something.might.be.required.com

   Set-RDCertificate -Role RDWebAcces -ImportPath $pfxpath -Force -ConnectionBroker something.might.be.required.com

   Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force -ConnectionBroker something.might.be.required.com

   Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force -ConnectionBroker something.might.be.required.com

If you find the script can’t run as Local System you can try impersonation settings.

McMike · September 15, 2021, 2:47pm

Cheers for that. I might spin up a RDS in Azure and have a play there instead of on this live server. Will try with an amended script and report back.

Cheers

McMike · September 16, 2021, 10:22am

So, turns out I’m an idiot.

The Server Manager GUI doesn’t (or didn’t) show the certificates had updated when the script ran, but querying from powershell with

Get-RDCertificate -Role RDWebAccess

shows the certificate to be current. When I closed Server Manager entirely and relaunched, sure enough there are the latest certs with correct expiry date.

Thanks

Mike

endeler · April 29, 2022, 2:07pm

Thanks a lot for the script. I added that to my configuration, but at the time of running it leads to an error:

Powershell Task Completed.
Error: Invoke-Command: Object reference not set to an instance of an object.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Certificate.psm1:389 char:5
+     Invoke-Command -Session $M3PSession -ArgumentList @($params)`
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Invoke-Command: Object reference not set to an instance of an object.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Certificate.psm1:389 char:5
+     Invoke-Command -Session $M3PSession -ArgumentList @($params)`
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Invoke-Command: Object reference not set to an instance of an object.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Certificate.psm1:389 char:5
+     Invoke-Command -Session $M3PSession -ArgumentList @($params)`
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Invoke-Command: Object reference not set to an instance of an object.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Certificate.psm1:389 char:5
+     Invoke-Command -Session $M3PSession -ArgumentList @($params)`
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-04-29 15:18:49.697 +02:00 [INF] Deployment Tasks did not complete successfully.

That’s my task configuration:
Task Type: “Run Powershell Script”
Trigger: Run on Success
Auhtentication: Local (as current service user)
Program/Script: c:\scripts\InstallPfx.ps1
Pass result as First Arg: checked
Impersonation Logon Type: Network
Arguments: empty
Script Timeout: empty
Launch New Process: unchecked

Does anyone have a clue what could be the cause of this? The certificate has been created though. Please let me know if you need any further information. Thanks for any hint!

Cheers
Andreas

webprofusion · May 2, 2022, 2:23am

Hi Andreas I think you’d have to look at the source of C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\Certificate.psm1 (line 389) to figure out what value is null that shouldn’t be and work back from there.

endeler · May 2, 2022, 9:08am

Thanks for your reply. I assume that the script could not open a session and therefore did not get an object back. What I tried (I could swear I tried that before though…) is to use Authentication type “Local (as specific user)” and provided the Administrators credentials. Now the script runs Thank you for pointing me into the right direction. Have a great day!