Scripting and RDS

maniac1972 · May 20, 2021, 2:11pm

Hi,
i got the program now working on my RDS 2016
ive added the scripts
“Deploy to RDP Listener Service”
“Deploy to RDP Gateway Service”
“Deploy to Generic Server”

We have a farm
First Server ist RDGateway, Connection Broker
Second and third are App Servers

In IIS the certificate already assigned, but when i go the the config of my RDS, no certs assigned
HowTo? assign the cert to all roles?

HowTo set the cert to my both app servers?

im not so familar with PS, so i need a little bit of help

So any script to automate assigning the cert to all my roles and servers?

regards
Markus

maniac1972 · May 21, 2021, 7:07am

im debugging the RDSGatewayServices.ps1 script and got errors
PS C:\Windows\system32> Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop
Set-Item : Der Parameter “Value” darf nicht NULL sein.
In Zeile:1 Zeichen:1

Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $r …

  + CategoryInfo          : InvalidArgument: (RDS:\GatewaySer...cate\Thumbprint:String) [Set-Item], ParameterBindingException
  + FullyQualifiedErrorId : MissingArgument,Microsoft.PowerShell.Commands.SetItemCommand

webprofusion · May 22, 2021, 4:53am

Hi, as you know we do provide a basic script for RDS Gateway:

github.com

webprofusion/certify-plugins/blob/master/src/DeploymentTasks/Core/Providers/Assets/RDPGatewayServices.ps1

# This is an example script and it will be overwritten when the next update is installed. 
# To use this script copy it to another location and modify as required

# Enable certificate for RDP Gateway
# For more script info see https://docs.certifytheweb.com/docs/script-hooks.html

param($result, [switch] $restartServices = $false)

Import-Module RemoteDesktopServices

# Apply certificate
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop

# Optionally restart TSGateway and related service

if ($restartServices -eq $true)
{

	Restart-Service IAS -Force -ErrorAction Stop
	Restart-Service TSGateway -Force -ErrorAction Stop

This file has been truncated. show original

The key thing with testing it outside of the app is that it expects a $result parameter which is a special result object passed by Certify which contains things like the status of the certificates request, the new certificate thumbprint value and the path to the PFX file (if required).

More details on scripting support can be found here: https://docs.certifytheweb.com/docs/script-hooks

The main job of Certify is to request and renew certificates, how you then choose to apply the certificate will depend a lot on your configuration and requirements. We don’t currently operate multi server RDP systems for the purposes of testing these scripts and there are thousands of different possible service you could deploy your certificate to, RDP being one category.

So we do rely on users to provide their own experience and expertise with regards to the services they are trying to deploy to. Our example script is just a basic example talking to a local service and you may find there is a much better way to do it for the type of deployment you require.

You should have a look through this forum and any others elsewhere to see if there is a script others are using and if you find a something it would be great if you could post here for others to benefit from. There may be relevant scripts you can re-use from other tools like win-acme, Posh-ACME etc.

The best place to look is of course the microsoft documentation site and if necessary contact microsoft support to find out exactly how certificate deployment can be scripted.

webprofusion · May 22, 2021, 4:54am

p.s. make sure you are running the latest version (5.4.2) of Certify, 5.4.0-5.4.1 had a bug where certain newly added managed certificates weren’t deployed to the local certificate store properly, which could affect other scripting.