Purchasing and Installing a Trusted SSL Certificate to use for RDGW & RDSH

Below are general steps to purchase/install a Trusted SSL Certificate for use with Remote Desktop Gateway (RDGW) and Remote Desktop Session Host (RDSH) that are installed on the same/single server in workgroup mode.  We created this based on using a Trusted SSL Cert from GoDaddy.  Our clients can ask for a more detailed tutorial of this process too.

1. Assumes you have already installed the RDSH and RDGW roles on the remote Windows Server.

2. You need the subdomain/URL/domain name that you will purchase the SSL cert for to resolve to the IP address of the server.  In this example, we want “RDP.widgets.com” to point to the IP address of the server, xxx.xxx.xxx.xxx. You already own the domain name widgets.com (which can be any domain name you own through a registrar like GoDaddy).

Go to the parent domain name in GoDaddy, click on Manage DNS, go to zone file section and click “add record”.  Add “A (Host)” record type and add “RDP” (or whatever you are using in front of the domain name) which will make it be “RDP.widgets.com” and the IP address of the remote server.  Click ok/save and after a few minutes you will be able to ping the full name/url and it should return the IP address of the remote server.

We have tried to use Let’s Encrypt (free certs expiring every 60 days) but found it difficult to use with Windows IIS at the time.

3. Create Certificate Request on the remote Windows Server using IIS Manager

Open IIS Manager on remote Windows Server, in the left side pane under connections, click on your server name.  In the middle window, double-click “server certificates” icon which will open the server certificates screen showing your currently used self-signed cert.  In the far right screen under actions, click “create certificate request”.

Fill out the appropriate fields, including Common name (use the exact name of the URL you are requesting the SSL cert for – i.e. “RDP.widgets.com”), Organization and Organizational unit (could be your legal name), State (should be spelled out and not abbreviated), and Country (can be US).  We recommend changing the bit length to 2048 for a stronger key.  Create a filename for the CSR (CSR = certificate signing request), which will be saved in c:\windows\system32 unless you specify the full path in the filename field.

4. Purchase SSL Cert at GoDaddy by inputting CSR info

Go back into your GoDaddy account. Purchase an SSL cert (we chose the DV type in this example) at GoDaddy ($79.99/yr, although you may be able to find a discount code for year 1).  After purchase, go back into your GoDaddy account to the SSL cert and press “setup”.

Click on New Certificate, then choose “Input a CSR” (you will use the CSR you generated on the remote server via IIS Manager).  Do not select “Domain hosted with GoDaddy”.  In the domain/URL field, type the name you want the SSL cert to be issued for, for example “RDP.widgets.com”.

Copy in the CSR text from the file you created on the remote server, using the entire text including “—-BEG…—- and —-END…—-” characters.  Select the default GoDaddy SSL algorithm.

You will see the SSL Cert fields change to pending verification and you will have to wait approximately 20 minutes for it to change to ready/certificate issued.

5. Download SSL Cert from GoDaddy and copy it to remote server and install it in IIS Manager

Click download, choose IIS (Windows) and it will download the .zip file with certificate.  Copy this .zip file to the remote server and extract it.

Go back into remote Windows Server, IIS manager, the server certificates icon/section and click on “complete certificate request” under actions.

Attach the security cert from the GoDaddy zip file and create a friendly name (the friendly name is just to identify the certificate).  You can put it in the personal store.  For our example, we were able to skip doing anything with the intermediate cert and only had to attach the actual security cert.  In order to attach the security cert, we had to change the file type selection dropdown to show all files. Press OK and exit IIS Manager.  Make sure you keep track of the SSL cert expiration date so you renew/reinstall prior to that date; otherwise you will be locked out of the remote server.

6. Modify settings on remote Windows Server in RD Gateway Manager to use new SSL cert

Open Remote Desktop Gateway Manager, then properties and the SSL Cert tab.  Click on existing cert from personal store and select your new SSL cert.  Press Import, which will restart Gateway services and your current connection will be disconnected.  You will then have to connect with the new url/ssl cert name in your local RDP connection client. 

Go back to your local RDP connection client (shortcut on desktop if you created that previously) and change the computer name field (general tab) and the gateway name (advanced tab) from the IP address to the URL/SSL cert name/FQDN you created – for example, “RDP.widgets.com”.

7. Modify setting on remote Windows Server for RD Session Host to use new SSL cert (if needed)

If you see the warning that the certificate name doesn’t match and isn’t from a trusted CA, it is because the new GoDaddy cert isn’t being used for the RDSH (it is being used for RDGW but not RDSH, even though they are both on the same server) and the self-signed cert is still being used for the RDSH.  This seems to almost always happen in our experience.    (Note: this warning is different from the “unknown publisher” warning you may see because you are using a custom RDP connection file shortcut…for the “unknown publisher” warning you can click “don’t ask me again…” if you don’t want to see that message again.)

To fix this, use PowerShell (run as admin) and the lines below to change the certificate used for RDSH (NOT GW) to the GoDaddy SSL cert you purchased.  Type each line separately, exactly as shown, except that the thumbprint in line 3 has to be filled in after line 1 has run (line 1 lists the certificates in the store along with their thumbprints; copy the thumbprint of the new SSL cert and paste it into line 3 between the quotes).

# Line 1: list the certificates in the machine's personal store and note the Thumbprint of the new GoDaddy cert
Get-ChildItem "Cert:\LocalMachine\My"

# Line 2: get the WMI path of the RDP-Tcp listener settings (straight quotes only; smart quotes break PowerShell)
$PATH = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-Tcp'").__PATH

# Line 3: bind the certificate to the listener (paste the thumbprint from line 1 between the quotes, with no spaces)
Set-WmiInstance -Path $PATH -Arguments @{SSLCertificateSHA1Hash="ENTER-THUMBPRINT-HERE"}

Next try to connect again and you should not see the Certificate error message anymore.
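As an added example (not code from the original post), the same binding done by certificate name rather than by hand-copied thumbprint, with the checks a practitioner would want before touching the listener: the cert must have a private key, must not be expired, and must chain to a trusted root (the "not from a trusted CA" warning above is exactly what a bad chain produces). "RDP.widgets.com" is the post's example name; run it elevated on the RDSH/RDGW server.

```powershell
# Added example: bind the purchased certificate to the RD Session Host listener by DNS
# name, after verifying it is usable. Uses Windows PowerShell 5.1 cmdlets (Get-WmiObject),
# which is what ships on Windows Server 2016/2019.
param(
    [string]$DnsName = 'RDP.widgets.com'   # name the clients connect to (assumed, from the post)
)

# Candidates: certs with a private key whose subject CN or SAN matches the name.
$candidates = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.Subject -like "CN=$DnsName*" -or $_.DnsNameList.Unicode -contains $DnsName)
    } |
    Sort-Object -Property NotAfter -Descending

if (-not $candidates) {
    throw "No certificate with a private key for '$DnsName' in Cert:\LocalMachine\My. Complete the certificate request in IIS Manager first."
}
$cert = $candidates[0]   # newest expiry wins, so a renewed cert is picked up automatically

# Sanity checks: an expired or untrusted cert locks clients out with the same warning.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); renew it before binding."
}
if (-not $cert.Verify()) {
    throw "Certificate $($cert.Thumbprint) does not chain to a trusted root on this server (intermediate cert missing?)."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); schedule the renewal now."
}

# Bind to the RDP-Tcp listener through the same WMI class the post uses.
$wmi = @{ Class = 'Win32_TSGeneralSetting'; Namespace = 'root\cimv2\terminalservices'; Filter = "TerminalName='RDP-Tcp'" }
$listener = Get-WmiObject @wmi
$null = Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# Verify by reading the setting back instead of trusting the call succeeded.
$current = (Get-WmiObject @wmi).SSLCertificateSHA1Hash
if ($current -ne $cert.Thumbprint) {
    throw "Listener still reports thumbprint $current; expected $($cert.Thumbprint)."
}
Write-Output "RDSH listener now uses '$($cert.Subject)' (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))."
```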

Lastly, some clients have noted that they had to enter username as SERVERNAME\username when connecting via rdp connection client, so if you are still having issues, try that method in the rdp file too.

RD Gateway Role in RDS

Update: see more detailed post on how to install the RD Gateway Role on Windows Server 2019/2016 here:  http://www.riptidehosting.com/blog/installing-the-remote-desktop-gateway-role-rdgw-on-windows-server-2019/


Using the Remote Desktop Gateway Role (RDGW) provides additional security by forcing RDP traffic over https/port 443 (requires SSL certificate) instead of port 3389.

General steps to install the RDGW role on Windows Server 2016: (we have a more detailed post on this too)

  • Install RDGW role which will also install IIS
  • In RD Gateway Manager, create CAP and RAP policies for who can login to the gateway and what resources they can access.
  • For initial testing/deployment, you can create a self-signed certificate and put the server’s IP address in the name field. Using a self-signed certificate will require you to install the certificate on each client device. Using an SSL cert issued by a certificate authority is preferred (and can only be issued for a domain name, not an IP address).
  • Confirm that all items in the RD Gateway Manager have green checkmarks.
  • From the RD Connection Client on your local PC, go to more options, advanced tab, enter gateway settings before connecting.
  • Turn off port 3389 to the outside on the Windows Firewall on the server to force traffic to use port 443.
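The last two bullets as an added example (not the post's own code): confirm the gateway is actually listening on 443 before closing the direct RDP path, then add a firewall block rule for TCP 3389. It assumes RDGW and RDSH are on the same server, so the gateway's own connection to the session host stays on loopback, which Windows Firewall does not filter. Run elevated.

```powershell
# Added example: force RDP through the gateway by blocking direct TCP 3389 inbound,
# only after checking that the gateway path (TCP 443) is up.
$ruleName = 'Block direct RDP 3389 from outside'   # rule name chosen for this example

# 1. Refuse to close 3389 unless the RD Gateway service is running and 443 is listening.
$gw = Get-Service -Name TSGateway -ErrorAction Stop
$listening443 = Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue
if ($gw.Status -ne 'Running' -or -not $listening443) {
    throw "RD Gateway service is '$($gw.Status)', 443 listener present: $([bool]$listening443). Fix the gateway before blocking 3389."
}

# 2. Add (or re-enable) a block rule. Block rules win over allow rules, so the built-in
#    "Remote Desktop" allow rules can stay. Narrow to -Profile Public instead of Any if a
#    LAN still needs direct RDP to this server.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -Profile Any -Action Block | Out-Null
} else {
    Enable-NetFirewallRule -DisplayName $ruleName
}

# 3. Report the effective state so the change can be verified from the gateway session.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
```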


Logging off users on Windows Server 2016 with Remote Desktop Services

You may want to see which users are logged on to your Windows 2016 Server at any given time and may want to log off a user. Users can be “active” on a server or in a “disconnected” session status, which means they disconnected from the server but didn’t log off.  Since disconnected sessions continue to utilize server resources, we recommend you enable a group policy to log off disconnected sessions automatically after a specific time period such as 5 minutes or X hours.  The easiest method is to enable a group policy to set session time limits for all users as follows:

  1. Cmd prompt, gpedit.msc
  2. Computer Configuration, Admin Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Session Time Limits
    1. Enable appropriate group policies and modify as needed
    2. We recommend setting this one because it will prevent disconnected sessions from consuming server resources — “Set time limit for disconnect sessions”
  3. After modifying group policies, you can force an update without rebooting by typing “gpupdate /force” at cmd prompt


By default, we now release Windows 2016 Servers with the disconnected session limit set at 5 minutes.  We strongly recommend keeping this group policy at 5 minutes or change it to another time amount that you want.  We don’t enable a default policy to log off “idle” sessions after X period of time but it is recommended that you enable this at X hours or X days.

To see detail on each users session (how long it has been active, if disconnected or idle, etc.), you can open a command prompt and type in “quser” which will show each user with session stats.

We haven’t seen this happen very frequently, but if a user logs on to the server and the screen remains black, it is likely because the user has an existing disconnected session that has not been fully logged off. To resolve this, log into the server as an Administrator and log off the User’s disconnected session.  When the User logs in again, they should see their full desktop session without any issues.

Steps to view and log off users:

  1. Log in as Administrator or an account with administrator rights
  2. Open Task Manager by right-clicking the taskbar
  3. Click on “More” or “Detail” to view all tabs of Task Manager
  4. Go to the “Users” tab, which will show the users that are logged on to the server
  5. Right-click on a username and select “Log Off”

We recommend that users be educated to log off from the server when their tasks are completed (start, click on username, select log-off or sign-off) instead of just disconnecting the session by clicking the X in the upper right corner which doesn’t log the user off and only disconnects the session.
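For servers where the group policy above is not yet in place, here is an added example (not from the original post) that does the same job from PowerShell: it parses the “quser” output the post describes and logs off every session that has been disconnected longer than a threshold (5 minutes by default, matching the policy value the post recommends). The quser lines embedded at the bottom are constructed sample data so the parser can be tried offline; run with -WhatIf first on a real server.

```powershell
# Added example: log off stale disconnected sessions based on quser output.
function ConvertTo-IdleMinutes {
    param([string]$Idle)
    # quser prints idle time as ".", "none", "mm", "h:mm" or "d+hh:mm".
    if ($Idle -in @('.', 'none')) { return 0 }
    $days = 0
    if ($Idle -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $Idle = $Matches[2] }
    $parts = $Idle -split ':'
    if ($parts.Count -eq 2) { return $days * 1440 + [int]$parts[0] * 60 + [int]$parts[1] }
    return $days * 1440 + [int]$parts[0]
}

function ConvertFrom-QuserOutput {
    param([string[]]$Lines)
    # Columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME. SESSIONNAME is blank for
    # disconnected sessions, and the current session is prefixed with '>'.
    $pattern = '^\s*(?<cur>>?)(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+?)\s*$'
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -match $pattern) {
            $m = $Matches
            [pscustomobject]@{
                UserName    = $m.user
                SessionName = $m.session
                Id          = [int]$m.id
                State       = $m.state
                IdleMinutes = ConvertTo-IdleMinutes $m.idle
                LogonTime   = $m.logon
            }
        }
    }
}

function Remove-StaleDisconnectedSession {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$MaxDisconnectedMinutes = 5, [string[]]$SampleOutput)
    # -SampleOutput is only for offline testing; omit it to read the live quser output.
    $lines = if ($SampleOutput) { $SampleOutput } else { quser 2>&1 }
    foreach ($s in ConvertFrom-QuserOutput -Lines $lines) {
        if ($s.State -eq 'Disc' -and $s.IdleMinutes -ge $MaxDisconnectedMinutes) {
            $target = "session $($s.Id) ($($s.UserName), disconnected $($s.IdleMinutes) min)"
            if ($PSCmdlet.ShouldProcess($target, 'logoff')) {
                logoff $s.Id   # same built-in command an admin would type by hand
            }
        }
    }
}

# Constructed sample quser output (not real server output) to exercise the parser:
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>administrator         rdp-tcp#0           1  Active      .      1/2/2024 9:00 AM',
    ' user1                                     3  Disc       15      1/2/2024 8:00 AM',
    ' user2                                     4  Disc     1+02:30   1/1/2024 7:00 AM'
)
Remove-StaleDisconnectedSession -SampleOutput $sample -WhatIf
```

With the sample data, user1 (15 minutes) and user2 (1 day 2.5 hours) are reported as would-be logoffs and the active administrator session is left alone.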

How to Shadow a user’s remote desktop session on Windows Server 2016 in workgroup mode

This post is about how to shadow a user session if the Windows Remote Desktop Server is not connected to a domain. If the server is connected to a domain, you can go to server manager, RDS Manager, and right click on current sessions to shadow and connect. When the server is in Workgroup mode (not connected to domain) the Remote Desktop Services Manager page is not accessible in Server Manager. To shadow another user’s sessions in Windows Server 2016 in Workgroup mode, use the following steps:

1) Open command window by clicking start, CMD. You must be using an account with administrative privileges. If you are using an account with administrative privileges that isn’t the named Administrator account, you must run in administrator mode (right click on cmd and click run as administrator)

2) Type quser.exe to determine the session number of the user session you want to shadow.
C:\Users\administrator.computer>quser.exe (note: typing “qwinsta” will show similar information)
USERNAME SESSIONNAME ID STATE
administrator rdp-tcp#0 1 Active
user1 rdp-tcp#1 3 Active

3) In this example, the Administrator is going to shadow the user1 session which is session 3. You need to know the session number (“3”) for the next step.

4) Start shadow session by typing “mstsc /shadow:# /control” where # is the session number to shadow and /control allows you to control the session.
C:\Users\administrator.computer>mstsc /shadow:3 /control

5) The other user (user1 in this example) will get a popup called “remote control request” and must press Yes before shadow session will open.

6) The shadow session will open and you’ll be able to view the user1 session desktop screen.

IF YOU WANT TO SHADOW A USER SESSION WITHOUT NEEDING THEIR CONSENT FOR THE SHADOW SESSION TO OPEN:

  • Enable the following group policy by going to gpedit.msc and then Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Connections.
  • Enable the setting “set rules for remote control of Remote Desktop Services user sessions” and select the option for “Full Control without user’s permission” in the dropdown.
  • Reboot the server to make the group policy take effect (or open elevated command prompt and type in gpupdate.exe /force)
  • Then using the same command as in the section above add “/noconsentprompt” like this:
  • mstsc /shadow:3 /control /noconsentprompt
  • It will still prompt the user to authorize control but if they don’t within 5-10 seconds, the shadow session will open even without their authorization.
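An added example (not code from the original post) that wraps the steps above: it first reads the local “remote control” policy so you know whether the user will be asked for consent, then resolves the session ID from the username instead of reading it off quser by hand and launches mstsc /shadow. The registry value meanings are the documented ones for the policy in the previous bullets (0 disabled, 1 full control with permission, 2 full control without permission, 3 view only with permission, 4 view only without permission). Run elevated, as the post requires; user1 is the post's example user.

```powershell
# Added example: check the shadow policy, then shadow a session by username.
function Get-ShadowPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $names = @{
        0 = 'Disabled'
        1 = 'Full control, user must consent'
        2 = 'Full control, no consent required'
        3 = 'View only, user must consent'
        4 = 'View only, no consent required'
    }
    $value = (Get-ItemProperty -Path $policyKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
    if ($null -eq $value) { return 'Not configured (default: full control, user must consent)' }
    return $names[[int]$value]
}

function Get-SessionIdForUser {
    param([Parameter(Mandatory)][string]$UserName)
    # quser: first column is the username ('>' marks the current session); the first
    # all-digit column after the optional session name is the session ID.
    foreach ($line in (quser 2>&1 | Select-Object -Skip 1)) {
        if ($line -match '^\s*>?(?<user>\S+)\s+(?:\S+\s+)?(?<id>\d+)\s' -and $Matches.user -eq $UserName) {
            return [int]$Matches.id
        }
    }
    throw "No session found for user '$UserName'."
}

function Start-SessionShadow {
    param([Parameter(Mandatory)][string]$UserName, [switch]$Control)
    Write-Output "Remote control policy: $(Get-ShadowPolicy)"
    $id = Get-SessionIdForUser -UserName $UserName
    $mstscArgs = @("/shadow:$id")
    if ($Control) { $mstscArgs += '/control' }   # view-only unless -Control is given
    Write-Output "Shadowing session $id of '$UserName': mstsc $($mstscArgs -join ' ')"
    Start-Process -FilePath mstsc.exe -ArgumentList $mstscArgs
}

# Example call matching the post's scenario (administrator shadowing user1):
# Start-SessionShadow -UserName user1 -Control
```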

Deploy your MS Access Database, MS Access Application online to the cloud with Remote Desktop Services (terminal services)

The quickest and easiest method to move your Microsoft Access Database online (to the cloud) is to deploy it on a hosted Windows Remote Desktop Server.  You should be able to move to a Windows Remote Desktop server with MS Access and be up and running on the same day!  We have been providing terminal server (remote desktop) hosting solutions for over 15 years.  Contact us to discuss your options, pricing, MS licensing, etc.   We host your Access database on its own server (not shared OS, not SharePoint) with resources dedicated to you.  You will have a better experience hosting your MS Access database with us than with other providers using a shared OS environment.

As previously announced by Microsoft, Access-based web apps (Access Web Apps) and Access web databases in Office 365 and Sharepoint Online were shut down in April 2018.  See link here:  Access Services in Sharepoint shut-down

You can also review our pricing calculator here:  http://www.riptidehosting.com/Remote-Desktop-Hosting-Pricing.aspx

When comparing options for hosting your Access application online, ask the hosting provider if it will be a Windows Server with Remote Desktop Services or if they are hosting the Access application on a Sharepoint server.  We do not provide hosting services on Sharepoint.  If your MS Access application has VBA coding, it may not work in a sharepoint environment.  You should also ask if your application is hosted in a dedicated OS environment (dedicated VM for you), or if it is on a shared OS environment, or if running on Sharepoint.

Adjusting Server Manager settings on 2016 so it doesn’t automatically start upon login (or turn it back on)

Update: the steps below for modifying auto-start for server manager within the server manager GUI will only affect the user account under which it is being set.  To change the auto-start behavior for all users to not automatically start, you can enable a group policy by going to gpedit.msc, local computer policy, computer configuration, administrative templates, system, server manager, enable the policy for “do not display Server Manager automatically at logon”.

For Windows Server 2016: You may want to adjust the settings for Server Manager so that the Server Manager window opens automatically (or doesn’t open automatically) when logging into a Windows Server 2016 desktop session via RDP. You may want to turn it off so that it doesn’t consume resources during login or if it isn’t useful to users.  You can follow the steps below to turn auto-start on or off.

Open Server Manager by clicking the Server Manager icon on the bottom taskbar right next to the start button, or by clicking start and typing “server manager”, or by looking at the tiles under the start button.

  1. Under the “Manage” drop-down in the upper right corner, select Server Properties, then check the box by “Do Not Start Server Manager Automatically…” (or uncheck it if you want it to start automatically upon login)
  2. You can always open Server Manager by clicking on the icon in the taskbar next to the start button that looks like a toolbox


MS Access Services retired in Office 365 and Sharepoint Online – Look at MS Access Hosting with Riptide Hosting

SWITCH TO RIPTIDE HOSTING FOR YOUR MS ACCESS HOSTING NEEDS

Microsoft announced that Access-based web apps and Access web databases in Office 365 and SharePoint Online will be shut down by April, 2018.  See link here:

https://support.office.com/en-us/article/Access-Services-in-SharePoint-Roadmap-497fd86b-e982-43c4-8318-81e6d3e711e8?ui=en-US&rs=en-US&ad=US

This does not affect Access Desktop databases (.accdb).

One alternative you should consider is use of a Windows Remote Desktop Server with Access or Access runtime installed.  Riptide Hosting has been providing terminal server (remote desktop) hosting solutions for over 15 years.  Contact us to discuss pricing and options. 

See Access DB Hosting pricing offered by Riptide Hosting, Inc.:

http://www.riptidehosting.com/MS-Access-Hosting.aspx

Installing .net 3.5 on Windows Server 2012 R2

You can follow the steps below to install .net 3.5 on a Windows Server running 2012R2:

  1. Insert Windows Server 2012R2 installation media into DVD-rom (Riptide will have to do this for your remote server)
  2. Follow instructions on this link and as described below https://technet.microsoft.com/en-us/library/dn482071.aspx?f=255&MSPPError=-2147217396
  3. Open Server Manager, add Roles and Features
  4. Select .NET Framework 3.5 Features
  5. On the “confirm installation selections” screen, click on the “specify alternative source path” link at bottom of screen
  6. Type in d:\sources\sxs
  7. Install
  8. Remember to remove the installation media DVD (Riptide will have to do this)

Azure RemoteApp discontinued – use Riptide Hosting as alternative to Azure RemoteApp and Citrix


Microsoft announced this month that it is discontinuing its Azure RemoteApp service and no new purchases will be available after October 1, 2016. Here is a link to their announcement

Azure RemoteApp shutting down

Riptide Hosting provides Remote Desktop (Terminal Server) Hosting using Windows Server 2012 R2 (soon Windows Server 2016) with Remote Desktop Services for publishing user-customizable desktop sessions or RemoteApps.   We have several options for delivering cloud hosted remote desktops and applications and can include monthly licensing for Windows Server, RDS user licenses, MS Office, SQL Server and more.  You can start with as little as 2 users (not the 10 or 20 user minimum of other hosting providers).  Give us a call or email and we will talk with you regarding your specific situation.

Logging off users on Windows Server 2012R2 with Remote Desktop Services

You may want to see which users are logged on to your Windows 2012R2 Server at any given time and may want to logoff a user. Users can be active on a server or in a disconnected session status which means they disconnected from the server but didn’t log off.  Since disconnected sessions continue to utilize server resources, we recommend you enable a group policy to log off disconnected sessions automatically after a specific time period such as 1,2,4, or 8 hours – see our blog post here on how to enable this group policy https://www.RiptideHosting.com/blog/how-to-set-time-limit-for-disconnected-sessions-windows-server-2012r2/

We haven’t seen this happen very frequently, but if a user logs on to the server and the screen remains black, it is likely because the user has an existing disconnected session that has not been fully logged off. To resolve this, log into the server as an Administrator and log off the User’s disconnected session.  When the User logs in again, they should see their full desktop session without any issues.

Steps to view and log off users:

  1. Log in as Administrator or an account with administrator rights
  2. Open Task Manager by right-clicking the taskbar
  3. Click on “More” or “Detail” to view all tabs of Task Manager
  4. Go to the “Users” tab, which will show the users that are logged on to the server
  5. Right-click on a username and select “Log Off”

We recommend that users be educated to log off from the server when their tasks are completed (start, click on username, select log-off or sign-off) instead of just disconnecting the session by clicking the X in the upper right corner which doesn’t log the user off and only disconnects the session.