In Windows Server 2008, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop Session Host (Terminal Server) farm and deploying it to each server in the farm. Since requiring SSL certificates on each server in an RDS farm in an intranet scenario can be expensive and burdensome, Windows Server 2008 R2 now provides an option to create a Kerberos identity for the farm to provide server authentication in intranet scenarios.
The farm’s account credentials are stored on the Remote Desktop Connection Broker (RD Connection Broker). The RD Connection Broker provides each RDS server in the farm with the farm’s account credentials. RDS servers use the farm’s account credentials as a supplement to the individual server credentials.
Note: This example doesn’t show you how to create an RD Session Host farm by using Windows PowerShell. For more information on creating an RDS farm, see the following blog post.
Important! The user account in the following procedure must have the Add workstations to domain user right and be a member of local Administrators security group on the Remote Desktop Connection Broker.
Important! Kerberos identity is not supported if the Connection Broker runs as a node in a Failover Cluster.
Important! RDS provider for Windows PowerShell does not enable automatic updates of the farm account’s password. To enable automatic password updates use WMI script as shown in Part II of this blog post series.
1. On the RD Connection Broker, launch Windows PowerShell Modules. To launch Windows PowerShell Modules, click Start, point to Administrative Tools, and then click Windows PowerShell Modules.
2. Type cd RDS:\ to switch to RDS provider for Windows PowerShell.
3. Type cd RDSFarms and then press ENTER. If you type DIR, you can see all the RDS farms that the Connection Broker manages.
4. Type CD <farm name> where <farm name> is the name of the RDS farm on which you want to enable a Kerberos identity. Type DIR to see its properties.
5. Type CD KerbIdentity and then press ENTER. Type DIR to see the current configuration.
6. Type Set-Item EnableKerbIdentity 1 and then press ENTER. The result is shown in the screenshot below.
7. Type the name of the user account that will be used as the Kerberos Identity and then press ENTER.
You can assign the user account while enabling the Kerberos Identity by using the AccountName parameter, as shown in the screenshot below.
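The whole procedure above, scripted end to end, as an added example that is not part of the original post: it switches to the RDS provider on the Connection Broker, checks that the farm exists, enables the Kerberos identity with the account name supplied in one step, and then confirms that a computer account carrying a TERMSRV service principal name was created in Active Directory. The module name RemoteDesktopServices, the farm and account names, and the use of setspn.exe for the check are assumptions; only EnableKerbIdentity and the AccountName parameter come from the post.

```powershell
# Added example (not from the original post): enable a Kerberos identity for an
# RD Session Host farm through the RDS provider and verify the result.
# Assumptions: the RDS: drive comes from the RemoteDesktopServices module,
# the farm and account names are placeholders, and setspn.exe is available
# on the domain-joined Connection Broker.
param(
    [string]$FarmName    = 'MyFarm',        # placeholder: name of your RDS farm
    [string]$AccountName = 'MyFarmKerbId'   # placeholder: computer account to create in AD
)

# Run on the RD Connection Broker as a member of local Administrators who also
# holds the "Add workstations to domain" user right (see the notes above).
Import-Module RemoteDesktopServices   # assumed module name; creates the RDS: drive

$farmPath = "RDS:\RDSFarms\$FarmName"
if (-not (Test-Path $farmPath)) {
    $known = (Get-ChildItem 'RDS:\RDSFarms' | Select-Object -ExpandProperty Name) -join ', '
    throw "Farm '$FarmName' is not managed by this Connection Broker. Known farms: $known"
}

# Show the current configuration before changing anything (same as typing DIR).
Set-Location "$farmPath\KerbIdentity"
Get-ChildItem .

# Steps 6 and 7 of the procedure in one command: enable the identity and name the account.
Set-Item EnableKerbIdentity 1 -AccountName $AccountName

# The provider should now report the identity as enabled.
Get-ChildItem .

# Verify in AD: the new computer account must carry a TERMSRV SPN, otherwise
# clients cannot authenticate the farm by its Kerberos identity.
$spns = & setspn.exe -L $AccountName 2>&1
if ($spns -match '^\s*TERMSRV/') {
    Write-Host "TERMSRV SPN registered for computer account $AccountName"
} else {
    Write-Warning "No TERMSRV SPN found for $AccountName; check the Connection Broker event log."
    $spns | ForEach-Object { Write-Host $_ }
}

# Clients must connect using exactly the farm name the identity was created for
# (for example MyFarm.contoso.local, a placeholder); any other name fails server
# authentication just as a certificate name mismatch would.
```

The SPN check is the part worth keeping after the one-time setup: if the Connection Broker later fails to propagate the farm credential to a session host, clients see a "remote computer is not the one you specified" style error, and a missing or stale TERMSRV entry on the farm account is the first thing to rule out.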
Please refer to Part II of this blog post series for information on enabling Kerberos Identity for RD Session Host farms using a WMI script.
After making the above change, what should the settings be on RDP-Tcp Properties under the general tab? Should "allow connections only from computers running Remote Desktop with Network Level Authentication" be selected? Which certificate should be selected, the default self-signed or the cert that may have been imported? What about the Security layer and encryption level?
Do RemoteApps still need to be signed with a certificate?
I cannot find information about this feature anywhere else. It would be nice if there was some documentation outlining how this fits into an RDS deployment and how it affects the other settings.
Q: Should "allow connections only from computers running Remote Desktop with Network Level Authentication" be selected?
A: You can select it, or you can select "(less secure)". Both options will work. If you are not using legacy RDP clients (versions 5.x and below), I'd recommend the "(more secure)" option.
Q: Which certificate should be selected, the default self-signed or the cert that may have been imported?
A: A self-signed certificate should be good enough for the intranet deployment.
Q: What about the Security layer and encryption level?
A: Security layer set to "Negotiate" or "TLS" will work. Set encryption level to either "Client compatible" or "High".
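An added example, not part of the original post or its comments, that audits the three RDP-Tcp settings the answer above discusses (Network Level Authentication, security layer and encryption level) on an RD Session Host and reports which certificate thumbprint the listener is bound to. It reads the Win32_TSGeneralSetting WMI class in the root\cimv2\TerminalServices namespace; the value-to-name mappings and the thresholds flagged as findings are the ones this example assumes, and the computer name is a placeholder.

```powershell
# Added example (not from the original post): audit the RDP-Tcp listener on an
# RD Session Host against the settings recommended in the answer above.
# Assumptions: run as an administrator; '.' is the local machine, or pass a
# host name (placeholder) to query a remote session host over WMI.
param([string]$ComputerName = '.')

$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -ComputerName $ComputerName -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy

# Numeric values as exposed by the WMI class, mapped to the names shown in the UI.
$securityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS' }
$encryptionNames    = @{ 1 = 'Low'; 2 = 'Client compatible'; 3 = 'High'; 4 = 'FIPS' }

$findings = @()
if ($ts.UserAuthenticationRequired -ne 1) {
    # "(less secure)" in the UI: works, but only needed for legacy 5.x clients.
    $findings += 'NLA not required; prefer the "(more secure)" option unless legacy clients must connect.'
}
if ($ts.SecurityLayer -eq 0) {
    # RDP Security Layer never performs server authentication, so neither the
    # farm Kerberos identity nor a certificate protects the client from spoofing.
    $findings += 'Security layer is "RDP Security Layer"; set "Negotiate" or "TLS".'
}
if ($ts.MinEncryptionLevel -lt 2) {
    $findings += 'Encryption level is "Low"; set "Client compatible" or "High".'
}

# One summary object per host, so the output can be piped to Export-Csv across a farm.
[pscustomobject]@{
    Computer            = $ComputerName
    NLARequired         = ($ts.UserAuthenticationRequired -eq 1)
    SecurityLayer       = $securityLayerNames[[int]$ts.SecurityLayer]
    MinEncryptionLevel  = $encryptionNames[[int]$ts.MinEncryptionLevel]
    CertificateSHA1     = $ts.SSLCertificateSHA1Hash   # compare with the self-signed or imported cert
    Findings            = if ($findings.Count -gt 0) { $findings -join ' ' } else { 'OK' }
}
```

Run it against every session host in the farm (for example in a foreach over the DIR listing of the farm) so that a single host left on "RDP Security Layer" or "Low" encryption does not silently undercut the server authentication the farm identity was set up to provide.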
I have some questions:
- Do I have to use an existing specific user account (anyone is suitable?) or is the account created when I type Set-Item...?
- Do I have to configure some other things on the RD Web Access / RD Connection Broker / RD Session Host for the authentication to work?
I've got the same question as Mauro with the addition of this:
Does this replace the requirement to digitally sign applications with a certificate?
The account is created automatically when you do Set-Item...
You do not need to configure anything else for authentication to work.
Having Kerberos identity for the farm does not eliminate the need to sign your RDP files.
I enabled TS farm identity and had the following error:
"The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name."
I use farm name in the RDP file.
It might happen that your Connection Broker failed to propagate the farm credential to the server. Look for error messages in the Connection Broker event log.
I am trying to set up Kerberos in my lab. The server looks fine but I get an error on the client saying "The remote computer cannot be authenticated due to problems with its security certificate." The only solution I can find ( technet.microsoft.com/.../ee891358(WS.10).aspx ) says to install a cert.
What have I done wrong?
I'd first check that the target name used by your client is the same you created the Kerberos identity for. For example, if you created Kerberos identity for MyFarm.fabricam.com, then the client should use the same name exactly to connect to the farm.
The AccountName, where do you define that? Do I need to create a service account and then change a service to run under that?
What about SPN for the MyFarm should that not be defined?
The "Set-Item EnableKerbIdentity" command will create a computer account in AD for you. You just need to specify the name. SPN will also be registered for the account.
Remote Desktop uses "TERMSRV" SPN prefix.
Set-Item EnableKerbIdentity 1 -AccountName TestUser and then the TestUser should be created in AD? I don't see the TestUser being created.