Install a "white" (publicly trusted) certificate on a Microsoft VDI farm



    Many companies use a VDI infrastructure to organize remote work from unmanaged personal computers. When a VDI farm is published on the Internet, external users run into the fact that their computers do not trust the certificate issued by the corporate certification authority, so a security warning appears every time a remote connection is established.

    In this case the warning appears twice: the first time because the certificate of the RD Connection Broker server is not trusted, the second time because the certificate of the virtual machine in the VDI farm is not trusted either.

    Many system administrators deal with this either by telling users to ignore the message and tick the "Do not ask again" checkbox, or by installing the corporate root certificate into the trusted store of the user's remote computer and publishing the corporate CA's CRL where it can be reached. Neither method works if the user connects from a different place each time, or connects to different virtual machines.

    To solve the problem properly, the VDI farm needs a "white" certificate, that is, one issued by a publicly trusted certification authority. The name on this external certificate and the names of the VDI computers must match.

    SOLUTION


    First, we need a wildcard certificate of the form *.yourcompany.com, purchased from a publicly trusted certification authority.

    Adding a new DNS domain suffix:

    In DNS on the domain controller, add a new Active Directory-integrated zone yourcompany.com; it will serve internal queries for the new names of the servers and virtual machines in the VDI farm.

    To let computers in the domain use an additional DNS suffix, the msDS-AllowedDNSSuffixes attribute of the domain object must be changed: add both the internal and the external domain name as values, for example yourcompany.local and yourcompany.com. Then, at the domain level, create a new group policy that specifies the DNS suffixes appended to short machine names during DNS queries.

    Enable the following policy and enter the internal and external domain names separated by a comma: Computer Configuration \ Policies \ Administrative Templates \ Network \ DNS Client \ DNS suffix search list.
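    The same DNS zone, domain attribute and suffix policies can be configured from PowerShell on a domain controller. The script below is an added example, not part of the original article: it assumes the DnsServer, ActiveDirectory and GroupPolicy modules are present, and the domain names, GPO names and the distinguished name of the VDI computers OU are assumptions to be adjusted. It also creates the OU-level "Primary DNS suffix" policy for the virtual machines that the last step of this article needs, and reads every setting back so the result can be checked.

```powershell
# Added example (not from the article): DNS zone, msDS-AllowedDNSSuffixes and the two
# DNS-suffix group policies in PowerShell. Run on a DC with the DnsServer, ActiveDirectory
# and GroupPolicy modules. All names below are assumptions; adjust to your environment.
$InternalDomain = 'yourcompany.local'
$ExternalDomain = 'yourcompany.com'
$SearchListGpo  = 'DNS Suffix Search List'           # assumption: linked at the domain root
$VdiGpo         = 'VDI Virtual Machines'             # assumption: linked at the VDI computers OU
$VdiOu          = 'OU=VDI,DC=yourcompany,DC=local'   # assumption

Import-Module DnsServer, ActiveDirectory, GroupPolicy

# 1. AD-integrated forward zone for the external name, replicated to every DC in the domain.
if (-not (Get-DnsServerZone -Name $ExternalDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalDomain -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Allow domain members to carry the extra suffix: msDS-AllowedDNSSuffixes on the domain object.
#    Read the current values first so an already configured suffix is not dropped.
$domain  = Get-ADDomain -Identity $InternalDomain
$allowed = [string[]](@($domain.AllowedDNSSuffixes) + @($InternalDomain, $ExternalDomain) | Select-Object -Unique)
Set-ADDomain -Identity $InternalDomain -Replace @{ 'msDS-AllowedDNSSuffixes' = $allowed }

# 3. Domain-level GPO: "DNS suffix search list". The registry value is the one the
#    Administrative Template writes, so this equals enabling the policy in the GPMC editor.
if (-not (Get-GPO -Name $SearchListGpo -ErrorAction SilentlyContinue)) { New-GPO -Name $SearchListGpo | Out-Null }
Set-GPRegistryValue -Name $SearchListGpo -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'SearchList' -Type String -Value "$InternalDomain,$ExternalDomain" | Out-Null
New-GPLink -Name $SearchListGpo -Target $domain.DistinguishedName -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 4. OU-level GPO for the virtual machines: "Primary DNS suffix", so every VM gets an FQDN
#    under the external name that the wildcard certificate covers.
if (-not (Get-GPO -Name $VdiGpo -ErrorAction SilentlyContinue)) { New-GPO -Name $VdiGpo | Out-Null }
Set-GPRegistryValue -Name $VdiGpo -Key 'HKLM\Software\Policies\Microsoft\System\DNSClient' `
    -ValueName 'PrimaryDnsSuffix' -Type String -Value $ExternalDomain | Out-Null
New-GPLink -Name $VdiGpo -Target $VdiOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 5. Read everything back: the attribute, the zone, and both policy values.
(Get-ADDomain -Identity $InternalDomain).AllowedDNSSuffixes
Get-DnsServerZone -Name $ExternalDomain | Select-Object ZoneName, IsDsIntegrated, ReplicationScope
Get-GPRegistryValue -Name $SearchListGpo -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' | Select-Object ValueName, Value
Get-GPRegistryValue -Name $VdiGpo -Key 'HKLM\Software\Policies\Microsoft\System\DNSClient' | Select-Object ValueName, Value
```

    Computers pick up the new search list and primary suffix at the next policy refresh; the primary suffix change only becomes the machine's FQDN after a reboot, which is why the virtual machines are rebooted at the end of the procedure.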

    Certificate Installation on RD Server

    Before creating the VDI farm, change the DNS suffix of the planned RD servers to the external domain name. To do this, open the computer properties and choose to change the computer name. In the computer name dialog, click the More... button and set the new primary DNS suffix of the computer: yourcompany.com.

    Next, create a new VDI farm on the chosen Microsoft Windows Server 2012 R2 servers; this procedure is well documented elsewhere.

    Once the pfx file with the certificate is at hand, it can be installed on the new VDI farm. On the RD Connection Broker server, go to Server Manager -> Remote Desktop Services -> Overview. In the Deployment Overview pane, open the TASKS drop-down list and select Edit Deployment Properties.

    Open the Certificates tab and assign the *.yourcompany.com certificate to every role service of the farm. Each one has to be done separately: select the role service, choose Select existing certificate, specify the path to the pfx file and its password, and click Apply before moving on to the next service.

    After that, the certificate is installed on the RD servers of the farm, but not on the virtual machines. On the Connection Broker server a REG_BINARY value named SSLCertificateSHA1Hash, containing the thumbprint of the certificate, appears at the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

    This value selects the certificate that the RDP listener presents when a session is established. The same value will have to be set on the virtual machines as well.

    Install a certificate on virtual machines

    To use the white certificate on the virtual machines:

    • Install the certificate on every machine in the computer's Personal certificate store (LocalMachine\My).
    • Grant Network Service read permission on the certificate's private key on each machine.
    • Set the SSLCertificateSHA1Hash REG_BINARY value to the thumbprint of the certificate.
    • Make the virtual machine names match the certificate name, i.e. give them the suffix yourcompany.com.

    Keep in mind that every virtual machine then holds the private key of the wildcard certificate for the whole yourcompany.com name space. Importing the key as non-exportable makes casual extraction harder, but a local administrator on any VM can still recover it, so the farm's VMs must be treated as being as sensitive as the certificate itself.

    Create a new group policy at the level of the organizational unit that holds the computer accounts of the farm's virtual machines.

    This policy runs the startup script ExportVDICert.bat on the virtual machines.

    The script uses the Microsoft certutil and FindPrivateKey utilities. Certutil is built into Windows; FindPrivateKey is shipped as a sample tool for developers (it is one of the WCF samples) and has to be compiled separately. The script itself must be stored inside the policy.

    The certificate and the FindPrivateKey utility are placed in a network folder, from which the script picks up the files for installation. Note that a startup script stored in the policy lives in SYSVOL, which every authenticated user of the domain can read, so a PFX password written into the script is effectively public: the pfx file must at least sit on a share readable only by the VDI computer accounts, and the password should not be the only thing protecting it. Script text:

    REM The empty quoted values were placeholders in the original listing: the PFX password,
    REM the path to the pfx on the network share, the network path of FindPrivateKey.exe,
    REM and the certificate thumbprint. Fill them in before use.
    REM Import the pfx into the computer's Personal store with a non-exportable private key.
    certutil -f -p "" -importpfx "" NoExport
    c:
    mkdir "c:\TempCertSecurity"
    cd "c:\TempCertSecurity"
    REM Copy FindPrivateKey.exe from the share and locate the private key file by thumbprint.
    xcopy "" "c:\TempCertSecurity"
    FindPrivateKey.exe My LocalMachine -t "" -a > tmp.txt
    set /p myvar= < tmp.txt
    del tmp.txt
    del FindPrivateKey.exe
    cd \
    rd "c:\TempCertSecurity"
    REM Grant NETWORK SERVICE read access to the key file found above.
    cacls.exe "%myvar%" /E /G "NETWORK SERVICE":R
    

    With this script, the new certificate is installed and the permissions on its private key are set every time the virtual machine reboots.

    The next part of the policy sets the SSLCertificateSHA1Hash value. The required registry item is configured under Computer Configuration \ Preferences \ Windows Settings \ Registry, as a REG_BINARY value holding the thumbprint of the certificate.

    To change the primary DNS suffix of the virtual machines centrally, enable the Primary DNS suffix policy (Computer Configuration \ Policies \ Administrative Templates \ Network \ DNS Client) in the same group policy and set it to the external domain name yourcompany.com.
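    The whole per-machine procedure (import, private key permission, registry value, name match) can be done in one PowerShell startup script instead of the batch file plus a Group Policy Preferences registry item. The script below is an added example and not the article's ExportVDICert.bat: it assumes PowerShell 5.1 with .NET Framework 4.6 or later, a share whose path and password file are assumptions, and it adds the two checks a practitioner wants that the batch file lacks: it refuses to change the RDP listener unless the machine's FQDN is actually covered by the certificate (which only holds after the Primary DNS suffix policy has taken effect and the VM has rebooted), and it reads the registry value back afterwards. The PFX password is read from a file on the share rather than being embedded in the script, because the script itself ends up in SYSVOL.

```powershell
# Added example (not the article's ExportVDICert.bat): idempotent startup script for a VDI VM.
# Imports the wildcard PFX as non-exportable, checks the FQDN against the certificate, grants
# NETWORK SERVICE read on the key file, and sets SSLCertificateSHA1Hash. Run as SYSTEM at startup.
$PfxPath = '\\fileserver\VDIcert$\wildcard.pfx'   # assumption: share readable by the VDI computer accounts only
$PwdPath = '\\fileserver\VDIcert$\wildcard.pwd'   # assumption: one line containing the PFX password
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

if (-not (Test-Path $PfxPath) -or -not (Test-Path $PwdPath)) { Write-Warning 'PFX or password file unreachable'; exit 1 }
$pfxPassword = (Get-Content -Path $PwdPath -Raw).Trim() | ConvertTo-SecureString -AsPlainText -Force

# 1. Import (equivalent of "certutil -f -p ... -importpfx ... NoExport"): Import-PfxCertificate
#    marks the key non-exportable unless -Exportable is given. Re-running overwrites the same entry.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. Name check: the FQDN must be matched by a SAN DNS name (or the subject CN). A wildcard
#    matches exactly one label (RFC 6125): "*.yourcompany.com" covers vm01.yourcompany.com,
#    but neither vm01.yourcompany.local nor a.b.yourcompany.com.
function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $names = @()
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) { $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] } }
    if ($c.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $names | Where-Object { $_ } | Select-Object -Unique
}
function Test-DnsNameMatch([string]$fqdn, [string]$pattern) {
    if ($pattern.StartsWith('*.')) { return $fqdn -match ('^[^.]+\.' + [regex]::Escape($pattern.Substring(2)) + '$') }
    return $fqdn -eq $pattern
}
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = "$($ip.HostName).$($ip.DomainName)"          # reflects the primary DNS suffix, no DNS lookup
if (-not (Get-CertDnsNames $cert | Where-Object { Test-DnsNameMatch $fqdn $_ })) {
    Write-Warning "$fqdn is not covered by '$($cert.Subject)'; RDP listener left unchanged (suffix not applied yet?)"
    exit 1
}

# 3. Private key ACL (replaces FindPrivateKey.exe + cacls). CAPI keys live under RSA\MachineKeys,
#    CNG keys under Crypto\Keys; the unique container name is the file name in both cases.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $rsa.CspKeyContainerInfo.UniqueKeyContainerName } else { $rsa.Key.UniqueName }
$keyFile = @('Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys') |
    ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $uniqueName } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { Write-Warning "private key file for $uniqueName not found"; exit 1 }
$acl = Get-Acl -Path $keyFile
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')))
Set-Acl -Path $keyFile -AclObject $acl

# 4. Point the RDP-Tcp listener at the certificate. GetCertHash() returns the raw SHA-1 thumbprint
#    bytes, which is exactly the REG_BINARY content the Group Policy Preferences item carries.
$wanted  = $cert.GetCertHash()
$current = (Get-ItemProperty -Path $RegPath -Name SSLCertificateSHA1Hash -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
if (-not $current -or [Convert]::ToBase64String([byte[]]$current) -ne [Convert]::ToBase64String($wanted)) {
    Set-ItemProperty -Path $RegPath -Name SSLCertificateSHA1Hash -Value $wanted -Type Binary
    if ((Get-Service TermService).Status -eq 'Running') { Restart-Service TermService -Force }  # listener re-reads the value
}

# 5. Report what the listener will present from now on.
$applied = ([BitConverter]::ToString((Get-ItemProperty -Path $RegPath).SSLCertificateSHA1Hash)) -replace '-', ''
Write-Output "RDP-Tcp on $fqdn now uses $applied (store thumbprint $($cert.Thumbprint), key file $keyFile)"
```

    Because the script exits without touching the listener while the FQDN still carries the old suffix, it is safe to run at every boot: the first reboot applies the new primary DNS suffix, the next run installs the certificate and switches the listener, and subsequent runs change nothing.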

    After a reboot the machine receives a new FQDN matching the white certificate, and users no longer see the security warnings.
