Unable to add certificate to RD farm #2511

Closed
nikosgeorgalis opened this issue Jan 24, 2024 · 5 comments
Comments

nikosgeorgalis commented Jan 24, 2024

Hello,
I ran into a problem when trying to add a new certificate to an RD farm using ImportRDSFull.ps1 as a post-renewal script.

Specifically, I got the following error when running win-acme on the Remote Desktop Connection Broker:

2024-01-23 12:22:04.925 +02:00 [VRB] Cert thumbprint was not set successfully to RD Gateway
2024-01-23 12:22:04.928 +02:00 [VRB] Error: The path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' does not exist.

With a little bit of debugging, I think the issue is caused by lines 87-98, where the script assumes that the localhost is also a Gateway, which is not always the case.
If I comment out this section, the script works.

Furthermore, the section seems redundant, since the certificate is set on the Gateway using the Set-RDCertificate cmdlet in lines 171-184.
Also, I think no output is provided in the terminal and I had to search through the log.
Any feedback would be welcome.

Platform:

  • OS: Windows 2019, English
  • Version: 2.2.6.1571 (release, trimmed, standalone, 64-bit)
@WouterTinus (Member)

Hi Nikos, thanks for reporting this, but as you can imagine it's tricky to support these scripts, because of all the different deployment scenarios out there. Probably if we comment out the line like you did, sooner or later someone will report that in their setup, they actually needed that. I don't have lab environments available to test this, and even I did, I lack the required knowledge about RDS. Perhaps you could work with @christaylorcodes who recently made some changes to try and make this more reliable.

Generally, the best advice about using example scripts is to test them, modify them as needed, and save them in a separate folder for yourself so that your version doesn't get overwritten with some future update.

@nikosgeorgalis (Author)

Hi Wouter,
thank you for the swift reply. I understand; you can't really support all the different deployments. And this is a minor issue; the client works pretty well.
In that particular case, though, this code block seems redundant, at least to my understanding. I would definitely like another opinion from @christaylorcodes if it's possible.

christaylorcodes (Contributor) commented Jan 26, 2024

I would agree that lines 87-107 are redundant with 200-223.
This command would only work where the local machine is the Gateway.
The only benefit I can see is this doesn't rely on the cert being exportable, but that is already a documented requirement.

I would also argue that lines 108-120 fall under that same logic: they set the local RDP listener to use the cert even though it might not be part of the RD deployment.

The script logging/output is redirected to the event log.
It seems there is not a consistent event id for the script output though.
Is there some sort of logic to the event id that I am missing?

In my last update, I tried to make as few changes as possible to resolve the issue I was facing.

I currently manage 50+ RD environments but only a handful of them are multi-server farms.
I can start monitoring the results of the script more closely and make more updates to the script if that is something you would be interested in.

@christaylorcodes (Contributor)

Quick script modification for review.
https://github.com/christaylorcodes/win-acme/blob/master/dist/Scripts/ImportRDSFull.ps1
I will deploy it to my managed systems and monitor.

nikosgeorgalis (Author) commented Jan 29, 2024

Hello @christaylorcodes

I agree with what you said.

I have also tested your script modification in my lab environment and it succeeded, with some errors on line 168.
Similarly to the above, it tries to start the gateway service locally, which does not exist.
Script error: "Get-Service : Cannot find any service with service name 'TSGateway'."

I am not sure if it is needed, but maybe a cmdlet like this or this could be used in order to get the FQDN of the Gateway (if it exists) and invoke the command on it.

Lastly, I've noticed a small typo in the numbering of the positional parameters (0,1,3 instead of 0,1,2). It might not affect anything, I don't know :)
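The pattern the thread converges on (only touch gateway-local state where the gateway role actually runs, and otherwise let the broker push the certificate to whichever servers hold that role) can be expressed as a small guarded post-renewal script. The following is an added example written for this page; it is neither the project's ImportRDSFull.ps1 nor the modified version linked above. It assumes the RemoteDesktop and RemoteDesktopServices modules are installed, that the script runs on the connection broker (as in the reporter's setup), and that the PFX path and password are passed in by the caller; the parameter names are mine.

```powershell
# Added example, not the win-acme project's script. Assumptions (not from the issue):
# the script runs on the connection broker, and the caller supplies the exported PFX.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,
    [Parameter(Mandatory = $true)][SecureString]$PfxPassword,
    # Default to the local FQDN, i.e. "broker is the local host"; override otherwise.
    [string]$ConnectionBroker = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
)

Import-Module RemoteDesktop -ErrorAction Stop

# Does the local machine host the RD Gateway role? Check both signals the thread
# mentions: the TSGateway service and the RDS: provider path. Neither throws when absent.
function Test-LocalGatewayRole {
    $svc = Get-Service -Name 'TSGateway' -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }
    Import-Module RemoteDesktopServices -ErrorAction SilentlyContinue
    return (Test-Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint')
}

# Which servers in the deployment hold the gateway role? Returns FQDNs, possibly none.
function Get-DeploymentGateways {
    param([string]$Broker)
    $gw = Get-RDServer -ConnectionBroker $Broker -Role 'RDS-GATEWAY' -ErrorAction SilentlyContinue
    return @($gw | ForEach-Object { $_.Server })
}

$gateways = Get-DeploymentGateways -Broker $ConnectionBroker
if ($gateways.Count -eq 0) {
    Write-Output "No RD Gateway registered in deployment '$ConnectionBroker'; skipping gateway certificate."
} else {
    # Set-RDCertificate distributes the PFX to every gateway through the broker,
    # so no local-only write to the RDS: drive is needed here.
    Write-Output ("Assigning certificate to gateway(s): " + ($gateways -join ', '))
    Set-RDCertificate -Role RDGateway -ImportPath $PfxPath -Password $PfxPassword `
        -ConnectionBroker $ConnectionBroker -Force -ErrorAction Stop
}

if (Test-LocalGatewayRole) {
    # Restart only where the service exists, avoiding the
    # "Cannot find any service with service name 'TSGateway'" error from the thread.
    Restart-Service -Name 'TSGateway' -Force
    Write-Output 'Restarted local TSGateway service.'
} else {
    Write-Output 'Local host does not run the RD Gateway role; local gateway steps skipped.'
}
```

The deployment-wide query (Get-RDServer with the RDS-GATEWAY role) is what answers "does a gateway exist, and where", while the local checks decide only whether service restarts and RDS: drive writes make sense on this host; keeping the two separate is what removes the "localhost is the gateway" assumption the reporter hit.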
