How to renew SSL cert for Remote App

http://www.urtech.ca/2010/08/how-to-renew-a-terminal-server-remote-desktop-certificate/

CREATE A NEW CERTIFICATE REQUEST:

  1. Launch IIS Manager and click the SERVER name (not the websites or virtual directories)
  2. In the IIS section, click SERVER CERTIFICATES (if you don’t see this, you are likely not at the server level, go click on the server name at the top of the IIS Manager CONNECTIONS tree)
  3. Click CREATE CERTIFICATE REQUEST and complete the form. Note that the only things that really count are the certificate name (like tsg.commodore.ca) and company information.
  4. Click NEXT and on the CRYPTOGRAPHIC screen, leave the default MICROSOFT RSA… provider option, but you must change the BIT LENGTH to 2048.
  5. Specify a path for the CSR. I like C:\ but it really makes no difference.

Skip this part for 2012 R2; just go to MAP A CERT

  1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
  2. Click Start, click Run, type mmc, and then click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
  5. In the Certificates snap-in dialog box, click Computer account, and then click Next.
  6. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
  7. In the Add or Remove snap-ins dialog box, click OK.
  8. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.
  9. Right-click the Personal folder, point to All Tasks, and then click Import.
  10. On the Welcome to the Certificate Import Wizard page, click Next.
  11. On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next.
  12. On the Password page, do the following:
  13. If you specified a password for the private key associated with the certificate earlier, type the password.
  14. If you want to mark the private key for the certificate as exportable, ensure that Mark this key as exportable is selected.
  15. If you want to include all extended properties for the certificate, ensure that Include all extended properties is selected.
  16. Click Next.
  17. On the Certificate Store page, accept the default option, and then click Next.
  18. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected.
  19. Click Finish.
  20. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
  21. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the TS Gateway server. The certificate must be under the Personal store of the local computer.
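
The check in step 21 can also be scripted. This is an added example, not part of the original instructions: it lists certificates in the Personal store of the local computer whose subject matches the gateway name and reports the properties that matter before mapping. The host name is the sample name from the CSR step, and requiring an explicit Server Authentication EKU is this example's own rule.

```powershell
# Added example: sanity-check a certificate in LocalMachine\My before mapping it.
$HostName   = 'tsg.commodore.ca'   # sample name from the CSR step; use your gateway FQDN
$MinKeyBits = 2048                 # bit length chosen on the CRYPTOGRAPHIC screen
$ServerAuth = '1.3.6.1.5.5.7.3.1'  # OID of the Server Authentication EKU

# "Personal" under "Certificates (Local Computer)" is Cert:\LocalMachine\My
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" }

if (-not $candidates) {
    Write-Warning "No certificate for $HostName in the Personal store of the local computer."
}

foreach ($cert in $candidates) {
    # GetRSAPublicKey returns $null when the certificate does not carry an RSA key
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $bits = if ($rsa) { $rsa.KeySize } else { 0 }
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $now  = Get-Date

    $hasServerAuth = $ekus -contains $ServerAuth
    $inValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    # Example rule (assumption): private key present, RSA >= 2048, explicit EKU, in date
    $usable        = $cert.HasPrivateKey -and ($bits -ge $MinKeyBits) -and $hasServerAuth -and $inValidity

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        KeyBits       = $bits
        ServerAuthEku = $hasServerAuth
        Usable        = $usable
    }
}
```

A row with HasPrivateKey set to False usually means the issued certificate was imported on a machine other than the one that generated the CSR.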

MAP A CERTIFICATE TO THE LOCAL TS / RD GATEWAY SERVER:

  1. You must use TS Gateway Manager to map the TS Gateway server certificate. If you map a TS Gateway server certificate by using any other method, TS Gateway will not function correctly.
  2. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
  3. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.
  4. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.
  5. In the Install Certificate dialog box, click the certificate that you want to use, and then click Install.
  6. Click OK to close the Properties dialog box for the TS Gateway server.
  7. If this is the first time that you have mapped the TS Gateway certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the TS Gateway Server Status area in TS Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.

Netsh int ip reset says access denied

http://davidvielmetter.com/tricks/netsh-int-ip-reset-says-access-denied/
netsh int ip reset c:\resetlog.txt

The command must be run in an elevated command prompt window (WIN+X) and it can be destructive in terms of IPv4 info set on an adapter, so…like don’t run it remotely on a server with a static IP.

I digress. The issue I’m really getting to is related to Homegroup membership and the Windows 10 upgrade. I found that if you’re upgrading from Windows 7 to Windows 10 and the original system you’re upgrading was joined to a homegroup, then the upgraded system might have issues with the TCP/IP stack (i.e. obtaining an IP address via DHCP).

I spent hours troubleshooting this on several freshly upgraded systems running Windows 10 that couldn’t connect to the network because they couldn’t obtain an IP from the DHCP server. All machines exhibited the same issue and all machines were previously joined to a homegroup (not a domain). Here are the symptoms:

  1. The system is upgraded from Windows 7 to Windows 10 build 1511 and works as expected but cannot obtain an IP address via Ethernet or Wi-Fi.
  2. The system works normally if a static IP is assigned.
  3. Resetting the TCP/IP stack results in the following information:
    netsh int ipv4 reset
    Resetting interface, OK!
    Resetting Unicast Address, OK!
    Resetting Neighbor, OK!
    Resetting Path, OK!
    Resetting , failed.
    Access is denied.
    Resetting , OK!
    Restart the computer to complete this action

In essence, having had the systems joined to a homegroup somehow messed up the TCP/IP stack in Windows 10 after the upgrade to the point that the system cannot obtain an IP address from DHCP. Here’s how to fix the issue:

  1. Open Regedit.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi and expand that folder.
  3. Expand the subfolder named {eb004a00-9b1a-11d4-9123-0050047759bc} and right-click the subfolder named 26. Select Permissions… and ensure that for Everyone the Full Control box is checked.
  4. Press WIN+X to open a command prompt with elevated permissions. Type netsh int ip reset and hit enter. Now you should see the following results:
    Resetting , OK!
    Restart the computer to complete this action
  5. Reboot the system.
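
The permission change on the Nsi subkey can be recorded and reviewed from an elevated PowerShell prompt. This is an added example, not part of the original post: it saves the key's security descriptor before the edit, lists the access entries, and reports whether Everyone currently holds Full Control. The backup file path is an assumption.

```powershell
# Added example: record and review the ACL on the Nsi subkey named in the fix.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\26'
$backup = 'C:\nsi26-acl-before.sddl.txt'   # assumed location for the saved descriptor

$acl = Get-Acl -LiteralPath $key

# Keep the first snapshot only, so the pre-change owner and DACL are preserved as SDDL
if (-not (Test-Path -LiteralPath $backup)) {
    $acl.Sddl | Set-Content -LiteralPath $backup -Encoding ASCII
}

# Read rules as SIDs so the test below does not depend on a localized "Everyone" name
$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$rules   = $acl.GetAccessRules($true, $true, $sidType)

$rules | Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
                       RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# S-1-1-0 is the well-known SID of the Everyone group
$everyoneFull = $rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-1-0' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.RegistryRights -band $full) -eq $full
}

if ($everyoneFull) {
    'Everyone has Full Control on this key.'
} else {
    'Everyone does not have Full Control on this key.'
}
```

The saved SDDL string holds the key's original owner and DACL, so the change made in step 3 can be compared against it or reversed once the reset has succeeded.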