Create Self Signed Certificate for Windows Server 2008 Remote Desktop Gateway
One of my favorite features of Windows Server 2008 is Remote Desktop Gateway. This feature allows you to access all of the Windows machines on your network (XP, Vista, 2003, etc.) via remote desktop even if they are behind a NAT or firewall. Furthermore, all communication is over SSL! How awesome is that?
One pain point that I did have with this feature was the creation of self signed certificates. The Remote Desktop Gateway interface allows you to create a self signed certificate, but once generated it only has a lifespan of 6 months, which is annoying. I have been using this feature for over a year and a half, so I have had to regenerate my self signed certificate three times. I finally got fed up and decided to figure out how to generate my own self signed certificate that lasts longer than 6 months. FYI: Microsoft recommends only using a self signed certificate for testing purposes. I am only using Remote Desktop Gateway for my home lab and I don’t want to shell out the cash to purchase an SSL certificate, so I am going to ignore this recommendation.
Create the Certificate
To create the self signed certificate you will need to download a few tools: Makecert.exe, cert2spc.exe, and pvkimprt.exe. Makecert and cert2spc are found in the Windows Platform SDK and the .NET Framework SDK. PvkImprt.exe can be found as a stand-alone download. These tools can be installed and run on a different server or workstation; you do not need to run the tools on the target server.
Once you have downloaded and installed the three command line tools you can begin. The first and most involved command is Makecert. For the purposes of this example I will use contoso.com as the URL through which I will access my remote desktop gateway server. It is very important that you generate the certificate with the same URL that you will use to access the server.
makecert -r -pe -n "CN=contoso.com" -eku 1.3.6.1.5.5.7.3.1 -b 05/19/2009 -e 01/01/2029 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv contoso.com.pvk contoso.com.cer
Makecert will prompt you for a password, supply any password that you are comfortable with. You can find a description of all of the command line options for Makecert here. The most important things to note here are the -b and -e arguments which specify the dates from which the certificate is valid. These are the options that the terminal services gateway UI does not give you.
Next you will run cert2spc and pvkimprt.
cert2spc contoso.com.cer contoso.com.spc
pvkimprt -pfx contoso.com.spc contoso.com.pvk
Pvkimprt will prompt you for the password; enter the same password that you used when you created the certificate with makecert. The pvk file is the one that you will import on your target Windows Server 2008 server.
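Before importing anything, it is worth confirming that makecert produced what the gateway and the clients actually need. The PowerShell function below is an added check and not part of the original post (Test-GatewayCert is a hypothetical name, and the .pfx file name is assumed): it opens the contoso.com.cer file, or the .pfx that pvkimprt writes, and reports whether the subject name matches the host name clients will type into mstsc, whether the Server Authentication EKU set by -eku 1.3.6.1.5.5.7.3.1 is present, whether the -b/-e validity window covers today, and whether the private key came along.

```powershell
# Added example (not from the original post): sanity-check a certificate produced by the
# makecert/cert2spc/pvkimprt steps before importing it on the gateway or on clients.
# Assumes PowerShell 2.0 or later; Test-GatewayCert is a hypothetical function name.
function Test-GatewayCert {
    param(
        [Parameter(Mandatory = $true)][string]$Path,      # contoso.com.cer or the .pfx from pvkimprt
        [Parameter(Mandatory = $true)][string]$HostName,  # the name clients will enter in mstsc
        [string]$Password = $null                         # only needed when $Path is a .pfx
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    if ($Password) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    } else {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    }
    $problems = @()

    # 1. The CN must match the gateway name, otherwise mstsc rejects the certificate.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $HostName) { $problems += "Subject name '$dnsName' does not match '$HostName'" }

    # 2. RD Gateway needs the Server Authentication EKU that -eku 1.3.6.1.5.5.7.3.1 adds.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) { foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true } } }
    if (-not $hasServerAuth) { $problems += 'Server Authentication EKU missing' }

    # 3. Validity window: the whole point of -b / -e. Flag a cert that is expired or not yet valid.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "Not valid today (valid $($cert.NotBefore) to $($cert.NotAfter))"
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # expected here; clients must trust it explicitly
        HasPrivateKey = $cert.HasPrivateKey                 # true only for the .pfx; the .cer is the public half
        Problems      = $problems
    }
}

# Usage with the file names from the steps above (the .pfx name is assumed):
# Test-GatewayCert -Path .\contoso.com.cer -HostName contoso.com
# Test-GatewayCert -Path .\contoso.com.pfx -HostName contoso.com -Password 'the makecert password'
```

An empty Problems list and HasPrivateKey = True on the .pfx means the file is ready for the gateway; the .cer alone (HasPrivateKey = False) is what belongs in the clients' Trusted Root store.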
Server Configuration
First you will install the certificate on the target Windows 2008 server. To install the certificate on the target server you should open the Microsoft Management Console, MMC, and add the certificates snap-in. When opening the certificates snap-in choose “Computer Account”.

Once you have added the snap-in, right click on the “Personal” key store and choose “All Tasks” and “Import”.

Browse to the pvk file that you created during the steps above. Again, you will be prompted for the password that you used during certificate creation. Once imported the remote desktop UI should recognize the certificate as a valid certificate to use.
Go to the TS Gateway Manager. Click on your server and click properties. Select the SSL Certificate tab and click “Select an existing certificate for SSL encryption (recommended)”, then click “Browse Certificates”. You should see your certificate here. Select your certificate and click “Install”, then “Ok”.
Client Configuration
Now that you have installed the self signed certificate on the server you will need to install the certificate on all the computers that you will be connecting to the remote desktop gateway from. On the client computer, double click on the contoso.com.cer file generated by the makecert command or the pvk file generated by pvkimprt and install it to the “Trusted Root Certification Authorities” key store.
Then configure your remote desktop client to use a remote desktop gateway. Open the remote desktop client, mstsc, and go to the “Advanced” tab.

Then click on settings and select “Use these TS Gateway server settings” and enter “contoso.com”. Optionally you can select “Bypass TS Gateway server for local addresses”.

When you enter the name of the server/workstation you want to connect to, enter it as if you are on the network local to the Remote Desktop Gateway Server. When you click connect you will first be prompted to enter credentials authenticating you to the Remote Desktop Gateway Server. Then you will be prompted for credentials to authenticate you to the target server/workstation.
