Hello.
Scenario: RDS deployment (RDCB server, 2x RDSH servers, 1x RDWA server), 2x RDGW servers in an NLB farm (outside of the RDS deployment), all servers living in an abc.local domain. There's a session collection containing both RDSHs. Since users are connecting almost exclusively from the internet and are not domain-joined, we've acquired a wildcard certificate (from a public CA) for a xyz.com domain and applied that certificate to the RDS deployment.
There's also a certificate (from a public CA) for the RDGW NLB name (say gw.xyz.com).
Since users are connecting from outside of the network/domain, we generate custom RDP files for them containing the required parameters like:
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.<session_collection_name>
workspace id:s:rds.xyz.com
etc. to make that work. The RDP file is also signed with rdpsign using the hash of the *.xyz.com certificate.
So far so good. Now, with this configuration, users can connect to the farm (using rds.xyz.com as the computer name). But on older OSes like Windows 7 or Vista, there will be an untrusted certificate warning upon connection to the target RDSH server (those are using the default pre-generated self-signed certificates).
Users using W8/8.1 do not get this warning.
What should we do in order for the W7/Vista users to not get this warning? Our thought was to install the *.xyz.com certificate on the RDSH servers and force them to use it by modifying the WMI class Win32_TSGeneralSetting as explained, for example, at http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
However, when we do this, users can't connect at all, getting an authentication error: An authentication error has occurred (Code: 0x607)
What's the problem with this? How can it be resolved? Is there better technical documentation on what actually verifies the certificates, and when? Is it the RDGW? Is it the RDCB? Something else? Why is the behavior different between OSes (using the same RDC version)?
I presume (correct me if I'm wrong) that the user connects to the RDCB that wants to create/redirect the session to one of the RDSHs. At that moment it checks the certificate installed on the RDSH, but since it's *.xyz.com and the computer lives in AD domain abc.local, that check will fail. Would modifying an alternate DNS suffix to xyz.com on the RDSH help? Or something else?
Thanks in advance.
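The following is an added PowerShell example, not part of the question above and not taken from the linked blog. It builds and signs the kind of custom RDP file the question describes, and then shows how to read and set the RDP listener certificate through Win32_TSGeneralSetting on an RDSH while checking the things that commonly go wrong (certificate present with its private key, listener actually switched). The collection name "Collection1" and the file path are placeholders; the host names rds.xyz.com and gw.xyz.com are the ones from the question. The steps in section 3 must run on the RDSH itself in an elevated session.

```powershell
# Added example (not from the original post). Assumptions: a session collection
# named "Collection1" (placeholder), the public *.xyz.com certificate already
# imported with its private key into Cert:\LocalMachine\My, and rdpsign.exe
# available (it ships with the Remote Desktop client). Run elevated.

# --- 1. Build the custom RDP file described in the question ---------------
$collection = 'Collection1'                    # placeholder collection name
$rdpFile    = Join-Path $env:TEMP 'rds-xyz.rdp'

$rdpLines = @(
    'full address:s:rds.xyz.com',              # farm name published by the RDCB
    'gatewayhostname:s:gw.xyz.com',            # RDGW NLB name
    'gatewayusagemethod:i:1',                  # always go through the gateway
    'use redirection server name:i:1',
    "loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.$collection",
    'workspace id:s:rds.xyz.com'
)
Set-Content -Path $rdpFile -Value $rdpLines -Encoding ASCII

# --- 2. Locate the *.xyz.com certificate and sign the file ----------------
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*xyz.com*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No *.xyz.com certificate with a private key found' }

# rdpsign /sha256 expects the SHA-256 hash of the certificate (the .Thumbprint
# property in PowerShell is SHA-1, which is what the older /sha1 switch takes).
$sha256  = [System.Security.Cryptography.SHA256]::Create()
$hashHex = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
& rdpsign.exe /sha256 $hashHex $rdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign failed with exit code $LASTEXITCODE" }
"Signed RDP file written to $rdpFile"

# --- 3. Inspect / set the RDP listener certificate on an RDSH (run there) --
# Win32_TSGeneralSetting (namespace root\cimv2\TerminalServices) holds the SHA-1
# thumbprint of the certificate the RDP-Tcp listener presents. Reading it first
# tells you whether the pre-generated self-signed certificate is still in use.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                          -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
"Listener certificate before: $($listener.SSLCertificateSHA1Hash)"

# Sanity checks before switching: the certificate must exist on this host with
# its private key, and the account running the listener (NETWORK SERVICE) needs
# read access to that private key, or the listener cannot use it.
$target = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $target.HasPrivateKey) { throw 'Certificate has no private key on this host' }
"Subject of certificate about to be bound: $($target.Subject)"

Set-WmiInstance -Path $listener.__PATH `
                -Arguments @{ SSLCertificateSHA1Hash = $target.Thumbprint } | Out-Null

# Re-read to confirm the change took effect.
$after = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                       -Class Win32_TSGeneralSetting `
                       -Filter "TerminalName='RDP-Tcp'"
"Listener certificate after:  $($after.SSLCertificateSHA1Hash)"
```

Reading the listener value before and after the change, and checking the subject of the bound certificate, gives a quick way to confirm on each RDSH which certificate the client is actually being shown; the name the client connects with (here rds.xyz.com) has to be covered by that certificate for the identity check to pass on any client version.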