Hello,
First, please accept my apologies if this question was asked before...
I have read more than 80 posts over the internet to find a suitable response but nothing really clear for the moment...
This one seems to be the most interesting: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn781533(v=ws.11)
I have a question concerning certificates for RDS 2016.
My customer configuration is:
- 1 RDS Broker (RDB.customer.domain.com)
- 1 RDS Gateway and RD WebAccess (RDGW.customer.domain.com)
- 1 licensing server (RDL.customer.domain.com)
- 4 RDS SH servers (RDSH01 to 04.customer.domain.com)
The servers are in the domain: "customer.domain.com".
The customer's domain is: "main.domain.com".
The RD Web Access must be accessible from the customer domain (from main.domain.com => customer.domain.com using a VPN) and from the internet with the alias "https://test.domain.com".
There is no relationship between domains "customer.domain.com" and "main.domain.com".
My customer asked me for a SHA256 certificate created with MMC (right click on "Certificates", "Personal", "Certificates", "Advanced Operations", "Create Custom Request", etc.) because it was not possible with IIS (only SHA1 possible).
That is what I have done: creation of the CSR with CN=test.domain.com (and O=xxxxxx, OU=xxxxxx, L=xxxxx, S=xxxxx, C=xx) without specifying the Subject Alternative Name.
When the certificate was signed with the customer's CA, I put the certificate into the Edit Properties of the RDS deployment, enabling SSO, but I always get multiple login prompts when trying to connect from the Internet (https://test.domain.com).
On the certificate, the Issuer is "CA of the customer", issued to "CN=test.domain.com, O=xxxxxx, OU=xxxxxx, L=xxxxx, S=xxxxx, C=xx", subject alternative name: test.domain.com (I think this will not work for SSO).
I have read that I have to put a SAN (Subject Alternative Name) with DNS=*.customer.domain.com on the CSR.
So, my 2 questions are:
How can I create the CSR to avoid multiple login prompts and certificate errors?
Is this example correct?
CN=test.domain.com
O=xxxxxx
OU=xxxxx
L=xxxxx
S=xxxx
C=XX
DNS=*.customer.domain.com (alternative name)
Can I use only 1 certificate for Broker, GW, RDWebAccess, RDSH?
Thank you for your support!
Damien.
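Added example (not from the original post or from Microsoft): one way to produce the CSR described in the question on Windows with the built-in certreq tool instead of the MMC wizard, using a request INF that carries the Subject from the question plus a SAN extension listing both names the post mentions (test.domain.com and *.customer.domain.com). Clients match the host name they connect to against the SAN, so the script also includes a check that reads the SAN back from the installed certificate before it is assigned in the RDS deployment properties. The O/OU/L/S/C values are the question's own placeholders, the file paths are assumed, and the "DNS Name=" parsing assumes an English-locale Windows.

```powershell
# Added example, not the original poster's code. Paths and O/OU/L/S/C values are placeholders.

# certreq request INF: SHA-256 signed PKCS#10 request with a SAN extension (OID 2.5.29.17).
$inf = @"
[NewRequest]
Subject = "CN=test.domain.com, O=xxxxxx, OU=xxxxx, L=xxxxx, S=xxxx, C=XX"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
Exportable = True
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: one dns= entry per name clients will use
2.5.29.17 = "{text}"
_continue_ = "dns=test.domain.com&"
_continue_ = "dns=*.customer.domain.com&"
"@

$infPath = "C:\temp\rds-request.inf"   # assumed path
$csrPath = "C:\temp\rds-request.req"   # assumed path
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the machine store and writes the CSR to submit to the CA.
certreq.exe -new $infPath $csrPath

# After the CA returns the signed certificate, install it against the pending request:
# certreq.exe -accept C:\temp\rds-request.cer

# Check: list the DNS names in the SAN of the installed certificate.
function Get-RdsCertSanNames {
    param([string]$Subject = "CN=test.domain.com")
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "$Subject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return @() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $san) { return @() }
    # Format($true) renders one "DNS Name=..." line per entry (English locale assumed)
    ($san.Format($true) -split "`r?`n") |
        ForEach-Object { if ($_ -match "DNS Name=(.+)$") { $Matches[1].Trim() } }
}

$expected = @("test.domain.com", "*.customer.domain.com")
$present  = @(Get-RdsCertSanNames)
$missing  = $expected | Where-Object { $present -notcontains $_ }
if ($missing) { Write-Warning "SAN is missing: $($missing -join ', ')" }
else          { Write-Host "SAN covers all expected names: $($present -join ', ')" }
```

Run it in an elevated PowerShell on the server whose machine store should hold the private key; the check at the end is the part worth repeating on every server that will present the certificate, since a SAN that omits one of the names is what produces the certificate warnings and repeated credential prompts the post describes.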