Thursday 11 May 2017

Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Configure Console Connect Feature in Windows Azure Pack - Part 10

Hello Everyone,

In this post, I will explain how to configure console connect features in Windows Azure Pack.

To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - INTRODUCTION - Part 1, Click Here!

To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Components & Deployment Types- Part 2, Click Here!

To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Complete Setup Deployment Requirement - Part 3, Click Here!

To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - WAP Architecture (STANDALONE & HIGH AVAILABILITY) - Part 4, Click Here!

To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - WAP Components Sizing - Part 5, Click Here!

To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Installation & Configurations - Part 6, Click Here!

To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Integration process with SPF and SCVMM & Post Configurations - Part 7, Click Here!

To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Tenant Portal Login overview & Configure Public Access  - Part 8, Click Here!

Let'start with understanding the concept of Console Connect for Tenant Virtual Machines...


To configure Console Connect in Windows Azure Pack, You have to: 

Configuring Certificates on SCVMM Servers 

Copy and paste the "makecert.exe" file in C Drive from WAP VM. 

NOTE: “Makecert.exe” is used for creating Self-signed certificate. This can be downloaded from Internet or can be used from WAP Server from above mentioned path.

User can also use Domain Certificate if Root CA Server is available.

Path in WAP VM is: "c:\Program Files (x86)\Windows Kits\8.0\bin\x64"

Copied in SCVMM VM:

Open command prompt as Administrator, Go to path of "makecert.exe" file and run the below mentioned command:

Makecert -n "CN=Remote Console Connect" -r -pe -a sha256 -e 01/01/2050 -len 2048 -sky signature -eku -ss My -sy 24 "RemoteConsoleConnect.cer”.

NOTE: CN stands for Certificate Name. Self-Signed Certificate created with Enhanced Key Usage (eku is for Client Authentication Object Identifier) is Client Certificate that’s why extension used is “.cer”.

Open Certificate console using "mmc" in Run Windows, login as local user, expand Personal & see certificate created from above command:

Now, Export this certificate 2 times because we need to use this certificate for:
  • Public Certificate (.cer) for SCVMM Server, Host and RDG Server .
  • Private Certificate (.pfx) with Private Key, i.e. With secure password because this password will be used when You will import certificates on Host and RDG Server for authentication.

Export the certificate with extension (.cer):

Click Next:

Click Next:

Give path & Click Next:

Click Finish:

Exported Certificate in folder:

Now, Export certificate with extension (.pfx) with private key and password:

Follow same steps and choose "Yes, export the private key" and click next:

Select below option & Click Next:

Give Password & click next:

Give Path & Click Next:

Click Finish:

Exported certificate in Folder:

Now, we need to import .pfx file in VMM database using Set-SCVMMServer cmdlet.

Open the SCVMM powershell module as administrator and execute below commands:

$mypwd = ConvertTo-SecureString "PASSWORD" -AsPlainText –Force

NOTE: Password is for the “.pfx” certificate which was given at the time of exporting certificate with private key.

$cert = Get-ChildItem .\RemoteConsoleConnect.pfx

NOTE: “RemoteConsoleConnect.pfx” is the name of “.pfx” certificate.


NOTE: “SCVMM_SERVER_FQDN_NAME” is the name of Your VMM Server

Set-SCVMMServer -VMConnectGatewayCertificatePassword $mypwd -VMConnectGatewayCertificatePath $cert -VMConnectHostIdentificationMode FQDN -VMConnectHyperVCertificatePassword $mypwd -VMConnectHyperVCertificatePath $cert -VMConnectTimeToLiveInMinutes 2 -VMMServer $VMMServer

NOTE: For the VMM server, we load the pfx into the VMM database so that VMM doesn’t need to rely on the certs being in the cert store of node. You shouldn’t need to do anything on the VMM server except import the pfx into the VMM database using Set-SCVMMServer cmdlet. The VMM server is responsible for creating tokens.

NOTE: This above added certificate in VMM DB will be automatically added to all Nodes which are added in SCVMM and if any node is added then need to either install this certificate manually on the node or repeat the above scripts step.

Now, Go to SCVMM Console and refresh all host so that SCVMM can install ".pfx" certificate in personal certificate store of all host.

After completing this step, you can check if Certificate is installed on Hyper-V host in local computer as shown below:

Configuration is completed on SCVMM.

Configuring certificates on the Hyper-V hosts:

Now, Next part is critical so before proceeding, please confirm if any VM is running on Hyper-V Host. This is because we are using self-signed certificate and for that after installing public key of certificate to Trusted Root Certification Authority Certificate Store, we need to reboot the Hyper-V Host.

Before proceeding to reboot, first keep the host as maintenance mode and wait till all VMs moves to another node. Then after confirmation reboot the host.

Now, Start proceeding:

We have to install public key certificate to Trusted Root Certification Authority Certificate Store in all hyper-v host as shown below.

Open Windows Powershell prompt as Administrator and Run below command on hyper-v host:

Import-Certificate -CertStoreLocation cert:\LocalMachine\Root -FilePath "C:\RemoteConsoleConnect.cer"

Now Restart SCVMM Agent Service and then cross-check if certificate is installed successfully or not:

To check if certificate is installed or not, run below command:

dir cert:\localmachine\My\ | Where-Object {$_.subject -eq "CN=Remote Console Connect"}

Repeat same steps on all Hosts.

Configure Certificates on Remote Desktop Gateway Server:

Copy and paste "RDGatewayFedAuth" setup file from SCVMM dumb as shown below:

Why different VM is used for RDG Server?

RDG server will be used as a federated authentication server for only Console Connect Option in WAP. In order to support federated authentication, VMM has a VMM Console Connect Gateway which is located at “DLayout.EVAL\amd64\Setup\msi\RDGatewayFedAuth”. This gateway needs to be installed at RDG Server.

What will happen if that VM is dead?
  • User won’t be able to get access to console connect.
  • For RDG in HA, we can create a new RDG server as Secondary Server with load balancer between both and all required certificates needed to be installed same as in primary server.

Install this file RD Server:

Click Next:

Click Next:

Click Install:

Add certificate in local machine with public key as show below:

Import-Certificate -CertStoreLocation cert:\LocalMachine\My -Filepath "C:\RemoteConsoleConnect.cer"   --- for personal store

Import-Certificate -CertStoreLocation cert:\LocalMachine\Root -Filepath "C:\RemoteConsoleConnect.cer"   --- for trusted root store

Run below Commands:



//This thumbprint is for above installed certificate which can be copied from certificate properties via mmc console.

$TSData = Get-WmiObject -computername $Server -Namespace "root\TSGatewayFedAuth2" -Class "FedauthSettings"

$TSData.TrustedIssuerCertificates = $Thumbprint


This is all done at Remote Desktop Server End.

NOTE: This was failed because "RDGatewayFedAuth" setup file was not installed. After installing the command completed successfully.

WAP Configuration:

Open Admin Site, go to VM cloud, click edit and provide FQDN of RDG Server as shown below:

Now tenants are able to view console from tenant site.

Open tenant site and login with tenant user credentials:

Click on connect and then click on console option, Click on Tick Mark:

Click on Open:

Download of RDP file is completed so now again click open:

Below is the console of the VM named as “TESTVM01”:

What are the requirements to use this feature for different network machines:

  • Port “883” must be opened from VLAN ID for different network segment to RDG Server.
  • RDG Server certificate must be installed on client machine in trusted root certificate authority (See below: How to install certificate on client machine).
  • DNS Name resolution must be configured for RDG Server. If DNS resolution is not done then Client has to enter the RDG Server details in Host File of client machine (See below: How to enter Host File entry for RDG Server on Client Machine).
  • If Client machine is using base OS as Windows 7 with SP1 then need to install update KB2830477 on client machine (Click Here!).

How to install certificate on client machine:

  • Copy & paste the RDG certificate to client machine.
  • Open "Run" window & type "mmc".
  • Click on "File" & then click "ADD/Remove Snapin".
  • A small window will open and from there select "certificate" & click "add".
  • Choose "Computer Account", Click "OK", select "Local Machine", click "Finish" & then "OK"
  • Expand "Certificates" & then Expand "Trusted Root Certificate Authority".
  • Right click on "Certificate", Select "All Task" & Click on "Import".
  • Click "Next", Give "RDG Certificate Location", Click 2 times "NEXT" & then click "Finish".
  • Certificate will get installed on client machine.

How to enter Host File entry for RDG Server on Client Machine Open notepad as administrator:

  • Open "Hosts" file in notepad from location: "C:\Windows\System32\drivers\etc"
  • Enter the RDG Server details as: RDG_SERVER_IP_Address      RDG_SERVER_FQDN
  • Save the "Hosts" file & close it.

NOTE: Certificate used for RDG Server is Self-Signed Certificate which will expire in one year. So after one year, New RDG Server Certificate needs to be created on RDG Server & install it on RDG Server itself and on all client machines. Certificate can also be created through internal CA Authority using web template and then can be exported/imported on RDG Server & on all client machines.

Steps to create Self-Signed Certificate for RDG Server:

  • Open IIS Manager on RDG Server.
  • Click on Server Certificates.
  • Click on “Create Self-Signed certificate”.
  • Give Name for the certificate & click on create.
  • Install the certificate in personal store.
  • Export the certificate & distribute to client.

This is how You configure & connect Virtual Machine via Console Connect on Windows Azure Pack.

This completes my Windows Azure Pack series... Now it's time to upgrade skill & share new series for Microsoft Azure Stack... Keep supporting... Azure Stack series in coming soon!!!

Share Your feedback or any query!!!

Happy Reading!!!

If You like my post then follow my updates:

Join my Facebook group for updates on trending technologies/technical references/issues etc:


  1. This information is meaningful and magnificent which you have shared here about the Microsoft Windows Azure. I am impressed by the details that you have shared in this post and It reveals how nicely you understand this subject. I would like to thanks for sharing this article here. cloud backup solutions for small business in USA

  2. Thank you for your post, I look for such article along time, today i find it finally. this post give me lots of advise it is very useful for me. private rdp

  3. For what reason do these bitcoins have esteem? It's quite basic. They've advanced into something that many individuals need and they're in restricted gracefully. In spite of the fact that the framework keeps on turning out bitcoins, this will stop when it arrives at 21 million, which was intended to occur in about the year 2140. bitcoin mixer