Enterprise Mobility and Security Blog


Why create Kerberos Identity for farms?

In Windows Server 2008, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop Session Host (Terminal Server) farm and deploying it to each server in the farm. Because requiring SSL certificates on every server in an RDS farm in an intranet scenario can be expensive and burdensome, Windows Server 2008 R2 adds the option to create a Kerberos identity for the farm, which provides server authentication in intranet scenarios without a per-server certificate.

How it works:

The farm’s account credentials are stored on the Remote Desktop Connection Broker (RD Connection Broker). The RD Connection Broker provides each RDS server in the farm with the farm’s account credentials, and the RDS servers use them as a supplement to their own individual server credentials. Because every server in the farm ends up holding these credentials, the farm account should be a dedicated account used for nothing else.

How to enable Kerberos Identity for RD Session Host farms using Windows PowerShell Script:

This example doesn’t show you how to create an RD Session Host farm by using Windows PowerShell. For information on creating an RDS farm, see the following blog post.

Important! The user account in the following procedure must have the Add workstations to domain user right and be a member of the local Administrators security group on the RD Connection Broker.

Important! Kerberos identity is not supported if the Connection Broker runs as a node in a Failover Cluster.

Important! The RDS provider for Windows PowerShell does not enable automatic updates of the farm account’s password. To enable automatic password updates, use the WMI script shown in Part II of this blog post series.

1. On the RD Connection Broker, launch Windows PowerShell Modules: click Start, point to Administrative Tools, and then click Windows PowerShell Modules.

2. Type cd RDS: and then press ENTER to switch to the RDS provider for Windows PowerShell.


3. Type cd RDSFarms and then press ENTER. If you type DIR, you can see all the RDS farms that the Connection Broker manages.


4. Type CD <farm name>, where <farm name> is the name of the RDS farm on which you want to enable a Kerberos identity, and then press ENTER. Type DIR to see its properties.


5. Type CD KerbIdentity and then press ENTER. Type DIR to see the current configuration.


6. Type Set-Item EnableKerbIdentity 1 and then press ENTER. The result is shown in the screenshot below.


7. When prompted, type the name of the user account that will be used as the Kerberos identity and then press ENTER.

You can assign the user account while enabling the Kerberos Identity by using the AccountName parameter, as shown in the screenshot below.
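The seven steps above, collected into one non-interactive Windows PowerShell script as an added example (this is not code from the original post). The farm name RDSFarm1 and the account CONTOSO\svc-rdsfarm are assumed placeholders; the script also assumes the RDS provider exposes each item's value through a CurrentValue property, which is what DIR displays in the steps above. Run it in an elevated Windows PowerShell session on the RD Connection Broker.

```powershell
# Added example, not from the original post: enable a Kerberos identity for an
# RD Session Host farm from an RD Connection Broker without interactive prompts.
# Assumed names (replace with your own): farm "RDSFarm1", account "CONTOSO\svc-rdsfarm".

$FarmName    = 'RDSFarm1'              # assumed farm name
$FarmAccount = 'CONTOSO\svc-rdsfarm'   # assumed dedicated farm account (DOMAIN\user)

# Pre-check: the procedure requires local Administrators membership on the broker.
# (The "Add workstations to domain" right is granted in the domain and cannot be
# verified locally; confirm it separately.)
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated session as a local Administrator on the RD Connection Broker.'
}

# Pre-check: Kerberos identity is not supported when the broker is a Failover Cluster node.
$clusSvc = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
if ($clusSvc -and $clusSvc.Status -eq 'Running') {
    Write-Warning 'The Cluster service is running on this broker; Kerberos identity is not supported on a clustered RD Connection Broker.'
}

# Step 1: load the RDS provider (the Windows PowerShell Modules shortcut does this for you).
Import-Module RemoteDesktopServices

# Steps 2-4: switch to the RDS: drive and confirm this broker manages the farm.
Set-Location RDS:\RDSFarms
if (-not (Test-Path $FarmName)) {
    $known = (Get-ChildItem . | Select-Object -ExpandProperty Name) -join ', '
    throw "Farm '$FarmName' not found on this RD Connection Broker. Farms here: $known"
}
Set-Location $FarmName

# Step 5: record the Kerberos identity configuration before changing it.
Set-Location KerbIdentity
Write-Host "Kerberos identity configuration for '$FarmName' before the change:"
Get-ChildItem . | Format-Table Name, CurrentValue -AutoSize

# Steps 6-7: enable the identity and pass the account in the same call, so the
# provider does not stop to prompt for it.
Set-Item EnableKerbIdentity 1 -AccountName $FarmAccount

# Verify by reading the setting back rather than trusting that no error was raised.
$enabled = (Get-Item EnableKerbIdentity).CurrentValue
if ($enabled -ne 1) {
    throw "EnableKerbIdentity reads '$enabled' after the change; the farm account was not applied."
}
Write-Host "Kerberos identity enabled for farm '$FarmName' with account $FarmAccount."
Get-ChildItem . | Format-Table Name, CurrentValue -AutoSize
```

Passing -AccountName on the Set-Item call is what keeps the script non-interactive; without it the provider prompts for the account exactly as in step 7. The read-back at the end matters because the RDS provider does not update the farm account's password automatically (see the note above), so confirming the current state is the only feedback the script gets.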


Please refer to Part II of this blog post series for information on enabling Kerberos Identity for RD Session Host farms using a WMI script.