I have to say that this is probably the most frustrating thing I have ever worked on. I cannot remember having spent so much time on something that (in my opinion) should be easy.
As of now, I have Server1, which is the RD Broker, Web Access and Licensing server. Server2 is the RD Session Host. More session hosts will be added in the future.
What I basically want is a session collection to which users can connect, either by RDP directly or by launching their Remote Apps, which are either published to client computers in the domain by Group Policy or via RD Web Access.
As I have understood it, the redirection to the session collection is a bit different in 2012. Instead of creating a DNS zone for the session collection farm name with all the session hosts in it, you put the broker into the zone and then let it handle all the redirection to the different hosts. OK, that all sounds nice, easy and dandy.
So through Server Manager on Server1 I create my session collection, set my public certificate that matches the farm and DNS name, and add my session host. Does it work? No.
I guess Microsoft failed to mention that you have to modify the registry on the broker to tell the RDP client which session collection it should be redirected to, or else it will just try to connect directly to the broker. Or am I just not good enough when it comes to searching Microsoft's seemingly endless maze of links to different topics on TechNet? Anyway, I did that and redirection worked with the RDP client.
And this is where my first problem came up. When connecting to the session collection with an RDP client, I get the infamous certificate error because of the mismatch between the name of the session collection and the host name of Server2, my session host. But why? Is it not supposed to take care of this for me when I add my session host to the session collection via Server Manager on Server1? Well, if so, it doesn't. So I have to log on to my session host, import the public certificate for my session collection and set it on the RDP-Tcp listener. NOW redirection to my session collection works without any certificate errors. Great.
Next I added my first Remote App through Server Manager on Server1. The application itself is actually on Server2. And this is where my real headache starts.
Upon launching the Remote App I get a certificate error because of the mismatch between the session collection name and the host name of my session host, Server2. But... I set the certificate on the listener, right? Yes, but the path to the Remote App is \\Server1\c$\foldername\software.exe, so when launching the Remote App it still uses the host name of Server2, but since I have changed the RDP-Tcp listener, I now get a certificate mismatch again. This time, only when launching Remote Apps. An easy way to fix this would be to change the path to the Remote App to \\dns-name-of-session-collection\c$\foldername\software.exe. But I cannot do that, because my broker is the only one supposed to respond to that name, since it is the one handling all the redirection.
I won't bother telling you what I have tried, but I have lost track of the hours and days I have spent on this problem. But I can mention that through the entire process, SSO on the RD Web Access has not worked either, no matter what I have tried. What am I doing wrong?
The way I see it, I only have two options for solving the problem with the Remote Apps now.
1. Create a secondary RDP-Tcp listener on the session host on a different port, and then publish my Remote Apps on this port. Is this possible in 2012 R2, by the way? Can I set custom ports on the Remote Apps within a session collection?
2. Probably the most viable solution. Buy a new, public wildcard certificate for the domain and set it on the listeners of all the involved servers. And then an additional DNS zone for my session hosts, so I can set a "common" path for the Remote Apps to avoid the certificate error.
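As an added example (not part of the original post), here is a PowerShell check for the certificate problem described above: run on a Session Host, it reports which certificate the RDP-Tcp listener actually presents and whether that certificate's CN or SAN covers the session collection's DNS name. The collection name `collection.example.com` is a placeholder you would replace with your own.

```powershell
# Added example, not from the original post. Run on the RD Session Host (Server2 in
# the post) to see which certificate the RDP-Tcp listener presents and whether the
# certificate's CN or SAN covers the session collection's DNS name.
param(
    # Placeholder: replace with the DNS name of your session collection
    [string]$CollectionFqdn = 'collection.example.com'
)

# The RDP-Tcp listener stores the thumbprint of the certificate it presents in the
# Win32_TSGeneralSetting class of the TerminalServices WMI namespace.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumbprint = $listener.SSLCertificateSHA1Hash

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ieq $thumbprint }
if (-not $cert) {
    Write-Warning "Listener thumbprint $thumbprint not found in LocalMachine\My"
    return
}

# Collect every DNS name the certificate is valid for: the Subject CN plus all
# 'DNS Name=' entries of the Subject Alternative Name extension (OID 2.5.29.17).
# Assumes the English 'DNS Name=' label that Format() produces on an English OS.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $sanNames = ($san.Format($false) -split ',\s*') |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    if ($sanNames) { $names += $sanNames }
}

# A wildcard entry (*.example.com) is matched with -like (slightly looser than RFC
# 6125, since it also matches extra labels); a plain entry must match exactly.
$covered = $names | Where-Object {
    if ($_.StartsWith('*.')) { $CollectionFqdn -like $_ } else { $_ -ieq $CollectionFqdn }
}

[pscustomobject]@{
    Listener         = $listener.TerminalName
    Thumbprint       = $thumbprint
    Subject          = $cert.Subject
    DnsNames         = ($names -join ', ')
    NotAfter         = $cert.NotAfter
    CoversCollection = [bool]$covered
}
```

If `CoversCollection` is `False` on a host that clients reach through the collection name, that host is the one producing the mismatch warning, regardless of what Server Manager shows on the broker.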