Enterprise Mobility and Security Blog

RSS

In a previous blog post we explained how to configure Remote Desktop certificates for Windows 7. In Windows 8 (and 8.1) and Windows Server 2012 (and R2) configuring Remote Desktop certificates has become easier:

1. It is no longer required for the template name and template display name to be the same.

2. You no longer need to create a custom template. One of the built-in templates, for example “Computer” template, can now be used.

3. The “Server Authentication Certificate Template” group policy setting can now contain either one: template name (CN), template display name or template object identifier (OID). The latter is more reliable because template name can be changed while OID cannot. Certificate templates that support Windows 2000 CAs (schema version 1) do not have OIDs, so with those templates you can use their template name (CN). Using template display name should be avoided because this name does not uniquely identify the template – multiple templates can have the same display name.

Example 1: providing certificates for Remote Desktop using the “Computer” certificate template.

If you want to use the “Computer” certificate template with Remote Desktop, you first need to publish it in your Certificate Authority if it’s not already published.

Publishing the “Computer” certificate template:
  1. On the computer that has your enterprise Certification Authority installed, start the Certification Authority MMC snap-in.
  2. Right-click on “Certificate Templates”, then select “NewCertificate Template to Issue” from the menu that appears.
  3. The “Enable Certificate Templates” dialog box appears. Select “Computer”, and then click “OK.”

The next (and the last!) step is to configure Group Policy to use certificates based on the “Computer” template for Remote Desktop authentication.

Configuring Group Policy:
  1. On the domain controller start the “Group Policy Management” MMC snap-in.
  2. Right-click the “Default Domain Policy” and click on “Edit…” in the menu that appears. The “Group Policy Management Editor” appears.
  3. Navigate to “Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostSecurity.”
  4. Double-click the “Server Authentication Certificate Template” policy.
  5. Enable the policy, type “Machine” in the “Certificate Template Name” box, and then click “OK”. Note: the “Computer” template does not have an OID so we are using its template name – “Machine” instead.

image

That’s it! As soon as this policy is propagated to domain computers, every computer that has Remote Desktop connections enabled will automatically request a certificate based on the “Computer” template from the Certification Authority server and use it to authenticate to Remote Desktop clients.

Example 2: configuring Remote Desktop certificates using the template OID.

In this example we have a custom “RD Computer” template already published in CA.

Finding the template OID:
  1. Open the Certificate Templates MMC snap-in.
  2. Double-click on the template name.
  3. Select the “Extensions” tab.
  4. Select the “Certificate Template Information” extension.
  5. The “Object Identifier” value in the template information contains the OID.

image

You can now copy/paste the OID into the “Server Authentication Certificate Template” group policy instead of the template name.

Configuring Group Policy:
  1. On the domain controller, open the “Group Policy Management” MMC snap-in.
  2. Right-click the “Default Domain Policy” and click on “Edit…” in the menu that appears. The “Group Policy Management Editor” appears.
  3. Navigate to “Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostSecurity.”
  4. Double-click the “Server Authentication Certificate Template” policy.
  5. Enable the policy, paste the OID into the “Certificate Template Name” box, and then click “OK”.

image

As soon as this policy is propagated to domain computers, they will update their certificates accordingly.

We hope this helps show how it is easier to manage certificates for Remote Desktop.

Note: Questions and comments are welcome. However, please DO NOT post a request for troubleshooting by using the comment tool at the end of this post. Instead, post a new thread in the RDS & TS forum. Thank you.