Now when connecting to PCs via the Remote Desktop client, you should no longer receive certificate warnings. Close the certificate properties window and you should be prompted for your password to save the changes. Set the certificate to be trusted by selecting ‘Alway Trust’ from the ‘When using this certificate’ option. Once installed the certificate is not automatically trusted as you can see below: Find the downloaded certificate in Finder and open the certificate to install it into Keychain. Download the CA certificate in DER format. and download the certificate via ‘Download a CA certificate, certificate chain, or CRL’. Navigate to the URL of your certificate server (e.g. Now that my Remote Desktop certificates are configured for autoentrollment and Windows machines are picking up the certificates, I can import the root CA certificate into my MacBook running OS X. Once a Group Poliy refresh occurs or on the next boot, the target Windows machines will autoenroll for the certificate and configure their RDP listener. Edit the policy and enable the following setting:Ĭomputer Configuration / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security / Server authentication certificate templateĪdd the name of the certificate template and shown in the screenshot below: To configure autoenrollment, I’ve created a new GPO dedicated to the autoenrollment setting and linked it to the organisational units containing server and workstation computer account objects. In my case this is ‘RemoteDesktopComputerv2’ (the display name, minus the spaces). However, the important name to note for the next step is the actual template name, which can be found on the General tab of the template. Since my first template failed, it’s actually called ‘Remote Desktop Computer v2’. In my lab my certificate template display name ‘Remote Desktop Computer’. Save the template and configure your CA to issue the new template. See below for the actual ‘Remote Desktop Authentication’ policy.Īdding the ‘Remote Desktop Authentication’ policy requires adding a new extension named ‘Remote Desktop Authentication’ (or similar) with an object value of “1.3.6.1.4.1.311.54.1.2” (excluding quotes). Navigate to the Extensions tab, edit the ‘Application Policies’ extension and remove ‘Client Authentication’ from the list.Īfter you added the ‘Remote Desktop Authentication’ policy, you should see the policies and see in the following dialog box. Use this template because it already has the Server Authentication policy enabled. To create the new template, open the Certificate Templates console and duplicate the Computer template. In my lab, I’ve created a ‘Remote Desktop Computer’ certificate template and enabled it to be autoenrolled via Group Policy. This article has a great walk-through of the entire process and more: RDP TLS Certificate Deployment Using GPO. Some articles will walk through this configuration and recommend removing the Server Authentication policy however, the certificates will then not work on non-Windows clients. This was key for OS X clients - both of these policies must exist. To configure a certificate for use with Remote Desktop Services (or RDP into any Windows PC), you’ll need to create a new certificate template and enable both the Server Authentication and the Remote Desktop Authentication application policies. Using certificates in Remote Desktop Services.Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services (Part 2 of 2).Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services (Part 1 of 2).I won’t cover installing and configuring an enterprise certificate authority here however, here are a number of articles worth reading on this topic: The new Remote Desktop Universal app on Windows 10:Īnd the Remote Desktop client on OS X 10.11: First up the original Remote Desktop Connection (mstsc) on Windows: Here are the client certificate warnings on various Microsoft Remote Desktop clients, including OS X. Client Warnings for Untrusted Certificates While I may only be configuring certificates in my lab environment, there’s not much effort required to remove these certificate warnings. To get OS X clients to accept the certificate takes a little extra configuration not required on Windows clients. An environment with an enterprise certificate authority can enable certificate autoenrollment to enable trusted certificates on the RDP listener, thus removing the prompt. When connecting to a Windows PC, unless certificates have been configured, the remote PC presents a self-signed certificate, which results in a warning prompt from the Remote Desktop client. Windows has supported TLS for server authentication with RDP going back to Windows Server 2003 SP1.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |