Please note: the procedure described in this post requires Active Directory Certificate Services (ADCS) deployed in the Active Directory environment, as well as a Windows Server 2008 R2 domain controller, in order to work.
In order to configure the certificate template needed for SSL/TLS in RDP connections, we create a new template by duplicating the existing “Computer” template (any other template could be duplicated instead, but for the sake of this example we chose the Computer template). When the settings of the duplicated template appear we should change the following:
a) [optional] change the template name and display name to something descriptive of our deployment, for example “RemoteDesktopComputer”. ADCS accepts names with or without spaces; whichever we choose, note the exact template name, because it is the value we will type into the Group Policy setting below.
b) [optional] change the validity period of the certificate if the default value does not suit the deployment.
c) [required] In the “Extensions” tab, edit the Application Policies: delete “Server Authentication” and “Client Authentication” and add “Remote Desktop Authentication”. Also make sure, in the “Security” tab, that the computer accounts which will enroll (for example “Domain Computers”) have Read and Enroll permissions, and publish the new template on the issuing CA (“Certificate Templates” > “New” > “Certificate Template to Issue” in the Certification Authority console); otherwise the requests triggered by the policy below are rejected.
d) [required] Configure Group Policy: we must choose whether to create a new Group Policy Object or edit an existing one (for example, the Default Domain Policy), and then apply the following settings:
- On a domain controller, start the “Group Policy Management” administrative tool.
- Right-click the “Default Domain Policy” and click on “Edit…” in the menu that appears. The “Group Policy Management Editor” appears.
- Navigate to “Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.”
- Double-click the “Server Authentication Certificate Template” policy.
- Enable the policy, type “RemoteDesktopComputer” (or whatever other name we gave to the template) in the “Certificate Template Name” box, and then click “OK.”
- As soon as this policy propagates to the computers it applies to, every server with Remote Desktop connections enabled automatically requests a certificate based on the “RemoteDesktopComputer” template from the Certification Authority and uses it to authenticate itself to Remote Desktop clients. Propagation to a specific machine can be forced by running “gpupdate.exe /force” locally on it.
Manual Remote Desktop Connection check and configuration for Windows 2008/R2 Terminal Services servers
After the certificates have been issued, each Windows Server 2008/R2 server can be checked manually as follows:
- Open Remote Desktop Session Host Configuration from Administrative Tools; in the middle pane, right-click RDP-Tcp and select Properties.
- On the General tab, click the Select button and make sure the certificate in use was issued by our issuing CA, for example “ABC Bank Issuing CA”. A certificate previously issued to the server for another service (or the self-signed certificate that Remote Desktop Services generates on its own) may still be bound to the listener instead of the one issued through this template.
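Clicking through Remote Desktop Session Host Configuration does not scale past a handful of servers, so here is an added PowerShell example (written for this page, not part of the original post or of any Microsoft tool) that performs the same check remotely for both the Group Policy deployment above and the manual verification: it reads the thumbprint the RDP-Tcp listener is bound to from WMI, looks in the server's machine personal store for a certificate carrying the “Remote Desktop Authentication” EKU that was issued by our CA, and optionally rebinds the listener to it. The issuer pattern “Issuing CA” and the target computer names are assumptions to adapt; the script assumes WMI and remote registry access to the servers.

```powershell
<#
  Added verification example, not code from the original post.
  Assumptions (placeholders): the issuing CA's subject contains 'Issuing CA';
  WMI (root\cimv2\TerminalServices) and remote registry access are permitted.
#>
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$ExpectedIssuerPattern = 'Issuing CA',   # assumption: substring of our CA's subject
    [switch]$Fix                                     # rebind RDP-Tcp to the correct certificate
)

# "Remote Desktop Authentication" EKU, the application policy we put on the template in step c)
$RdpAuthEku = '1.3.6.1.4.1.311.54.1.2'

function Get-RdpCandidateCerts {
    param([string]$Computer)
    # Open the remote machine's LocalMachine\My store (goes over the remote registry)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Computer\My", 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $ekus = @()
            if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
            # The self-signed certificate RDS creates on its own also carries this EKU,
            # so the issuer check is what distinguishes our CA-issued certificate from it.
            if (($ekus -contains $RdpAuthEku) -and
                ($cert.Issuer -match $ExpectedIssuerPattern) -and
                ($cert.NotAfter -gt (Get-Date))) {
                $cert
            }
        }
    } finally {
        $store.Close()
    }
}

foreach ($c in $ComputerName) {
    # The TerminalServices WMI namespace requires packet privacy when queried remotely
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
            -ComputerName $c -Authentication PacketPrivacy -Filter "TerminalName='RDP-Tcp'"
    $inUse = $ts.SSLCertificateSHA1Hash     # thumbprint currently bound to the RDP-Tcp listener

    # Prefer the CA-issued certificate that expires last (newest enrollment)
    $best = Get-RdpCandidateCerts -Computer $c | Sort-Object NotAfter -Descending | Select-Object -First 1

    $status = if (-not $best) { 'NoCaIssuedCert' }
              elseif ($inUse -eq $best.Thumbprint) { 'OK' }
              else { 'WrongCertBound' }

    if ($Fix -and $status -eq 'WrongCertBound') {
        # Same effect as choosing the certificate with the Select button in the GUI
        Set-WmiInstance -Path $ts.__PATH -Authentication PacketPrivacy `
            -Arguments @{ SSLCertificateSHA1Hash = $best.Thumbprint } | Out-Null
        $status = 'Fixed'
    }

    New-Object PSObject -Property @{
        Computer           = $c
        BoundThumbprint    = $inUse
        ExpectedThumbprint = $best.Thumbprint
        Issuer             = $best.Issuer
        Status             = $status
    }
}
```

Run it as `.\Check-RdpCert.ps1 -ComputerName srv01,srv02 -ExpectedIssuerPattern 'ABC Bank Issuing CA'` from a machine with the RSAT tools; a “NoCaIssuedCert” status means the policy has not been applied yet or the enrollment failed (check the template's permissions and that it is published on the CA), while “WrongCertBound” is the conflict described above and can be corrected with `-Fix`.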