Template and Group Policy configuration for Windows 2008/2008R2 SSL RDP certificates

Please note: the following post describes a procedure which requires Active Directory Certificate Services in an Active Directory environment, as well as a Windows 2008R2 domain controller, in order to work.

In order to configure the certificate template needed for SSL in RDP connections, we can create a new template by duplicating the existing “Computer” template (of course we could duplicate another one, but for the sake of this example we chose the Computer template). When the duplicated template’s settings appear, we should change the following:

a) [optional] Change the name and display name of the template to something descriptive of our deployment, for example “RemoteDesktopComputer” (whether or not the name contains spaces is irrelevant in ADCS).

b) [optional] Change the validity period of the certificate to something other than the default value.

c) [required] In the “Extensions” tab, delete the “Server Authentication” and “Client Authentication” application policies and add the “Remote Desktop Authentication” application policy.

d) [required] Configure Group Policy. We must choose whether to create a new Group Policy Object or configure an existing one (for example, the Default Domain Policy) with the following settings:

  1. On a domain controller, start the “Group Policy Management” administrative tool.
  2. Right-click the “Default Domain Policy” and click on “Edit…” in the menu that appears. The “Group Policy Management Editor” appears.
  3. Navigate to “Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.”
  4. Double-click the “Server Authentication Certificate Template” policy.
  5. Enable the policy, type “RemoteDesktopComputer” (or whatever other name we gave to the template) in the “Certificate Template Name” box, and then click “OK.”
  6. As soon as this policy propagates to the computers affected by it, every server that has Remote Desktop connections enabled will automatically request a certificate based on the “RemoteDesktopComputer” template from the Certification Authority and use it to authenticate to Remote Desktop clients. You can speed up the propagation to a specific machine by running the “gpupdate.exe” command line tool locally.

Manual Remote Desktop Connection check and configuration for Windows 2008/R2 Terminal Services servers

After the certificates have been issued to the Windows Server 2008/R2 servers, we may manually check each server as follows:

  1. Open Remote Desktop Session Host Configuration from Administrative Tools; in the middle pane, right-click RDP-Tcp and select Properties.
  2. Click the Select button and make sure that the selected certificate was issued by our issuing CA, for example “ABC Bank Issuing CA”. A certificate previously issued for another service on the server could conflict with the ones we have issued via the method described above.
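The same check can be scripted so it can be run on every session host instead of clicking through the dialog. The following is an added example, not part of the original post: it reads the thumbprint the RDP-Tcp listener records in WMI, locates that certificate in the machine store, and verifies the issuer, the Remote Desktop Authentication EKU requested by the template in step c), the validity period and the subject. The issuing CA name is the post’s placeholder and must be replaced with your own.

```powershell
# Added example (not from the original post): audit the certificate bound to the
# RDP-Tcp listener on a Windows 2008/R2 Remote Desktop Session Host.
# Assumptions: run locally in an elevated PowerShell; $ExpectedIssuer is a placeholder.
param(
    [string]$ExpectedIssuer = 'ABC Bank Issuing CA'   # placeholder name from the post
)

# OID of the "Remote Desktop Authentication" application policy added to the template
$RdpAuthEku = '1.3.6.1.4.1.311.54.1.2'

# The listener stores the SHA1 thumbprint of the certificate it presents to clients
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) { Write-Warning 'RDP-Tcp listener not found (is RDS enabled?)'; return }
$thumbprint = $listener.SSLCertificateSHA1Hash

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    Write-Warning "No certificate $thumbprint in LocalMachine\My (self-signed RDP cert still in use?)"
    return
}

$findings = @()
# 1. Issuer must be our issuing CA, not a stale certificate from another service
if ($cert.Issuer -notmatch [regex]::Escape($ExpectedIssuer)) {
    $findings += "Issuer is '$($cert.Issuer)', expected '$ExpectedIssuer'"
}
# 2. EKU must include Remote Desktop Authentication; Server Authentication alone
#    means the listener picked a certificate from a different template
$ekus = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $RdpAuthEku) {
    $findings += "EKU list ($($ekus -join ', ')) lacks Remote Desktop Authentication ($RdpAuthEku)"
}
# 3. Validity window (the template's validity period from step b)
if ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)" }
# 4. Subject should name this host (the Computer template builds it from the AD object)
if ($cert.Subject -notmatch [regex]::Escape($env:COMPUTERNAME)) {
    $findings += "Subject '$($cert.Subject)' does not name $env:COMPUTERNAME"
}

if ($findings.Count -eq 0) {
    "OK: RDP-Tcp presents $($cert.Subject) ($thumbprint) issued by $($cert.Issuer)"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it with -ExpectedIssuer set to the common name of your own issuing CA; a warning about a missing Remote Desktop Authentication EKU is the scripted equivalent of the wrong certificate showing up in the Select dialog.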

Smart card RDP disconnection blues…

During a recent smart card logon certificate deployment for a customer, we decided to enable the policy which disconnects a user who has logged in using a smart card via an RDP connection if the smart card is physically removed (“Interactive logon: Smart card removal behavior” set to “Disconnect if a remote Remote Desktop Services session”). We tested it by starting the Smart Card Removal Policy service (it was in manual startup state) on the Windows 2008R2 server, and when we removed the smart card, the session was indeed disconnected. However, we noticed that at subsequent logons, when the smart card was re-inserted, the user would log in but would be immediately disconnected. After some troubleshooting, we tried disabling the Fast Logon Optimization feature (http://support.microsoft.com/kb/305293/en-us) via GPO, and after that the problem was solved. Thus, if you find yourself tackling the same issue, it might be useful to add a custom smart card GPO that also sets the smart card removal service to Automatic and disables the Fast Logon feature, and check whether these actions solve your problem.