How to create a self-signed certificate for Remote Desktop


I have two workstations connected in a serverless workgroup.
They are connected by Remote Desktop with a certificate that expires every 6 months.
I need to create a new certificate that expires in 10 years and use it for the next connections.
I performed these operations:

  • From the host, I created a self-signed certificate that expires in ten years

  • From the host I exported the certificate

  • Imported the certificate in the client

How do I configure the two workstations in order to connect with the new self-signed certificate?

Thanks

Giorgio.M


remote-desktop-client

Jingruihan-MSFT answered Mar 16, '21 | Jingruihan-MSFT commented Mar 22, '21

In your position, I'd recommend you add the certificate to the Trusted Root Certification Authorities store for the local computer. In other words, you have to import the self-signed certificate into the Trusted Root Certification Authorities store on the client workstation.
Launch MMC (mmc.exe).
Choose File > Add/Remove Snap-ins.
Choose Certificates, then choose Add.
Choose Computer Account.
Import the new certificate into Console Root\Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates. Specify the file you want to import and follow the instructions in the wizard to complete the process.


GiorgioM-4220 · Mar 17, 2021 at 08:03 AM

Thanks for your answer, but I need to use a self-signed certificate and I would like to understand the procedure to configure the two workstations in order to use the new certificate.

Jingruihan-MSFT GiorgioM-4220 · Mar 18, 2021 at 02:53 AM

Hi Giorgio.M

As you said, it works to use self-signed certificates for serverless workgroup purposes. It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles. You may set the certificate using WMI. Please import the certificate and its private key into each RDSH server's Local Computer\Personal store (using the Certificates MMC snap-in), then run the following command in an administrator command prompt:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"

I hope this is of some help.

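A PowerShell version of the procedure Jingruihan describes, added here as an example and not part of the thread: it creates the 10-year certificate on the host, binds the RDP-Tcp listener to it through the same Win32_TSGeneralSetting class the wmic command writes to, re-reads the binding to confirm it, exports only the public certificate, and shows the client-side trust import. The host name RDP-HOST and the C:\Temp path are assumptions. The DNS name in the certificate must be the name the client actually types into the Remote Desktop client; otherwise the client warns about a name mismatch even though it trusts the certificate.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the HOST.
# Assumptions: clients connect to the name 'RDP-HOST'; C:\Temp exists for the export.
$hostName = 'RDP-HOST'
$cerPath  = "C:\Temp\$hostName-rdp.cer"

# 1. Create the 10-year self-signed certificate in Local Computer\Personal.
#    The EKU extension (2.5.29.37) is limited to Remote Desktop Authentication,
#    1.3.6.1.4.1.311.54.1.2, so the key is not usable for anything else.
$cert = New-SelfSignedCertificate `
    -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.4.1.311.54.1.2') `
    -NotAfter (Get-Date).AddYears(10) `
    -FriendlyName 'RDP listener, 10-year self-signed'

# 2. Bind the RDP-Tcp listener to it. This is the same write the wmic command in the
#    comment above performs; the property takes the SHA-1 thumbprint without spaces.
Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" |
    Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# 3. Confirm the listener now reports the new thumbprint (re-read, do not trust the cached object).
$bound = (Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) {
    throw "Listener still bound to $bound, expected $($cert.Thumbprint)"
}

# 4. Export ONLY the public certificate. The private key stays on the host; the client
#    never needs it, so no .pfx and no password leave this machine.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Copy $cerPath to the client and run there, elevated:"
Write-Host "  Import-Certificate -FilePath '$cerPath' -CertStoreLocation 'Cert:\LocalMachine\Root'"
```

If the client still receives the old certificate after the binding succeeds, open the new certificate in the Certificates snap-in (Local Computer\Personal), choose All Tasks > Manage Private Keys, and confirm that NETWORK SERVICE has Read access: the Remote Desktop Services service runs under that account and needs the key to complete the TLS handshake. Placing a ten-year self-signed certificate in the client's Trusted Root store is a trust decision for the whole period; anyone holding the host's private key can impersonate it, so protect that key and remove the Root entry when the host is retired.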
GiorgioM-4220 Jingruihan-MSFT · Mar 19, 2021 at 08:41 AM

Hi Jingruihan,
The new certificate: do I create it on the Remote Desktop server or on the other workstation?

Thanks

Bye

GiorgioM-4220 Jingruihan-MSFT · Mar 19, 2021 at 10:26 AM

Thanks @JimmyYang-MSFT,
this solution is right; now it works.

Thanks

Bye


[Forum FAQ] How to setup Self-Signed Certificate for RDS


    Everyone knows that certificates are most important for RDS server connections. Whenever we deploy the server environment, servers need certificates for trust. Whenever we browse any HTTPS site, the browser requests the certificate information; once the certificate is trusted, access to the site is granted. When we browse the RD Web site, it also needs a certificate.

    Generally, in a production environment, we use a wildcard certificate or a SAN certificate and use a self-signed certificate only for testing and evaluation purposes. We can obtain a certificate by generating and submitting a certificate request to a stand-alone or enterprise certification authority (CA), or purchase a certificate from one of the trusted public CAs that participate in the Microsoft Root Certificate Program. When we buy a certificate from a public provider, the root and intermediate certificates are already located in the computer's certificate store (Trusted Root Certification Authorities). This means that the computer already trusts the provider of the certificate and therefore your certificate is also trusted. This is not the case with a self-signed certificate, and thus we can't use it in a production environment; it is only used for testing.

    Suppose we bought a wildcard certificate for the RDS farm name "*.it.com". It can be used for "abc.it.com", "xyz.it.com", etc., for all the different RDS roles (RDCB, RDG, RDWA). However, when we create a self-signed certificate, it can only use a specific name such as "abc.it.com". Therefore, with a wildcard certificate, we can manage the production RDS server environment with a single certificate.

    When we need to test or evaluate RDS, we can use a self-signed certificate. We can create it during the certificate configuration of the RDS server, and we can also create the self-signed certificate from IIS Manager. Here, we will introduce how to create a self-signed certificate from IIS Manager and then how to use it for the RDS environment.

    Please follow these steps:

    1. Click on Search and type IIS Manager (Figure 1)


    Figure 1

    2. The IIS Manager dialog box opens (Figure 2)


    Figure 2: IIS Manager

    3. In Features view, double-click Server Certificates (Figure 3)


    Figure 3: Server Certificate

    4. In the Actions pane, click Create Self-Signed Certificate (Figure 4)


    Figure 4: Select option for creating certificate

    5. On the Create Self-Signed Certificate page, type a friendly name for the certificate in the "Specify a friendly name for the certificate" box. For the RDS setup, specify the certificate store as "Personal" and then click OK (Figure 5), because the certificate must be stored under the Local Computer\Personal certificate store.


    Figure 5: Specify Friendly Name

    6. After creating the certificate, we need to export it; then we will assign it to the RDS deployment. We can export it with the Export option as shown below (Figure 6)


    Figure 6: Export

    7. Specify the path where you want to export the certificate. Remember that the certificate is exported in .pfx file format (Figure 7)


    Figure 7: Specify the path

    8. When we export the certificate, we need to provide a password for it (Figure 8)


    Figure 8: Export Certificate Procedure

    9. Exported Certificate (Figure 9)


    Figure 9: Exported Certificate

    10. Before applying it to the RDS deployment, we need to check whether the certificate is stored under Trusted Root Certification Authorities.

    Open MMC > Add/Remove Snap-in > Certificates > Add, and specify the path; we can see the page shown below, where the certificate is listed under "Trusted Root Certification Authorities" with its private key (Figure 10). Please make sure that the certificate has the private key attached.


    Figure 10: Trusted Root certification Authorities

    11. Now we can assign the created certificate to the RDS deployment via Edit Deployment Properties (Figure 11)


    Figure 11: Deployment Properties

    12. On the Certificates tab, we can manage our RDS certificates. In this demo, we choose "Select existing certificate" (Figure 12)


    Figure 12: Select Certificate

    13. After selecting that option, a dialog box appears in which we specify the path where the certificate is stored and its password. We know that it is signed by a trusted root, but we still need to select the checkbox that allows the certificate to be stored under Trusted Root Certification Authorities (Figure 13)


    Figure 13: Specify path and password for certificate

    14. Select the certificate and click Apply. It will display "Ready to apply" (Figure 14)


    Figure 14: Applying Certificate to RDS

    15. After selecting the certificate and applying, we can see that it is assigned to the RDCB. In the same manner, we need to select the same certificate for all the role services using the "Select existing certificate" option (Figure 15)


    Figure 15: Certificate assigned to RDCB - Enable Single Sign-On

    16. After performing all the required steps, we are done with the certificate work on the server side. However, Remote Desktop Services clients must also have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. Therefore, if we create a self-signed certificate, we must copy the certificate to the client computer (or to a network share that can be accessed from the client computer) and then install the certificate in the Trusted Root Certification Authorities store on the client computer.

    In addition, you can refer to the following articles for more information on certificates for RDS. RD Gateway also needs an SSL certificate signed by a trusted authority so that clients can reach internal networks through RD Gateway.

    RDS: The RD Gateway server must be configured to use a valid SSL certificate

    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services

    Minimum Certificate Requirements for Typical RDS implementation



    Monday, June 9, 2014 5:34 AM
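The server-side part of the procedure above (steps 6 through 16) as PowerShell, added here as an example; it is not part of the forum post. It starts from the .pfx exported in steps 7 to 9 and assumes hypothetical names: C:\Certs\rds.pfx for the file, RDCB01.it.com for the Connection Broker, and RDSH01.it.com and RDSH02.it.com for the session hosts. The RemoteDesktop module commands run on the Connection Broker (or a machine with the RSAT tools), and PowerShell remoting to the session hosts is assumed to be enabled.

```powershell
# Added example, not from the forum post. All names below are assumptions; adjust to your deployment.
$pfxPath      = 'C:\Certs\rds.pfx'            # the .pfx exported in steps 7-9
$cerPath      = 'C:\Certs\rds-public.cer'     # public part only, for the clients (step 16)
$broker       = 'RDCB01.it.com'
$sessionHosts = 'RDSH01.it.com', 'RDSH02.it.com'
$pfxPassword  = Read-Host -AsSecureString -Prompt 'Password of the .pfx file'

Import-Module RemoteDesktop

# 1. Assign the same certificate to every deployment role (GUI steps 11-15).
#    Leave RDGateway out of the list if no gateway is deployed; Set-RDCertificate
#    fails for a role that does not exist in the deployment.
foreach ($role in 'RDPublishing', 'RDRedirector', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPassword `
        -ConnectionBroker $broker -Force
}
Get-RDCertificate -ConnectionBroker $broker | Format-Table Role, Level, IssuedTo, ExpiresOn

# 2. The deployment roles do not cover the RD Session Hosts. Copy the .pfx to each one
#    over the remoting session (no share, no double hop), import it with its private key
#    into Local Computer\Personal, bind the RDP-Tcp listener to it, and delete the copy.
foreach ($rdsh in $sessionHosts) {
    $session = New-PSSession -ComputerName $rdsh
    Copy-Item -Path $pfxPath -Destination 'C:\Windows\Temp\rds.pfx' -ToSession $session
    Invoke-Command -Session $session -ArgumentList $pfxPassword -ScriptBlock {
        param([securestring]$pass)
        $c = Import-PfxCertificate -FilePath 'C:\Windows\Temp\rds.pfx' `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pass
        Remove-Item -LiteralPath 'C:\Windows\Temp\rds.pfx' -Force
        Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'" |
            Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $c.Thumbprint }
        "$env:COMPUTERNAME bound to $($c.Thumbprint), expires $($c.NotAfter)"
    }
    Remove-PSSession $session
}

# 3. For the clients, export just the public certificate. The .pfx, which holds the
#    private key, stays on the servers and is never copied to a client.
$local = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword
Export-Certificate -Cert $local -FilePath $cerPath -Type CERT | Out-Null
Write-Host "On each client, elevated:"
Write-Host "  Import-Certificate -FilePath '<copied rds-public.cer>' -CertStoreLocation 'Cert:\LocalMachine\Root'"
```

The private key is needed only in Local Computer\Personal on the servers, which is where the deployment roles and the RDP listener look for it; clients need nothing more than the public .cer in Trusted Root Certification Authorities. Because the post's certificate carries a single specific name, the name clients use for each role (RD Web, the broker, the gateway) has to be that name, or the client will report a name mismatch even though it trusts the certificate.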

Creating RDP Certificates

By Jake Grandlienard | March 5, 2020 | 19

In a previous blog on Object Identifiers (OID) in PKI, I mentioned creating a certificate template for Remote Desktop Connection (RDP). In this blog, I will show how to create the template, why the OID and extensions are important, and how to implement it and remove self-signed certificate warnings from RDP connections.

Important Note

Prior to Windows Server 2012, a bug existed where using the template display name in the GPO (below) would trigger an enrollment, but the policy would not honor it. At each subsequent GPO refresh the process was repeated, resulting in huge numbers of RDP certificates being issued. Pay close attention to this if there are server operating systems older than Windows Server 2012 in your environment, and use the template name or OID when specifying the RDP template. A best practice I always follow is no spaces in template names, and setting the template name and template display name to match whenever possible.

Why Issue RDP Certificates?

There are multiple reasons to issue RDP certificates from a PKI. The most noticeable is the warning displayed when making an RDP connection to a server or client. Upon the first RDP connection, servers and clients generate a self-signed certificate, which is not trusted, so the warning is displayed.

The identity of the remote computer cannot be verified. Do you want to connect anyway?

Clicking Yes to connect sets a bad precedent, especially when checking the box to not be notified again. On servers and clients prior to Windows 8.1 and Server 2012 R2, the self-signed certificates were issued with SHA-1, until an update after which they started issuing SHA-2 based self-signed certificates.

After following these steps, clients and servers the GPO is applied to will no longer generate the self-signed certificates and will use the trusted certificate issued from your PKI to secure the connection.

Current Policies & Corresponding OIDs

To view the policies and OID list, open the Certificate Templates console (certtmpl.msc), then right-click on the console root at the top left and select "View Object Identifiers...".

OIDs that start with 1.3.6.1.4.1.311 are Microsoft policies

The highlighted policy above is Microsoft's OID designation for Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2), but it isn't present by default and must be created.

Creating the Remote Desktop Authentication Policy

To create the policy, open the Certificate Templates console (certtmpl.msc), then right-click on the default Computer template and select Duplicate Template. Select the Extensions tab, highlight Application Policies and click Edit. Select the Client Authentication and Server Authentication policies and click Remove. Now click Add and the Add Application Policy box opens; select New, and in the New Application Policy dialog box enter "Remote Desktop Authentication" in the Name field and 1.3.6.1.4.1.311.54.1.2 in the Object Identifier field (delete the default value in the box), then OK out. On the Security tab set Read and Enroll for the targeted servers or groups. On the General tab, set the Template display name and Template name to match exactly, with no spaces (example: NewRDPTemplate).

Utilizing the New Certificate Template

Publish the new RDP template to a certificate authority. For servers to automatically enroll and stop generating and using self-signed certificates a GPO must be configured. The GPO settings are located under: Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security, Server Authentication certificate template. Update the policy with the template name or OID of the RDP certificate template and select the enable radio button then OK. When the GPO refresh applies to targeted servers they will enroll for the new certificate and use it for RDP connections.

Template Name Example
OID Example

When setting the certificate template name for the RDP template in the GPO, the template's OID may be used instead of the template name. The OID is shown under the Extensions tab in the Certificate Template Information, or via certutil: Certutil -adtemplate -v "<template name>".


About Jake Grandlienard

Jacob Grandlienard brings more than 19 years of industry experience as a senior level engineer. He has spent the past 10 years designing, leading, and training clients in Public Key Infrastructure (PKI) implementations for medium to enterprise-scale Fortune 500 companies. He specializes in PKI implementations of Microsoft-based identity solutions, including Microsoft Active Directory Certificate Services (ADCS) as well as integration with other security and identity management technologies. Jacob is a subject matter expert in PKI, mobile device management software, smart card management software, and Hardware Security Module (HSM) integration.


Certificate Template for RDS

  1. Right-click Certificate Templates and select Manage.

  2. Highlight Computer, right-click and select Duplicate Template.

  3. Change the Template Name to RDS.

  4. Select Extensions, then Application Policies, and remove all the existing application policies.

     Click Add to include the following:

       • Name = Remote Desktop Authentication
       • Object Identifier = 1.3.6.1.4.1.311.54.1.2

  5. Right-click Certificate Templates and select New > Certificate Template to Issue, selecting the RDS template.

  6. Verify that RDS is shown under Certificate Templates.

This article describes a possible Microsoft® Remote Desktop Protocol (RDP) connection issue and the resolution.

Issue: Connection failures

RDP connections begin to fail with no apparent cause.

Symptoms

This issue might have the following symptoms:

  • The client can’t connect to the server by using RDP. Connection attempts return code 50331673: The Remote Desktop Gateway server administrator has ended the connection.
  • The System log registers Event ID 36870 for every RDP connection attempt.

Cause

The following events could cause this issue:

  • The RDP self-signed certificate has expired or is missing (Windows® usually recreates the self-signed certificate upon expiration).
  • Permissions issues on the following path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4. The parent folder did not allow the OS to delete the existing key, which needs to happen before self-signed certificate recreation.

Resolution

Use the following steps to resolve this issue:

  1. Delete the expired certificate from the Centralized Certificate Store (CCS) on the server by using the Certificates snap-in in the Microsoft Management Console (MMC). Select Certificates > Remote Desktop > Certificates.

  2. Stop the RDP service.

  3. Go to path C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, take ownership of the f686 key file, referenced previously, and give the owner of the file Full Control permission.

  4. Change the Administrators group permission for the MachineKeys folder to apply to "This folder, subfolders and files".

  5. Delete file: f686aace6942fb7f7ceb231212eef4a4.

  6. Start the Remote Desktop Services service.

  7. Verify that the system generated a new certificate by using the Certificates snap-in in MMC.

  8. Verify RDP access to the server.
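The eight steps as one elevated PowerShell script, added here as an example and not part of the Rackspace article. It locates the key file by the prefix the article names (f686aace6942fb7f7ceb231212eef4a4_; the rest of the file name is machine-specific, so a wildcard is used) and it stops before deleting anything if the Remote Desktop store already holds a valid certificate, so that it cannot be run by mistake against a healthy listener. Whether a fresh key file is created on service start or on the next connection attempt is not stated by the article; the final check covers both by testing the RDP port and re-reading the store.

```powershell
# Added example, not from the article. Run in an elevated PowerShell on the affected server.
# Assumption: the stale key file is the one the article names, matched by its prefix.
$store   = 'Cert:\LocalMachine\Remote Desktop'
$keyDir  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$keyGlob = 'f686aace6942fb7f7ceb231212eef4a4_*'
$now     = Get-Date

$certs = @(Get-ChildItem -Path $store)
$valid = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })

# Guard: the article's cause is an expired or missing listener certificate. If a valid one
# exists, the problem is something else; do not touch keys or the service.
if ($valid.Count -gt 0) {
    $valid | Format-List Subject, NotAfter, Thumbprint
    throw 'A valid certificate is present in the Remote Desktop store; nothing to repair.'
}

# Step 1: remove the expired certificate(s) from the Remote Desktop store.
foreach ($c in $certs) {
    Write-Host "Removing expired certificate $($c.Thumbprint) (expired $($c.NotAfter))"
    Remove-Item -LiteralPath $c.PSPath
}

# Step 2: stop Remote Desktop Services (TermService); -Force also stops its dependents.
Stop-Service -Name TermService -Force

# Steps 3 and 5: take ownership of the key file, grant Administrators Full Control, delete it.
$keyFiles = @(Get-ChildItem -Path $keyDir -Filter $keyGlob -File -Force -ErrorAction SilentlyContinue)
foreach ($f in $keyFiles) {
    & takeown.exe /F $f.FullName | Out-Null
    & icacls.exe $f.FullName /grant 'Administrators:F' | Out-Null
    Remove-Item -LiteralPath $f.FullName -Force
    Write-Host "Deleted $($f.FullName)"
}

# Step 4: let the Administrators entry on MachineKeys inherit to subfolders and files,
# so the OS is not blocked again when it needs to replace the key.
& icacls.exe $keyDir /grant 'Administrators:(OI)(CI)F' | Out-Null

# Step 6: start the service again.
Start-Service -Name TermService

# Step 8 first: a connection attempt to the RDP port, which also triggers regeneration
# if the service only creates its certificate on demand.
$portOpen = Test-NetConnection -ComputerName localhost -Port 3389 -InformationLevel Quiet

# Step 7: verify a fresh certificate exists and that RDP-Tcp is bound to it.
$new = @(Get-ChildItem -Path $store | Where-Object { $_.NotAfter -gt $now })
if ($new.Count -eq 0) {
    throw 'No new certificate in the Remote Desktop store; check the System log for Event ID 36870.'
}
$bound = (Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
$new | Format-List Subject, NotBefore, NotAfter, Thumbprint
Write-Host "RDP port reachable: $portOpen; listener bound to: $bound"
```

Widening the Administrators ACE on MachineKeys is what the article prescribes, and it is the minimum that lets Windows replace its own RDP key; do not grant anything to non-administrative accounts in that folder, since every machine-scoped private key on the host lives there.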


©2020 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License


RDP Certificate Template

1. On your Microsoft certificate authority server open the Certificate Templates console.

2. Expand the CA and right click on Certificate Templates, then select Manage.

3. Right click on the Computer template and select Duplicate.

4. Change the template display name to RemoteDesktopComputer (no spaces). Verify the Template Name is exactly the same (no spaces). You can use a different name if you want, but both fields must match exactly. Change the validity period to match your company policy.


5. Now we need to create an application policy to limit the usage to RDS authentication, then remove the other application uses for the certificate. On the Extensions tab click on Application Policies then click on Edit.

6. Click on Add, then click on New. Set the value of Name to Remote Desktop Authentication. Change the object identifier (OID) to 1.3.6.1.4.1.311.54.1.2.


7. From the Application Policies list, select Remote Desktop Authentication and click OK.

8. Back on the certificate template properties, remove all other entries. Only Remote Desktop Authentication should be present.


9. You probably want to secure your domain controllers as well, so for that we need to modify the security setting on the template. Open the Security tab and add the group Domain Controllers and give the group Enroll (not Autoenroll). Close out the certificate.


10. Open the MMC snap-in for managing your Certificate Authority and locate the Certificate Templates node. Right click, select New, then Certificate Template to Issue. Choose the RemoteDesktopComputer template.

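A check script for the template procedure, added as an example; it is not part of the blog post or of either template walk-through above. Run on a server targeted by the GPO after the policy has refreshed, it reports which certificate the RDP-Tcp listener is bound to and whether that certificate came from the RDP template: issued by a CA rather than self-signed, carrying only the Remote Desktop Authentication application policy (1.3.6.1.4.1.311.54.1.2), naming the template in its Certificate Template Information extension, and chaining to a trusted root. The template name RemoteDesktopComputer and the registry location of the "Server authentication certificate template" policy value are assumptions; adjust them to your environment.

```powershell
# Added example, not from the page. Run in an elevated PowerShell on a server the GPO targets.
$rdAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication application policy
$templateName = 'RemoteDesktopComputer'    # assumption: the name configured in the GPO
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'  # assumption
$findings     = [System.Collections.Generic.List[string]]::new()

# 1. Policy: which template name the GPO handed to the RD Session Host.
$gpoTemplate = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).CertTemplateName
if (-not $gpoTemplate) { $findings.Add('GPO template value not present; the policy has not applied') }
elseif ($gpoTemplate -ne $templateName) { $findings.Add("GPO names template '$gpoTemplate', expected '$templateName'") }

# 2. Listener: the thumbprint RDP-Tcp is bound to, and the matching certificate object.
$thumb = (Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

if (-not $cert) {
    $findings.Add("no certificate with thumbprint $thumb in the Personal or Remote Desktop store")
} else {
    # 3a. A self-signed certificate has identical subject and issuer.
    if ($cert.Subject -eq $cert.Issuer) { $findings.Add('listener certificate is self-signed') }

    # 3b. Application policies: exactly the RD Authentication OID and nothing else,
    #     which is what removing Client/Server Authentication from the template produces.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekuOids -notcontains $rdAuthOid) { $findings.Add('Remote Desktop Authentication EKU missing') }
    $extra = @($ekuOids | Where-Object { $_ -ne $rdAuthOid })
    if ($extra.Count -gt 0) { $findings.Add("unexpected EKUs present: $($extra -join ', ')") }

    # 3c. Certificate Template Information (1.3.6.1.4.1.311.21.7) names the template.
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $tmplExt) { $findings.Add('no template extension; certificate was not enrolled from a template') }
    elseif ($tmplExt.Format($false) -notmatch [regex]::Escape($templateName)) {
        $findings.Add("template extension reads: $($tmplExt.Format($false))")
    }

    # 3d. Chain validation against this machine's trusted roots.
    if (-not $cert.Verify()) { $findings.Add('certificate chain does not validate to a trusted root') }
}

"Listener thumbprint : $thumb"
if ($cert) {
    "Subject / Issuer    : $($cert.Subject) / $($cert.Issuer)"
    "Expires             : $($cert.NotAfter)"
}
if ($findings.Count -eq 0) { 'OK: RDP listener uses the template certificate' }
else { $findings | ForEach-Object { "PROBLEM: $_" }; exit 1 }
```

The template check in 3c expects the template name to appear in the formatted extension, which holds when template name and display name match as the blog post recommends; if they differ, the script prints the extension text so the reader can compare it by hand. The extra-EKU check is the one that catches a template duplicated from Computer without step 8 (removing Client and Server Authentication): such a certificate still works for RDP, but its key is also valid for TLS server and client authentication, which the procedure deliberately avoids.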