obsidiman
asked on
Certificate missing from RDP properties on 2003 server

The Setup
We are trying to tighten up security by requiring SSL encryption for all our RDP sessions on the domain.  To that end, I have created a certificate on our CA (called RemoteDesktopCertificate) and changed GP to require SSL.

I am basically following the Microsoft Article:  and have the following settings in GP:

1) Enable "Set client connection encryption level" and set it to "High"
2) Enable "Require user authentication for remote connections by using Network Level Authentication".
3) Enable "Server Authentication Certificate Template" by following these steps on the certificate server.
4) Enable "Require user authentication for remote connections by using Network Level Authentication".
 
These Group Policy settings are located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

The Problem
Tested it and it works fine on 2008, but fails on 2003.  The failure manifests itself as being unable to log on remotely using RDP.  The error box states:
The remote computer requires that authentication be enabled to connect.
The connection cannot proceed because authentication is not enabled.

Seemingly the cause of the failure is the lack of certificate under the RDP-Tcp properties screen. Security Layer is set to SSL, Encryption Level is set to High but the Certificate field is blank. No matter what I do it doesn't want to automatically put a certificate in there, whereas there is one for 2008.

I have managed to get a certificate on there by manually requesting a certificate from the 2003 server, deleting the existing RDP-Tcp connection and re-creating it, but that is not useful or practical for all servers since we have hundreds of 2003 servers.

So how can I get the 2003 servers to behave as they are supposed to?  (They are SP2 in case you were wondering)
Thanks, Pete
Coralon

I believe they are behaving correctly. RDP 4 (definitely) & RDP 5 (I believe) did not support Network Level Authentication. The connection is always established first, and then the user authenticates. With NLA, the authentication happens first, and then the connection is established.

Look at the article - it specifies that it applies to 2008 R2.

Getting the cert on the server is unlikely doing *anything*. Even though it is visible after recreating it, it is probably not being used.

If you want the increased security, your best bet is to go with a VPN.

Coralon
obsidiman

ASKER

Hi Coralon,
I'm pretty sure RDP 5.2 does support NLA. And I do think that the certificate does something, as when the certificate is not enabled I cannot connect over RDP, but when it is enabled the RDP connection works.

Though I do agree that the article does specifically apply to R2 not SP2.  Unfortunately I have not been able to locate the same or similar article for SP2.

We already use VPNs to access our network in general. Using SSL certificates on the 2003 servers is to stop MITM attacks, so VPNs to each and every server are not really a practical alternative, especially when the certificate is known to work; the problem is getting it to deploy using GP.
Pete
Looking at this article: http://technet.microsoft.com/en-us/library/cc732713.aspx 5.2 does not support NLA. You have to be at least RDP v6.

There are v6 clients for XP, but 2003 as a server is not high enough. :-\

A lot depends on how serious you consider the risk of man-in-the-middle attacks. If you add Citrix, you can have end-to-end SSL.

Coralon
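As an added, defender-side illustration of the point above (not code from the thread or from Microsoft): a PowerShell audit that reads each server's RDP-Tcp registry values over Remote Registry and flags a 2003 host (NT 5.2, RDP 5.2) where the policy requires NLA, or a TLS security layer with no certificate bound, which is the blank Certificate field described in the question. It assumes the Remote Registry service is reachable with admin rights, and that the value names SecurityLayer, MinEncryptionLevel, UserAuthentication and SSLCertificateSHA1Hash are the ones populated on the target builds.

```powershell
# Added audit helper, not from the original thread. Assumes the Remote Registry
# service is running on each target and the caller has local admin rights there.
function Test-RdpTlsConfig {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    foreach ($server in $ComputerName) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $server)
            $ntVersion = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion').GetValue('CurrentVersion')
            $rdp = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp')

            # Values behind the GP settings quoted in the question (assumed value names):
            #   SecurityLayer          0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
            #   MinEncryptionLevel     3 = High, 4 = FIPS
            #   UserAuthentication     1 = NLA required
            #   SSLCertificateSHA1Hash thumbprint of the certificate bound to RDP-Tcp
            $secLayer = $rdp.GetValue('SecurityLayer')
            $encLevel = $rdp.GetValue('MinEncryptionLevel')
            $nla      = $rdp.GetValue('UserAuthentication')
            $certHash = $rdp.GetValue('SSLCertificateSHA1Hash')

            $findings = @()
            # 2003 is NT 5.2 and ships RDP 5.2, which cannot do NLA: requiring NLA locks every client out
            if ($ntVersion -like '5.*' -and $nla -eq 1) {
                $findings += 'NLA required but not supported by this OS'
            }
            # TLS security layer with nothing bound: the blank Certificate field from the question
            if ($secLayer -eq 2 -and -not $certHash) {
                $findings += 'SecurityLayer=SSL but no certificate bound to RDP-Tcp'
            }
            if (-not $encLevel -or $encLevel -lt 3) {
                $findings += 'Encryption level below High (or not set)'
            }

            New-Object PSObject -Property @{
                Computer      = $server
                NTVersion     = $ntVersion
                SecurityLayer = $secLayer
                EncLevel      = $encLevel
                NLARequired   = $nla
                CertBound     = [bool]$certHash
                Findings      = ($findings -join '; ')
            }
        }
        catch {
            New-Object PSObject -Property @{ Computer = $server; Findings = "Query failed: $($_.Exception.Message)" }
        }
    }
}

# Usage: Test-RdpTlsConfig -ComputerName 'srv2003-01','srv2008-01' | Format-Table -AutoSize
```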
ASKER CERTIFIED SOLUTION
obsidiman

Ah, adding TLS is a little different, although I have not done it. :-\

If you have to do it by hand, it might be worth investigating an automation tool to walk through the steps like AutoIT, Kix32, or Winbatch (first 2 are free, 2nd one is paid).

I've built a number of automation tools through Winbatch, and I'm a huge fan, and it can definitely save you some time :-)

Good luck!

Coralon
The 'solution' is simply an admission that the behaviour experienced in the original question is by design, not some sort of error.