Solved

Win2K3 TS Certificate newbie questions

Posted on 2006-11-16
5
1,145 Views
Last Modified: 2013-12-04
Win2k3 TS, clients RDC RDP WinXP.

Looking at TLS 1.0 for server authentication

1a.  Will ALL RDC clients have to obtain and use the certificate, or just those that choose to?  Is there a cost for them?
1b.  Will ALL RDC clients have to use RDC RDP 5.2 from the Win2k3, I think most XP PCs use 5.1?

Certificate?:  On the TS Box I found the MMC Certificate screens.
2a.  I see a lot of certificates already there (out of the box Win2k3), will any of these do TLS?
2b.  Do I have to buy something?  How?  Where?  $?
2c.  I tried the Certificate Request Wizard via the MMC and get a red X dialog "There are no trusted CAs available".  What does that mean I have to do?
2d.  I'm gathering that there are more than one certificate to choose from.  I'd lean toward easy and cheap.  Does MS supply/sell certificates themselves?
2e.  Is SSL in this picture?
2f.  Does any of this add any significant resource drain on the server?

I've read the MS article "How to configure a Windows Server 2003 terminal server to use TLS for server authentication" (http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B895433), but I'm still confused about the basics of certificates.  The MS link to "Microsoft Cryptographic Service Providers" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/microsoft_cryptographic_service_providers.asp) just left me more confused.

If I get further into this, and decide I gotta back out, can I undo everything?

Be gentle.  Newbie with a lot of questions.  500 Points.

Question by: JReam

5 Comments
Expert Comment by: Rich Rumble (LVL 38), ID: 17965046
A local CA server (certificate authority) is much like what you see on the web: when you access an HTTPS site for the first time you might be prompted to view the site's SSL certificate and accept it. It's the same thing; you can self-sign and create your own certs, or purchase one from a vendor such as Verisign or Thawte.
http://en.wikipedia.org/wiki/Certificate_authority
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iiabcsc.htm
M$ OSs come with a variety of root certificates, and the domain you're in likely has some self-generated ones, as does your PC for things like EFS.

http://technet2.microsoft.com/WindowsServer/en/library/d6eab6a4-a680-40b0-9fde-4978be14ebf41033.mspx?mfr=true
TLS is simply SSL's replacement: http://en.wikipedia.org/wiki/Transport_Layer_Security
RDP is fairly secure, and stepping the bits up from 56 to 128 is typically a good move; the overhead is the same, really.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dscj_mcs_ezsw.mspx?mfr=true

site:microsoft.com term-you're-looking-for
http://www.google.com/search?hl=en&lr=&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&q=site%3Amicrosoft.com+install+certificate+authority&btnG=Search
I'll look for the answers to some of the other q's...
-rich
Author Comment by: JReam (LVL 1), ID: 17982978

Rich -

My objective remains: Getting a Certificate on Terminal Server via the Certificate Request Wizard.

Status:  Frustrated.  Hours/days burning by.

Here's the documented process:
If you plan to obtain a certificate by using the Certificate Web pages or Certificate Request Wizard, a public key infrastructure (PKI) must be configured correctly to issue SSL-compatible X.509 certificates to the terminal server. Each certificate must be configured as follows:
•The certificate is a computer certificate.
•The intended purpose of the certificate is server authentication.
•The certificate has a corresponding private key.
•The certificate is stored in the terminal server’s personal store. You can view this store by using the Certificates snap-in.
•The certificate has a cryptographic service provider (CSP) that can be used for the SSL (TLS) protocol (for example Microsoft RSA SChannel Cryptographic Provider).


Here's where I'm at.
 - We set up an Ent CA on one of our Domain member Win2k3 Servers.  OK so far, I think.   (Our DC and servers are Win2k3 Std, not EE.)
 - I see all the Certs under Certificate Templates, such as "Computer" + "Server Authentication".  This one seems to be the one I want, I think.. :(.
 - I CAN'T seem to ISSUE this one.  It does not appear on the "New Certificate to Issue" list of choices.  I'm not even sure

I'm dying out here.

Author Comment by: JReam (LVL 1), ID: 17984429

How about this Idea for me next:

1.  Forget the idea of setting up our own CA.  I'll uninstall the Ent CA we set up today.

2.  Buy one.  Where?
2a.  I need simple SSL for TS.
2b.  Would prefer low hassle on the client side.  If I'm reading things right, most CA vendors are already 'trusted' by most WinXP PCs.

Where should I go?  Is this a better plan?  




Accepted Solution by: Rich Rumble (LVL 38), earned 500 total points, ID: 17984902
You don't buy a CA unless you're Verisign: http://en.wikipedia.org/wiki/Certificate_authority#Largest_providers
You still need to have your own installed CA server; you can buy a signed certificate from Thawte, Verisign, Go-Daddy etc., or you can create and sign your own certs. I've not set up TS to use certs myself, but from what I've read, once you have the cert and it's present on the CA server, all you should have to do is follow the instructions in your first link: http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B895433
Don't take this too literally: "Obtain a certificate from a third-party certification authority, and then manually install the certificate." You can install your own.
You can create your own certs with native windows tools and or use OpenSSL to do so
http://www.davidpashley.com/articles/cert-authority.html http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html

-rich
Author Comment by: JReam (LVL 1), ID: 18000432


SOLUTION for: How to Install Win2K3 Terminal Server SSL Certificate

Short Answer to reply/close to various posts I made:

- Do not Install Windows Server 2003 Certificate Services.
- Produce a CSR (Certificate Signing Request) on any available IIS6 box, any website. Yes, CSP: select MS RSA.
-    In the CSR be sure to specify the FQDN intended for use by remote RDC users, the same as the RDC "Server" text box.
-    My FQDN is a registered Whois domain which resolves to an IP like any other domain.
- Buy an SSL Certificate from any CA.  Apply your CSR at the CA.  Get CRT files, two in my case: Web Cert & Intermediate Certificate.
- Apply CRTs to the IIS6 box: ICert to MMC and WCert to IIS6.
- Export the Certificate from the IIS6 website as a .PFX file, remove CRTs from the IIS6 box.
- Apply both CRTs to the TS box via MMC.
- TS Configuration should now properly see your SSL Certificate.
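As an added example, not code from the thread or from Microsoft's KB article, here is the same end state reached with the native Windows tools Rich pointed at, without the IIS/PFX detour: certreq generates the key pair and the CSR directly on the terminal server using the CSP that TS Configuration requires, the CA's reply is bound to that key with certreq -accept, and a PowerShell function then checks the installed certificate against the five requirements JReam quoted from the KB article (computer certificate, Server Authentication purpose, private key present, in the machine personal store, RSA SChannel provider). The FQDN ts.example.com, the C:\certs paths and file names are assumptions; the registry value SSLCertificateSHA1Hash is the location I believe TS Configuration writes the selected thumbprint to on 2003 SP1, and is also treated as an assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on the TS box.
# Assumptions (not from the thread): the FQDN, the C:\certs paths and the registry value name.
$fqdn    = 'ts.example.com'           # must equal what users type in the RDC "Computer" box
$infPath = 'C:\certs\ts-request.inf'
$csrPath = 'C:\certs\ts-request.csr'
$cerPath = 'C:\certs\ts-signed.cer'   # leaf certificate returned by the commercial CA
$intPath = 'C:\certs\intermediate.cer'

# 1. Request parameters. MachineKeySet makes it a computer certificate, ProviderName is the
#    CSP the KB article names, and the EKU OID is Server Authentication (1.3.6.1.5.5.7.3.1).
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $infPath -Encoding ASCII

# The private key is generated in the machine store; send the .csr to the CA.
certreq -new $infPath $csrPath

# 2. Once the CA has replied: put the intermediate in the machine "Intermediate Certification
#    Authorities" store, then bind the leaf to the pending private key.
certutil -addstore CA $intPath
certreq -accept $cerPath

# 3. Check the installed certificate against the five requirements from the KB article.
function Test-TsCertificate([string]$Fqdn) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$Fqdn in the machine personal store" }

    # Server Authentication must appear in the Enhanced Key Usage extension (OID 2.5.29.37).
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $false
    if ($ekuExt) {
        $serverAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    # A computer certificate keeps its key in the machine key store; the CSP must be SChannel-capable.
    $machineKey = $false
    $provider   = $null
    if ($cert.HasPrivateKey) {
        $info       = $cert.PrivateKey.CspKeyContainerInfo
        $machineKey = $info.MachineKeyStore
        $provider   = $info.ProviderName
    }

    # Thumbprint TS Configuration has bound to RDP-Tcp (assumed registry location, 2003 SP1).
    $bound = $null
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    if ($rdp -and $rdp.SSLCertificateSHA1Hash) {
        $bound = [BitConverter]::ToString($rdp.SSLCertificateSHA1Hash).Replace('-', '')
    }

    @{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        HasPrivateKey    = $cert.HasPrivateKey
        MachineKey       = $machineKey
        ServerAuthEku    = $serverAuth
        Provider         = $provider
        ChainValid       = $cert.Verify()     # false until the intermediate and root are in the machine stores
        BoundToRdpTcp    = ($bound -ne $null -and $bound -eq $cert.Thumbprint)
    }
}

Test-TsCertificate $fqdn | Format-Table -AutoSize
```

If you take the IIS route from the post above instead, `certutil -p <password> -importPFX C:\certs\ts.pfx` puts the exported PFX (certificate plus private key) into the machine personal store, and the same Test-TsCertificate check applies afterwards. ChainValid staying false while everything else is true almost always means the intermediate certificate was imported into the wrong store or not at all; clients would then see the same trust error even though TS Configuration lists the certificate.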