Solved

Options for Windows 2008 remote desktop security certificates

Posted on 2010-09-20
7
637 Views
Last Modified: 2012-06-27
Users in a workgroup connect to a remoteapp published on a Windows 2008 R2 terminal server.  User’s workstations belong to a workgroup, not the Windows 2003 active directory (AD) to which the Windows 2008 terminal server belongs. Every 6 months the W2008 server certificate expires.  When it expires the users are required to accept the new certificate.  (See image of certificate). I realize that the root certificate for the W2008's certificate is not installed on the workstations.  My goal is to stop requiring the users to have to accept a new certificate every 6 months.  I see only two options.
1.  Join the workstations to the AD.
2.  Configure a domain certificate authority and then add its root certificate to the workgroup workstations.

Are there other options available for auto accepting the certificate or maybe extending the servers expiration date?  Can I retrieve the AD's root certificate without installing a CA server?

Certificate image here
   Server cert issued to workstations
0
Comment
Question by:epmmis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 40

Expert Comment

by:Adam Brown
ID: 33718453
Your TS server is currently using what is called a Self-Signed certificate. Active Directory itself doesn't have a root certificate until you add a Certificate Authority (CA) server to the network. Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO. If you only need one certificate,

With that said, unless there is a major technical reason you don't have your workstations in a domain already, you'll probably be much better off adding them, as it will save you a great deal of work in the long run. Workgroups just aren't very useful.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 33718462
Oops. Sorry, submitted before finishing this sentence. If you only need one certificate, a Root CA is more trouble than it's worth. However, if you want to use BitLocker, EFS, or 802.1x authentication, it's a great addition to your network.
0
 

Author Comment

by:epmmis
ID: 33724802
It is not clear to me your statements   "If you only need one certificate, a Root CA is more trouble than it's worth." and "Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO"

1.  Does your comment mean that the TS server in question has a "root certificate", which could be transferred to workstations in the domain?

2.  The current need is for about 20 workstations to trust the certificate issued by the TS. Would that be considered needing just 1 certificate?  

There are a several reasons, which I can not elaborate on in this forum, for not wanting to join the workstations to the AD.  It would be considered the last choice, only if the workstations would then be able to trust the self-signed certificate issued by the TS.

Could you provide a little more clarification please?
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 40

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 33726898
1. Yes. The self-signed certificate for the TS server needs to be added to the Trusted Root Certification Authorities list in the computer's certificate store. I'll explain how to use this in a second.

2. The TS server's self-signed certificate is the only certificate that is being deployed, so there is only need for 1 actual certificate. If you were using BitLocker or EFS you would need a CA to generate and deploy certificates for all users. The main purpose for a CA is automating certificate delivery and providing a centralized trust for certificates. When you only have one certificate to deploy, the overhead associated with a CA server is excessive.

If your computers were part of a domain, you could easily deploy the Self-Signed certificate with a GPO. Unfortunately, the only way to do this with workgrouped computers is to import the certificate using the certificates snap-in.

To do this, run mmc.exe. When the console opens, click file, then Add/Remove snap-in. Double Click "Certificates" in the list on the left. When you do this, you will be prompted to select whether the snap-in will manage certificates for Users, Service Account, or Computer account. If you want to install the certificate so it is available for all users on the computer, select computer account, click next, then finish. Hit Okay to close the Add/Remove snapins window. Expand the Certificates (Local Computer) entry on the left window of the console. This will expand a number of certificate stores. Expand Trusted Root Certification Authorities, right click on Certificates, hover over All Tasks and select Import when the option shows up. This will open a wizard that will allow you to import the certificate for the TS server.

To pull the certificate off the TS server, check this link out: http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/4abecbd4-90df-4e6e-be12-44cc454ceb24/
0
 

Author Comment

by:epmmis
ID: 33727513
You advise is grand.
I have only 1 more question.
Is there a command line utility I can use to import the resulting certificate?

Thank you very much for your wisdom.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 33727531
Not for a workstation. For a server you can use Certsrv.exe to import certificates, but I don't know of a CLI utility for importing on client machines.
0
 

Author Closing Comment

by:epmmis
ID: 33733736
Thank you for helping me make my quest easier.

Charlie
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question