Solved

Options for Windows 2008 remote desktop security certificates

Posted on 2010-09-20
Last Modified: 2012-06-27
Users in a workgroup connect to a remoteapp published on a Windows 2008 R2 terminal server.  Users' workstations belong to a workgroup, not the Windows 2003 active directory (AD) to which the Windows 2008 terminal server belongs. Every 6 months the W2008 server certificate expires.  When it expires the users are required to accept the new certificate.  (See image of certificate). I realize that the root certificate for the W2008's certificate is not installed on the workstations.  My goal is to stop requiring the users to have to accept a new certificate every 6 months.  I see only two options.
1.  Join the workstations to the AD.
2.  Configure a domain certificate authority and then add its root certificate to the workgroup workstations.

Are there other options available for auto accepting the certificate or maybe extending the servers expiration date?  Can I retrieve the AD's root certificate without installing a CA server?

[Certificate image: server cert issued to workstations]
Question by:epmmis
 

Expert Comment

by:Adam Brown
ID: 33718453
Your TS server is currently using what is called a Self-Signed certificate. Active Directory itself doesn't have a root certificate until you add a Certificate Authority (CA) server to the network. Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO. If you only need one certificate,

With that said, unless there is a major technical reason you don't have your workstations in a domain already, you'll probably be much better off adding them, as it will save you a great deal of work in the long run. Workgroups just aren't very useful.
 

Expert Comment

by:Adam Brown
ID: 33718462
Oops. Sorry, submitted before finishing this sentence. If you only need one certificate, a Root CA is more trouble than it's worth. However, if you want to use BitLocker, EFS, or 802.1x authentication, it's a great addition to your network.
 

Author Comment

by:epmmis
ID: 33724802
It is not clear to me your statements   "If you only need one certificate, a Root CA is more trouble than it's worth." and "Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO"

1.  Does your comment mean that the TS server in question has a "root certificate", which could be transferred to workstations in the domain?

2.  The current need is for about 20 workstations to trust the certificate issued by the TS. Would that be considered needing just 1 certificate?  

There are a several reasons, which I can not elaborate on in this forum, for not wanting to join the workstations to the AD.  It would be considered the last choice, only if the workstations would then be able to trust the self-signed certificate issued by the TS.

Could you provide a little more clarification please?

 

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 33726898
1. Yes. The self-signed certificate for the TS server needs to be added to the Trusted Root Certification Authorities list in the computer's certificate store. I'll explain how to use this in a second.

2. The TS server's self-signed certificate is the only certificate that is being deployed, so there is only need for 1 actual certificate. If you were using BitLocker or EFS you would need a CA to generate and deploy certificates for all users. The main purpose for a CA is automating certificate delivery and providing a centralized trust for certificates. When you only have one certificate to deploy, the overhead associated with a CA server is excessive.

If your computers were part of a domain, you could easily deploy the Self-Signed certificate with a GPO. Unfortunately, the only way to do this with workgrouped computers is to import the certificate using the certificates snap-in.

To do this, run mmc.exe. When the console opens, click file, then Add/Remove snap-in. Double Click "Certificates" in the list on the left. When you do this, you will be prompted to select whether the snap-in will manage certificates for Users, Service Account, or Computer account. If you want to install the certificate so it is available for all users on the computer, select computer account, click next, then finish. Hit Okay to close the Add/Remove snapins window. Expand the Certificates (Local Computer) entry on the left window of the console. This will expand a number of certificate stores. Expand Trusted Root Certification Authorities, right click on Certificates, hover over All Tasks and select Import when the option shows up. This will open a wizard that will allow you to import the certificate for the TS server.

To pull the certificate off the TS server, check this link out: http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/4abecbd4-90df-4e6e-be12-44cc454ceb24/
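The accepted solution's three steps (export the self-signed certificate from the TS server, import it into Trusted Root Certification Authorities on each workgroup workstation, then confirm the workstation trusts it) scripted in PowerShell, as an added example that is not part of this thread and not Microsoft's code. It assumes PowerShell 2.0 or later run from an elevated prompt, that the RDP listener's self-signed certificate sits in the LocalMachine "Remote Desktop" store on the server, and uses C:\Temp\ts-cert.cer as a made-up file path. A newly issued server certificate is a different certificate, so the Import step has to be repeated after each renewal, which is why the Verify mode warns when the expiry date is near.

```powershell
<#
  Added example (not from the thread). Assumptions not stated on the page:
  PowerShell 2.0+, elevated prompt, RDP certificate in the LocalMachine
  "Remote Desktop" store, and C:\Temp\ts-cert.cer as a made-up path.
  Usage:
    .\Trust-TsCert.ps1 -Mode Export   # on the TS server
    .\Trust-TsCert.ps1 -Mode Import   # on each workgroup workstation
    .\Trust-TsCert.ps1 -Mode Verify   # on a workstation, after importing
#>
param(
    [ValidateSet('Export', 'Import', 'Verify')]
    [string]$Mode = 'Verify',
    [string]$CerPath = 'C:\Temp\ts-cert.cer'   # assumed path
)

$LocalMachine = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine

function Export-TsCertificate([string]$Path) {
    # A self-signed certificate has Subject equal to Issuer. If the server has
    # renewed more than once, take the one that expires last (the current one).
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Remote Desktop', $LocalMachine
    $store.Open('ReadOnly')
    $cert = $store.Certificates |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw 'No self-signed certificate found in the Remote Desktop store.' }

    # Export the public certificate only (DER .cer); the private key never leaves the server.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    Write-Host ("Exported {0}`n  Thumbprint: {1}`n  Expires:    {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    return $cert.Thumbprint
}

function Import-TrustedRoot([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Anything in Trusted Root is trusted to sign other certificates, so only import
    # the file you exported yourself, and compare this thumbprint with the one the
    # Export step printed on the server before trusting it.
    Write-Host ("Importing {0}`n  Thumbprint: {1}" -f $cert.Subject, $cert.Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $LocalMachine
    $store.Open('ReadWrite')
    $already = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($already.Count -eq 0) { $store.Add($cert) }   # idempotent: skip if present
    $store.Close()
    # Built-in equivalent of this function: certutil -addstore Root C:\Temp\ts-cert.cer
    return $cert.Thumbprint
}

function Test-TrustedRoot([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A self-signed RDP certificate publishes no CRL, so revocation checking would only fail.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)            # $true only if this machine trusts the cert
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if (-not $trusted) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Not trusted by this machine: $status"
    } elseif ($daysLeft -lt 30) {
        Write-Warning "Trusted, but the server certificate expires in $daysLeft days; plan to re-export and re-import."
    } else {
        Write-Host "Trusted; $daysLeft days until the server certificate expires."
    }
    return $trusted
}

switch ($Mode) {
    'Export' { Export-TsCertificate -Path $CerPath | Out-Null }
    'Import' { Import-TrustedRoot   -Path $CerPath | Out-Null }
    'Verify' { if (-not (Test-TrustedRoot -Path $CerPath)) { exit 1 } }
}
```

The script uses the .NET X509Store classes rather than the Import-Certificate and Export-Certificate cmdlets because those cmdlets do not ship with Windows Server 2008 R2 or Windows 7. Only the public certificate is written to the .cer file, and the import is keyed on the thumbprint so running it twice does not create duplicates. The Verify mode is the check a practitioner wants after deploying: it builds the chain exactly as the RDP client will, so an "UntrustedRoot" status means the import went into the wrong store (a common mistake is importing into the user store while the RDP connection is evaluated against the computer store).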
 

Author Comment

by:epmmis
ID: 33727513
Your advice is grand.
I have only 1 more question.
Is there a command line utility I can use to import the resulting certificate?

Thank you very much for your wisdom.
 

Expert Comment

by:Adam Brown
ID: 33727531
Not for a workstation. For a server you can use Certsrv.exe to import certificates, but I don't know of a CLI utility for importing on client machines.
 

Author Closing Comment

by:epmmis
ID: 33733736
Thank you for helping me make my quest easier.

Charlie
