Options for Windows 2008 remote desktop security certificates

epmmis asked:

Users in a workgroup connect to a RemoteApp published on a Windows 2008 R2 terminal server. The users' workstations belong to a workgroup, not the Windows 2003 Active Directory (AD) to which the Windows 2008 terminal server belongs. Every 6 months the W2008 server certificate expires. When it expires the users are required to accept the new certificate. (See image of certificate.) I realize that the root certificate for the W2008's certificate is not installed on the workstations. My goal is to stop requiring the users to accept a new certificate every 6 months. I see only two options.
1.  Join the workstations to the AD.
2.  Configure a domain certificate authority and then add its root certificate to the workgroup workstations.

Are there other options available for auto accepting the certificate or maybe extending the servers expiration date?  Can I retrieve the AD's root certificate without installing a CA server?

[Certificate image not reproduced on this page]
Adam Brown:

Your TS server is currently using what is called a Self-Signed certificate. Active Directory itself doesn't have a root certificate until you add a Certificate Authority (CA) server to the network. Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO. If you only need one certificate,

With that said, unless there is a major technical reason you don't have your workstations in a domain already, you'll probably be much better off adding them, as it will save you a great deal of work in the long run. Workgroups just aren't very useful.
Oops. Sorry, submitted before finishing this sentence. If you only need one certificate, a Root CA is more trouble than it's worth. However, if you want to use BitLocker, EFS, or 802.1x authentication, it's a great addition to your network.
epmmis (Asker):
Your statements "If you only need one certificate, a Root CA is more trouble than it's worth." and "Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO" are not clear to me.

1.  Does your comment mean that the TS server in question has a "root certificate", which could be transferred to workstations in the domain?

2.  The current need is for about 20 workstations to trust the certificate issued by the TS. Would that be considered needing just 1 certificate?

There are several reasons, which I cannot elaborate on in this forum, for not wanting to join the workstations to the AD. It would be considered the last choice, only if the workstations would then be able to trust the self-signed certificate issued by the TS.

Could you provide a little more clarification please?
ASKER CERTIFIED SOLUTION
Adam Brown:
[Solution text not included on this page]
epmmis (Asker):
Your advice is grand.
I have only 1 more question.
Is there a command line utility I can use to import the resulting certificate?

Thank you very much for your wisdom.
Adam Brown:

Not for a workstation. For a server you can use Certsrv.exe to import certificates, but I don't know of a CLI utility for importing on client machines.
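As an added example (not code from any participant in this thread), the manual route for workgroup machines: PowerShell that exports the certificate the RDP listener presents on the 2008 R2 server, and on each workstation verifies its thumbprint before importing it into the machine Trusted Root store. The file path, share path and thumbprint value are assumed placeholders, and the thumbprint is meant to be handed to the workstation separately from the .cer file.

```powershell
# Added example, not from the thread. Placeholders: the .cer path, the share path
# and the thumbprint passed to the workstation side.

# Run on the Windows 2008 R2 terminal server: find the certificate the RDP-Tcp
# listener actually presents (WMI reports its SHA1 hash) and write out the
# public part only as a DER .cer file.
function Export-RdpListenerCertificate {
    param([string]$OutFile)
    $ts = Get-WmiObject -Namespace "root\cimv2\TerminalServices" `
          -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $hash = $ts.SSLCertificateSHA1Hash
    $cert = $null
    foreach ($storeName in @("Remote Desktop", "My")) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, "LocalMachine"
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        $found = $store.Certificates | Where-Object { $_.Thumbprint -eq $hash }
        $store.Close()
        if ($found) { $cert = $found | Select-Object -First 1; break }
    }
    if (-not $cert) { throw "Listener certificate $hash not found in the Remote Desktop or My store" }
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    # NotAfter is when the users' prompt returns unless the file is redeployed.
    "Exported {0}; thumbprint {1}; expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}

# Run on each workgroup workstation from an elevated prompt: trust the exported
# certificate only if it is the one the administrator intended (thumbprint check),
# then place it in the machine Trusted Root store so mstsc stops prompting.
function Import-TrustedRdpCertificate {
    param([string]$CerFile, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerFile
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint $($cert.Thumbprint) does not match expected $expected; not importing"
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired $($cert.NotAfter); export a fresh one" }
    if ($cert.HasPrivateKey) { throw "File carries a private key; distribute the public .cer only" }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", "LocalMachine"
    $root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $root.Add($cert)    # same effect as: certutil -addstore Root $CerFile
    $root.Close()
    "Trusted {0} until {1}" -f $cert.Subject, $cert.NotAfter
}

# Usage (placeholder paths and thumbprint):
#   server:      Export-RdpListenerCertificate -OutFile "C:\temp\ts-rdp.cer"
#   workstation: Import-TrustedRdpCertificate -CerFile "\\fileshare\ts-rdp.cer" -ExpectedThumbprint "<thumbprint printed by the export>"
```

The prompt only stays away if users connect with the exact name in the certificate's Subject, and because the 2008 R2 self-signed certificate is renewed, the export and import must be repeated at each renewal, which is the maintenance the thread's GPO and CA options remove.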
epmmis (Asker):
Thank you for helping me make my quest easier.

Charlie