Solved

Options for Windows 2008 remote desktop security certificates

Posted on 2010-09-20
7
630 Views
Last Modified: 2012-06-27
Users in a workgroup connect to a remoteapp published on a Windows 2008 R2 terminal server.  User’s workstations belong to a workgroup, not the Windows 2003 active directory (AD) to which the Windows 2008 terminal server belongs. Every 6 months the W2008 server certificate expires.  When it expires the users are required to accept the new certificate.  (See image of certificate). I realize that the root certificate for the W2008's certificate is not installed on the workstations.  My goal is to stop requiring the users to have to accept a new certificate every 6 months.  I see only two options.
1.  Join the workstations to the AD.
2.  Configure a domain certificate authority and then add its root certificate to the workgroup workstations.

Are there other options available for auto accepting the certificate or maybe extending the servers expiration date?  Can I retrieve the AD's root certificate without installing a CA server?

Certificate image here
   Server cert issued to workstations
0
Comment
Question by:epmmis
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33718453
Your TS server is currently using what is called a Self-Signed certificate. Active Directory itself doesn't have a root certificate until you add a Certificate Authority (CA) server to the network. Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO. If you only need one certificate,

With that said, unless there is a major technical reason you don't have your workstations in a domain already, you'll probably be much better off adding them, as it will save you a great deal of work in the long run. Workgroups just aren't very useful.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33718462
Oops. Sorry, submitted before finishing this sentence. If you only need one certificate, a Root CA is more trouble than it's worth. However, if you want to use BitLocker, EFS, or 802.1x authentication, it's a great addition to your network.
0
 

Author Comment

by:epmmis
ID: 33724802
It is not clear to me your statements   "If you only need one certificate, a Root CA is more trouble than it's worth." and "Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO"

1.  Does your comment mean that the TS server in question has a "root certificate", which could be transferred to workstations in the domain?

2.  The current need is for about 20 workstations to trust the certificate issued by the TS. Would that be considered needing just 1 certificate?  

There are a several reasons, which I can not elaborate on in this forum, for not wanting to join the workstations to the AD.  It would be considered the last choice, only if the workstations would then be able to trust the self-signed certificate issued by the TS.

Could you provide a little more clarification please?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 33726898
1. Yes. The self-signed certificate for the TS server needs to be added to the Trusted Root Certification Authorities list in the computer's certificate store. I'll explain how to use this in a second.

2. The TS server's self-signed certificate is the only certificate that is being deployed, so there is only need for 1 actual certificate. If you were using BitLocker or EFS you would need a CA to generate and deploy certificates for all users. The main purpose for a CA is automating certificate delivery and providing a centralized trust for certificates. When you only have one certificate to deploy, the overhead associated with a CA server is excessive.

If your computers were part of a domain, you could easily deploy the Self-Signed certificate with a GPO. Unfortunately, the only way to do this with workgrouped computers is to import the certificate using the certificates snap-in.

To do this, run mmc.exe. When the console opens, click file, then Add/Remove snap-in. Double Click "Certificates" in the list on the left. When you do this, you will be prompted to select whether the snap-in will manage certificates for Users, Service Account, or Computer account. If you want to install the certificate so it is available for all users on the computer, select computer account, click next, then finish. Hit Okay to close the Add/Remove snapins window. Expand the Certificates (Local Computer) entry on the left window of the console. This will expand a number of certificate stores. Expand Trusted Root Certification Authorities, right click on Certificates, hover over All Tasks and select Import when the option shows up. This will open a wizard that will allow you to import the certificate for the TS server.

To pull the certificate off the TS server, check this link out: http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/4abecbd4-90df-4e6e-be12-44cc454ceb24/
0
 

Author Comment

by:epmmis
ID: 33727513
You advise is grand.
I have only 1 more question.
Is there a command line utility I can use to import the resulting certificate?

Thank you very much for your wisdom.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33727531
Not for a workstation. For a server you can use Certsrv.exe to import certificates, but I don't know of a CLI utility for importing on client machines.
0
 

Author Closing Comment

by:epmmis
ID: 33733736
Thank you for helping me make my quest easier.

Charlie
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now