Solved

Options for Windows 2008 remote desktop security certificates

Posted on 2010-09-20
7
632 Views
Last Modified: 2012-06-27
Users in a workgroup connect to a remoteapp published on a Windows 2008 R2 terminal server.  User’s workstations belong to a workgroup, not the Windows 2003 active directory (AD) to which the Windows 2008 terminal server belongs. Every 6 months the W2008 server certificate expires.  When it expires the users are required to accept the new certificate.  (See image of certificate). I realize that the root certificate for the W2008's certificate is not installed on the workstations.  My goal is to stop requiring the users to have to accept a new certificate every 6 months.  I see only two options.
1.  Join the workstations to the AD.
2.  Configure a domain certificate authority and then add its root certificate to the workgroup workstations.

Are there other options available for auto accepting the certificate or maybe extending the servers expiration date?  Can I retrieve the AD's root certificate without installing a CA server?

Certificate image here
   Server cert issued to workstations
0
Comment
Question by:epmmis
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33718453
Your TS server is currently using what is called a Self-Signed certificate. Active Directory itself doesn't have a root certificate until you add a Certificate Authority (CA) server to the network. Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO. If you only need one certificate,

With that said, unless there is a major technical reason you don't have your workstations in a domain already, you'll probably be much better off adding them, as it will save you a great deal of work in the long run. Workgroups just aren't very useful.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33718462
Oops. Sorry, submitted before finishing this sentence. If you only need one certificate, a Root CA is more trouble than it's worth. However, if you want to use BitLocker, EFS, or 802.1x authentication, it's a great addition to your network.
0
 

Author Comment

by:epmmis
ID: 33724802
It is not clear to me your statements   "If you only need one certificate, a Root CA is more trouble than it's worth." and "Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO"

1.  Does your comment mean that the TS server in question has a "root certificate", which could be transferred to workstations in the domain?

2.  The current need is for about 20 workstations to trust the certificate issued by the TS. Would that be considered needing just 1 certificate?  

There are a several reasons, which I can not elaborate on in this forum, for not wanting to join the workstations to the AD.  It would be considered the last choice, only if the workstations would then be able to trust the self-signed certificate issued by the TS.

Could you provide a little more clarification please?
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 33726898
1. Yes. The self-signed certificate for the TS server needs to be added to the Trusted Root Certification Authorities list in the computer's certificate store. I'll explain how to use this in a second.

2. The TS server's self-signed certificate is the only certificate that is being deployed, so there is only need for 1 actual certificate. If you were using BitLocker or EFS you would need a CA to generate and deploy certificates for all users. The main purpose for a CA is automating certificate delivery and providing a centralized trust for certificates. When you only have one certificate to deploy, the overhead associated with a CA server is excessive.

If your computers were part of a domain, you could easily deploy the Self-Signed certificate with a GPO. Unfortunately, the only way to do this with workgrouped computers is to import the certificate using the certificates snap-in.

To do this, run mmc.exe. When the console opens, click file, then Add/Remove snap-in. Double Click "Certificates" in the list on the left. When you do this, you will be prompted to select whether the snap-in will manage certificates for Users, Service Account, or Computer account. If you want to install the certificate so it is available for all users on the computer, select computer account, click next, then finish. Hit Okay to close the Add/Remove snapins window. Expand the Certificates (Local Computer) entry on the left window of the console. This will expand a number of certificate stores. Expand Trusted Root Certification Authorities, right click on Certificates, hover over All Tasks and select Import when the option shows up. This will open a wizard that will allow you to import the certificate for the TS server.

To pull the certificate off the TS server, check this link out: http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/4abecbd4-90df-4e6e-be12-44cc454ceb24/
0
 

Author Comment

by:epmmis
ID: 33727513
You advise is grand.
I have only 1 more question.
Is there a command line utility I can use to import the resulting certificate?

Thank you very much for your wisdom.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33727531
Not for a workstation. For a server you can use Certsrv.exe to import certificates, but I don't know of a CLI utility for importing on client machines.
0
 

Author Closing Comment

by:epmmis
ID: 33733736
Thank you for helping me make my quest easier.

Charlie
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now