Solved

Options for Windows 2008 remote desktop security certificates

Posted on 2010-09-20
7
634 Views
Last Modified: 2012-06-27
Users in a workgroup connect to a remoteapp published on a Windows 2008 R2 terminal server.  User’s workstations belong to a workgroup, not the Windows 2003 active directory (AD) to which the Windows 2008 terminal server belongs. Every 6 months the W2008 server certificate expires.  When it expires the users are required to accept the new certificate.  (See image of certificate). I realize that the root certificate for the W2008's certificate is not installed on the workstations.  My goal is to stop requiring the users to have to accept a new certificate every 6 months.  I see only two options.
1.  Join the workstations to the AD.
2.  Configure a domain certificate authority and then add its root certificate to the workgroup workstations.

Are there other options available for auto accepting the certificate or maybe extending the servers expiration date?  Can I retrieve the AD's root certificate without installing a CA server?

Certificate image here
   Server cert issued to workstations
0
Comment
Question by:epmmis
  • 4
  • 3
7 Comments
 
LVL 39

Expert Comment

by:Adam Brown
ID: 33718453
Your TS server is currently using what is called a Self-Signed certificate. Active Directory itself doesn't have a root certificate until you add a Certificate Authority (CA) server to the network. Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO. If you only need one certificate,

With that said, unless there is a major technical reason you don't have your workstations in a domain already, you'll probably be much better off adding them, as it will save you a great deal of work in the long run. Workgroups just aren't very useful.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 33718462
Oops. Sorry, submitted before finishing this sentence. If you only need one certificate, a Root CA is more trouble than it's worth. However, if you want to use BitLocker, EFS, or 802.1x authentication, it's a great addition to your network.
0
 

Author Comment

by:epmmis
ID: 33724802
It is not clear to me your statements   "If you only need one certificate, a Root CA is more trouble than it's worth." and "Adding the clients to the domain won't add a self-signed certificate to them, but it does allow you to deploy the Root CA certificate of the self-signed server to the workstations through a GPO"

1.  Does your comment mean that the TS server in question has a "root certificate", which could be transferred to workstations in the domain?

2.  The current need is for about 20 workstations to trust the certificate issued by the TS. Would that be considered needing just 1 certificate?  

There are a several reasons, which I can not elaborate on in this forum, for not wanting to join the workstations to the AD.  It would be considered the last choice, only if the workstations would then be able to trust the self-signed certificate issued by the TS.

Could you provide a little more clarification please?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 33726898
1. Yes. The self-signed certificate for the TS server needs to be added to the Trusted Root Certification Authorities list in the computer's certificate store. I'll explain how to use this in a second.

2. The TS server's self-signed certificate is the only certificate that is being deployed, so there is only need for 1 actual certificate. If you were using BitLocker or EFS you would need a CA to generate and deploy certificates for all users. The main purpose for a CA is automating certificate delivery and providing a centralized trust for certificates. When you only have one certificate to deploy, the overhead associated with a CA server is excessive.

If your computers were part of a domain, you could easily deploy the Self-Signed certificate with a GPO. Unfortunately, the only way to do this with workgrouped computers is to import the certificate using the certificates snap-in.

To do this, run mmc.exe. When the console opens, click file, then Add/Remove snap-in. Double Click "Certificates" in the list on the left. When you do this, you will be prompted to select whether the snap-in will manage certificates for Users, Service Account, or Computer account. If you want to install the certificate so it is available for all users on the computer, select computer account, click next, then finish. Hit Okay to close the Add/Remove snapins window. Expand the Certificates (Local Computer) entry on the left window of the console. This will expand a number of certificate stores. Expand Trusted Root Certification Authorities, right click on Certificates, hover over All Tasks and select Import when the option shows up. This will open a wizard that will allow you to import the certificate for the TS server.

To pull the certificate off the TS server, check this link out: http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/4abecbd4-90df-4e6e-be12-44cc454ceb24/
0
 

Author Comment

by:epmmis
ID: 33727513
You advise is grand.
I have only 1 more question.
Is there a command line utility I can use to import the resulting certificate?

Thank you very much for your wisdom.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 33727531
Not for a workstation. For a server you can use Certsrv.exe to import certificates, but I don't know of a CLI utility for importing on client machines.
0
 

Author Closing Comment

by:epmmis
ID: 33733736
Thank you for helping me make my quest easier.

Charlie
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question