Solved

Server 2008 R2 Root and Subordinate Certificate Authorities on parent domain and RDS server on child domain

Posted on 2010-09-20
5
1,867 Views
Last Modified: 2012-06-27
Hello,

I am trying to get a Server 2008 R2 Standard RDS server installed on a child domain. We have a root and subordinate certificate authority established on the parent domain. I am having difficulty attaining a certificate from the subordinate CA because of the network being locked down. The CA's have never been used, they are server 2008 r2 standard as well. I have a few questions on this:
What ports do I need to have opened between the RDS server where I will generate my request for a certificate and the CA's?
Per this article, I need port 135 for RPC, but the other port is randomly generated, how do I establish what it is, and will it stay the same? Also, will it need to remain open? http://support.microsoft.com/kb/832017
What is the best way to go about generating a request for a certificate, and what will the steps be to import the certificate once it is generated? Should I generate a request using a .inf file and certreq, or is there a better way? This is the context of the .inf I was using to generate the request file, will this work?:

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="C=US,S=PA,L=MyCity,O=MyCompany,CN=RDSServer.Inside.Domain.com"
PrivateKeyArchive=FALSE
Exportable=FALSE
UserProtected=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
;HashAlgorithm=sha1RSA
KeyLength=2048
KeyUsage=0xF0 ;Digital Signature, Key Encipherment, Nonrepudiation, Data Encipherment
KeySpec=1
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

I was able to get a certificate over to the RDS server and select it for use w/ RDS, but when i attempt to connect to it from my Windows 7 pc that is not joined to the same domain, I get an error saying that the Certificate revocation list is not available. Is there communication that takes place between the RDS server and the CA when someone logs on remotely to it? An xp machine on the domain does not get a notification about the certificate at all. This RDS server is going to be accessed from non-domain PCs.

One other thing, the parent and child domains are on seperate vlans & subnets, the parent is on the 10.33.1.* range and the child is on the 10.28.1.* range.

Let me know if you need anything else. I'm sure I will have more questions as we go being that I have now thoroughly confused myself.

Thanks!
0
Comment
Question by:advserver
  • 3
  • 2
5 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 33727180
Port 135 is necessary, then it will call a large range of high numbered ports.  To declare a static high numbered port of your choosing for DCOM traffic, follow this:
http://itbloggen.se/cs/blogs/hasain/archive/2009/04/28/fixed-port-for-the-quot-certsrv-request-quot-rpc-dcom-component-in-windows-server-2008.aspx

This port only needs to be open during certificate requests - its probably more pain than its worth to try to only open it every now and then but feel free if you want to.  I'd suggest setting calendar reminders as part of that process in case things go crazy.

Here's a list of ports I just put up on my site:
http://www.pki101.com/Ports.html

Your request.inf looks fine, although I'm wondering if autoenrollment or just a regular manual enrollment with a template duplicated from the web server template set on the subject name tab to get info from distinguished name / DNS would probably be easier, but I'm not against the concept of manual enrollment for sensitive systems/templates.

Keep in mind that you can always copy the CSR you generate using certreq on the server onto a flash drive and sneakernet that to your workstation or CA to issue, then use the flash drive to move the issued cert back to the originating server - in this case nothing is required to connect to the CA.  Keep in mind you may still need to specify your CRL & OCSP locations in your firewall ruleset.

You can use the Enterprise PKI MMC snapin to get a quick look at your PKI to see if anything is out of date or whatever.  Make sure there is at least one of each for CDP, AIA, and OCSP location.

Note that there are some new things with OCSP if you need to support it in a DMZ, etc. - this is fairly complex but I can point you to more info if needed.

Also, make sure that the child domain's groups DOMAIN\Domain Computers, Domain Users, Domain Controllers are listed in the CERTSRV_DCOM_ACCESS group - this is a local security group on the CA unless your CA is installed on a DC in which case it would be an AD domain local security group.

As far as the subnets go - if they can talk then that's good.  You might want to allow ICMP for testing so you can ping to test connectivity to make sure you don't have a routing issue or something.
0
 
LVL 4

Author Comment

by:advserver
ID: 33737610
Thanks for the thorough response, your steps were very helpful, but I'm still running into the issue with the CRL. When I attempt to connect to the RDS server where the cert is issued, from a non-domain joined pc, I get a CRL issue. I have added an http location to the cert for the client to look and get the CRL, but it does not seem to be looking at it. It says a revocation check could not be performed. I have checked the CRL distribution point listed when I view the certificate, and it has the http listing, and I can manually go and get the CRL via IE, so it shouldn't be a firewall issue. The only thing I can figure is that there needs to be the AIA listing as well, and I have added this and have the .cer file in place, but it seems that with AIA you have to have a .crt extension? I have no idea how to generate a server certificate with that extension... I tried changing the extension on the file to .crt and I can navigate to the location in IE but when I attempt to connect via RDP I get an error saying that an unexpected cert was retrieved...

Apparently this is a known issue with Windows 7 and Server 2008 R2, and a hotfix is available, but I can't do this as we have vendors connecting to the RDS server that I do not have access to, and there are quite a few of them.
0
 
LVL 4

Author Comment

by:advserver
ID: 33737999
Found where to get the .crt files; thought I had to manually create them. Still any input you have would be great. Thanks!
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 33770679
Glad you found the .crt file - for the root CA that is created during installation of AD CS, for the subordinates it is issued from the root (or another higher subordinate) CA.

You might try setting up an OCSP responder and adding that path to your AIA (http://pki.domain.com/ocsp) - for some dumb reason some newer remote connections seem to have a strong preference for OCSP instead of the traditional CRL.  I highly recommend not messing with the /ocsp virtual directory.  The responder may be set up on a regular web server - this is the only AD CS role that is available to a web server edition installation.  I would recommend having a dns alias 'pki' or something like that so you can move it easier some day if you need to or to start load balancing for redundancy.  the actual bandwidth should be pretty nominal unless your company is quite large.
0
 
LVL 4

Author Comment

by:advserver
ID: 33770732
Thanks! Yeah that was kind of the direction I figured that we would have to go with, but unfortunately the 2008 R2 Standard edition does not include functionality for the OCSP responders. I think we're going to have to do an upgrade of our CA's in order to get that across. For now we are going to wait a bit and use the patch provided by MS to fix the issue with Windows 7... Not ideal but hopefully the patch will eventually get released as an update, or another fix will come out for the RDP 7 client. Thanks for your input, it was definitely helpful.
0

Join & Write a Comment

A procedure for exporting installed hotfix details of remote computers using powershell
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now