[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Enforce users use PKI for Remote Desktop in Terminal Server 2012R2

Posted on 2014-07-11
Medium Priority
Last Modified: 2014-08-01
We need to setup the AD CS that we can enforce users to use the PKI in order to connected with terminal server with out auto-enrollment certificate so the users need to install the certificate manually in their clients machine in order to connect with the Terminal Server session

Thank you .
Question by:demichel
  • 5
  • 3

Author Comment

ID: 40191002
LVL 38

Expert Comment

ID: 40191201
What you are trying to do and what provided in link are two different things

Users do not require certificate in order to connect to terminal server

You need to install SSL cert on server hosting terminal server role and need to assign same to RDP through wmic or PowerShell

The SSL certificate subject name must be match to FQDN you are using to connect to terminal server

Author Comment

ID: 40191234
We need a internal certificate that only users can request once via https://<servername>/certsrv/ and install it in their computers in order to connect with the terminal server .
Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

LVL 38

Expert Comment

ID: 40191250
You can have certificate requested to CA server with user login
If you are not enabling certificate Autoenrollment, user must request it manually

But this certificate has nothing to do with RDS \ terminal server

Check below post


Author Comment

ID: 40191673
how to create the CA for Remote Desktop login? so that user need to install in order to connect in the TS

Author Comment

ID: 40191677
That's we need ..... The solution is certificate based computer authentication. If the computer cannot authenticate itself by presenting a valid certificate to the terminal server it is trying to connect to, then the RDP connection will be dropped before the user has a chance to attempt to log on.....
LVL 38

Accepted Solution

Mahesh earned 2000 total points
ID: 40192355
Thanks for confirmation
If you are trying to enforce certificate on client computer to connect to RDP sessions, it is not achievable according to my knowledge, because you cannot set that option in RDP protocol and RDP tool
You can enable network level authentication on RDP so that user has to authenticate prior to connect to server and once authenticated, it can get RDP session.

The way you are thinking is possible with IPsec vpn where computer certificate is required for computer authentication in addition to username and password

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every now and then, Microsoft does something that totally impresses me. It doesn't happen often, but in this case I must say I am thoroughly impressed with Windows Server Backup. One of the long time issues with Windows Backup has been the ability t…
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question