amendala
asked on
Can a Remote Desktop certificate be configured to issue a Subject Alternative Name in NetBIOS format in addition to the FQDN?
Folks -
Per the article linked to below, I have configured a certificate template on my internal PKI that is properly issuing certificates for use by the terminal services/remote desktop client in Windows 7.
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
However, I receive a certificate validation warning when I attempt to connect to the destination computer via its NetBIOS name rather than its FQDN. The validation warning is complaining that the name the certificate was issued to does not match the name of the destination computer. Well, that's because the template didn't place both "ComputerX" and "ComputerX.domain.lcl" on the cert. It doesn't appear to issue the cert with a Subject Alternative Name that would allow connectivity with either name.
The template has some additional options for what to include in the certificate. One of which are the Service Principal Names of the account. I selected that but it made no difference to the behavior. I would have assumed that since both HOST/ComputerX and HOST/ComputerX.domain.lcl are default SPNs on all computer accounts that both names would end up on the certificate - they don't. Only the FQDN does, so I'm in the same boat.
Has anyone figured out a way around this? Is it possible to get the template to issue a cert for the purposes of RDP with both the FQDN and NetBIOS names included?
This is purely for RDP console support purposes - general remote workstation administration by a help desk. No RD gateways, brokers, VDI, etc. involved. Simple P2P connectivity.
Thanks.
Per the article linked to below, I have configured a certificate template on my internal PKI that is properly issuing certificates for use by the terminal services/remote desktop client in Windows 7.
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
However, I receive a certificate validation warning when I attempt to connect to the destination computer via its NetBIOS name rather than its FQDN. The validation warning is complaining that the name the certificate was issued to does not match the name of the destination computer. Well, that's because the template didn't place both "ComputerX" and "ComputerX.domain.lcl" on the cert. It doesn't appear to issue the cert with a Subject Alternative Name that would allow connectivity with either name.
The template has some additional options for what to include in the certificate. One of which are the Service Principal Names of the account. I selected that but it made no difference to the behavior. I would have assumed that since both HOST/ComputerX and HOST/ComputerX.domain.lcl are default SPNs on all computer accounts that both names would end up on the certificate - they don't. Only the FQDN does, so I'm in the same boat.
Has anyone figured out a way around this? Is it possible to get the template to issue a cert for the purposes of RDP with both the FQDN and NetBIOS names included?
This is purely for RDP console support purposes - general remote workstation administration by a help desk. No RD gateways, brokers, VDI, etc. involved. Simple P2P connectivity.
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It doesn't seem this can be done based on conversations I've had with Microsoft PFE's. Going to close the question out.
I wish it was. I looked into it some time ago as I figured it would be nice not to have the warning all the time when making RDP connections to various machines.
ASKER
I'll keep the question open for a bit to see if anyone else knows.