Solved

Can a Remote Desktop certificate be configured to issue a Subject Alternative Name in NetBIOS format in addition to the FQDN?

Posted on 2014-10-29
4
428 Views
Last Modified: 2014-10-30
Folks -

Per the article linked to below, I have configured a certificate template on my internal PKI that is properly issuing certificates for use by the terminal services/remote desktop client in Windows 7.

http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

However, I receive a certificate validation warning when I attempt to connect to the destination computer via its NetBIOS name rather than its FQDN.  The validation warning is complaining that the name the certificate was issued to does not match the name of the destination computer.  Well, that's because the template didn't place both "ComputerX" and "ComputerX.domain.lcl" on the cert.  It doesn't appear to issue the cert with a Subject Alternative Name that would allow connectivity with either name.

The template has some additional options for what to include in the certificate.  One of which are the Service Principal Names of the account.  I selected that but it made no difference to the behavior.  I would have assumed that since both HOST/ComputerX and HOST/ComputerX.domain.lcl are default SPNs on all computer accounts that both names would end up on the certificate - they don't.  Only the FQDN does, so I'm in the same boat.

Has anyone figured out a way around this?  Is it possible to get the template to issue a cert for the purposes of RDP with both the FQDN and NetBIOS names included?

This is purely for RDP console support purposes - general remote workstation administration by a help desk.  No RD gateways, brokers, VDI, etc. involved.  Simple P2P connectivity.

Thanks.
0
Comment
Question by:amendala
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 40411568
To the best of my knowledge, there is no automatic way to do this.  I think you could manually create a cert with this info though, using the certificate service webpage on a standalone CA (don't think it will work on an Enterprise CA).
0
 

Author Comment

by:amendala
ID: 40411579
Yeah, we are trying to accomplish this through auto-enrollment.  Given that we had thousands and thousands of workstations, obviously, manual issuance and renewal would be well - a headache to say the least.  :)

I'll keep the question open for a bit to see if anyone else knows.
0
 

Author Comment

by:amendala
ID: 40413795
It doesn't seem this can be done based on conversations I've had with Microsoft PFE's.  Going to close the question out.
0
 
LVL 40

Expert Comment

by:footech
ID: 40414585
I wish it was.  I looked into it some time ago as I figured it would be nice not to have the warning all the time when making RDP connections to various machines.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question