
Practically all instructions on enabling certificates for Remote Desktop server authentication (and configuring auto-enrollment through Group Policy) say that you should create a new certificate template (named "RemoteDesktopComputer" or similar), adding only the RDP-specific OID 1.3.6.1.4.1.311.54.1.2 as an extendedKeyUsage.

However, some third-party clients always expect the certificate to have a "TLS server" extendedKeyUsage and have issues verifying servers which only have this OID. So I would much rather use a generic TLS certificate for RDP as well.

Will there be any operational issues if I don't use a custom template, but instead specify the built-in 'Computer' template in the GPO setting? (The one under "Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security".)

Will there be any operational issues if the GPO also has certificate enrollment under "Public Key Policies/Automatic Certificate Request Settings" enabled for the same 'Computer' template? Will this possibly cause the computer to get two redundant certificates based on the same template?

Will there be any security issues due to computers using their generic 'Computer' certificate (with the standard "TLS server" OID) for serving Remote Desktop?

user1686
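As an added example (not part of the question or of either answer), the following PowerShell inventory answers the two operational questions above on a given session host: which template the RDS policy is pointing at, which certificate the RDP-Tcp listener is actually bound to, and whether any template (the built-in Computer template included) has produced more than one certificate in the machine store. It assumes an elevated PowerShell 5.1 session on a domain-joined host. The registry value CertTemplateName under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services is the one written by the "Server authentication certificate template" policy, and the built-in "Computer" template's template name (as opposed to its display name) is "Machine", which is the string that shows up in issued certificates.

```powershell
# Added example, not from the original question or answers.
# Assumes: elevated PowerShell 5.1+, domain-joined Windows host, RDP-Tcp listener.

$RdpEku        = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'        # TLS Server Authentication

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            # V2+ templates: "Certificate Template Information" (name/OID + version numbers)
            '1.3.6.1.4.1.311.21.7' {
                if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            }
            # V1 templates (e.g. the built-in Computer template, template name "Machine"):
            # a DER BMPString: tag 0x1E, short-form length, UTF-16BE payload
            '1.3.6.1.4.1.311.20.2' {
                $raw = $ext.RawData
                if ($raw.Length -gt 2 -and $raw[0] -eq 0x1E -and $raw[1] -lt 0x80) {
                    return [System.Text.Encoding]::BigEndianUnicode.GetString($raw, 2, $raw[1])
                }
            }
        }
    }
    return $null
}

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) { return @($eku.EnhancedKeyUsages | ForEach-Object Value) }
    return @()
}

# 1. Template name configured by the RDS policy (missing = policy not applied)
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$gpoTemplate = (Get-ItemProperty -Path $policyKey -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName
"RDS policy template name : $(if ($gpoTemplate) { $gpoTemplate } else { '<not set>' })"

# 2. Certificate currently bound to the RDP-Tcp listener
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$boundHash = $ts.SSLCertificateSHA1Hash
"RDP-Tcp bound thumbprint : $boundHash"

# 3. Every machine certificate with its template, EKUs and whether RDP uses it
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekus = Get-CertEkuOids $cert
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Template   = Get-CertTemplateName $cert
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        ServerAuth = ($ekus -contains $ServerAuthEku)
        RdpAuth    = ($ekus -contains $RdpEku)
        BoundToRdp = ($cert.Thumbprint -eq $boundHash)
    }
}
$report | Format-Table -AutoSize

# 4. Flag templates that yielded more than one certificate (e.g. two enrollment
#    paths both pointing at "Machine")
$report | Where-Object Template | Group-Object Template | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Template '$($_.Name)' produced $($_.Count) certificates: $($_.Group.Thumbprint -join ', ')"
}
```

Run it before and after applying the policy change; the BoundToRdp column tells you whether the listener picked up a certificate from the configured template, and the warning in step 4 is the direct answer to the "two redundant certificates" question for that host.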

2 Answers


Automatic Certificate Request Settings (ACRS) only enrolls V1 certificate templates (Windows 2000 only supported this method). These are inflexible.

In general, any certificate including an EKU of Server Authentication (and containing a subject and/or SAN containing the DNS name the RDP client is validating against) should be usable for Remote Desktop-class certificates.

Should you use a separate certificate? It depends on the security profile of the certificates you're deploying to the machine.

  • If the key isn't useful for other things, then it doesn't really matter.
  • If you were going to give every client 2 certificates anyway, it might not matter.
  • If your RDP auth profile is significantly different from every other certificate provided to the device, it's worth keeping it as a different certificate type.
  • If you're providing certificates for another purpose as well - like SCCM authentication and management, or VPN, or both - could those other Client Authentication certificates be combined with Server Authentication to produce an all-in-one device certificate?
    • again, key tradeoffs: more certificates may mean more management; fewer may be easier to manage, but evaluate security capabilities and tradeoffs carefully
TristanK

If you use the generic Computer template, you will lose automatic certificate binding to the RDP port. You will have to manually monitor certificate expiration and re-binding on every RDP-enabled machine.

There are no security differences between an RDP-dedicated template and the generic Computer template; it is all about maintenance. With a dedicated certificate template, everything is done automatically as long as the GPO is configured. With a generic certificate that doesn't meet certain requirements, you will have to do RDP certificate provisioning manually.

However, some third-party clients always expect the certificate to have a "TLS server"

Add two entries in the EKU: RDP Authentication and Server Authentication.

Crypt32
  • Doesn't the automatic binding come from the fact that the template name is specified under "Remote Desktop Session Host/Security" GPO, and not from the template itself? I fail to see what makes my custom-made RDP template more special in that regard, as the template's configuration itself doesn't have any RDP binding settings. – user1686 Oct 22 '20 at 06:24
  • GPO setting will do some checks and if they fail -- it won't bind failed certificate to RDP. – Crypt32 Oct 22 '20 at 06:25
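The first answer says a certificate with a Server Authentication EKU and the host's DNS name is usable for RDP; the second says that if the RDS template policy is not doing the binding, expiry monitoring and re-binding become your job. As an added example (not code from either answer), the following script does that job by hand and is meant to be saved as a .ps1 and run from a scheduled task: it picks the best LocalMachine\My certificate that has a private key, carries Server Authentication (or the RDP EKU), lists this host's FQDN in its DNS names and is not about to expire, and binds it to RDP-Tcp only when the currently bound certificate is missing, unsuitable or inside the renewal window. It assumes an elevated PowerShell 5.1+ session; the 14-day renewal window, the "longest remaining validity wins" selection and the function name Test-RdpCandidate are this example's own choices.

```powershell
# Added example, not from either answer. Save as e.g. Update-RdpCertificate.ps1 and
# run elevated (supports -WhatIf). Assumes PowerShell 5.1+ and an RDP-Tcp listener.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$RenewWithinDays = 14   # example threshold: treat a cert expiring sooner as unsuitable
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'        # TLS Server Authentication
$RdpEku        = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication
$hostFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-RdpCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object Value) } else { @() }
    # DnsNameList is a property the Cert: provider adds (SAN dNSName entries, CN fallback)
    $names  = @($Cert.DnsNameList | ForEach-Object Unicode)
    return ($Cert.HasPrivateKey) -and
           ($ekus -contains $ServerAuthEku -or $ekus -contains $RdpEku) -and
           ($names -contains $hostFqdn) -and
           ($Cert.NotAfter -gt (Get-Date).AddDays($RenewWithinDays))
}

$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$bound = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $ts.SSLCertificateSHA1Hash

if ($bound -and (Test-RdpCandidate $bound)) {
    "RDP-Tcp is already bound to a suitable certificate $($bound.Thumbprint) (expires $($bound.NotAfter)); nothing to do."
    return
}

$best = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-RdpCandidate $_ } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $best) {
    Write-Warning ("No certificate in LocalMachine\My has a private key, a Server Authentication/RDP EKU, " +
                   "a DNS name of $hostFqdn and more than $RenewWithinDays days of validity; " +
                   "bound certificate: $(if ($bound) { $bound.Thumbprint } else { '<none>' })")
    return
}

if ($PSCmdlet.ShouldProcess('RDP-Tcp', "Bind certificate $($best.Thumbprint) ($($best.Subject))")) {
    # The Remote Desktop Services service runs as NETWORK SERVICE and must be able to read
    # the private key; that ACL is not adjusted here.
    Set-CimInstance -InputObject $ts -Property @{ SSLCertificateSHA1Hash = $best.Thumbprint }
    "Bound $($best.Thumbprint) to RDP-Tcp; expires $($best.NotAfter)"
}
```

Run it with -WhatIf first to see which certificate it would choose. A template that issues with both EKUs, as the second answer suggests, is what makes the built-in binding path work without this script; the script is for the case where you deliberately stay on the generic Computer template and accept that re-binding is now a maintenance task.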