We want to force Remote Desktop to use a certificate based on a particular named template rather than using a self-signed certificate. This works in forests with a Certificate Authority server, but not in forests that do not have their own CA server. I want to avoid hardcoding the certificate thumbprint to use on each computer as this would need to be updated each time the certificate is renewed.

We have a number of Active Directory domains (one domain per forest) which have Microsoft Enterprise CAs (one CA server per forest). These original domains/forests do not trust each other and are firewalled from each other. All our servers are using Windows Server 2016.

The certificate templates were generated on one CA, then copied to the other CAs. None of the certificate templates have the extension "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Each server in the domain has a certificate based on a template with the "Server Authentication" extension, and we have a GPO with the setting "Server Authentication certificate template" configured with the name of the certificate template we want to use with RDP. This seems to work fine in the domains/forests that have a CA.

To support application development by third parties, we built additional forests, one for each of the original forests, and each of the new forests trusts its corresponding original forest. The development forests do not have CAs - their certificates are issued by the CA in their corresponding original forest. The development forests have GPOs that are generally copies of the GPOs in their corresponding original forest.

If I look at a certificate in the main forests which have CAs, at the property "Certificate Template Information", the value shown is of the form "Template=Display Name(OID)...". In a domain without a CA server, the value shown is of the form "Template=OID" (i.e. no display name, only an OID). I believe that is the reason that the GPO setting is having no effect in the forests without a local CA.

I used the scripts here: https://www.sysadmins.lv/blog-en/export-and-import-certificate-templates-with-powershell.aspx to copy the Certificate Templates and OIDs from one of the forests with a CA to its corresponding development forest. Although the process was successful, this did not help with the resolution of OID to display name for the certificates and did not make the GPO setting work. I noticed that the OIDs of the templates were different when transferred to the new domain (I looked in AD Sites and Services under "Public Key Services"). I also tried the module at: https://www.powershellgallery.com/packages/ADCSTemplate/1.0.1.0 which gave similar results.

Is there an easy way, without changing the original certificate templates or creating new ones, that we can have a single GPO (copied between all of the forests) to specify the certificate template to use with RDP, or do we have to have separate GPOs in the development forests which have the OID of the certificate template rather than the display name?

1 Answer

You have only two options:

  1. install CA in every forest
  2. have a two-way forest trust between forests with and without CAs and configure cross-forest certificate enrollment.
  3. there is no 3rd option.
Crypt32
  • Thanks @Crypt32. Option 1 is not possible for us. For option 2, looking at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ff955845(v=ws.10), I have two questions: 1. we already have the root and intermediate CA certificates trusted via a GPO - is it necessary to publish them (certutil -dspublish) as well? 2. I had not tried the PKISync.ps1 script because it looked old. – Jon Pennycook Apr 01 '21 at 11:00
  • Certificate trust isn't the problem here. The problem is that there are no CAs clients can request certificates from. – Crypt32 Apr 01 '21 at 11:03
  • Thanks. We have Bank Holidays for Easter, so I probably won't be able to respond again before Tuesday at the earliest. – Jon Pennycook Apr 01 '21 at 14:09
  • I ran `.\pkisync.ps1 -sourceforest ... -targetforest ...` and restarted the TermService service - this made the error with source TerminalServices-RemoteConnectionManager event ID 1064 ("The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS 1.0)...") disappear, and now I get event ID 1063, so it looks like it works now! Thanks! – Jon Pennycook Apr 06 '21 at 11:09
  • Interestingly, if I look at the certificate it chose, the property "Certificate Template Information" still has its value shown in the form "Template=Display Name(OID)..." (i.e. without a name) so maybe that was a red herring. The certificate it chose to use was the correct template. – Jon Pennycook Apr 06 '21 at 11:12
  • You may need to wait until OIDs are propagated to clients from AD. I don't remember if OID container is replicated using pkisync.ps1 script or not, but I suspect it should. – Crypt32 Apr 06 '21 at 12:25
  • PkiSync copied the OIDs, the Certificate Templates, and the contents of Enrollment Services (i.e. the object for the CA). Looking at it today, the "Certificate Template Information" has now resolved to a name. – Jon Pennycook Apr 07 '21 at 09:56
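An added diagnostic script (not from the question, the answer, or any of the linked tools) that ties together the checks discussed in the question and in the comments on one RD Session Host: it reads the template name the GPO applied, finds the certificate the RDP-Tcp listener is actually bound to, shows how each machine certificate's "Certificate Template Information" extension formats (display name resolved versus bare OID), and lists the TerminalServices-RemoteConnectionManager events 1063/1064 the thread uses to judge success. It assumes the GPO setting is stored as the `CertTemplateName` value under the Terminal Services policy key and that the event provider is named `Microsoft-Windows-TerminalServices-RemoteConnectionManager`; run it elevated on the server being checked.

```powershell
# Added example; assumes the policy key/value below is where the GPO
# "Server authentication certificate template" lands.
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$templateName = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).CertTemplateName
"GPO template name applied on this host: $templateName"

# Certificate currently bound to the RDP-Tcp listener.
$rdp = Get-CimInstance -Namespace root/cimv2/TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$boundThumbprint = $rdp.SSLCertificateSHA1Hash
"RDP-Tcp listener thumbprint: $boundThumbprint"

# Template extensions: V2 "Certificate Template Information" and V1 "Certificate Template Name".
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $exts = $cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids }
    # Format() resolves the template OID to a display name only if the OID is
    # registered on this machine or in the forest's OID container; otherwise the
    # text stays "Template=<OID>", which is the symptom described in the question.
    $info = if ($exts) { ($exts | ForEach-Object { $_.Format($false) }) -join '; ' }
            else       { '(no template extension, e.g. self-signed RDP certificate)' }
    [pscustomobject]@{
        BoundToRdp = ($cert.Thumbprint -eq $boundThumbprint)
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Template   = $info
        EKUs       = ($cert.EnhancedKeyUsageList.FriendlyName) -join ', '
        NotAfter   = $cert.NotAfter
    }
} | Sort-Object BoundToRdp -Descending | Format-Table -AutoSize

# 1064: template-based certificate could not be installed (quoted in the comments);
# 1063: the event the thread treats as the success case after PkiSync.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
    Id           = 1063, 1064
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If the bound certificate shows the expected template but only as a bare OID, the listener selection has already worked and the missing display name is cosmetic, which matches the commenter's observation that it resolved to a name only after the OID container had replicated.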