So I have a working Active Directory. I've recently added a new machine to act as an Active Directory Certificate Authority.

I've added a Group Policy (Computer level) for automatic certificate enrollment according to this document. And verified that my CA appears in all of my domain members' Trusted Root Certificates.

I've exported the CA's root certificate and added it to my workstation's (computer) Trusted Root CA list.

When I want to remote desktop into my remote servers, it still pops up a warning like this: [image: Remote Desktop Connection untrusted certificate warning]

When I view the certificate, it's clear that the certificate that is being sent is the default machine self-signed certificate. How do I get Windows to re-issue machine certificates based on my new trusted root CA? I'm guessing that I need to create an auto-approval policy for machine certificates somewhere with some constraint maybe on who/how such requests can be made. And then I would guess that I need to push a domain policy that somehow instructs all my domain members to get their machine certificate.

Does this sound familiar to anyone? I think the reason I can't find a document on this is because I don't know the correct terminology.

Eric Falsken (edited by maweeras)

  • Ok, so I've updated my group policy, and I see in the (local computer)/Personal certificates, I now have a machine certificate that looks correct, issued by my CA. But Remote Desktop still gives me the old certificate without the CA server in the certificate path. – Eric Falsken Jan 20 '12 at 18:54
  • See my updated answer. You need to configure RDP to use the cert. – Paul Ackerman Jan 20 '12 at 19:11
  • I followed the first part of that document, and ended up having to restart the RDP service. I now get the correct certificate. But the warning now reads `A revocation check could not be performed for the certificate.` – Eric Falsken Jan 20 '12 at 21:22
  • Ok. Finally got it. The full certificate path wasn't included on the RemoteDesktopComputer certificates. I had to go into the CA management, edit the properties of the CA, on the Extensions tab, edit AIA properties, and make sure that the LDAP and HTTP extensions were included in all issued certificates. Then revoke all the RemoteDesktop certs I had issued so they could be re-issued again. And it worked! – Eric Falsken Jan 20 '12 at 22:37

3 Answers

You need to enroll for a machine certificate on the workstation. You can set up autoenrollment via group policy, or you can navigate to the cert enrollment website on your CA (https://yourCA/certenroll) and enroll manually.
Autoenrollment is set under Computer Config -> Policies -> Windows Settings -> Security Settings -> Public Key Policies.

EDIT: After getting a certificate that can be used for "Client Authentication", you need to set up RDP to use the cert. Follow the instructions here for a WMI script to do this.

Paul Ackerman
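The two steps this thread converges on, binding the CA-issued machine certificate to the RDP listener (Paul Ackerman's answer) and making sure its chain and revocation information can actually be fetched (Eric Falsken's last comment about the AIA extension), can be done and checked from one script. The following is an added example, not the WMI script the answer links to and not code from the original post; the issuer name `CN=YOUR-ISSUING-CA` is a placeholder for your own CA, and it assumes the autoenrolled certificate already sits in `LocalMachine\My` with a private key and the Server Authentication EKU (the "Computer" template issues that). It is run in an elevated PowerShell session on the server you RDP into.

```powershell
# Added example (not from the question or answers). Select the CA-issued
# machine certificate, verify its chain WITH revocation checking (the check the
# RDP client performs), then bind it to the RDP-Tcp listener via WMI.
# Assumption: $IssuerPattern is a placeholder for your enterprise CA's subject.
$IssuerPattern = 'CN=YOUR-ISSUING-CA'   # placeholder, replace with your CA's name

# Newest, unexpired cert from the CA that has a private key and the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1). Requiring Issuer <> Subject
# excludes the default self-signed RDP certificate the question describes.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -like "*$IssuerPattern*" -and
        $_.Issuer -ne $_.Subject -and
        $_.NotAfter -gt (Get-Date) -and
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No suitable CA-issued certificate found in LocalMachine\My" }
"Candidate: $($cert.Subject) thumbprint $($cert.Thumbprint)"

# Build the chain online with revocation checking. If the CA does not publish
# AIA/CDP URLs in issued certificates, this fails with RevocationStatusUnknown
# or OfflineRevocation, i.e. the "revocation check could not be performed"
# warning, so fix the CA extensions (and re-issue) before binding.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "Chain or revocation check failed; fix AIA/CDP on the CA before binding"
}
"Chain OK, $($chain.ChainElements.Count) elements, root: $($chain.ChainElements[$chain.ChainElements.Count-1].Certificate.Subject)"

# Bind the certificate to the RDP-Tcp listener (Win32_TSGeneralSetting).
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Re-read the listener to confirm the binding took effect.
$check = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw "Listener still presents $($check.SSLCertificateSHA1Hash)" }
"RDP-Tcp now presents thumbprint $($check.SSLCertificateSHA1Hash)"
```

The chain check is deliberately placed before the binding: the comment thread shows the order of failures you otherwise hit (wrong certificate, then a certificate whose revocation status cannot be determined), and `X509Chain` with `RevocationMode = Online` reproduces the client-side check offline on the server itself. As the comment notes, existing listeners may not pick up the new thumbprint until the Remote Desktop Services service (TermService) is restarted.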
This Microsoft documentation might help you: http://support.microsoft.com/kb/281271

"In the following scenarios, if a user from the same domain as a certification authority (CA) requests a certificate, the issued certificate is published in Active Directory. However, if the user is from a child domain, this process is not successful. Also, when users from the same domain as a CA request a certificate, the issued certificate may not be published in Active Directory. "

Zero

Check this detailed article from Microsoft: http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx?PageIndex=2

Regards.
Farouk.

  • Please supply a summary for later. – vonbrand Apr 11 '13 at 17:58
  • Welcome to Server Fault! Generally we like answers on the site to be able to stand on their own. Links are great, but if that link ever breaks the answer should have enough information to still be helpful. Please consider editing your answer to include more detail. See the [FAQ](http://www.serverfault.com/faq) for more info. – slm Apr 11 '13 at 17:59