In a previous blog on Object Identifiers (OID) in PKI, I mentioned creating a certificate template for Remote Desktop Connection (RDP). In this blog, I will show how to create the template, why the OID and extensions are important, and how to implement it and remove self-signed certificate warnings from RDP connections.
Prior to Windows Server 2012, a bug existed where using the template Display Name in the GPO (below) would trigger an enrollment, but the policy would not honor it. At each subsequent GPO refresh the process was repeated, resulting in huge numbers of RDP certificates being issued. Pay close attention to this if there are server OSs below Windows Server 2012 in your environment, and use the template name or OID when specifying the RDP template. A best practice I always follow is no spaces in template names, and setting the template name and template display name to match when possible.
Why Issue RDP Certificates?
There are multiple reasons to issue RDP certificates from a PKI. The most noticeable is the warning displayed when making an RDP connection to a server or client. Upon the first RDP connection, servers and clients generate a self-signed certificate, which is not trusted, so the warning is displayed.
Clicking Yes to connect sets a bad precedent, especially when checking the box to not be notified again. On servers and clients prior to Windows 8.1 and Server 2012 R2, the self-signed certificates were SHA1-based until an update, after which they started issuing SHA2-based self-signed certificates.
After following these steps, clients and servers the GPO is applied to will no longer generate self-signed certificates and will use the trusted certificate issued from your PKI to secure the connection.
Current Policies & Corresponding OIDs
To view the policies and OID list, open the certificate templates console (certtmpl.msc), then right-click on the console root at the top left and select "View Object Identifiers...".
The highlighted policy above is Microsoft's OID designation for Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2), but it isn't present by default and must be created.
Desktop Authentication Policy
To create the policy, open the certificate templates console (certtmpl.msc), then right-click on the default Computer template and select Duplicate Template. Highlight the Extensions tab, select Application Policies and click Edit. Select the Client Authentication and Server Authentication policies and click Remove. Now click Add and the Add Application Policy box opens; select New, and in the New Application Policy dialog box enter "Remote Desktop Authentication" in the Name field and 1.3.6.1.4.1.311.54.1.2 in the Object Identifier field (delete the default value in the box), then click OK to close each dialog. On the Security tab set Read and Enroll for the targeted servers or groups. On the General tab, set the Template display name and Template name to match exactly, with no spaces (example: NewRDPTemplate).
Utilizing the New Certificate Template
Publish the new RDP template to a certificate authority. For servers to automatically enroll and stop generating and using self-signed certificates, a GPO must be configured. The GPO setting is located under: Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security, Server authentication certificate template. Update the policy with the template name or OID of the RDP certificate template, select the Enabled radio button, then click OK. When the GPO refresh applies to the targeted servers, they will enroll for the new certificate and use it for RDP connections.
When setting the Certificate Template Name for the RDP template in the GPO, the template's OID may be used instead of the template name. The OID is shown under the Extensions tab in the Certificate Template Information extension, or via certutil: Certutil -adtemplate -v "<template name>".
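To confirm on a targeted server that the GPO above actually took effect and the RDP listener now presents the PKI-issued certificate rather than the self-signed one, here is an added verification script (not part of the original post). It assumes the default RDP-Tcp listener and that the policy setting is stored in the CertTemplateName value under the Terminal Services policy key; run it elevated after a GPO refresh.

```powershell
# Added verification script; not from the original post. Assumes the default
# 'RDP-Tcp' listener and that the GPO writes its template choice to the
# CertTemplateName value under the Terminal Services policy key (assumption).
# Run elevated on a server the GPO targets after the policy has applied.

$RdpAuthEku      = '1.3.6.1.4.1.311.54.1.2'  # Remote Desktop Authentication EKU
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information extension
$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpListenerCertificate {
    # The listener records the thumbprint of the certificate it presents;
    # look that thumbprint up in the machine personal store.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName 'Win32_TSGeneralSetting' `
                          -Filter "TerminalName='RDP-Tcp'"
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
}

function Test-RdpCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert) {
        return [pscustomobject]@{ Result = 'FAIL'; Reasons = 'No certificate bound to RDP-Tcp' }
    }
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $hasTpl = [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid })
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    $findings = @()
    if ($Cert.Subject -eq $Cert.Issuer)   { $findings += 'Self-signed: GPO/enrollment not applied yet' }
    if ($ekus -notcontains $RdpAuthEku)   { $findings += "Missing EKU $RdpAuthEku" }
    if (-not $hasTpl)                     { $findings += 'No template extension: not issued from AD CS' }
    if (-not $chain.Build($Cert))         { $findings += 'Chain does not build to a trusted root' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Expires $($Cert.NotAfter)" }

    $result = if ($findings.Count -eq 0) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Result = $result; Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject
        Issuer = $Cert.Issuer; Reasons = ($findings -join '; ')
    }
}

# Show what the GPO set (template name or OID), then test the listener certificate.
$policy = Get-ItemProperty -Path $PolicyKey -Name 'CertTemplateName' -ErrorAction SilentlyContinue
"GPO Server authentication certificate template: $($policy.CertTemplateName)"
Test-RdpCertificate -Cert (Get-RdpListenerCertificate) | Format-List
```

A FAIL with the self-signed reason on a server that should already have enrolled is the symptom to chase first: check that the template is published on the CA and that the target has Read and Enroll on it.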