After plowing the web for quite some time looking for a guide on how to set up certificates on an RDS farm using an internal CA, I figured out a couple of things:
1) It’s actually pretty easy, but a bit tedious.
2) Apparently no one bothers making guides for easy things, and after writing this guide, I fully understand that.
Don’t be intimidated by the length of all of this: you only have to do it once, and it’s all GUI based.
First off: you’ll need an Enterprise CA in your domain. I haven’t tried this with a standalone CA, but I imagine it’ll be a bit trickier.
Installing the CA, if you haven’t done it, is pretty straightforward. Just two warnings first:
1) If at all possible, don’t install it on a DC. In my experience you might be in a world of frustration trying to figure out DCOM permissions and service privileges. You’ll probably be fine, but if you get into trouble, you’re pretty much on your own. There aren’t really that many people in the world with extensive knowledge of the intricate workings of a CA, and if you’re reading this, you’re not one of them.
2) Best practice is to put the database and log files for the CA on a separate drive (as with all such things), though depending on your environment, that may not be a must. But keep it in mind.
So: fire up the Server Manager, click Add Roles, and select Active Directory Certificate Services. Aside from moving the database, keep the default settings. You might need web enrollment for other things, but not this.
Reboot the server (do it for good measure even if not prompted), and your CA is up and running. Congrats!
Now you need to define an RDS template. Lord knows why this isn’t built in, but I guess that’s why he created consultants (such as myself).
The RDS team has this pretty much down to a T on their blog post, as they should, since they made the damn thing. I’ll paste the relevant section here; check out the blog post for other details.
Creating Remote Desktop certificate template:
- On the computer that has your enterprise Certification Authority installed start MMC and open the “Certificate Templates” MMC snap-in.
- Find the “Computer” template, right-click on it, and then choose “Duplicate Template” from the menu.
- In the “Duplicate Template” dialog box, choose “Windows Server 2003 Enterprise” template version.
- The “Properties of New Template” dialog box will appear.
- On the “General” page of this dialog box, set both “Template display name” and “Template name” to “RemoteDesktopComputer”. Note: it is important to use the same string for both properties.
- On the “Extensions” page, select “Application Policies”, and then click the “Edit…” button.
- The “Edit Application Policies Extension” dialog box appears.
- Now you can either remove the “Client Authentication” policy leaving the “Server Authentication” policy, or you can use the special “Remote Desktop Authentication” policy. Doing the latter will prevent certificates based on this template from being used for any purpose other than Remote Desktop authentication.
- To create the “Remote Desktop Authentication” policy, first remove both the “Client Authentication” and “Server Authentication” policies, and then click “Add…”
- The “Add Application Policy” dialog box appears. In this dialog box click the “New…”
- The “New Application Policy” dialog box appears. In this dialog box, set “Name” to “Remote Desktop Authentication” and “Object Identifier” to “1.3.6.1.4.1.311.54.1.2”, and then click “OK.”
- Select “Remote Desktop Authentication” in the “Add Application Policy” dialog box, and then click “OK.”
- Now the “Edit Application Policies Extension” dialog box should look like this:
- Click “OK” in this dialog box, and then click “OK” in the “Properties of New Template” dialog box.
So after finishing the above steps, open the template again and go to the ‘Subject name’ tab. Make sure it’s set to “Supply in the request”. This will enable you to specify names in the certificate as you please, which is what lets you put the farm name in it later.
Click OK; and your template is ready.
The next step is to make the template you created available on your CA.
Open your Certification Authority management console, right-click Certificate Templates, and select New – Certificate Template to Issue:
Select the Remote Desktop template and click OK.
Good; now the CA is ready.
If you don’t see the template in the list, it’s a replication issue. Either wait, or reboot the server, and the template will appear.
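Before you publish the template, it’s worth checking that what you clicked through actually landed in AD the way you meant it: with “supply in request” enabled, whoever can enroll gets to pick the name that goes into the certificate, so the EKU and the enrollment permissions are what keep that harmless. The PowerShell below is an added example of mine, not the RDS team’s code or part of the original guide. It reads the template object from the Configuration partition, confirms that only the Remote Desktop Authentication EKU (1.3.6.1.4.1.311.54.1.2) is left, confirms the supply-in-request flag, lists who holds the Enroll right, and then publishes the template on the CA with certutil (the same thing as New – Certificate Template to Issue). It assumes the ActiveDirectory module (RSAT) is installed, that you run it on the CA as a CA administrator, and that the template is named RemoteDesktopComputer as above.

```powershell
Import-Module ActiveDirectory

$templateName            = 'RemoteDesktopComputer'
$rdAuthOid               = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU
$clientAuthOid           = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$serverAuthOid           = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
$enrolleeSuppliesSubject = 0x1                        # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$enrollRightGuid         = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right

# Templates live in the Configuration partition, so they replicate forest-wide.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -SearchBase $searchBase -Filter "cn -eq '$templateName'" `
    -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy', 'msPKI-Certificate-Name-Flag'

if (-not $template) {
    throw "Template '$templateName' is not in AD yet. Wait for replication (or reboot, as above)."
}

# The "Application Policies" page writes msPKI-Certificate-Application-Policy; the classic
# EKU extension is pKIExtendedKeyUsage. Check the union of both, dropping empty values.
$ekus = @($template.pKIExtendedKeyUsage) + @($template.'msPKI-Certificate-Application-Policy') |
    Where-Object { $_ } | Sort-Object -Unique

$ok = $true
if ($ekus -notcontains $rdAuthOid) {
    Write-Warning "Remote Desktop Authentication EKU ($rdAuthOid) is missing."
    $ok = $false
}
foreach ($oid in $clientAuthOid, $serverAuthOid) {
    if ($ekus -contains $oid) {
        Write-Warning "EKU $oid is still present; since requesters choose the subject, remove it so the cert is only good for RDP."
        $ok = $false
    }
}

# "Supply in the request" is bit 0x1 of msPKI-Certificate-Name-Flag.
$nameFlags = [int]$template.'msPKI-Certificate-Name-Flag'
if (($nameFlags -band $enrolleeSuppliesSubject) -eq 0) {
    Write-Warning "'Supply in the request' is not set; you won't be able to put the farm name in the certificate."
    $ok = $false
}

# Who may enroll? This should be your RDS hosts (or Domain Computers, if company policy accepts that).
# GenericAll and the all-rights GUID also grant Enroll, so include them in the listing.
$acl = Get-Acl -Path "AD:\$($template.DistinguishedName)"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
                   ($_.ObjectType -eq $enrollRightGuid -or $_.ObjectType -eq [guid]::Empty) } |
    ForEach-Object { "Enroll allowed for: $($_.IdentityReference)" }

if (-not $ok) { throw "Fix the template in the Certificate Templates snap-in before publishing it." }

# Publish on the CA. The leading '+' adds the template to the CA's issue list; '-' would remove it.
certutil -SetCATemplates "+$templateName"
```

Run it once on the CA after the template is saved. If Get-ADObject comes back empty, that’s the replication delay mentioned above; the script only publishes when the EKU and name-flag checks pass, so a template that still carries Client Authentication never makes it onto the CA by accident.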
Now you’ll need to define an auto-enrollment policy. Quite simply, this is a GPO which will enable AD-integrated certificate enrollment.
I set this on the top level of the domain, but keep in mind that this will enable anyone in the domain to request a certificate. That’s not usually a problem, since you likely trust your own domain computers, but this should obviously comply with company policy. The configuration should be set under: User Configuration – Windows Settings – Public Key Policies.
Open Certificate Services Client – Certificate Enrollment Policy. Enable this and click ‘Add’.
Select ‘Use default….’ and click add. Now it should look like this:
Now, wait for the policy to replicate, or run a gpupdate; whatever floats your boat.
Keep in mind that after installing a CA, the root certificate of this CA will only replicate to clients/servers during startup (correct me if I’m wrong here). So if you haven’t rebooted the RDS servers, you won’t get any options for auto-enrollment. If you’re not able to reboot them, you can manually install the root certificate by exporting it from the CA and importing it as a trusted root certification authority on the servers. I won’t cover that here.
On the server, open MMC, click File – Add/Remove Snap-in, then select Certificates and Computer account (Local computer). This is the certificate store on your computer.
In order to request a new certificate, right-click ‘Personal’ and select “All Tasks – Request New Certificate”. Click Next on the following dialog box, and your auto-enrollment policy should appear.
Click Next; and you should get something like this:
Select RemoteDesktopComputer, and click the ‘More information….’ link. This is because we’ve disabled using the AD computer account for identification, so that we can add the farm name.
In the following dialog-box, enter your farm-info:
Now all that is left is to assign the certificate to the RDS-connection.
Go to Remote Desktop Host Configuration, and double-click the TCP connection.
On the ‘general’ tab; simply click Select at the bottom, and select your new certificate.
You will need to do this on all farm servers, but not on the broker.
The clients also need to restart in order to get the CA root certificate, which is what makes them trust the new RDS certificate.
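Since you have to repeat the request-and-select routine on every farm server, here it is scripted for one server, as an added example of mine rather than anything from the original guide. It does the two GUI steps above (request from the RemoteDesktopComputer template with the farm name supplied in the request, then bind the result to the RDP-Tcp listener) and adds the checks the GUI doesn’t give you: that the issued certificate carries only the Remote Desktop Authentication EKU, that it chains to a root this server already trusts (so you notice the “root only arrives at startup” problem before clients do), and that the listener really did pick up the new thumbprint. It assumes Windows Server 2012 or later, where the PKI module’s Get-Certificate cmdlet exists and the TerminalServices WMI namespace requires PacketPrivacy authentication; the farm name is a constructed placeholder.

```powershell
Import-Module PKI

$farmFqdn     = 'rdsfarm.corp.example'   # constructed placeholder: put your farm DNS name here
$serverFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$templateName = 'RemoteDesktopComputer'
$rdAuthOid    = '1.3.6.1.4.1.311.54.1.2'  # Remote Desktop Authentication EKU

# 1) Request the certificate through the enrollment policy that the GPO published.
#    Subject and SANs are given here because the template says "supply in the request":
#    the farm name as CN, plus the farm name and this host's name as DNS SANs.
$result = Get-Certificate -Template $templateName `
                          -SubjectName "CN=$farmFqdn" `
                          -DnsName $farmFqdn, $serverFqdn `
                          -CertStoreLocation Cert:\LocalMachine\My

if ($result.Status -ne 'Issued') {
    throw "Enrollment status is '$($result.Status)'. Is the template published on the CA, and has the policy applied (gpupdate /force)?"
}
$cert = $result.Certificate

# 2) Check the EKU: only Remote Desktop Authentication should be present.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekus.Count -ne 1 -or $ekus[0] -ne $rdAuthOid) {
    throw "Unexpected EKUs on the issued certificate: $($ekus -join ', ')"
}

# 3) Check the chain: if the CA root hasn't reached this server yet (it is only pushed
#    at startup), the certificate is issued but not trusted, and clients will complain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate does not chain to a trusted root on this server: $reasons"
}

# 4) Bind it to the RDP-Tcp listener: this is what the "Select" button on the General
#    tab of Remote Desktop Session Host Configuration does.
$wmi = @{ Namespace = 'root\cimv2\TerminalServices'; Class = 'Win32_TSGeneralSetting'
          Filter = "TerminalName='RDP-Tcp'"; Authentication = 'PacketPrivacy' }
$listener = Get-WmiObject @wmi
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } `
                -Authentication PacketPrivacy | Out-Null

# 5) Read it back; the listener should now report the new thumbprint.
$bound = (Get-WmiObject @wmi).SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) { throw "Listener still reports thumbprint $bound" }
"RDP-Tcp now uses $($cert.Subject) ($($cert.Thumbprint))"
```

Run it elevated on each session host, not on the broker. If the script succeeds but clients still get the old self-signed certificate, the usual cause is that the Remote Desktop Services service (running as NETWORK SERVICE) cannot read the new private key; granting it Read on the key in the Certificates snap-in (All Tasks – Manage Private Keys) fixes that.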
Now go get a cup of coffee!