Re: "Certificate" property & Connect security
Vera, I admit I did not know of that article but I was troubled to
have misunderstood the Server Authentication feature of terminal
services. I just read the article you mentioned and think the method
described there has a serious flaw. By design a TLS or SSL server
certificate can only be used to enable a client to verify the server's
identity. If client authentication is desired then (normally) client
certificates are used - but terminal services do not support that.
The "hack" described in the article only works if the client does not
trust the CA that issued the TS certificate. While this might be a
workaround it is by no means secure - a user would just have to copy
the server certificate from a co-worker's PC and be granted access to
the TS. Also, in larger organizations, there tends to be an enterprise-
wide CA/PKI in place and thus the root CA would be available to all
computers.
I hope this does not sound like gibberish. I still think there is no
"clean" solution to TS client authentication - maybe there are third-
party tools around that do the job.
Helge
==================
Please visit my blog:
http://it-from-inside.blogspot.com
==================
On 16 Aug., 22:16, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:
> Check if this helps:
>
> How to secure remote desktop connections using TLS/SSL based
> authentication
> http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote on 16 aug 2007 in
> microsoft.public.windows.terminal_services:
>
> > I have added a "Server Authentication Certificate" to my Terminal
> > Service
>
> > like there
> > http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
>
> > but remote users without any "Certificates" can connect to my
> > Terminal Server with message - "Terminal Server have certificate
> > - Ignore?"
>
> > But I want remote users without the "secret Certificate" to be
> > unable to connect to Terminal Service.
>
> > Is it possible?
>
> > Thanks.