Terminal server rdp, tls certificates & subject alternative names?

  • Thread starter Thread starter DavidB
  • Start date Start date
D

DavidB

Cross posting from micorosft.public.security.crypto:

I need to issue some certificates to my terminal servers so I can
secure RDP sessions. I want to use the negotiate TLS and I want to
get rid of the warning messages from the new RDP client. I've been
having a difficult time issuing a certificate which will have all the
names I need for a particular server.

The default certificate only includes the FQDN of the server which is
not too smart in my opinion because locally connected machines use
the
common or short name or ip address to connect up.


From Exchange 2007 certificates I know that we need a SAN or subject
alternative name to get these to authenticate correctly. I wanted to
enter the dns entry for the server short name and the ip address if
possible to the SAN.


I can't get these issued correctly using the mmc console because it
just streamlines the process and never asks me for the SAN entries.
I've tried the command line certreq but that certificate always gets
issued to the administrator and the terminal server won't allow me to
use it! I don't have the IIS pages installed for security.


Anyone else run into this issue and solve it? Driving me nuts!!


Thanks in advance,
DavidB
 
Yes you can put short name and IP as SANs, no restrictions there, I think.
As to fast and easy way of enrolling - install the Web pages. Having the
pages installed doesn't compromise security (if you're eccentricalyy
paranoid - only bind Web services to 127.0.0.1, restricting access to the
console)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"DavidB" wrote in message
news:1dcddb0f-6518-4e8d-9239-99fc3bfdc67a@8g2000hse.googlegroups.com...
> Cross posting from micorosft.public.security.crypto:
>
> I need to issue some certificates to my terminal servers so I can
> secure RDP sessions. I want to use the negotiate TLS and I want to
> get rid of the warning messages from the new RDP client. I've been
> having a difficult time issuing a certificate which will have all the
> names I need for a particular server.
>
> The default certificate only includes the FQDN of the server which is
> not too smart in my opinion because locally connected machines use
> the
> common or short name or ip address to connect up.
>
>
> From Exchange 2007 certificates I know that we need a SAN or subject
> alternative name to get these to authenticate correctly. I wanted to
> enter the dns entry for the server short name and the ip address if
> possible to the SAN.
>
>
> I can't get these issued correctly using the mmc console because it
> just streamlines the process and never asks me for the SAN entries.
> I've tried the command line certreq but that certificate always gets
> issued to the administrator and the terminal server won't allow me to
> use it! I don't have the IIS pages installed for security.
>
>
> Anyone else run into this issue and solve it? Driving me nuts!!
>
>
> Thanks in advance,
> DavidB
 
Re: Terminal server rdp, tls certificates & subject alternativenames?

On Jul 1, 4:06 am, "S. Pidgorny " wrote:
> Yes you can put short name and IP as SANs, no restrictions there, I think.
> As to fast and easy way of enrolling - install the Web pages. Having the
> pages installed doesn't compromise security (if you're eccentricalyy
> paranoid - only bind Web services to 127.0.0.1, restricting access to the
> console)
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> *http://sl.mvps.org*http://msmvps.com/blogs/sp*
>
> "DavidB" wrote in message
>
> news:1dcddb0f-6518-4e8d-9239-99fc3bfdc67a@8g2000hse.googlegroups.com...
>
>
>
> > Cross posting from micorosft.public.security.crypto:
>
> > I need to issue some certificates to my terminal servers so I can
> > secure RDP sessions.  I want to use the negotiate TLS and I want to
> > get rid of the warning messages from the new RDP client.  I've been
> > having a difficult time issuing a certificate which will have all the
> > names I need for a particular server.
>
> > The default certificate only includes the FQDN of the server which is
> > not too smart in my opinion because locally connected machines use
> > the
> > common or short name or ip address to connect up.
>
> > From Exchange 2007 certificates I know that we need a SAN or subject
> > alternative name to get these to authenticate correctly.  I wanted to
> > enter the dns entry for the server short name and the ip address if
> > possible to the SAN.
>
> > I can't get these issued correctly using the mmc console because it
> > just streamlines the process and never asks me for the SAN entries.
> > I've tried the command line certreq but that certificate always gets
> > issued to the administrator and the terminal server won't allow me to
> > use it! I don't have the IIS pages installed for security.
>
> > Anyone else run into this issue and solve it?  Driving me nuts!!
>
> > Thanks in advance,
> > DavidB- Hide quoted text -
>
> - Show quoted text -

Thank you Svyatoslav, I'll give that a try! I was trying to keep my
server as lean as possible but maybe I'll just stop the IIS service
when not in use.
 
Re: Terminal server rdp, tls certificates & subject alternativenames?

On Jul 1, 4:06 am, "S. Pidgorny " wrote:
> Yes you can put short name and IP as SANs, no restrictions there, I think..
> As to fast and easy way of enrolling - install the Web pages. Having the
> pages installed doesn't compromise security (if you're eccentricalyy
> paranoid - only bind Web services to 127.0.0.1, restricting access to the
> console)
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> *http://sl.mvps.org*http://msmvps.com/blogs/sp*
>
> "DavidB" wrote in message
>
> news:1dcddb0f-6518-4e8d-9239-99fc3bfdc67a@8g2000hse.googlegroups.com...
>
>
>
> > Cross posting from micorosft.public.security.crypto:
>
> > I need to issue some certificates to my terminal servers so I can
> > secure RDP sessions.  I want to use the negotiate TLS and I want to
> > get rid of the warning messages from the new RDP client.  I've been
> > having a difficult time issuing a certificate which will have all the
> > names I need for a particular server.
>
> > The default certificate only includes the FQDN of the server which is
> > not too smart in my opinion because locally connected machines use
> > the
> > common or short name or ip address to connect up.
>
> > From Exchange 2007 certificates I know that we need a SAN or subject
> > alternative name to get these to authenticate correctly.  I wanted to
> > enter the dns entry for the server short name and the ip address if
> > possible to the SAN.
>
> > I can't get these issued correctly using the mmc console because it
> > just streamlines the process and never asks me for the SAN entries.
> > I've tried the command line certreq but that certificate always gets
> > issued to the administrator and the terminal server won't allow me to
> > use it! I don't have the IIS pages installed for security.
>
> > Anyone else run into this issue and solve it?  Driving me nuts!!
>
> > Thanks in advance,
> > DavidB- Hide quoted text -
>
> - Show quoted text -

The web pages worked. I created a duplicate of the web server
template and added client authentication. I also chose the option to
specify the SAN entries instead of pulling them from Active
Directory. It took a few tries but I finally got the syntax correct,
in the attributes box for the web enrollment I had to enter
"SAN:dns=svr&dns=svr.domain.com&ipaddress=x.x.x.x"
Once I installed the certificate, I assigned it to the rdp protocol
and chose to negotiate security. Now the short name and FQDN don't
generate errors when connecting up via rdp. I was hoping to also use
the IP address without error but that didn't work. Perhaps entering
another "&dns=x.x.x.x" would get around that.
Thanks again for your help!
 
Back
Top