Terminal server rdp, tls certificates & subject alternative names?

Guest DavidB
Posted

Cross posting from microsoft.public.security.crypto:

I need to issue some certificates to my terminal servers so I can secure RDP sessions. I want to use the negotiate TLS and I want to get rid of the warning messages from the new RDP client. I've been having a difficult time issuing a certificate which will have all the names I need for a particular server.

The default certificate only includes the FQDN of the server which is not too smart in my opinion because locally connected machines use the common or short name or ip address to connect up.

From Exchange 2007 certificates I know that we need a SAN or subject alternative name to get these to authenticate correctly. I wanted to enter the dns entry for the server short name and the ip address if possible to the SAN.

I can't get these issued correctly using the mmc console because it just streamlines the process and never asks me for the SAN entries. I've tried the command line certreq but that certificate always gets issued to the administrator and the terminal server won't allow me to use it! I don't have the IIS pages installed for security.

Anyone else run into this issue and solve it? Driving me nuts!!

Thanks in advance,
DavidB

Guest S. Pidgorny
Posted

Yes you can put short name and IP as SANs, no restrictions there, I think.

As to fast and easy way of enrolling - install the Web pages. Having the pages installed doesn't compromise security (if you're eccentrically paranoid - only bind Web services to 127.0.0.1, restricting access to the console)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

"DavidB" <biddled@gmail.com> wrote in message news:1dcddb0f-6518-4e8d-9239-99fc3bfdc67a@8g2000hse.googlegroups.com...

> Cross posting from microsoft.public.security.crypto:
>
> I need to issue some certificates to my terminal servers so I can secure RDP sessions. I want to use the negotiate TLS and I want to get rid of the warning messages from the new RDP client. I've been having a difficult time issuing a certificate which will have all the names I need for a particular server.
>
> The default certificate only includes the FQDN of the server which is not too smart in my opinion because locally connected machines use the common or short name or ip address to connect up.
>
> From Exchange 2007 certificates I know that we need a SAN or subject alternative name to get these to authenticate correctly. I wanted to enter the dns entry for the server short name and the ip address if possible to the SAN.
>
> I can't get these issued correctly using the mmc console because it just streamlines the process and never asks me for the SAN entries. I've tried the command line certreq but that certificate always gets issued to the administrator and the terminal server won't allow me to use it! I don't have the IIS pages installed for security.
>
> Anyone else run into this issue and solve it? Driving me nuts!!
>
> Thanks in advance,
> DavidB

Guest DavidB
Posted

Re: Terminal server rdp, tls certificates & subject alternative names?

 

On Jul 1, 4:06 am, "S. Pidgorny <MVP>" <slavi...@yahoo.com> wrote:

> Yes you can put short name and IP as SANs, no restrictions there, I think.
>
> As to fast and easy way of enrolling - install the Web pages. Having the pages installed doesn't compromise security (if you're eccentrically paranoid - only bind Web services to 127.0.0.1, restricting access to the console)


 

Thank you Svyatoslav, I'll give that a try! I was trying to keep my server as lean as possible but maybe I'll just stop the IIS service when not in use.

Guest DavidB
Posted

Re: Terminal server rdp, tls certificates & subject alternative names?

 

On Jul 1, 4:06 am, "S. Pidgorny <MVP>" <slavi...@yahoo.com> wrote:

> Yes you can put short name and IP as SANs, no restrictions there, I think.
>
> As to fast and easy way of enrolling - install the Web pages. Having the pages installed doesn't compromise security (if you're eccentrically paranoid - only bind Web services to 127.0.0.1, restricting access to the console)


 

The web pages worked. I created a duplicate of the web server template and added client authentication. I also chose the option to specify the SAN entries instead of pulling them from Active Directory. It took a few tries but I finally got the syntax correct, in the attributes box for the web enrollment I had to enter "SAN:dns=svr&dns=svr.domain.com&ipaddress=x.x.x.x"

Once I installed the certificate, I assigned it to the rdp protocol and chose to negotiate security. Now the short name and FQDN don't generate errors when connecting up via rdp. I was hoping to also use the IP address without error but that didn't work. Perhaps entering another "&dns=x.x.x.x" would get around that.

Thanks again for your help!
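As an added example (not code from anyone in this thread), the Python below parses a web-enrollment SAN attribute string of the form used above into the SAN entries a CA would encode, then applies RFC 2818 section 3.1 / RFC 6125 style name matching to show which connection targets (short name, FQDN, IP literal) a standards-following client would accept. The host names and the address 192.0.2.10 are constructed sample values; the second attribute string shows that an IP literal placed in a dns= item is only ever a dNSName and so never satisfies an IP-literal target.

```python
import ipaddress

def parse_san_attribute(attr):
    """Parse a web-enrollment attribute such as
    'SAN:dns=svr&dns=svr.domain.com&ipaddress=192.0.2.10' into
    (SAN type, value) pairs, the way the issuing CA would encode them."""
    prefix, sep, body = attr.partition(":")
    if not sep or prefix.strip().lower() != "san":
        raise ValueError("attribute must start with 'SAN:'")
    entries = []
    for item in body.split("&"):
        key, eq, value = item.partition("=")
        if not eq or not value.strip():
            raise ValueError(f"malformed SAN item: {item!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "dns":
            # dNSName values compare case-insensitively (RFC 6125 6.4.1)
            entries.append(("dNSName", value.rstrip(".").lower()))
        elif key == "ipaddress":
            # ipaddress.ip_address rejects anything that is not a literal IP
            entries.append(("iPAddress", str(ipaddress.ip_address(value))))
        else:
            raise ValueError(f"unsupported SAN key: {key!r}")
    return entries

def target_matches(target, san_entries):
    """RFC 2818 3.1 / RFC 6125 matching: an IP-literal target must exactly
    equal an iPAddress entry; a host name must equal a dNSName entry
    (no wildcard handling). An IP stored as dNSName never matches an IP."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "iPAddress" and v == str(ip) for t, v in san_entries)
    host = target.rstrip(".").lower()
    return any(t == "dNSName" and v == host for t, v in san_entries)

def check_targets(attr, targets):
    """Return {target: accepted?} for every way a client might address the server."""
    entries = parse_san_attribute(attr)
    return {t: target_matches(t, entries) for t in targets}

if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is from the TEST-NET-1 documentation range.
    good = "SAN:dns=svr&dns=svr.domain.com&ipaddress=192.0.2.10"
    bad = "SAN:dns=svr&dns=svr.domain.com&dns=192.0.2.10"  # IP put in a dns= item
    for attr in (good, bad):
        print(attr, check_targets(attr, ["SVR", "svr.domain.com", "192.0.2.10"]))
```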
