Remote Desktop Certificate Warning Show Up Again
Hello everyone! Tim Beasley, Platforms PFE here once more from the gorgeous state of Missouri. Here in the fall, in the Ozark Mountains area the colors of the trees are just amazing! But hey, I'm sure wherever y'all are it's nice there too. Quick shout out to my buds SR PFE Don Geddes (RDGURU), and PFE Jacob Lavender who provided some additional insight on this article!

I am writing this blog post to shed some light on the question of "How come we keep getting prompted with warning messages about certificates when we connect to machines via RDP?" A couple of examples you might see when running the Remote Desktop Connection Client (mstsc.exe)…

If you've come across this in your environment, don't fret…as it's a good security practice to have secure RDP sessions. There's also a lot of misleading information out there on the internet… Being a PKI guy myself, I thought I'd chime in a bit to help the community.

The answer to the question? It depends. Okay, I'm done. HA! If only it was that easy! You people reading this right now wouldn't be here if it were that easy, right?

To get started, I'm going to break this topic up into several parts. I'm also going to assume that whoever is reading this knows a bit of PKI terminology.

Unless there are security requirements that they must meet, most organizations don't deploy certificates for systems where they are simply enabling RDP to permit remote connections for administration, or to a client OS like Windows 10. Kerberos plays a huge role in server authentication, so feel free to take advantage of it. The Kerberos authentication protocol provides a mechanism for authentication — and mutual authentication — between a client and a server, or between one server and another server. This is the underlying authentication that takes place on a domain without the requirement of certificates.
However, to enable a solution where the user can connect to the apps or desktops that you have published for them from ANY device and from ANYWHERE, you eventually need to deploy certificates.

Let's be clear on one thing: The warning messages / pop-ups that end users see when connecting via RDP are a GOOD THING. Microsoft wants you to be warned if there's a potential risk of a compromise. Sure, it can be perceived as a hassle sometimes, but dog gone it…don't just click through it without reading what it's trying to tell you in the first place! Why not, you ask? Well, for one thing, using sniffing tools attackers can successfully extract every single key stroke you type into an RDP session, including login credentials. And given that, often customers are typing in domain admin credentials…which means you could have just given an attacker using a Man-in-the-Middle (MITM) attack the keys to the kingdom. Granted, current versions of the Remote Desktop Client combined with TLS make those types of attacks much more difficult, but there are still risks to be wary of.

I'm going to go through a few scenarios where the warning messages can be displayed, and then how you can remediate them THE SUPPORTED WAY. I can't tell you how many times we've seen customers manually change registry settings or use other hacks to avoid the warning prompts. However, what should be done is making sure the remote computers are properly authenticated in the first place. DO NOT JUST HACK THE REGISTRY TO PREVENT WARNING PROMPTS FROM OCCURRING.

Read the following quick links, and pick which one applies to your situation (or read them all):

Scenario 1: Regardless of whether the RDS Role has been deployed, there is no internal PKI (no ADCS), and you're experiencing certificate warning prompts when establishing RDP connections.

I'm going to begin this by saying that I'm only including this scenario because I've run into it in the past.
We HIGHLY recommend you have an internal PKI/ADCS deployed in your environment. Although technically achievable, using self-signed certificates is usually NOT a good thing, as it can lead to a never-ending scenario of having to deploy self-signed certs throughout a domain. Talk about a management overhead nightmare! Additionally, the security risk to your environment is elevated…especially in public sector or government environments. Needless to say, any security professional would have a field day with this practice in ANY environment. IT life is much better when you have ADCS or some other PKI solution deployed in an organization.

A fellow colleague of mine, Jacob Lavender (PFE), wrote a great article on how to remove self-signed RDP certificates…so if you want the details on how you can accomplish this, check out this link! Jacob has also written a couple of awesome guides that will come in handy when avoiding this scenario. The first one is a guide on how to build out an Active Directory Certificate Services (ADCS) lab, and the second link is for building out an RDS Farm in a lab. Both of course feature the amazing new Windows Server 2016, and they are spot on to help you avoid this first scenario. Just remember they are guides for LAB environments. Off my soapbox now…back to the topic at hand:

More than likely, you've decided to RDP to a machine via IP address. I don't know how many users are out there that believe that this method is right. Sure, it works…but guess what? You will always get the warning because you are trying to connect using an IP address instead of a name, and a certificate can't be used to authenticate an IP address. Neither can Kerberos, for that matter. So, RDP asks you to make sure you want to connect, since it can't verify that this is really the machine you want to connect to. Main security reason: Someone could have hijacked it.
(This is very easily done in environments that don't use secure DNS, btw…) Take a quick second to smack yourself for doing this, and make a mental note to establish RDP sessions using machine names going forward…go on, I'll wait.

If just changing HOW you connect via RDP to machines (names vs IP address) fixes your problem…congrats! You can stop reading now. And in case you're wondering, yes…that's a supported solution. *stifles laughter*

However, if RDP using names still produces warning messages, then let's go on. You've launched the RDP client (mstsc.exe) and typed in the name of a machine…hit connect…and up pops a warning regarding a certificate problem. At this point, typically this is because the self-signed certificate each server generates for secure RDP connections isn't trusted by the clients. Think of a Root CA Certificate and the chain of trust. Your clients want to use/trust certificates that a CA issues, but they must trust the certificate authority that the certificates come from, right? RDP is doing the same thing. The client machine you're trying to establish the RDP session from doesn't have the remote machine's self-signed certificate in the local Trusted Root CA certificate store. So how do we remedy that?

Solution for this scenario: Export the remote machine's certificate (no private key needed) and create a GPO that deploys the self-signed certificate from the remote machine to the local machine. Import the remote machine's certificate into a new GPO at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. This will install the machine's certificate accordingly on the local machine, so the next time you RDP using the remote machine's name, the warning vanishes.

One little caveat though: Certificate SAN names for CNAME DNS entries.
If you use CNAME (alias) DNS records in your environment, DO NOT try to connect to a machine using the CNAME entry unless that CNAME exists on the certificate. The name you're trying to connect to must exist on the certificate! Otherwise you'll get warnings despite the fact that the cert is deployed in the local Trusted Root CA store. Just because it's trusted doesn't guarantee warnings are forever gone. You still must connect using the correct machine names. Notice I didn't say to make any registry changes or click the little "Don't ask me again for connections to this computer" option? The idea is to get rid of the warning message the right way…heh.

Scenario 2: The Remote Desktop Services ROLE has NOT been deployed yet, you have an internal MS PKI (ADCS), and you're experiencing certificate warning prompts when establishing RDP connections.

Okay, this scenario is a little like the previous one, except for a few things. Devil's in the details! First, your domain-joined client should already have a valid chain of trust if ADCS is deployed…so that can't be the root cause. But perhaps it's not a domain-joined client…in that case, get the appropriate certificate(s) installed on your local machine to have a valid chain of trust and eliminate that possibility. Moving on and re-referencing the info in Part 1, quit trying to RDP to an IP address, and make sure you're connecting to a machine that has a certificate containing the name you're trying to establish an RDP session to. I don't believe I need to harp on that one any more…

Normally when deploying ADCS, certificate autoenrollment is configured as a good practice. In this case, all users and machines can be configured to automatically enroll for a certificate, provided a published template's permissions are set correctly. But RDS is a bit different, since it can use certificates that not all machines have.
For instance, just because a machine with autoenrollment enabled acquires a computer certificate from an ADCS issuing CA doesn't mean RDS will use it automatically. Remember, by default the local Remote Desktop Protocol will use the self-signed certificate…not one issued by an internal CA…even if it contains all the right information. If you want to use a certificate other than the default self-signed certificate that RDP creates, you must configure the RDP listener to use the custom certificate…just installing the cert isn't enough. If needed, refer to this article for additional info on configuring the RDP listener for WS2012 / 2012R2. Basically, you need the correct certificate with the appropriate corresponding GPO settings for RDS to use it…and that should solve the warning messages. How do we do that?

Keep in mind the requirements of certificates that RDS uses:

Now that you have the certificate requirements, you'll want to create a custom certificate template with the above EKU settings (or none…but I've always used Server Auth or RDA). It's always best to use a custom certificate template, and not the default ones. But I'm not going to completely go off on a PKI best practices rant here…that's for another day. (There are several articles that walk you through this process if you haven't done so already – here and here.) Once the template's created and scoped appropriately via permissions (autoenrollment or whatever), then it's time for the machine to request the certificate. Remember, certificates you deploy need to have a subject name (CN) or subject alternate name (SAN) that matches the name of the server that a user is connecting to! And in this scenario where the RDS Roles aren't deployed, the subject name will typically be the machine's name…configure the certificate template to pull the subject name from AD. Manual enrollment is a bit time consuming, so I prefer autoenrollment functionality here.
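Here is an added check (example code written for this post, not code from the original article or from Microsoft) that tells you which certificate the local RDP listener is actually presenting and whether it meets the requirements just described: not the default self-signed cert, carrying the Server Authentication or Remote Desktop Authentication EKU, and with a CN/SAN that covers the name users type into mstsc.exe. It assumes it is run elevated on the member server being checked; the expected name parameter is an assumption and defaults to the machine's FQDN.

```powershell
# Added example: report the RDP-Tcp listener certificate and test it against the
# requirements in the post. Assumes an elevated session on the server itself.
param(
    # Assumed: the name clients connect with (CNAMEs count!). Defaults to the FQDN.
    [string]$ExpectedName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU
$RdaOid        = '1.3.6.1.4.1.311.54.1.2'  # Remote Desktop Authentication EKU

function Get-RdpListenerCertificate {
    # Same WMI class the post drives with wmic / Set-WmiInstance, read via CIM.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $ts.SSLCertificateSHA1Hash
    # A CA-issued listener cert sits in the machine's Personal store; the default
    # self-signed one lives in the "Remote Desktop" store.
    foreach ($store in 'My', 'Remote Desktop') {
        $cert = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb }
        if ($cert) { return $cert }
    }
}

function Test-RdpCertificateName {
    param([string[]]$CertNames, [string]$Name)
    # Exact match, or a wildcard cert (*.contoso.com) whose domain part matches.
    foreach ($n in $CertNames) {
        if ($n -ieq $Name) { return $true }
        if ($n.StartsWith('*.') -and ($Name -ilike $n)) { return $true }
    }
    return $false
}

$cert = Get-RdpListenerCertificate
if (-not $cert) { throw 'Listener thumbprint not found in the LocalMachine stores.' }

# Collect EKU OIDs from the certificate's Enhanced Key Usage extension, if any.
$ekus = foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
}
# DnsNameList is PowerShell's view of the SAN DNS entries (falls back to the CN).
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

[pscustomobject]@{
    Thumbprint  = $cert.Thumbprint
    Issuer      = $cert.Issuer
    SelfSigned  = ($cert.Subject -eq $cert.Issuer)            # the Scenario 1 symptom
    # The post allows templates with Server Auth, RDA, or no EKU at all.
    RdpEkuOk    = (@($ekus).Count -eq 0) -or ($ekus -contains $ServerAuthOid) -or ($ekus -contains $RdaOid)
    NameMatches = Test-RdpCertificateName -CertNames $names -Name $ExpectedName
    NamesOnCert = ($names -join ', ')
    ExpiresUtc  = $cert.NotAfter.ToUniversalTime()
}
```

SelfSigned = True with NameMatches = False is the combination that keeps producing the prompt even after the GPO and template work is done.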
What about computers that don't have RDS enabled, will they get those certificates too? Answer: If autoenrollment is configured and the template is configured to auto-enroll "domain computers", then Yes. To keep the CA from handing out a ton of certs from multiple templates, only scope the template permissions to a security group that contains the machine(s) you want enrollment from. I always recommend configuring certificate templates to use specific security groups. Where certificates are deployed is all dependent upon what your environment requires. Just take the time to plan / lab things out before deploying to production…

Next, we configure Group Policy. This is to ensure that ONLY certificates created by using your custom template will be considered when a certificate to authenticate the RD Session Host Server (or machine) is automatically selected. Translation: only the cert that came from your custom template will be used when someone connects via RDP to a machine…not the self-signed certificate. Create a new GPO at the domain level (or OU…and don't use the Default Domain Policy…bad practice), then edit it. Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Session Host -> Security. The option you want to set is "Server Authentication certificate template." Just type in the name of your custom certificate template, and close the policy to save it. As soon as this policy is propagated to the corresponding domain computers (or forced via gpupdate.exe), every machine the GPO is scoped to that allows Remote Desktop Connections will use it to authenticate RDP connections.

Here's an example: In my lab, a custom certificate with the Remote Desktop Authentication EKU was installed via autoenrollment. I then created a GPO called "RDP Certificate" and linked it at the domain level. I updated group policy on a member server, and tested it.
Proof: In my lab, I got a warning message since I tried to RDP to an IP. Image2 shows the OID for the custom EKU of Remote Desktop Authentication. Of course, as soon as I tried to connect using the correct machine name, it connected right up as expected. Warning went POOF!

Another way of achieving this result, and forcing machines to use a specific certificate for RDP…is via a simple WMIC command from an elevated prompt, or you can use PowerShell. The catch is that you must do it from the individual machine. You will need the thumbprint of the certificate you wish RDP to use, and the cert itself must be in the machine's personal store with the appropriate EKU.

CMD:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

PowerShell:
$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -Argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Quick, easy, and efficient…but unless you script it out to hit all machines involved, you'll only impact one at a time instead of using a scoped GPO.

Scenario 3: The Remote Desktop Services Roles have been deployed, you have an ADCS PKI, and you're experiencing certificate warning prompts when establishing RDP connections.

Now we get to the meaty part (as if I haven't written enough already). Unlike the above two scenarios, you don't really need special GPO settings to deploy certificates, force RDS to use specific certs, etc. The roles themselves handle all that. Let's say Remote Desktop Services has been fully deployed in your environment. It can be 2008 R2 RDS, or 2012 / 2012 R2 RDS. Doesn't matter…or does it? Kristin Griffin wrote an excellent TechNet Article detailing how to use certificates and, more importantly, why, for every RDS role service.
Her article details RDS certificates for Server 2008 R2, GPO settings, etc. When it comes to WS2012 and WS2012R2, however, it gets easier and a bit less complicated. Just remember the principles are the same. Again, we use certificates to maximize security pertaining to Remote Desktop Connections and RDS.

By default, RD Session Host sessions use native RDP encryption. However, RDP does not provide authentication to verify the identity of an RD Session Host server. You can enhance the security of RD Session Host sessions by using Secure Sockets Layer (SSL) Transport Layer Security (TLS 1.0) for server authentication and to encrypt RD Session Host communications. The RD Session Host server and the client computer must be correctly configured for TLS to provide enhanced security. (https://technet.microsoft.com/en-us/library/ff458357.aspx)

First thing to check if warnings are occurring is (yeah, you guessed it)…are users connecting to the right name? Next, check the certificate(s) that are being used to ensure they contain the proper and accurate information. Referring to the methods mentioned in

The following information is from this TechNet Article:

"In Windows 2008 and Windows 2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, then to the connection broker, and finally to the server that hosts your session. In Windows 2012 / 2012R2, you connect to the connection broker, and it then routes you to the collection by using the collection name. The certificates you deploy need to have a subject name (CN) or subject alternate name (SAN) that matches the name of the server that the user is connecting to. For example, for Publishing, the certificate needs to contain the names of all the RDSH servers in the collection. The certificate for RDWeb needs to contain the FQDN or the URL, based on the name the users connect to.
If you have users connecting externally, this needs to be an external name (it needs to match what they connect to). If you have users connecting internally to RDWeb, the name needs to match the internal name. For Single Sign On, the subject name needs to match the servers in the collection."

Go and read that article thoroughly. It talks about proper SAN names to include for external and internal naming for the 2012 / 2012 R2 RDS server roles. Only the RD Web Access and RD Gateway roles should ever be exposed to the Internet, which means obtaining a certificate for those roles from a Public CA.

Now that you have created your certificates and understand their contents, you need to configure the Remote Desktop Server roles to use those certificates. This is the cool part! For 2012 / 2012R2: You can use a single certificate for all the roles if your clients are internal to the domain only, by generating a wildcard certificate (for example: *.CONTOSO.com) and binding it to all roles. Or you will use multiple certs if you have both internal and external requirements. Note: even if you have multiple servers in the deployment, Server Manager will import the certificate to all servers, place the certificate in the trusted root for each server, and then bind the certificate to the respective roles. See! Told you it was cool! You don't have to manually do anything to each individual server in the deployment! You can, of course, but it's typically not mandatory.

PRO TIP: For most scenarios where the client is not domain-joined but is connecting via RDP to a machine that IS domain-joined, you should probably be using an RD Gateway…since in those scenarios the client is coming in externally anyways.

To recap…DON'T try to establish an RDP connection using an IP address. DO use the correct naming. DO use an internal PKI and/or GPOs. DO use custom templates with proper EKUs. DO use RDS.
And for all our sanity, do NOT mess with the security level and encryption level settings! The default settings are the most secure. Just leave them alone and keep it simple.

Thank you for taking the time to read through all this information. I tried to think of all the scenarios I personally have come across in my experiences throughout the past 25 years, and I hope I didn't miss any. If I did, please feel free to ask! Happy RDP'ing everyone!

Tim Beasley, Microsoft PFE – Platforms.
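For the 2012 / 2012 R2 deployment in Scenario 3, the Server Manager step that binds one certificate to every role can also be driven from the RemoteDesktop module on the Connection Broker. This is an added example written for this page, not code from the original post or from Microsoft; the broker FQDN and PFX path are placeholders, and it assumes the internal-only wildcard case described above.

```powershell
# Added example: bind a single (internal-only) wildcard certificate to all four
# RDS 2012 / 2012 R2 role certificates, then report what each role is using.
# Assumes an elevated session on the RD Connection Broker with the RemoteDesktop
# module available, and a PFX exported from the ADCS-issued wildcard certificate.
Import-Module RemoteDesktop

$Broker  = 'rdcb01.contoso.com'          # placeholder: your RD Connection Broker FQDN
$PfxPath = 'C:\certs\rds-wildcard.pfx'   # placeholder: PFX containing *.contoso.com
$PfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'

# Internal-only case from the post: one wildcard cert covers every role. When users
# come in externally, use a public-CA cert for RDGateway and RDWebAccess instead,
# and drop roles that are not part of your deployment from this list.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPwd `
        -ConnectionBroker $Broker -Force
}

# Verify: every role should now show the same thumbprint and a Trusted level.
# A role still showing an untrusted or mismatched subject is the one users will
# get a certificate warning from.
Get-RDCertificate -ConnectionBroker $Broker
```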
Scenario quick links:
Scenario 1: No ADCS PKI and no RDS roles
Scenario 2: ADCS PKI and no RDS roles
Scenario 3: ADCS PKI and RDS roles
Source: https://argonsys.com/microsoft-cloud/library/remote-desktop-connection-rdp-certificate-warnings/