Friday, September 09, 2011 12:10 PM
I have recently investigated a problem with a GPO setting related to Remote Desktop (Session Hosts). This problem appears to occur on every environment I have tested on.
When you go to your Remote Desktop Session Host settings you can configure a certificate for RDP connections. This way your RDP connection is secured by a certificate (Server Authentication). This is very handy. You can also configure this on a wider scale by using a GPO. This GPO setting is called "Server Authentication Certificate Template". What it does is look for an already existing certificate based on this template; if none is present, it will request a certificate based on the certificate template.
Great feature. But... when you enable this feature you wind up with multiple/duplicate certificates in your certificate store! This GPO setting is supposed to use an already existing certificate. But apparently it keeps on requesting the same certificate over and over. This causes multiple/duplicate certificates in your certificate store and on the issuing CA, which creates a mess.
Microsoft, can you please have a look into this problem?
This feature is quite handy. But it gives us an unwanted behavior. The following information is related to the GPO setting...
The full path of this node in the Group Policy Management Console is:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
GPO policy setting:
Server Authentication Certificate Template
GPO policy explanation:
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server.
A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during RDP connections.
If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.
If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected.
If you disable or do not configure this policy setting, a self-signed certificate will be used by default to authenticate the RD Session Host server. You can select a specific certificate to be used to authenticate the RD Session Host server on the General tab of the Remote Desktop Session Host Configuration tool.
Boudewijn Plomp, BPMi Infrastructure & Security
Monday, September 12, 2011 5:33 AM (Moderator)
When the 'Server Authentication Certificate Template' GPO setting is configured as described at http://technet.microsoft.com/en-us/library/cc771869(WS.10).aspx.
When this is applied to member servers, it causes them to enroll for a certificate as defined in the GPO, matching the certificate template name. After running gpupdate.exe, the cert shows up as desired, and Terminal Services begins using it for connections.
The problem is that whenever someone manually issues the gpupdate.exe command, or when background refreshes occur, additional/duplicate certificates are enrolled and placed into the computer certificate store.
This is a known issue and is scheduled to be fixed in the future.
This is caused by the API behavior, because the template name must be the same as the template display name: the API for enrolling for a template requires the "template name", while the API for getting the template OID requires the "template display name".
You would have to create the template with matching names.
Technology changes life……
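The duplicate-enrollment problem described in the opening post and the moderator's reply can be audited from the affected server itself. The following PowerShell script is an added example written for this page (not code from the thread or from Microsoft): it lists every certificate in the machine's personal store that carries a given template name, marks the one the RDP-Tcp listener is actually configured to use, and flags the surplus copies for review. The template name 'RDSAuth' is a placeholder; substitute the name configured in the GPO.

```powershell
# Added example, not from the thread. Assumes a Windows host running PowerShell 3 or later
# with the root/cimv2/TerminalServices WMI namespace present (RD Session Host role).
param([string]$TemplateName = 'RDSAuth')   # placeholder: the template named in the GPO

# Certificate Template Information (v2 templates) and Certificate Template Name (v1 templates)
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($ext) { return $ext.Format($false) }   # e.g. "Template=RDSAuth(1.3.6...), Major Version Number=100, ..."
    return $null
}

# Thumbprint the RDP-Tcp listener currently uses (empty when the self-signed default is in use)
$rdp = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
$inUseHash = if ($rdp) { $rdp.SSLCertificateSHA1Hash } else { '' }

# Collect every cert issued from the template, newest expiry first
$certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $info = Get-TemplateInfo -Cert $_
    if ($info -and $info -like "*$TemplateName*") {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            InUse      = ($_.Thumbprint -eq $inUseHash)   # -eq is case-insensitive in PowerShell
        }
    }
} | Sort-Object NotAfter -Descending

Write-Host "Certificates from template '$TemplateName' in LocalMachine\My: $($certs.Count)"
$certs | Format-Table Thumbprint, NotAfter, InUse, Subject -AutoSize

# Per the policy text, only the latest-expiring matching cert is selected; everything else
# that is not bound to the listener is a surplus enrollment worth reviewing (and revoking on the CA).
$stale = $certs | Select-Object -Skip 1 | Where-Object { -not $_.InUse }
if ($stale) {
    Write-Warning "Surplus duplicates found (review before removing from the store and revoking on the CA):"
    $stale | ForEach-Object { Write-Warning "  $($_.Thumbprint) expires $($_.NotAfter)" }
}
```

Run it after each gpupdate to see whether a new enrollment was added; a growing count with the same subject confirms the behaviour the thread describes.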
Wednesday, April 11, 2012 5:58 PM
Has this been fixed yet? I am having an issue with multiple certificates per server.