Need to automate connection through rdp gateway without cert

  • Question

  • Subject says it all to anyone that's automated rdp connections... Using cmdkey to first temporarily store the credentials, building the rdp file on the fly etc... Issue with going through rdp gateway is that client needs to trust the cert... This is an impossibility when automating at data center scale... How do I get the client system to just trust the cert without adding it to the trusted cert store? I'm in an environment with thousands of rdp gateways and support staff that must log in to systems behind them.. Automation obtains credentials from a secure credential management system already... Only blocker right now is the users' systems will not have the rdp gateway certs trusted... There must be something in the registry I can set to make the system (the rdp client, mstsc) either bypass the check or simply tell it that it already trusts the gateway? It is an impossibility to actually have the certs in the trusted root store, or assure all certs are from third party CAs that will already be trusted... Gateways could be server 2008 - 2012R2, need to support them all.

    So, what voodoo/magic have any of u to solve this issue? :)

    Sunday, February 15, 2015 12:55 AM

Answers

  • Hi thanks mjolinor... Unfortunately wildcard cert isn't an option for me. This is managed service provider scenario so thousands of different customer systems (and therefore domains) that are accessed by the service provider staff. I'm thinking there must be some reg entries my automation can utilize dynamically as it needs to... To essentially indicate a remote system is already trusted.

    If there is such a registry setting, I don't know what it is.  

    The requirement to use certificates to authenticate the RDP gateways you're connecting to is there to prevent vulnerability to man-in-the-middle attacks. If you do find a way to disable it, you could potentially expose all of your customers' systems to that vulnerability.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Sunday, February 15, 2015 5:18 PM
    Moderator
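    An added example (not code from this thread or from any of its posters) of the check the automation should run instead of bypassing trust: it asks the client's own chain engine whether each gateway's TLS certificate on 443 is trusted and matches the gateway name, and only writes an .rdp file for gateways that pass. Gateway and target host names are placeholders.

    ```powershell
    # Added example, not code from the thread: before the automation writes an .rdp file and
    # launches mstsc, confirm that the gateway's TLS certificate (port 443) passes the client's
    # own chain and name validation, the same check mstsc performs. Gateways that fail are
    # reported so the cert can be fixed; nothing here relaxes or bypasses the check.
    function Test-RdGatewayCertificate {
        param([Parameter(Mandatory)][string]$GatewayHost, [int]$Port = 443)
        $verdict = @{ Errors = $null; Subject = $null; Expires = $null }
        # Callback records the platform verdict; returning $true only lets the handshake finish
        # so the result can be reported. The recorded verdict, not the return value, decides trust.
        $callback = {
            param($sender, $cert, $chain, $errors)
            $verdict.Errors  = $errors
            $verdict.Subject = $cert.Subject
            $verdict.Expires = $cert.GetExpirationDateString()
            return $true
        }.GetNewClosure()
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($GatewayHost, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($GatewayHost)   # name in the cert must match $GatewayHost
            $ssl.Dispose()
        } catch {
            $verdict.Errors = "HandshakeFailed: $($_.Exception.Message)"
        } finally {
            $tcp.Dispose()
        }
        [pscustomobject]@{
            Gateway = $GatewayHost
            Trusted = ($verdict.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
            Errors  = "$($verdict.Errors)"
            Subject = $verdict.Subject
            Expires = $verdict.Expires
        }
    }
    # .rdp content routed through a gateway; call only for a gateway that passed the test above.
    # Credentials are not written here: they stay in cmdkey / the credential vault.
    function New-RdpFileContent {
        param([Parameter(Mandatory)][string]$TargetHost, [Parameter(Mandatory)][string]$GatewayHost)
        @("full address:s:$TargetHost", "gatewayhostname:s:$GatewayHost",
          "gatewayusagemethod:i:1", "gatewaycredentialssource:i:0",
          "gatewayprofileusagemethod:i:1", "prompt for credentials:i:0") -join "`r`n"
    }
    # Usage with placeholder names: untrusted gateways are reported, never connected to.
    $results = 'gw1.customer-a.example', 'gw2.customer-b.example' | ForEach-Object { Test-RdGatewayCertificate $_ }
    $results | Where-Object { -not $_.Trusted } | Format-Table Gateway, Errors, Subject, Expires
    foreach ($r in ($results | Where-Object Trusted)) {
        New-RdpFileContent -TargetHost 'srv01.customer-a.example' -GatewayHost $r.Gateway |
            Set-Content -Path (Join-Path $env:TEMP "$($r.Gateway).rdp") -Encoding ASCII
    }
    ```

    The Errors column carries the SslPolicyErrors verdict (chain errors versus name mismatch), which tells you whether a failing gateway needs a CA-issued cert or just a SAN entry for the name the automation uses.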

All replies

  • What version are the clients?

    Looking at the docs, there doesn't seem to be any way around needing a cert, but starting with V6.1, you could use a wildcard cert and get it to trust any gateway in a domain, or a SAN cert that would make it trust any of an arbitrary list of gateway names.

    http://blogs.msdn.com/b/rds/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx 


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Sunday, February 15, 2015 1:56 AM
    Moderator
  • Hi thanks mjolinor... Unfortunately wildcard cert isn't an option for me. This is managed service provider scenario so thousands of different customer systems (and therefore domains) that are accessed by the service provider staff. I'm thinking there must be some reg entries my automation can utilize dynamically as it needs to... To essentially indicate a remote system is already trusted.
    Sunday, February 15, 2015 4:47 PM
  • You are actually asking your question in the wrong forum.  It is not a scripting question.  You should post in the RDS forum.  If anyone knows of a way around this restriction it will likely be found in that forum since it is a product specific question.


    ¯\_(ツ)_/¯

    Sunday, February 15, 2015 5:55 PM
  • How do I get the client system to just trust the cert without adding it to the trusted cert store?

    The short answer to that is "you don't." That's one of the purposes of having certificates and trusting a certification authority. (If this was possible, then all malware authors would exploit it.)

    I agree with jrv that this isn't a scripting question but rather a service architecture question.


    -- Bill Stewart [Bill_Stewart]

    Sunday, February 15, 2015 7:01 PM
    Moderator
  • thanks all, appreciate the input.

    I will post in an RDP/TERMSERV forum... it's 'scripting' in that I'm using PowerShell to automate RDP logins, but agreed, my current roadblock is not a 'programming' one, it's product architecture.

    I will say I think there is likely a way though, something similar to this:

    http://www.richud.com/wiki/Windows_7_Remote_Desktop_Connection_no_prompts

    just need to find out the right keys and values to use... I know someone else that has done this but I don't think any of the gateways used are server 2012 yet, so it may be something new to 2012, something more strict. I will also try to find out from this person exactly what he did, as he just pointed me to those reg keys but it's not working for me against 2012 server, which I'm using for testing.

    thanks all!

    Tuesday, February 17, 2015 9:06 PM
  • Good luck with that. It's a very brittle "solution" that depends on a specific server hash, which will change when the server's certificate updates.

    -- Bill Stewart [Bill_Stewart]

    Tuesday, February 17, 2015 9:12 PM
    Moderator
  • (jrv - wrong thread)

    -- Bill Stewart [Bill_Stewart]

    Tuesday, February 17, 2015 9:32 PM
    Moderator
  • Oops! - Thanks.


    ¯\_(ツ)_/¯

    Tuesday, February 17, 2015 9:48 PM