Implementing SSL for RDP connection (RDP listener on the RD session host)
Hi,

We have a Windows 2008 R2 server with the RD Session Host role. It is accessible via RDP from the public internet under a globally visible DNS name in a .com domain. The server is a member of an Active Directory domain (the internal DNS suffix is not publicly visible and ends in .local).

Now we want to implement an SSL certificate for the RDP server, so that clients connecting from outside do not get a certificate warning on connect.

By means of IIS7, I created a certificate signing request for the external DNS name of the server and had it signed at AlphaSSL with a free/trial certificate valid for 45 days. I completed the certificate signing with the AlphaSSL reply and installed the certificate in IIS7. I can access the external DNS name over HTTPS and get the IIS7 default page, and browsers report the site as trusted. The certification path starts at GlobalSign, under it the Alpha CA, under it our certificate for the domain.

As the next step, I tried to install the same certificate in the properties of the RDP-Tcp connection of the RD Session Host, instead of the auto-generated certificate that is there by default. On clicking 'Select', it allows me to pick the certificate from the list (its EKU attributes are 'Server Authentication (1.3.6.1.5.5.7.3.1)' and 'Client Authentication (1.3.6.1.5.5.7.3.2)') and shows it as active. Then, on a connection attempt from an RDP client (the usual mstsc included with Windows 7 Professional), I get the warning "The certificate is not valid for this usage".

Then I re-tried, having got a free/trial certificate for the same DNS name from Comodo/EssentialSSL (or InstantSSL). The certification path is a bit longer: UserTrust / COMODO CA / EssentialSSL CA / our one. The EKU contains: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), Unknown Key Usage (1.3.6.1.4.1.311.10.3.3) and Unknown Key Usage (2.16.840.1.113730.4.1). I used the same IIS7 dialogs to create/complete the certificate request. And yes, it is possible to assign the cert to the RDP-Tcp connection, but it is still not valid for RDP-Tcp usage.

Now I want to ask the experts: what am I doing wrong, which details did I overlook, and what do I have to do in a different, correct way to obtain a certificate usable for RDP and signed by a known SSL trust vendor?

Is the problem in the EKU? In the long certification path? Is the IIS7 form too restricted for the certificate signing request?

How should I form the certificate signing request on my side? Should I bring up Certificate Services in the domain to get proper certificate request templates?

Should I demand something specific from the SSL vendor when buying a certificate from them (to make it usable for RDP)? Should I have the Certificate Services root signed at the SSL vendor just for this purpose? (I am afraid this is going to cost more money than we can afford.)

Thanks in advance for competent and useful replies.
Hi,

The OIDs (1.3.6.1.4.1.311.10.3.3 & 2.16.840.1.113730.4.1) you said are in the EssentialSSL trial certificate indicate an SGC cert. It is possible that one or more of the certs in the chain of the AlphaSSL trial cert is an SGC cert as well. Based on my reading of the thread Kristin referred to, this would explain the problem you are seeing with Windows 7 clients.

I recommend you obtain an SSL certificate that is not an SGC certificate and does not have SGC certificates in its chain. For example, you can purchase a standard non-SGC SSL certificate from GoDaddy for $12.99/year. The GoDaddy certificate has one intermediate certificate in addition to the root. To get the $12.99 price, Google "godaddy $12.99 ssl" and click on the link.

Another alternative is a RapidSSL certificate from www.rapidsslonline.com. It is as low as $10.99/year and is issued directly from the root certificate (GeoTrust), in other words, no intermediate cert. They offer a 30-day money-back guarantee. It is not an SGC certificate, and the root is not an SGC certificate.

There are other providers that are cheaper or free (StartSSL); however, I have not tested them.

If you need to secure multiple servers/RDS roles you should consider a wildcard certificate (as low as $99/year), or a UCC/SAN certificate ($60/year). If all of your RDS servers/roles can be under a single domain, a wildcard is convenient, because you can add new server names as needed and still use the same certificate for all of them. If you have older RD client versions in your environment, a UCC or wildcard may cause problems.

-TP
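The answer above says the fix is a certificate whose whole chain is free of SGC markers, and the question describes assigning the certificate to the RDP-Tcp listener by hand. The script below is an added example, not code from either poster or from Microsoft: it locates the server's certificate in the machine store, walks the full chain checking every element's Enhanced Key Usage for the two SGC OIDs named in the thread, and only if none is found binds the leaf to the RDP-Tcp listener through the WMI class Win32_TSGeneralSetting (the same setting the 'Select' button in the RDP-Tcp properties changes). Assumptions: it runs elevated on the RD Session Host, the certificate and its private key are already in LocalMachine\My, and `$SubjectName` is a placeholder for the server's external DNS name.

```powershell
# Added example (not from the original thread). Assumes: elevated PowerShell on the
# RD Session Host, certificate + private key already in LocalMachine\My, and
# $SubjectName replaced with the external DNS name on the certificate (placeholder).

$SubjectName = 'rds.example.com'   # assumption: replace with your public DNS name

# OIDs the answer identifies as Server Gated Cryptography (SGC) markers
$SgcOids = @{
    '1.3.6.1.4.1.311.10.3.3' = 'Microsoft SGC'
    '2.16.840.1.113730.4.1'  = 'Netscape SGC'
}

function Get-SgcMarkers {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Return the SGC OIDs present in the certificate's EKU extension (empty = none)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return @() }
    $eku.EnhancedKeyUsages | Where-Object { $SgcOids.ContainsKey($_.Value) } | ForEach-Object { $_.Value }
}

# Pick the newest certificate for the external name that has a usable private key
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key for $SubjectName in LocalMachine\My" }

# Build the full chain (leaf -> intermediates -> root) and inspect every element,
# because an SGC marker on an intermediate or root matters just as much as on the leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check of EKUs only
[void]$chain.Build($leaf)

$sgcFound = $false
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    $hits = @(Get-SgcMarkers -Cert $c)
    $status = if ($hits.Count) { 'SGC: ' + (($hits | ForEach-Object { $SgcOids[$_] }) -join ', ') } else { 'no SGC EKU' }
    Write-Host ("{0,-70} {1}" -f $c.Subject, $status)
    if ($hits.Count) { $sgcFound = $true }
}

if ($sgcFound) {
    Write-Warning 'Chain contains an SGC certificate; per the thread, mstsc reports "not valid for this usage". Obtain a non-SGC certificate instead.'
    return
}

# Bind the leaf to the RDP-Tcp listener by thumbprint (SSLCertificateSHA1Hash),
# which is what the RDP-Tcp properties dialog writes when you click 'Select'.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $leaf.Thumbprint } | Out-Null
Write-Host "RDP-Tcp listener now uses certificate thumbprint $($leaf.Thumbprint)"
```

Run the script once after importing a candidate certificate: the per-element lines show at a glance which link of the chain carries an SGC EKU, which is the check the original poster was missing when the certificate looked fine in the RDP-Tcp properties but was rejected by mstsc. The binding step only executes when the chain is clean, so the listener keeps its current certificate if the new one is unsuitable.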