Custom Secure LDAP Certificates for DCs with Remote Desktop Authentication policy

Hi
With DCs we have 2 certificates (2 certificate templates with a CA server) with auto renewal through GPO, one for custom secure LDAP and another for RDP. But since both certificates are placed in the Personal certificate folder, we are facing issues with RDP and also with some applications which use secure LDAP. Below is the existing setup:
• Existing RDP GPO uses “RDAuthentication” certificate template.
• With the CA, we have a certificate template to issue a certificate to DCs to be used for LDAPS with multiple SANs. Once the new certificate for LDAP is generated and placed in the DC's Personal folder, we moved the existing RDP certificate from Personal to the Remote Desktop folder. Whenever we move the RDP certificate from Personal to the Remote Desktop folder, all DCs get a new RDP certificate from the RDP certificate template, placed in the Personal folder (the GPO is configured for certificate auto renewal), and this causes issues with RDP connections, and many applications fail to communicate securely with the DCs (over LDAPS).
So below are our options:
Either include "Remote Desktop Authentication" in the custom LDAP certificate template along with KDC Authentication, Server Authentication, Client Authentication & Smart Card Logon. Is this supported?
If it's supported and recommended, then we can create a new RDP GPO just for DCs with the certificate template name of the LDAP template instead of "RDAuthentication", which is general for all servers.
Or, if it's not supported, is there a way to renew & place certificates for RDP in the Remote Desktop certificate folder instead of placing them in the Personal folder?
Thank You all
Hi
"we moved existing RDP certificate from Personal to Remote desktop folder"
In general, the RDP certificate is placed in the Personal store; the self-signed certificate is placed in the "Remote Desktop" folder. If you don't want to use the self-signed certificate, an internal CA-issued RDP certificate should be listed in the Personal folder, so why must we move the existing RDP certificate from the Personal folder to the Remote Desktop folder?
https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remote-desktop-listener-certificate-configurations
Hi
We have moved the RDP certificate from Personal to the Remote Desktop folder since we faced issues with some applications which use LDAPS; once we moved the RDP certificate out of the Personal folder, the application started working.
The current RDP certificate has the extensions Remote Desktop Authentication, Server Authentication & Client Authentication. We have created a new template with just Remote Desktop Authentication and issued the certificate to a DC. Today we will check the application and will update you.
What EKU (enhanced key usage) does your RDP template use? It should not list anything but "Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2)". In this case, LDAPS won't present this certificate to LDAP clients and will use a more suitable certificate (with Server Authentication).
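The following PowerShell script is an added example, not code from the thread or from Microsoft. It checks the situation the last answer describes on a DC: it inventories the Local Machine Personal store by EKU, flags any RDP certificate that also carries Server Authentication (and is therefore a candidate Schannel could pick for LDAPS), reads which certificate the RDP-Tcp listener is bound to, and connects to port 636 to see which certificate LDAPS actually presents. It assumes it is run elevated on the DC itself; the EKU OIDs for Server Authentication (1.3.6.1.5.5.7.3.1) and Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2) are standard values, and the variable and function names are the example's own.

```powershell
# Added example (not from the thread): audit which certificate a DC presents for
# LDAPS versus RDP, based on EKU. Assumes it runs elevated on the DC.
$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$EkuServerAuth    = '1.3.6.1.5.5.7.3.1'        # Server Authentication
$EkuRemoteDesktop = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication
$TemplateOids     = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'  # template info (v2) / name (v1)

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }   # no EKU extension: certificate is valid for any purpose
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# 1. Inventory LocalMachine\My, the store both templates in the thread enrol into.
$inventory = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $oids = Get-EkuOids $cert
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Template      = ($cert.Extensions |
                         Where-Object { $_.Oid.Value -in $TemplateOids } |
                         ForEach-Object { $_.Format($false) }) -join '; '
        ServerAuth    = ($oids.Count -eq 0) -or ($EkuServerAuth -in $oids)
        RemoteDesktop = $EkuRemoteDesktop -in $oids
        NotAfter      = $cert.NotAfter
    }
}
$inventory | Format-Table -AutoSize

# 2. The thread's failure mode: an RDP certificate that also has Server Authentication
#    is an eligible LDAPS certificate, so Schannel may present it to LDAP clients.
foreach ($c in ($inventory | Where-Object { $_.RemoteDesktop -and $_.ServerAuth })) {
    Write-Warning "RDP cert $($c.Thumbprint) also carries Server Authentication; LDAPS may select it."
}

# 3. Which certificate is the RDP-Tcp listener actually bound to?
$rdp = Get-CimInstance -Namespace root/cimv2/TerminalServices `
                       -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
"RDP-Tcp listener thumbprint: $($rdp.SSLCertificateSHA1Hash)"

# 4. Which certificate does LDAPS present? Open a TLS session to 636 and read the server cert.
#    The callback accepts any chain because we only want to inspect the certificate.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS presents: $($served.Thumbprint)  $($served.Subject)"
    if ($EkuRemoteDesktop -in (Get-EkuOids $served)) {
        Write-Warning "LDAPS is presenting the Remote Desktop certificate; remove Server Authentication from the RDP template."
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run it before and after reissuing the RDP certificate from a template that carries only the Remote Desktop Authentication EKU: step 2 should stop warning, step 3 should still show the RDP certificate's thumbprint, and step 4 should show the LDAPS certificate (Server Authentication, with the DC's SANs). Keep in mind that a certificate placed in the AD DS service store (NTDS, visible with `certutil -service -store NTDS My`) takes precedence over LocalMachine\My for LDAPS, so if step 4 shows an unexpected certificate that is not in the inventory, check that store as well.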