Custom Secure LDAP Certificates for DCs with Remote Desktop Authentication policy

LMS
2020-12-20T07:32:12.917+00:00

Hi

On the DCs we have two certificates (two certificate templates on the CA server) with auto-renewal through GPO, one for custom secure LDAP and another for RDP. But since both certificates are placed in the Personal certificate folder, we are facing issues with RDP and also with some applications which use secure LDAP. Below is the existing setup:

• The existing RDP GPO uses the “RDAuthentication” certificate template.
• On the CA, we have a certificate template to issue certificates to DCs to be used for LDAPS with multiple SANs. Once the new certificate for LDAP is generated and placed in the DC's Personal folder, we moved the existing RDP certificate from Personal to the Remote Desktop folder. Whenever we move the RDP certificate from Personal to the Remote Desktop folder, all DCs get a new RDP certificate from the RDP certificate template, placed in the Personal folder (the GPO is configured for certificate auto-renewal), and this causes issues with RDP connections & many applications fail to communicate securely with DCs (over LDAPS).

So below are our options:

Either include "Remote Desktop Authentication" in the custom LDAP certificate template along with KDC Authentication, Server Authentication, Client Authentication & Smart Card Logon: is this supported?

If it’s supported and recommended, then we can create a new RDP GPO just for DCs with the certificate template name of the LDAP template instead of “RDAuthentication”, which is general for all servers.

Or, if it's not supported, is there a way to renew & place certificates for RDP in the Remote Desktop certificate folder instead of placing them in the Personal folder?

Thank You all
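
The situation described in the question (two auto-enrolled certificates side by side in the DC's machine Personal store, with RDP and LDAPS each picking one unpredictably) is easier to reason about once you can see exactly which certificate carries which template and EKU, and once the RDP listener is bound to a specific thumbprint instead of whatever it finds. The PowerShell below is an added example, not code from the original post or from Microsoft: it inventories Cert:\LocalMachine\My by template and EKU, reads the template name the RDP GPO currently requests, and pins the RDP-Tcp listener to one thumbprint through the Win32_TSGeneralSetting WMI class. The function names are mine; the registry path for the "Server authentication certificate template" policy value is an assumption and should be verified on your build. Run it elevated on a DC.

```powershell
# Added example (not from the original post): audit DC certificates and pin the RDP listener.
# EKU OIDs the question lists, mapped to friendly names.
$EkuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.4.1.311.54.1.2' = 'Remote Desktop Authentication'
}

function Get-DcCertificateInventory {
    # One object per certificate in the store, with template and EKU decoded.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # EKU extension (OID 2.5.29.37); .NET exposes it as X509EnhancedKeyUsageExtension.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) {
            $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object {
                if ($EkuNames.ContainsKey($_.Value)) { $EkuNames[$_.Value] } else { $_.Value }
            })
        }
        # Template information (v2 templates, 1.3.6.1.4.1.311.21.7) or template name (v1, 1.3.6.1.4.1.311.20.2).
        $tmplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') } |
            Select-Object -First 1
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Template      = $template
            EKU           = ($ekus -join ', ')
            ServerAuth    = ($ekus -contains 'Server Authentication')
            RdpAuth       = ($ekus -contains 'Remote Desktop Authentication')
        }
    }
}

function Get-RdpPolicyTemplateName {
    # Value written by the GPO "Server authentication certificate template" under
    # Remote Desktop Session Host > Security. Registry path assumed here; verify on your build.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    (Get-ItemProperty -Path $key -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName
}

function Get-RdpListenerThumbprint {
    # Thumbprint the RDP-Tcp listener is currently bound to (empty when it uses the self-signed one).
    (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
}

function Set-RdpListenerCertificate {
    # Bind the RDP-Tcp listener to one certificate from LocalMachine\My by thumbprint.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this host" }

    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
    Get-RdpListenerThumbprint
}

# Usage on a DC:
$inv = Get-DcCertificateInventory
$inv | Format-Table Thumbprint, Template, EKU, NotAfter, HasPrivateKey -AutoSize
"RDP GPO requests template : $(Get-RdpPolicyTemplateName)"
"RDP listener bound to     : $(Get-RdpListenerThumbprint)"

# Pin the listener to the certificate carrying Remote Desktop Authentication, but only when
# exactly one usable candidate exists; two candidates is the ambiguity the question describes.
$rdpCandidates = @($inv | Where-Object { $_.RdpAuth -and $_.HasPrivateKey })
if ($rdpCandidates.Count -eq 1) {
    "Listener now bound to     : $(Set-RdpListenerCertificate -Thumbprint $rdpCandidates[0].Thumbprint)"
} else {
    "Found $($rdpCandidates.Count) RDP-capable certificates; resolve the template overlap before pinning."
}
```

Two caveats when using this. The WMI binding is by thumbprint, so every auto-renewal produces a new thumbprint and the listener has to be re-pinned (a scheduled task, or the GPO template route the question proposes, which re-enrols for the listener itself); the private key must also be readable by NETWORK SERVICE, which the Remote Desktop Services service runs as. On the LDAPS side, the DC's choice between several Server Authentication certificates in LocalMachine\My is not something you can pin through this class; the documented way to make that choice deterministic is to place the LDAPS certificate in the NTDS service's own Personal store (Service account view of the Certificates snap-in, Active Directory Domain Services, NTDS\Personal), which AD DS prefers over the machine store, so that certificate selection no longer depends on what else auto-enrolment drops into Personal.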
