Hey jocke
So no, you do not need to do manual enrollment. The reason why you should NOT do autoenrollment is that it is done via the certificate autoenrollment code. This is done every 8 hours and does certificate replacement based on 80% used plan. Meaning that the current certificate will be archived and then a new certificate will be enrolled for if it is configured properly.
The issue with this is that when this happens the certificate is ripped away from the Remote Desktop Services service (TermServ). So Terminal Services will immediately have issues and no longer be able to have a TLS encrypted session between itself and the TSClient. See discussion on WMI and tracking of the Thumbprint within Terminal Services.
Terminal Services actually has a service that should be in control of requesting / submitting the certificate request to the CA based on the template defined in the GPO. The service responsible for this is the Remote Desktop Configuration service. It waits until pretty much the very last moment before the certificate expires to do the enrollment request to the CA for a new certificate. Once the certificate is issued, it will then update the WMI location with the new certificate's thumbprint. This keeps Terminal Services from having an outage.
Yes, if you want more detailed information on just how the TS GPO and Remote Desktop Configuration service do all this magic, then yes, you will need to talk to the UEX team as they own that service.
Like my blog states, I created this blog to help all the Directory Services support engineers and customers that believe it's just enabling autoenrollment to make things work with Terminal Services when it is NOT the case. Unfortunately, there are a lot of teams within Microsoft that believe they do not need to know anything about certificates that their product leverages and just say it's a Directory Services issue to deal with. That's why I tend to write these very esoteric blogs about how a component works. I want to share with the community as well as help DS engineers be able to point customers to straightforward content to help them get this configured properly and explain why things happened the way they did.
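A check for the failure described in the reply above, added here as an example and not part of the original comment or of any Microsoft tooling: it reads the thumbprint the RDP listener is bound to and looks that certificate up in the machine store, including archived entries. It assumes the "WMI location" the reply refers to is the `SSLCertificateSHA1Hash` property of `Win32_TSGeneralSetting`; the function name `Test-RdpListenerCertificate` is hypothetical.

```powershell
# Added example (not from the original comment). Run elevated on the RD Session Host.
function Test-RdpListenerCertificate {
    [CmdletBinding()]
    param([string]$TerminalName = 'RDP-Tcp')

    # Thumbprint the listener is currently bound to (assumed WMI location).
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='$TerminalName'"
    $thumb = $listener.SSLCertificateSHA1Hash

    # Get-ChildItem Cert:\ hides archived certificates, so open the store
    # directly with IncludeArchived to see what autoenrollment left behind.
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, IncludeArchived'
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
    $store.Open($flags)
    try {
        $cert = $store.Certificates |
            Where-Object { $_.Thumbprint -eq $thumb } |
            Select-Object -First 1
    }
    finally {
        $store.Close()
    }

    # Not found in 'My' can also mean the listener is still using the
    # self-signed certificate kept in the 'Remote Desktop' store.
    $found = [bool]$cert
    [pscustomobject]@{
        TerminalName       = $TerminalName
        ListenerThumbprint = $thumb
        FoundInMyStore     = $found
        Archived           = if ($found) { $cert.Archived } else { $null }
        HasPrivateKey      = if ($found) { $cert.HasPrivateKey } else { $null }
        NotAfter           = if ($found) { $cert.NotAfter } else { $null }
        # Usable only if present, not archived, has a key, and not expired.
        Healthy            = $found -and -not $cert.Archived -and
                             $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date))
    }
}

Test-RdpListenerCertificate | Format-List
```

An `Archived` value of `True` for the bound thumbprint matches the scenario in the reply: the certificate was replaced while the listener still references the old one.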