I very much appreciate this post and the details and examples are very helpful.
I realize this is perhaps geared more toward Terminal Services, but for Windows systems, I would assert this is not, technically, the proper setup. Microsoft should be enabling the use of the certificate store for the service via GPO. What I mean is that there is (A) a node in the Windows Computer Certificate store for the self-signed certificate which is specific to the "Remote Desktop Services" service on Windows-based OSes which is automatically used for RDP, and (B) there is a certificate store specific to services running on the OS platform, and specifically for the "Remote Desktop Services" service. Furthermore, when you look at the self-signed certificate, it only has the "server authentication" enhancement, not the RDP OID.
Regarding point (A), there appears to be no way to automate a certificate install to that node in the Computer certificate store.
Regarding point (B), there is no strictly GPO-based method of getting a special certificate into the certificate store for the "Remote Desktop Services" service. Auto-enrollment certainly is not supported.
Microsoft has made the needed certificate store parts available but has developed no way to utilize them with Microsoft PKI, auto-enrollment, or GPOs (outside of the Computer certificate store, short of running scripts and using registry keys).
To get rid of the RDP error message for connecting to Windows-based computers where you already have Microsoft PKI (or some other internal PKI), it seems to me that the most effective method of eliminating the warning would be to simply add the RDP OID ("1.3.6.1.4.1.311.54.1.2" for the "Enhanced Key Usage") to an existing device/computer certificate that your PKI is already issuing to computers/devices, if you are already pushing out certificates for computers. No need to push out a new certificate template.
But this, technically, doesn't place an RDP certificate in the more "correct" place. I would think that PKI specialists would want the service to have the certificate rather than the computer account. A technicality, I admit, but Microsoft has had many years to properly develop these PKI pieces. I had to do custom scripting to secure LDAP and it seems that the same mechanism is needed for RDP.
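As an added example (not part of the comment above), a PowerShell audit that reports which Local Machine certificates carry the RDP EKU OID quoted in the comment and which thumbprint the Remote Desktop Services listener is currently bound to, using the Win32_TSGeneralSetting WMI class, which is the "scripts and registry keys" route the comment refers to. The commented-out binding step at the end is an assumption about how an administrator would apply a chosen certificate; run it only after reviewing the audit output.

```powershell
# Added example: audit RDP-capable certificates and the RDS listener binding.
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU (from the comment)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # id-kp-serverAuth, the EKU the self-signed cert has

# Returns $true if the certificate's EKU extension contains the given OID.
function Test-HasEku {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

# Candidates from the Computer (Local Machine) Personal store: must have a private key;
# self-signed certificates (Issuer equals Subject) are excluded from consideration.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -ne $_.Subject } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ n = 'ServerAuth'; e = { Test-HasEku $_ $ServerAuthOid } },
        @{ n = 'RdpAuth';    e = { Test-HasEku $_ $RdpAuthOid } }
$candidates | Format-Table -AutoSize

# What the RDP-Tcp listener is bound to right now (SHA-1 thumbprint). The same value is
# stored under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
# as the binary SSLCertificateSHA1Hash value.
$listener = Get-CimInstance -Namespace root\cimv2\TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
"RDS listener currently bound to thumbprint: $($listener.SSLCertificateSHA1Hash)"

# Assumed administrative step: bind the first issued certificate that carries the RDP EKU.
# $chosen = $candidates | Where-Object { $_.RdpAuth } | Select-Object -First 1
# Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $chosen.Thumbprint }
```

Certificates with ServerAuth set but RdpAuth false are the ones that would still trigger the warning the comment describes until the template's EKU list is extended.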