In a previous blog post we explained how to configure Remote Desktop certificates for Windows 7. In Windows 8 (and 8.1) and Windows Server 2012 (and R2) configuring Remote Desktop certificates has become easier:
1. It is no longer required for the template name and template display name to be the same.
2. You no longer need to create a custom template. One of the built-in templates, for example the “Computer” template, can now be used.
3. The “Server Authentication Certificate Template” group policy setting can now contain any one of the following: the template name (CN), the template display name, or the template object identifier (OID). The latter is more reliable because the template name can be changed while the OID cannot. Certificate templates that support Windows 2000 CAs (schema version 1) do not have OIDs, so with those templates you can use their template name (CN). Using the template display name should be avoided because this name does not uniquely identify the template – multiple templates can have the same display name.
Example 1: providing certificates for Remote Desktop using the “Computer” certificate template.

If you want to use the “Computer” certificate template with Remote Desktop, you first need to publish it in your Certificate Authority if it’s not already published.

Publishing the “Computer” certificate template:

The next (and the last!) step is to configure Group Policy to use certificates based on the “Computer” template for Remote Desktop authentication.

Configuring Group Policy:

That’s it! As soon as this policy is propagated to domain computers, every computer that has Remote Desktop connections enabled will automatically request a certificate based on the “Computer” template from the Certification Authority server and use it to authenticate to Remote Desktop clients.
Example 2: configuring Remote Desktop certificates using the template OID.

In this example we have a custom “RD Computer” template already published in the CA.

Finding the template OID:

You can now copy/paste the OID into the “Server Authentication Certificate Template” group policy instead of the template name.

Configuring Group Policy:

As soon as this policy is propagated to domain computers, they will update their certificates accordingly.
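To confirm on a given computer that the Remote Desktop listener is actually presenting a certificate issued from the template named in the policy, a check like the following can be run in an elevated PowerShell session. It is an added example, not part of the original post; `$Expected` is a placeholder parameter that you set to the template name (CN) or OID you entered in the policy.

```powershell
# Added example: report which certificate template the RDP listener's certificate came from.
# $Expected is a placeholder: the template name (CN) or OID configured in the
# "Server Authentication Certificate Template" policy.
param([string]$Expected = '<template-name-or-OID>')

# The RDP-Tcp listener exposes the thumbprint of the certificate it presents.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash

# A CA-issued certificate sits in the computer's Personal store; the
# self-signed default is kept in the separate "Remote Desktop" store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert) {
    Write-Warning "Listener certificate $thumb is not in LocalMachine\My; the listener may still be using the self-signed default."
    return
}

# Schema version 1 templates put their name in extension 1.3.6.1.4.1.311.20.2;
# version 2 and later templates put their OID in extension 1.3.6.1.4.1.311.21.7.
$v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
$v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
$templateInfo = if ($v2) { $v2.Format($false) }
                elseif ($v1) { $v1.Format($false) }
                else { '' }

# MatchesPolicy is a simple substring comparison against the decoded extension text.
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter
    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
    TemplateInfo  = $templateInfo
    MatchesPolicy = ($templateInfo -like "*$Expected*")
}
```

A result with `SelfSigned = True` or an empty `TemplateInfo` means the policy has not taken effect on that computer yet.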
We hope this helps show how it is easier to manage certificates for Remote Desktop.
Note: Questions and comments are welcome. However, please DO NOT post a request for troubleshooting by using the comment tool at the end of this post. Instead, post a new thread in the RDS & TS forum. Thank you.