
RDP Server Certificate

Using the RdpServer template, you can configure computers and servers to make use of managed certificates provided to clients accessing them through the Remote Desktop Protocol.

1. Create Template Object in Active Directory

During the enrollment and mapping of the certificate, the SessionEnv service looks up the configured certificate template in Active Directory, even though the certificate itself is obtained from the CEP service that SCEPman already provides. To satisfy this lookup, we create an empty certificate template object in the expected location. This requires write permissions on the Public Key Services container of the forest, for example through the Enterprise Admins role.

An Enterprise Admin is required to perform this object creation — unless you have assigned permissions to further roles on the Public Key Services container.

# Run as an Enterprise Admin (or an account granted write access to the Public Key Services container)
$ConfigPath = (Get-ADRootDSE).configurationNamingContext
$TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigPath"
$Name = "SCEPmanRdpServer"   # must match the template name configured in Group Policy (step 3)

# Create an empty v1 template object; the random suffixes give it a template OID that is unique in the forest
New-ADObject -Name $Name `
             -Type pKICertificateTemplate `
             -Path $TemplateContainer `
             -OtherAttributes @{
                "displayName" = $Name;
                "msPKI-Cert-Template-OID" = "1.3.6.1.4.1.311.21.8.$(Get-Random 9999999).$(Get-Random 9999999)";
                "msPKI-Template-Schema-Version" = 1;
                "msPKI-Template-Minor-Revision" = 1;
                "msPKI-RA-Signature" = 0;
                "flags" = 0
             }
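The following script is an added verification example and is not part of the SCEPman documentation. It reads the template object back from the Configuration partition, confirms that SessionEnv will be able to resolve it by name, and checks that the randomly generated template OID does not collide with another template in the forest. It assumes the name SCEPmanRdpServer from the step above and the RSAT ActiveDirectory module; any domain user with read access to the Configuration partition can run it.

```powershell
# Added example (not SCEPman's own code): verify the empty RDP template object in AD.
# Assumes the template name "SCEPmanRdpServer" from step 1 and the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$Name = "SCEPmanRdpServer"   # must match the name created above and configured in Group Policy
$ConfigPath = (Get-ADRootDSE).configurationNamingContext
$TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigPath"

# SessionEnv resolves the template by its CN under the Certificate Templates container
$template = Get-ADObject -SearchBase $TemplateContainer -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$Name))" `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msPKI-Template-Schema-Version', flags

if (-not $template) {
    Write-Warning "Template object '$Name' not found under $TemplateContainer; SessionEnv will not be able to resolve it."
    return
}

# The template OID must be unique in the forest; a duplicate usually means the object was
# created by copying attributes from another template instead of generating a fresh OID.
$oid = $template.'msPKI-Cert-Template-OID'
$clash = Get-ADObject -SearchBase $TemplateContainer -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(msPKI-Cert-Template-OID=$oid)(!(cn=$Name)))"
if ($clash) {
    Write-Warning "Template OID $oid is also used by template '$($clash.Name)'."
}

# Summary of what SessionEnv will find
[pscustomobject]@{
    Name          = $template.Name
    DisplayName   = $template.displayName
    TemplateOID   = $oid
    SchemaVersion = $template.'msPKI-Template-Schema-Version'
    Flags         = $template.flags
    OidIsUnique   = (-not $clash)
}
```

Run this once after creating the object and again from a different domain controller if replication latency is a concern, because SessionEnv on a session host will query whichever domain controller it is bound to.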

2. Enable Certificate Template in SCEPman

Like other certificate templates, this one is configured by adding the following environment variables to the SCEPman app service:

| Setting | Value | Description |
| --- | --- | --- |
| AppConfig:ActiveDirectory:RdpServer:Enabled | true | Enable the certificate template |
| AppConfig:ActiveDirectory:RdpServer:GroupFilter | Group SID | Optional: Only allow members of this group to enroll certificates using this template. |

3. Configure Group Policy

In a Group Policy we configure the certificate template name and additionally instruct machines to enforce a specific security layer for remote (RDP) connections.

Setting location in Group Policy Management Editor (gpmc.msc)
Computer Configuration

└-Policies
  └-Administrative Templates
    └-Windows Components
      └-Remote Desktop Services
        └-Remote Desktop Session Host
          └-Security
            ├-Server authentication certificate template
            └-Require use of specific security layer for remote (RDP) connections

Server authentication certificate template

Enter the name of the certificate template to be used for RDP server authentication. By default, this is SCEPmanRdpServer.

Require use of specific security layer for remote (RDP) connections

Select SSL here so that connections must use TLS and therefore the enrolled certificate.

With the configuration in place, restart the SessionEnv service to trigger the enrollment and mapping of the certificate.

On the computer itself, you can confirm the used certificate by running the following command:

(Get-CimInstance -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SSLCertificateSHA1Hash

This will output the thumbprint of the active RDP certificate.

The event log will also show that a new certificate has been used:

Show relevant event log entries:
Get-WinEvent -LogName "System" | Where-Object { $_.ProviderName -eq "Microsoft-Windows-TerminalServices-RemoteConnectionManager" } | Select-Object -First 10 | Format-List Message, TimeCreated

A new template-based certificate to be used by the RD Session Host server for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption has been installed. The name for this certificate is svr01.Conitoso.local. The SHA1 hash of the certificate is provided in the event data.
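The following script is an added example for checking the result on the RD Session Host and is not part of the SCEPman documentation. It combines the checks described above (policy applied, listener thumbprint, event log) and additionally resolves the thumbprint to the certificate in the machine store and reads its template extension, so that you can tell an enrolled SCEPman certificate from the self-signed one Windows generates when enrollment fails. It assumes the template name SCEPmanRdpServer and the registry locations the two Group Policy settings write to (CertTemplateName and SecurityLayer under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services); run it in an elevated PowerShell session.

```powershell
# Added example (not SCEPman's own code): verify RDP certificate enrollment on a session host.
# Assumptions: template name "SCEPmanRdpServer"; the policy values CertTemplateName and
# SecurityLayer are stored under the Terminal Services policy key by the ADMX from step 3.
$TemplateName = "SCEPmanRdpServer"
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

# 1. Policy values written by the Group Policy from step 3 (missing if the GPO has not applied yet)
$policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$configuredTemplate = $policy.CertTemplateName
$securityLayer = $policy.SecurityLayer     # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)

# 2. Thumbprint of the certificate currently bound to the RDP-Tcp listener
$listener = Get-CimInstance -Namespace root\cimv2\terminalservices -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
$thumbprint = $listener.SSLCertificateSHA1Hash

# 3. Resolve the thumbprint to a certificate. Enrolled certificates live in LocalMachine\My;
#    the fallback self-signed certificate lives in the "Remote Desktop" store.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $thumbprint found in the machine stores."
}

# Template extensions: 1.3.6.1.4.1.311.20.2 (v1 template name) or 1.3.6.1.4.1.311.21.7 (v2 template OID)
$templateExt = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
$templateText = if ($templateExt) { ($templateExt | ForEach-Object { $_.Format($false) }) -join '; ' } else { '<none>' }
$isSelfSigned = $cert -and ($cert.Subject -eq $cert.Issuer)

# 4. Recent RemoteConnectionManager events that record a template-based certificate installation
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'
        ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*template-based certificate*' } |
    Select-Object TimeCreated, Id, Message

# If TemplateMatches is false or IsSelfSigned is true, run "Restart-Service SessionEnv",
# wait a minute and re-run this script before troubleshooting the CEP/SCEPman side.
[pscustomobject]@{
    PolicyTemplateName  = $configuredTemplate
    PolicySecurityLayer = $securityLayer
    SecurityLayerIsSSL  = ($securityLayer -eq 2)
    ListenerThumbprint  = $thumbprint
    CertificateSubject  = $cert.Subject
    CertificateIssuer   = $cert.Issuer
    CertificateNotAfter = $cert.NotAfter
    IsSelfSigned        = $isSelfSigned
    TemplateExtension   = $templateText
    TemplateMatches     = ($templateText -like "*$TemplateName*")
    CertificateEvents   = $events
} | Format-List
```

A healthy host shows SecurityLayerIsSSL true, IsSelfSigned false, an issuer belonging to your SCEPman CA and TemplateMatches true. A self-signed certificate bound to the listener after a SessionEnv restart usually means the template lookup in Active Directory (step 1) or the SCEPman setting (step 2) is not in place yet.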
