Practically all instructions on enabling certificates for Remote Desktop server authentication (and configuring auto-enrollment through Group Policy) say that you should create a new certificate template (named "RemoteDesktopComputer" or similar), adding only the RDP-specific OID 1.3.6.1.4.1.311.54.1.2 as an extendedKeyUsage.
However, some third-party clients always expect the certificate to have a "TLS server" extendedKeyUsage and have issues verifying servers which only have this OID. So I would much rather use a generic TLS certificate for RDP as well.
Will there be any operational issues if I don't use a custom template, but instead specify the built-in 'Computer' template in the GPO setting? (The one under "Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security".)
Will there be any operational issues if the GPO also has certificate enrollment under "Public Key Policies/Automatic Certificate Request Settings" enabled for the same 'Computer' template? Will this possibly cause the computer to get two redundant certificates based on the same template?
Will there be any security issues due to computers using their generic 'Computer' certificate (with the standard "TLS server" OID) for serving Remote Desktop?
Automatic Certificate Request Settings (ACRS) only enrolls V1 certificate templates (Windows 2000 only supported this method). These are inflexible.
In general, any certificate including an EKU of Server Authentication (and containing a subject and/or SAN containing the DNS name the RDP client is validating against) should be usable for Remote Desktop-class certificates.
Should you use a separate certificate? It depends on the security profile of the certificates you're deploying to the machine.
If you use the generic Computer template, you will lose automatic certificate binding to the RDP port. You will have to manually monitor certificate expiration and re-binding on every RDP-enabled machine.
There are no security differences between RDP-dedicated and generic Computer; it is all about maintenance. With a dedicated certificate template, everything is done automatically as long as the GPO is configured. With a generic certificate that doesn't meet certain requirements, you will have to do RDP certificate provisioning manually.
Add two entries in EKU: RDP Authentication and Server Authentication.
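Added example (not part of the question or any answer above): a PowerShell check, run elevated on the RDP host, that reports which certificate the listener is presenting, whether it carries the Server Authentication and Remote Desktop Authentication EKUs discussed here, and how long until it expires. The listener name `RDP-Tcp` and the 30-day warning threshold are assumptions.

```powershell
# Added example: audit the certificate bound to the local RDP listener.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication ("TLS server")
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (OID from the question)
$WarnDays      = 30                          # assumed renewal-warning threshold

# Thumbprint that Remote Desktop Services presents on the default listener (assumed name: RDP-Tcp)
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash

# CA-issued certificates live in LocalMachine\My; the self-signed fallback is in "Remote Desktop"
$cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object Thumbprint -eq $thumb | Select-Object -First 1
if (-not $cert) { throw "Listener references thumbprint $thumb, but no such certificate was found." }

# Collect EKU OIDs; a certificate with no EKU extension is not restricted to any purpose
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    DnsNames      = ($cert.DnsNameList.Unicode -join ', ')   # names a client can validate against
    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
    HasServerAuth = ($ekus -contains $ServerAuthOid)
    HasRdpAuth    = ($ekus -contains $RdpAuthOid)
    NotAfter      = $cert.NotAfter
    DaysLeft      = $daysLeft
    RenewSoon     = ($daysLeft -lt $WarnDays)
}
```

Collecting this output from every RDP-enabled machine on a schedule gives the expiration and binding monitoring that one answer says becomes a manual task with a generic certificate.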