Managing RDP Server certificates in Windows Server

While creating an RDP Server in Fudo Enterprise, you can specify the server verification method either by getting the server certificate or by importing the CA certificate. Follow the manual below to manage those certificates in the Windows Server environment.


Locating the Server Certificate in Windows Server

Follow one of the scenarios below to locate the certificate retrieved by Fudo Enterprise from the Windows Server during the RDP server creation.


Locating the Server Certificate in Certificate Manager Tool:

You can locate the certificate retrieved by Fudo Enterprise from the Windows Server in the Certificate Manager tool. To view the certificate, follow the steps below:

  1. Select Run from the Start menu in Windows Server, and then enter certlm.msc.
  2. The Certificate Manager tool for the local device appears.
  3. To view your certificate, expand the Remote Desktop > Certificates directory under Certificates - Local Computer in the left pane of the Certificate Manager tool window.

Locating the Server Certificate by the Serial Number:

You can also locate the certificate used by Fudo Enterprise by extracting the certificate’s serial number.

  1. After clicking the ‘Get certificate’ button, Fudo Enterprise connects to the specified address and port to retrieve the certificate. A similar action can be performed from the command line by invoking the command below:

    openssl s_client -connect address:port
    

    Example:

    openssl s_client -connect 10.0.133.4:3389
    
  2. The response contains the server certificate. Extract its serial number by typing the command below and providing the obtained certificate content (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) on its standard input:

    openssl x509 -noout -serial
    
    
  3. This results in the certificate’s serial number, which you can use to search for the exact certificate in the Certificate Manager tool:

    serial=41EB33A67D4F9A884AFFBD1615E11EDD
    
  4. Copy the extracted serial number and go to the Windows Server.

  5. Select Run from the Start menu, and then enter certlm.msc to open the Certificate Manager tool.

  6. Go to Action > Find Certificates...

  7. Enter the copied serial number in the Contains field and select Serial Number from the Look in Field drop-down list.

  8. Click Find Now.
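The same lookup can be scripted on the Windows Server. The script below is an added example and is not part of the Fudo Enterprise manual: it takes the serial printed by openssl, finds the matching certificate in the local machine stores, and reports whether it is the one the RDP-Tcp listener actually presents (the listener stores that certificate's SHA1 thumbprint in Win32_TSGeneralSetting). The default serial is the constructed sample value from the steps above; run it in an elevated PowerShell session.

```powershell
# Added example, not part of the Fudo Enterprise manual. Run elevated on the
# Windows Server. $Serial is the value printed by "openssl x509 -noout -serial";
# the default is the constructed sample serial used in the manual.
param([string]$Serial = '41EB33A67D4F9A884AFFBD1615E11EDD')

# openssl prints upper-case hex and certlm shows lower-case, so compare
# case-insensitively; also drop a copied "serial=" prefix or any separators.
$wanted = ($Serial -replace '^serial=', '' -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# The RDP-Tcp listener records the SHA1 thumbprint of the certificate it
# presents to clients; this is the certificate Fudo's "Get certificate" sees.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$listenerHash = $listener.SSLCertificateSHA1Hash

# Stores an RDP certificate normally lives in: the self-signed one in
# "Remote Desktop", a CA-issued (template) one in "Personal" (My).
$stores = 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My'
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $wanted } |
        ForEach-Object {
            [pscustomobject]@{
                Store             = $store
                Subject           = $_.Subject
                Issuer            = $_.Issuer
                NotAfter          = $_.NotAfter
                Thumbprint        = $_.Thumbprint
                UsedByRdpListener = ($_.Thumbprint -eq $listenerHash)
                # 1.3.6.1.4.1.311.54.1.2 is the Remote Desktop Authentication EKU
                HasRdpEku         = ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.54.1.2')
            }
        }
}

if (-not $found) {
    Write-Warning "No certificate with serial $wanted in $($stores -join ', '); the listener uses thumbprint $listenerHash"
} else {
    $found | Format-List
}
```

If UsedByRdpListener is false for every match, the serial you copied belongs to a certificate that is installed but not bound to the listener, which explains a verification mismatch on the Fudo side.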

Providing the CA Certificate

Note

  • This is a conceptual guide that outlines the fundamental setup of a CA for the RDP protocol. The necessary steps may vary depending on the initial settings of the environment in which you are working.
  • To prepare a CA certificate for use in Fudo Enterprise, an internal Certificate Authority with an RDP certificate template that issues RDP certificates needs to be deployed on the network.

Install the Certificate Authority on Windows Server:

To install the Certificate Authority on Windows Server, follow the default configuration as specified in the manufacturer’s manual.

Note

For the procedure outlined in the manual below, the Enterprise CA option was selected.

Create a Template for RDP Certificate:

  1. Open the Certification Authority console from the Server Manager by clicking Tools > Certification Authority in the upper right corner of the window.
  2. Right-click on Certificate Templates and choose Manage.
  3. Find the Computer template, right-click on it and choose Duplicate Template.
  4. In the General tab, enter the name for the new template and specify the validity and renewal period according to your needs.
  5. In the Compatibility tab, choose Windows Server 2003 from the Certification Authority drop-down list and Windows XP / Server 2003 from the Certificate recipient drop-down list.
  6. In the Request Handling tab, set the Purpose to Signature and encryption and check Allow private key to be exported.
  7. In the Cryptography tab:

    • set the Provider Category to Legacy Cryptographic Service Provider,
    • set the Algorithm name to Determined by CSP,
    • set the Minimum Key Size according to your organisation’s security requirements (e.g., 1024),
    • choose the Request must use one of the following providers option and select Microsoft RSA SChannel Cryptographic Provider.
  8. In the Key Attestation tab, leave the default settings.
  9. In the Server tab, leave the default settings.
  10. In the Security tab, add the computers and groups that should be able to enroll for this template. Check that the group or user you are using has the Read, Write and Enroll permissions enabled; they are needed to request a certificate using this template in the next steps.
  11. In the Extensions tab, edit the Application Policies.
  12. Remove the Server Authentication and Client Authentication policies.
  13. Add a new policy by clicking Add, and then New in the next window.
  14. In the Name field enter Remote Desktop Authentication and in the Object identifier field type 1.3.6.1.4.1.311.54.1.2.
  15. Click OK three times to return to the Properties of New Template window.
  16. In the Subject Name tab, select the Build from this Active Directory information option and then DNS name.
  17. In the Issuance Requirements tab, leave the default settings.
  18. Click OK to save the created template. Close the Certificate Templates Console.
  19. Go back to the Certification Authority window. Right-click on Certificate Templates and choose New > Certificate Template to Issue.
  20. Select the created template and click OK.

Configure a GPO to Deploy the Template

  1. Press Win + R, type gpmc.msc, and press Enter to open Group Policy Management on the server.
  2. Create a new Group Policy Object (GPO) or navigate to the GPO you are going to edit. In this example we will create a new one.
  3. Right-click on the domain name and choose Create a GPO in this domain, and Link it here…
  4. Provide a name for the new GPO (e.g., rdp) and click OK.
  5. Right-click on the name of the created GPO and select Edit….
  6. In the Group Policy Management Editor navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
  7. Double-click Server authentication certificate template to edit this setting.
  8. Select the Enabled option and enter the name of the template created in the previous steps into the Certificate Template Name field.
  9. Click OK.
  10. Double-click Require use of specific security layer for remote (RDP) connections to edit this setting.
  11. Select the Enabled option and choose SSL from the Security Layer drop-down menu.
  12. Click OK.
  13. If needed, link the GPO to the OU containing the servers / desktops that need RDP certificates. They will auto-enroll when Group Policy is updated.

Enroll the RDP Certificate

  1. Press Win + R, type certlm.msc, and press Enter to open the Certificate Manager tool for the local device.
  2. Navigate to Personal > Certificates.
  3. Right-click in the manager window and select All Tasks > Request New Certificate….
  4. Click Next on the Before You Begin and on the Select Certificate Enrollment Policy tabs.
  5. On the Request Certificate tab, select the template created in previous steps and click Enroll.
  6. Copy the enrolled certificate to the Trusted Root Certification Authorities > Certificates directory.

Export the CA Certificate

  1. Press Win + R, type certlm.msc, and press Enter to open the Certificate Manager tool for the local device.
  2. Navigate to Trusted Root Certification Authorities > Certificates.
  3. Right-click on your Root Certification Authority certificate and select All Tasks > Export….
  4. Click Next.
  5. Select the Base-64 encoded X.509 (.CER) format and click Next.
  6. Specify the name and location for the exported certificate.
  7. Click Next and Finish to save the file.
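Before uploading the exported file to Fudo Enterprise, it is worth confirming on the Windows Server that the certificate bound to the RDP listener really chains to that CA and carries the Remote Desktop Authentication EKU set in the template, because this is exactly what Fudo checks when CA certificate is the chosen server verification method. The script below is an added example, not part of the manual; $CaFile is a hypothetical path to the .CER exported above, and the script must run elevated.

```powershell
# Added example, not part of the Fudo Enterprise manual. Run elevated on the
# Windows Server. $CaFile is a hypothetical path to the Base-64 .CER exported
# in the "Export the CA Certificate" steps.
param([string]$CaFile = 'C:\Temp\rdp-root-ca.cer')

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile

# Thumbprint of the certificate currently bound to the RDP-Tcp listener
$hash = (Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
$rdp = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
if (-not $rdp) { throw "No certificate with thumbprint $hash in the local machine stores" }

# Build the chain with the exported CA as an extra trust anchor and require the
# Remote Desktop Authentication EKU (the OID entered in the template above).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
[void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.4.1.311.54.1.2'))
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# AllowUnknownCertificateAuthority lets Build() complete even when the machine
# does not trust the CA; the explicit root thumbprint comparison below decides.
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$built = $chain.Build($rdp)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    ListenerCertificate   = $rdp.Subject
    ExpiresOn             = $rdp.NotAfter
    ChainBuilt            = $built
    ChainStatus           = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    ChainEndsAtExportedCA = ($root.Thumbprint -eq $ca.Thumbprint)
}
```

ChainEndsAtExportedCA false together with ChainBuilt true means the listener still presents the self-signed certificate or one issued by a different CA, so the GPO or enrollment step has not taken effect yet.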

Create User in Fudo:

  1. Select Management > Users and then click Add user.
  2. Enter the user name (e.g., ‘User1’).
  3. In the Settings tab, under the Safes section, select portal.
  4. Click Save.
  5. Go to the Authentication section and from the Add authentication method drop-down list select Static password.
  6. Provide the password and click Save.
  7. If necessary, fill in the remaining parameters as needed for your specific configuration. For more details, refer to the Creating a user section.
  8. Click Save and close.

Configure RDP Server:

  1. Select Management > Servers and then click + Add server.
  2. Enter the server’s unique name (e.g., ServerRDP).
  3. In the Permissions section, add users allowed to manage this object.
  4. In the Settings section, select RDP from the list of available protocols.
  5. Select the TLS enabled and NLA enabled options.
  6. In the Destination section select IPv4 and enter the IP address of the server for which you wish to set up an RDP connection.
  7. In the Server verification section select CA certificate and upload the exported CA certificate file.
  8. Click Save and close.

Configure Account:

  1. Select Management > Accounts and then click Add.
  2. Define the object’s name (e.g., CA-account).
  3. Select regular from the Type drop-down list.
  4. Go to the Server / Pool section and from the drop-down list select the server created in the previous step (e.g., ServerRDP) to assign the created account to this server.
  5. In the Credentials section provide the Domain and Login used to authenticate on the server.
  6. From the Replace secret with drop-down list select password, and provide the password used to authenticate on the server.
  7. Click Save.

Configure Listener:

  1. Select Management > Listeners and then click Add listener.
  2. Enter the listener’s unique name (e.g., RDP-bastion).
  3. Go to the Permissions tab and add users allowed to manage this listener (e.g., User1).
  4. Go to the Settings tab and press the RDP button in the Protocol field.
  5. Select the TLS enabled option to enable encryption.
  6. Check the NLA enabled option for additional security.
  7. In the Connection mode section, select bastion.
  8. Set the local address to any and the port to 3389.
  9. In the Server certificate field, click Generate certificate to generate the TLS certificate by choosing the key algorithm and providing the Common Name (the server name where the certificate is installed).
  10. Click Save and close.

Configure Safe:

  1. Select Management > Safes and then click Add.
  2. Enter the object’s name (e.g., SafeRDP).
  3. Select the Web Client option to allow connecting to the session in a browser.
  4. Select the Users tab to assign users allowed to access accounts assigned to this safe.

    • Click Add user, and then click the button next to User1, which was created in the previous steps, to enable server access over the monitored safe.
    • Click ok to close the modal window.
  5. Select the Accounts tab to add the account accessible through this safe.

    • Click Add account, and then click the button next to CA-account, which was created in the previous steps.
    • Click ok to close the modal window.
    • Click the listener button to assign a listener to the account.
    • Click the button next to RDP-bastion, created in the previous steps, to add the listener.
    • Click ok to close the modal window.
  6. Click Save.

Establish a session:

  1. Log in to the Fudo Enterprise Access Gateway using User1 as the username and the password provided during the creation of this user.
  2. Hover the cursor over the CA-account name and select Web client to start the session.
