Securing RDS with certificates

In this post I’ll go through the process to implement certificates in a Microsoft RDS farm with Windows 2008 R2. It assumes that the RDS Gateway, Session Broker, Web Access and Session Host servers are installed and configured with remote apps already working.

The process describes how to generate the certificate request from a Windows 2008 R2 server, generate a Personal Information Exchange certificate so the same certificate can be used to sign RDP files on other servers that are part of the same rds farm; and configure the RDP connection and RemoteApp to use the certificate for server authentication and sign RDP files.

Note that during the process of generating the Personal Information Exchange the private key will be removed from the server where the server certificate was generated and stored with the .PFX file being password protected; this is done to protect the private key for the certificate.

Creating a Certificate Signing Request

Open Microsoft Management Console (mmc) and add the Certificates snap-in configured for the local computer. From the Personal store under Certificates (Local Computer), select All Tasks\Advanced Operations\Create Custom Request…

This will bring up the Certificate Enrollment window. Press Next once and it will prompt you to Select Certificate Enrollment Policy. Select Proceed without enrollment policy under Custom Request. On the Custom Request page select the following options:

  • Template: (No Template) Legacy key
  • Request format: PKCS #10

UPDATE: if you still have XP clients on your network then select CNG Key in the Template field, as per Rod's comment below.

Then press Next.

For the Certificate Information step, press the arrow on the right-hand side of Details and then select Properties.

On the Certificate Properties window enter a Friendly name and Description.

On the Subject tab you will need to add the following properties; they are shown below with example values only. The Common Name is the FQDN of the RDS farm:

  • Common Name (CN) = rds.lab.local
  • Organizational Unit (OU) = IT
  • Organization (O) = The sheep network
  • Locality (L) = London
  • Country (C) = GB

You can change the values as required; make sure that the CN matches the DNS name of the RDS farm. Note also that these are the minimum options required.

Open the Extensions tab, expand Extended Key Usage (Application policies) and add Server Authentication and Code signing as selected options.

Select the Private Key tab, expand Key options, select 2048 (or any other key size you require) as the key size and tick Make private key exportable, then press OK.

Select where to save the request and also select Base 64 as the file format.

Unless the RDS farm name changes or the certificate expires, the CSR only needs to be completed once. After the certificate request is signed by a Certification Authority (CA), whether Entrust or a private CA, the same certificate can be used on the other RDS servers; but it must first be installed on the server where the request was made, so that it can be exported with its private key, and it is this certificate with the private key (.pfx) that will be imported to the other RDS servers in the farm.

Import Certificate

Once the certificate has been generated by the CA, it will need to be imported into the server where the certificate request was generated.

Open mmc and add the Certificates snap-in to the local computer. From the Personal store under Certificates (Local Computer) select Import …

On the Certificate Import Wizard window type the location and name of the certificate, or Browse to its location, then press Next.

Verify that the certificate store is Personal.

Verify everything and press Finish.

If the import was successful you will notice that in the store the certificate has a small key on its icon; if this isn't the case then this server isn't the server where the request was created and the certificate should be removed.

Export Personal Information Exchange (.PFX)

For a certificate to be used for code signing it needs to have a private key; this can be obtained from the server where the certificate was requested and imported, and it is identified by a small key on the certificate icon in the Personal store. To start the export, select the certificate, right-click and select All Tasks\Export…

Note the presence of a key in the certificate icon.

Press Next once and this will bring up the Export Private Key step of the wizard; select Yes, export the private key, then press Next.

Select Personal Information Exchange – PKCS #12 (.PFX) as the Export File Format, and tick Include all certificates in the certification path if possible and Delete the private key if the export is successful.

Enter a strong password to protect the certificate with the private key. Remember that this certificate will be imported on the other RDS session host servers.

Select or type the location to export the certificate to and save it as .pfx.

Finally verify the settings, make sure Export key is Yes, and press Finish.

Keep the password and .PFX in a safe location as they are required to install the certificate on other machines.

Import Personal Information Exchange (.PFX)

To import the Personal Information Exchange certificate use the same procedure as described in Import Certificate, but select the .pfx file when prompted for the File to Import; if using Browse, change the file type to Personal Information Exchange.

You will be prompted for the certificate password. Do not check Mark this key as exportable, as this can be a security risk.

Refer to Import Certificate for further instructions.

Signing RDP files

On the RDS server open RemoteApp Manager, locate the Digital Signature Settings and press Change.

On the RemoteApp Deployment Settings window tick the Sign with a digital certificate in the Digital Signature tab, and then press Change.

A Windows Security window will pop up with a list of valid certificates; select the certificate generated previously and press OK.

Back on the RemoteApp Deployment Settings window the information about the certificate being used will show under the Digital certificate details area. Press Apply and then Ok.

The RemoteApp Manager main window will now display a green check and Signing as, followed by the certificate name, under Digital Signature Settings.

RDP server authentication

This will change the certificate presented to the clients by the RDS server.

On the RDS server open Remote Desktop Session Host Configuration and select the connection whose certificate you want to change (by default there is only one connection, RDP-Tcp), then double-click on it.

On the General tab of the properties window press Select.

A Windows Security window will pop up with a list of valid certificates; select the certificate generated previously and press OK.

The properties window will now display the certificate being used. Press Apply and then Ok.
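As an added check that is not part of the original post, the following PowerShell script verifies on an RDS host that the deployed certificate meets the requirements described above (private key present, Server Authentication and Code Signing EKUs, 2048-bit key, currently valid, key not exportable on the hosts that imported the .PFX) and that the RDP-Tcp listener actually presents it. It assumes PowerShell 2.0 on Windows 2008 R2 run elevated, and the farm FQDN `rds.lab.local` is a placeholder taken from the example CN.

```powershell
# Added verification script (not from the original post). Assumes PowerShell 2.0,
# run elevated on an RDS session host; $FarmFqdn is a placeholder for the farm's CN.
$FarmFqdn = 'rds.lab.local'

$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing

# Locate the newest certificate in the local computer's Personal store whose CN is the farm name.
$pattern = 'CN=' + [regex]::Escape($FarmFqdn) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$FarmFqdn found in LocalMachine\My" }

$problems = @()

# 1. Private key must be present (the small key on the certificate icon in the post).
if (-not $cert.HasPrivateKey) { $problems += 'private key is missing' }

# 2. Extended Key Usage must include both Server Authentication and Code Signing.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $ServerAuthOid)  { $problems += 'EKU lacks Server Authentication' }
if ($ekus -notcontains $CodeSigningOid) { $problems += 'EKU lacks Code Signing' }

# 3. Key size of at least 2048 bits, as chosen on the Private Key tab of the request.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems += "key size is only $keySize bits" }

# 4. The certificate must be within its validity period.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'certificate is not currently valid' }

# 5. On hosts that imported the .PFX the key should not be exportable.
#    CspKeyContainerInfo exists only for legacy (CSP) keys, which the post's request uses.
if ($cert.HasPrivateKey -and $cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    $problems += 'private key is marked exportable'
}

# 6. The RDP-Tcp listener should present this certificate (Win32_TSGeneralSetting.SSLCertificateSHA1Hash).
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
if ($listener.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    $problems += "RDP-Tcp listener uses thumbprint $($listener.SSLCertificateSHA1Hash), expected $($cert.Thumbprint)"
}

if ($problems.Count -eq 0) { "OK: $($cert.Subject) ($($cert.Thumbprint)) passes all checks" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

On the server where the CSR was created, check 1 will report the key as missing after the export with Delete the private key, which is the intended state described earlier in the post.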