DavidB
Thu Jul 03 07:45:00 CDT 2008
On Jul 1, 4:06 am, "S. Pidgorny <MVP>" <slavi...@yahoo.com> wrote:
> Yes, you can put the short name and IP as SANs; no restrictions there, I think.
> As to fast and easy way of enrolling - install the Web pages. Having the
> pages installed doesn't compromise security (if you're eccentricalyy
> paranoid - only bind Web services to 127.0.0.1, restricting access to the
> console)
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> *http://sl.mvps.org* *http://msmvps.com/blogs/sp*
>
> "DavidB" <bidd...@gmail.com> wrote in message
>
> news:1dcddb0f-6518-4e8d-9239-99fc3bfdc67a@8g2000hse.googlegroups.com...
>
>
>
> > Cross posting from microsoft.public.security.crypto:
>
> > I need to issue some certificates to my terminal servers so I can
> > secure RDP sessions. I want to use negotiate TLS and I want to
> > get rid of the warning messages from the new RDP client. I've been
> > having a difficult time issuing a certificate which will have all the
> > names I need for a particular server.
>
> > The default certificate only includes the FQDN of the server, which is
> > not too smart in my opinion because locally connected machines use the
> > common or short name or IP address to connect up.
>
> > From Exchange 2007 certificates I know that we need a SAN or subject
> > alternative name to get these to authenticate correctly. I wanted to
> > enter the dns entry for the server short name and the ip address if
> > possible to the SAN.
>
> > I can't get these issued correctly using the mmc console because it
> > just streamlines the process and never asks me for the SAN entries.
> > I've tried the command line certreq but that certificate always gets
> > issued to the administrator and the terminal server won't allow me to
> > use it! I don't have the IIS pages installed for security.
>
> > Anyone else run into this issue and solve it? Driving me nuts!!
>
> > Thanks in advance,
> > DavidB
The web pages worked. I created a duplicate of the Web Server
template and added client authentication. I also chose the option to
specify the SAN entries instead of pulling them from Active
Directory. It took a few tries, but I finally got the syntax correct;
in the attributes box for the web enrollment I had to enter
"SAN:dns=svr&dns=svr.domain.com&ipaddress=x.x.x.x"
Once I installed the certificate, I assigned it to the RDP protocol
and chose to negotiate security. Now the short name and FQDN don't
generate errors when connecting via RDP. I was hoping to also use
the IP address without error, but that didn't work. Perhaps entering
another "&dns=x.x.x.x" would get around that.
Thanks again for your help!
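The same result can be had without installing the web enrollment pages, using the certreq route the original question mentioned. The script below is an added example and is not code from the thread or from Microsoft; it writes a certreq INF that carries the same SAN entries (short name, FQDN and IP address) as the attribute string above, submits the request to an enterprise CA, and binds the issued certificate to the RDP-Tcp listener with the Negotiate security layer. The CA config string "ca01.domain.com\Domain CA", the template name "RDPServer" (assumed to be a duplicate of Web Server with the subject supplied in the request) and the address 10.0.0.5 are placeholders. MachineKeySet = TRUE is what puts the key and certificate in the computer store rather than the requesting user's store, which is what the RDP listener requires. Run it elevated on the terminal server.

```powershell
# Added example, not from the original thread. Assumed: CA "ca01.domain.com\Domain CA",
# template "RDPServer" (Web Server duplicate, subject supplied in request), IP 10.0.0.5.
$Hostname = $env:COMPUTERNAME.ToLower()                                       # e.g. "svr"
$Fqdn     = [System.Net.Dns]::GetHostEntry($Hostname).HostName.ToLower()      # e.g. "svr.domain.com"
$IPv4     = '10.0.0.5'                  # assumed listener address
$CAConfig = 'ca01.domain.com\Domain CA' # assumed; "certutil -config - -ping" shows the real one
$Template = 'RDPServer'                 # assumed template name

# INF for certreq. Extension 2.5.29.17 is subjectAltName; the {text} form takes the
# same dns=/ipaddress= entries the web-enrollment attribute box accepts.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "RDP TLS $Fqdn"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
_continue_ = "dns=$Fqdn&"
_continue_ = "ipaddress=$IPv4"

[RequestAttributes]
CertificateTemplate = $Template
"@

$work = Join-Path $env:TEMP 'rdpcert'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$inf | Set-Content -Path "$work\rdp.inf" -Encoding ASCII

# Generate the key and PKCS#10 request, submit to the CA, install the issued certificate.
certreq -new    "$work\rdp.inf" "$work\rdp.req"
certreq -submit -config $CAConfig "$work\rdp.req" "$work\rdp.cer"
certreq -accept "$work\rdp.cer"

# Pick the certificate just installed and confirm the SAN is really present before binding it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq "RDP TLS $Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate was not installed into LocalMachine\My" }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw "Issued certificate has no subjectAltName; check the template" }
Write-Host "Issued $($cert.Thumbprint) with SAN:`n$($san.Format($true))"

# The listener runs as NETWORK SERVICE and must be able to read the private key,
# otherwise it silently falls back to the self-signed certificate.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
icacls $keyPath /grant 'NT AUTHORITY\NETWORK SERVICE:R' | Out-Null

# Bind to RDP-Tcp. SecurityLayer 1 = Negotiate (TLS when the client supports it), 2 = TLS only.
$rdp = Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$rdp.SetSecurityLayer(1) | Out-Null
Set-WmiInstance -Path $rdp.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Read back what the listener will actually present.
Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'" | Select-Object TerminalName, SecurityLayer, SSLCertificateSHA1Hash
```

Two points worth keeping in mind. A template whose subject is supplied in the request means the CA issues whatever names the requester types in, so restrict Enroll permission on the duplicated template to the terminal servers (or the admins who enroll them) and do not enable the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag to get the same effect, since that lets every enrollee request arbitrary SANs on every template. And the RDP listener only needs the Server Authentication EKU; the Client Authentication EKU the post added to the template is harmless but not required.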