Using certificates in Remote Desktop Services
Remote Desktop Services uses certificates to authenticate the endpoints and to protect the communication between two computers. When a client connects to a server, the server proves its identity with its certificate, and the data the client sends is protected by the TLS session that the certificate establishes.
Using certificates for authentication prevents man-in-the-middle attacks. When the channel is set up between the client and the server, the certification authority that issued the certificate vouches that the server is the one named in it. As long as the client trusts that authority and the name in the certificate matches the name the client connected to, the data sent to and from the server can be considered protected.
Certificates in Remote Desktop Services need to meet the following requirements:
The certificate is installed in the local computer’s “Personal” certificate store.
The certificate has a corresponding private key.
The Enhanced Key Usage extension has a value of either “Server Authentication” or “Remote Desktop Authentication” (1.3.6.1.4.1.311.54.1.2). You can also use certificates with no Enhanced Key Usage extension.
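As an added example (not part of the original article), the following PowerShell enumerates the certificates in the local computer's Personal store that satisfy the three requirements above and binds one of them to the RDP-Tcp listener. It assumes an elevated session on the RD Session Host; selecting the first candidate is a placeholder, pick by thumbprint in practice.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session
# on the server whose RDP listener you want to configure.

$rdAuthOid     = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication
$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication (id-kp-serverAuth)

function Get-RdsEligibleCertificate {
    # Requirement 1: LocalMachine\My ("Personal") store
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        # Requirement 2: a usable private key, and not already expired
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (
            # Requirement 3: no EKU at all is acceptable ...
            $_.EnhancedKeyUsageList.Count -eq 0 -or
            # ... otherwise it must list Server Authentication or Remote Desktop Authentication
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -or
            ($_.EnhancedKeyUsageList.ObjectId -contains $rdAuthOid)
        )
    }
}

$candidates = Get-RdsEligibleCertificate
$candidates | Format-Table Thumbprint, Subject, NotAfter,
    @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } }

# Assumption: the first candidate is the one to deploy. In practice select by thumbprint.
$thumb = ($candidates | Select-Object -First 1).Thumbprint
if (-not $thumb) { throw 'No certificate in LocalMachine\My meets the RDS requirements' }

# Bind the certificate to the RDP-Tcp listener through the Terminal Services WMI provider.
$listener = Get-CimInstance -Namespace root/cimv2/TerminalServices `
                            -ClassName Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $thumb }

# Verify that the listener now references the chosen thumbprint.
(Get-CimInstance -Namespace root/cimv2/TerminalServices `
                 -ClassName Win32_TSGeneralSetting `
                 -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
```

The listener stores the SHA-1 thumbprint in upper-case hex without spaces, which is exactly what the `Thumbprint` property returns; a thumbprint copied from the certificate dialog with spaces or an invisible leading character will be rejected. New connections pick up the certificate immediately; existing sessions keep the old one until they reconnect.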
Create a Server Authentication certificate
As the name suggests, a certificate carrying the Server Authentication purpose is required. If your CA has no suitable template, you can duplicate the built-in Workstation Authentication template and add that purpose to it, as follows.
Here are the steps for creating the Server Authentication certificate from the template:
Open CERTSRV.MSC and configure certificates.
Open the Certificate Authority.
In the Details pane, expand the computer name.
Right-click Certificate Templates, and then click Manage. Right-click Workstation Authentication, and then click Duplicate Template.
On the General tab, change the Template display name to Client Server Authentication, and select Publish certificate in Active Directory.
On the Extensions tab, click Application Policies > Edit. Click Add, and then select Server Authentication. Click OK until you get back to the Properties page.
On the Security tab, select Allow Autoenroll next to Domain Computers. Click OK, and then close the Certificates Templates console.
In the certsrv snap-in right-click Certificate Templates, and then click New > Certificate Template.
Select Client Server Authentication (the template you just created), and then click OK.
You can validate that the certificate was created in the Certificates MMC snap-in. When you open the new certificate, the General tab of the certificate will list the purpose as “Server Authentication.”
The easiest way to get certificates, if you control the client computers, is by using Active Directory Certificate Services. You can request and deploy your own certificates, and they will be trusted by every computer in the AD domain.
If you are going to let users connect externally, and their computers are not part of your AD domain, you need to deploy certificates from a public CA, such as GoDaddy, Verisign, Entrust, Thawte, or DigiCert.
Certificate contents
In Windows Server 2008 and 2008 R2, you connect to the farm name. DNS round robin first directs you to the redirector, then to the connection broker, and finally to the server that hosts your session.
In Windows Server 2012, you connect to the connection broker, which routes you to the collection by using the collection name.
The certificates you deploy need to have a subject name or subject alternative name that matches the name of the server the user is connecting to. For the RD Publishing role, the certificate needs to contain the names of all the RD Session Host servers in the collection. The certificate for RD Web Access needs to contain the FQDN or the URL that users type, based on the name they connect to: if users connect externally, this must be the external name (it has to match what they connect to); if users connect internally to RD Web Access, the name must match the internal name. For Single Sign-On, the subject name needs to match the servers in the collection.
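As an added example (not part of the original article), this PowerShell checks whether a certificate's subject and subject alternative names cover the names each Remote Desktop role is reached by, including a wildcard matched only on the left-most label as TLS clients do. The role names follow the RemoteDesktop module's Set-RDCertificate roles; the host names and the thumbprint are constructed placeholders.

```powershell
# Added example, not from the original article. Host names and thumbprint are placeholders.

$required = @{
    # Role -> every name that must appear in the certificate's CN or SAN list
    'RDWebAccess'  = @('rdweb.contoso.com')                          # URL users browse to
    'RDRedirector' = @('rdcb.contoso.com')                           # connection broker (2012 and later)
    'RDPublishing' = @('rdsh01.contoso.com', 'rdsh02.contoso.com')   # every RDSH in the collection
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CN from the subject plus the PowerShell-exposed SAN DNS list, de-duplicated
    $names  = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $names += $Cert.DnsNameList.Unicode
    $names | Where-Object { $_ } | Select-Object -Unique
}

function Test-CertificateCoversNames {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$Names
    )
    $have = Get-CertificateNames -Cert $Cert
    foreach ($n in $Names) {
        $covered = $have | Where-Object {
            $_ -ieq $n -or
            # "*.contoso.com" covers "rdsh01.contoso.com" but not "a.b.contoso.com" or "contoso.com"
            ($_.StartsWith('*.') -and $n -imatch ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
        }
        [pscustomobject]@{ Name = $n; Covered = [bool]$covered }
    }
}

$thumb = 'REPLACE-WITH-THUMBPRINT'    # assumption: thumbprint of the certificate you intend to deploy
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"

foreach ($role in $required.Keys) {
    "== $role =="
    Test-CertificateCoversNames -Cert $cert -Names $required[$role] | Format-Table -AutoSize
}
```

Run this before assigning the certificate with Set-RDCertificate; a name reported as not covered is exactly the one that will produce a name-mismatch warning for users.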
For example, imagine a Remote Desktop deployment with the following computers:
Get SSL Certificate from Server (Site URL) – Export & Download
Someday you may need to get the SSL certificate of a website and save it locally.
For example, you could get an error saying that you can’t clone a Git repository due to a self-signed certificate and to resolve this issue you would need to download the SSL certificate and make it trusted by your Git client.
In the following article I show how to export the SSL certificate from a server (site URL) using the Google Chrome, Mozilla Firefox and Internet Explorer browsers, as well as how to get the SSL certificate from the command line using the openssl command.
Export SSL Certificate
Google Chrome
Export the SSL certificate of a website using Google Chrome:
- Click the Secure button (a padlock) in the address bar
- Click the Show certificate button
- Go to the Details tab
- Click the Export button
- Specify the name of the file you want to save the SSL certificate to, keep the “Base64-encoded ASCII, single certificate” format and click the Save button
Mozilla Firefox
Export the SSL certificate of a website using Mozilla Firefox:
- Click the Site Identity button (a padlock) in the address bar
- Click the Show connection details arrow
- Click the More Information button
- Click the View Certificate button
- Go to the Details tab
- Click the Export button
- Specify the name of the file you want to save the SSL certificate to, keep the “X.509 Certificate (PEM)” format and click the Save button
Internet Explorer
Download and save the SSL certificate of a website using Internet Explorer:
- Click the Security report button (a padlock) in the address bar
- Click the View Certificate button
- Go to the Details tab
- Click the Copy to File. button
- Click the Next button
- Select the “Base-64 encoded X.509 (.CER)” format and click the Next button
- Specify the name of the file you want to save the SSL certificate to
- Click the Next and the Finish buttons
OpenSSL
Get the SSL certificate of a website using the openssl command:
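The openssl command itself is not reproduced on this page. As an added example (not the author's code), the same retrieval done from PowerShell with .NET, so it works on a Windows host without openssl installed: it opens a TLS connection with SNI, reads the certificate the server presents, and writes it as Base64 PEM, the same format the browser exports above produce. The host name is a placeholder for the self-signed Git server from the introduction.

```powershell
# Added example, not from the original post. Host name is a placeholder.

function Get-RemoteCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server presents: we are retrieving the certificate, not trusting it.
        # Never reuse this callback for a real connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)   # sends SNI so a virtual host returns the right cert
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

function Export-CertificatePem {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Path
    )
    # DER -> Base64 in 64-column lines, as PEM readers expect
    $b64   = [Convert]::ToBase64String($Cert.Export('Cert'))
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
    Set-Content -Path $Path -Value $pem -Encoding ascii -NoNewline
}

$cert = Get-RemoteCertificate -HostName 'git.example.com'   # assumption: your self-signed Git host
$sha256 = [BitConverter]::ToString(
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)) -replace '-'

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $sha256"
Export-CertificatePem -Cert $cert -Path (Join-Path $PWD 'git.example.com.crt')
```

Before pointing Git at the saved file (for example with `git config http.sslCAInfo`), compare the printed SHA-256 fingerprint with the value obtained from the server's administrator over another channel; an attacker who can intercept this retrieval can hand you their own certificate just as easily as the real one. The function returns only the leaf certificate; if the server is signed by a private CA and you want the chain, retrieve the issuer certificates separately.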
Managing SSL Certificates in AD FS and WAP in Windows Server 2016
This article describes how to deploy a new SSL certificate to your AD FS and WAP servers.
The recommended way to replace the SSL certificate going forward for an AD FS farm is to use Azure AD Connect. For more information see Update the SSL certificate for an Active Directory Federation Services (AD FS) farm
Obtaining your SSL Certificates
For production AD FS farms a publicly trusted SSL certificate is recommended. This is usually obtained by submitting a certificate signing request (CSR) to a third party, public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or higher PC. Your vendor should have documentation for this.
How many certificates are needed
It is recommended that you use a common SSL certificate across all AD FS and Web Application Proxy servers. For detailed requirements see the document AD FS and Web Application Proxy SSL certificate requirements
SSL Certificate Requirements
For requirements including naming, root of trust and extensions see the document AD FS and Web Application Proxy SSL certificate requirements
Replacing the SSL certificate for AD FS
The AD FS SSL certificate is not the same as the AD FS Service communications certificate found in the AD FS Management snap-in. To change the AD FS SSL certificate, you will need to use PowerShell.
First, determine which certificate binding mode your AD FS servers are running: default certificate authentication binding, or alternate client TLS binding mode.
Replacing the SSL certificate for AD FS running in default certificate authentication binding mode
AD FS by default performs device certificate authentication on port 443 and user certificate authentication on port 49443 (or a configurable port that is not 443). In this mode, use the PowerShell cmdlet Set-AdfsSslCertificate to manage the SSL certificate.
Follow the steps below:
First, you will need to obtain the new certificate. This is usually done by submitting a certificate signing request (CSR) to a third party, public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or higher PC. Your vendor should have documentation for this.
Once you get the response from your certificate provider, import it to the Local Machine store on each AD FS and Web Application Proxy server.
On the primary AD FS server, use the following cmdlet to install the new SSL certificate:
The certificate thumbprint can be found by executing this command:
Additional Notes
- The Set-AdfsSslCertificate cmdlet is a multi-node cmdlet; this means it only has to run from the primary and all nodes in the farm will be updated. This is new in Server 2016. On Server 2012 R2 you had to run Set-AdfsSslCertificate on each server.
- The Set-AdfsSslCertificate cmdlet has to be run only on the primary server. The primary server has to be running Server 2016 and the Farm Behavior Level should be raised to 2016.
- The Set-AdfsSslCertificate cmdlet will use PowerShell Remoting to configure the other AD FS servers, make sure port 5985 (TCP) is open on the other nodes.
- The Set-AdfsSslCertificate cmdlet will grant the adfssrv principal read permissions to the private keys of the SSL certificate. This principal represents the AD FS service. It’s not necessary to grant the AD FS service account read access to the private keys of the SSL certificate.
Replacing the SSL certificate for AD FS running in alternate TLS binding mode
When configured in alternate client TLS binding mode, AD FS performs device certificate authentication on port 443 and user certificate authentication on port 443 as well, on a different hostname. The user certificate hostname is the AD FS hostname prefixed with "certauth", for example "certauth.fs.contoso.com". In this mode, use the PowerShell cmdlet Set-AdfsAlternateTlsClientBinding to manage the SSL certificate. This manages not only the alternate client TLS binding but all other bindings on which AD FS sets the SSL certificate as well.
Follow the steps below:
First, you will need to obtain the new certificate. This is usually done by submitting a certificate signing request (CSR) to a third party, public certificate provider. There are a variety of ways to generate the CSR, including from a Windows 7 or higher PC. Your vendor should have documentation for this.
Once you get the response from your certificate provider, import it to the Local Machine store on each AD FS and Web Application Proxy server.
On the primary AD FS server, use the following cmdlet to install the new SSL certificate:
The certificate thumbprint can be found by executing this command:
Additional Notes
- The Set-AdfsAlternateTlsClientBinding cmdlet is a multi-node cmdlet; this means it only has to run from the primary and all nodes in the farm will be updated.
- The Set-AdfsAlternateTlsClientBinding cmdlet has to be run only on the primary server. The primary server has to be running Server 2016 and the Farm Behavior Level should be raised to 2016.
- The Set-AdfsAlternateTlsClientBinding cmdlet will use PowerShell Remoting to configure the other AD FS servers, make sure port 5985 (TCP) is open on the other nodes.
- The Set-AdfsAlternateTlsClientBinding cmdlet will grant the adfssrv principal read permissions to the private keys of the SSL certificate. This principal represents the AD FS service. It’s not necessary to grant the AD FS service account read access to the private keys of the SSL certificate.
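As an added example (not the article's own snippet, which is not reproduced on this page), this PowerShell covers both procedures above, for the default binding mode and for alternate client TLS binding mode, from the primary AD FS server. It lists candidate thumbprints, checks the chosen certificate for a private key, validity and the federation service name (plus the certauth name in alternate mode), confirms WinRM on TCP 5985 is reachable on the secondaries before the multi-node cmdlet fans out, then applies the certificate with the cmdlet the article names for that mode. The thumbprint and `$Mode` are assumptions you set.

```powershell
# Added example, not from the original article. Run elevated on the primary AD FS server.
$NewThumbprint = 'REPLACE-WITH-THUMBPRINT'
$Mode          = 'Default'      # 'Default' or 'AlternateTls', whichever binding mode the farm runs

# 1. Find the thumbprint of the newly imported certificate if you do not have it yet.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Subject, NotAfter, @{ n = 'SAN'; e = { $_.DnsNameList.Unicode -join ', ' } }

# 2. Sanity checks before touching the farm.
$cert = Get-Item "Cert:\LocalMachine\My\$NewThumbprint"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import the PFX, not the .cer' }
if ($cert.NotAfter -lt (Get-Date).AddDays(1)) { throw 'Certificate is expired or about to expire' }

$fsName = (Get-AdfsProperties).HostName
$sans   = @($cert.DnsNameList.Unicode)
$coversFs = ($sans -contains $fsName) -or
            ($sans | Where-Object { $_.StartsWith('*.') -and $fsName -like $_ })
if (-not $coversFs) { throw "Certificate does not cover the federation service name $fsName" }
if ($Mode -eq 'AlternateTls' -and $sans -notcontains "certauth.$fsName") {
    Write-Warning "Certificate does not contain certauth.$fsName; user certificate authentication on 443 will fail"
}

# 3. The cmdlet configures the other nodes over PowerShell Remoting: confirm TCP 5985 first.
$self        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$secondaries = (Get-AdfsFarmInformation).FarmNodes | Where-Object { $_.FQDN -ne $self }
foreach ($node in $secondaries) {
    if (-not (Test-NetConnection -ComputerName $node.FQDN -Port 5985 -InformationLevel Quiet)) {
        throw "WinRM (TCP 5985) not reachable on $($node.FQDN)"
    }
}

# 4. Apply with the cmdlet that matches the binding mode.
switch ($Mode) {
    'Default'      { Set-AdfsSslCertificate -Thumbprint $NewThumbprint }
    'AlternateTls' { Set-AdfsAlternateTlsClientBinding -Thumbprint $NewThumbprint }
    default        { throw "Unknown mode $Mode" }
}

# 5. Verify the bindings now reference the new thumbprint.
Get-AdfsSslCertificate
```

Repeat the `Get-AdfsSslCertificate` check on each secondary node; if one still shows the old thumbprint, the remoting step failed for that node and the farm is serving two different certificates behind the load balancer.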
Replacing the SSL certificate for the Web Application Proxy
In both the default certificate authentication binding mode and the alternate client TLS binding mode, the Web Application Proxy SSL certificate is managed with the Set-WebApplicationProxySslCertificate cmdlet. To replace it, on each Web Application Proxy server use the following cmdlet to install the new SSL certificate:
If the above cmdlet fails because the old certificate has already expired, reconfigure the proxy using the following cmdlets:
Enter the credentials of a domain user who is local administrator on the AD FS server
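As an added example (not the article's own snippet), this PowerShell replaces the Web Application Proxy SSL certificate and, if that fails because the old certificate has already expired, re-establishes the proxy trust with Install-WebApplicationProxy as the article describes. Run it on each WAP server; the thumbprint and federation service name are assumptions.

```powershell
# Added example, not from the original article. Run elevated on each Web Application Proxy server.
$NewThumbprint = 'REPLACE-WITH-THUMBPRINT'
$FsName        = 'fs.contoso.com'     # assumption: your federation service name

$cert = Get-Item "Cert:\LocalMachine\My\$NewThumbprint"
if (-not $cert.HasPrivateKey) { throw 'Import the PFX with its private key first' }

try {
    # Normal path: the proxy trust is still valid, just swap the certificate.
    Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint -ErrorAction Stop
}
catch {
    # Fallback when the previous certificate has expired and the trust can no longer be renewed:
    # re-run the proxy configuration, which re-establishes the trust with the AD FS farm.
    Write-Warning "Set-WebApplicationProxySslCertificate failed: $($_.Exception.Message). Re-establishing proxy trust."
    $cred = Get-Credential -Message 'Domain user that is a local administrator on the AD FS server'
    Install-WebApplicationProxy -FederationServiceTrustCredential $cred `
                                -CertificateThumbprint $NewThumbprint `
                                -FederationServiceName $FsName
}

# Verify which certificate the proxy now binds.
Get-WebApplicationProxySslCertificate
```

The credential prompted for in the fallback is only used to establish the trust; it is not stored on the proxy, and the WAP server itself does not need to be domain-joined.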
Get certificate from windows server
Question
I try to request a webserver certificate for an ADFS WAP from local CA using following command:
and getting the following error
I can’t find any example for that scenario.
I only find old MS KBs for GUI issues:
Answers
Based on my further research, please also have a try with the Request-Certificate.ps1 to request a certificate with the specified subject name and specified template. The following article for your reference, hope it is helpful to you:
Request certificates from a Enterprise CA (an export it directly to a pfx)
https://gallery.technet.microsoft.com/scriptcenter/Request-certificates-from-b6a07151
If you need further help, please feel free to let us know.
Best Regards,
Albert Ling
All replies
Based on my research, you might need to change the permissions on the template you are attempting to enroll for Web Server, and that might be hard to do via PowerShell. In this case, I recommend you have a try with the New-CertificateRequest function from the following article. Hope it is helpful to you:
SSL SAN Certificate Request and Import from PowerShell
https://blog.kloud.com.au/2013/07/30/ssl-san-certificate-request-and-import-from-powershell/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If you need further help, please feel free to let us know.
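As an added example, not part of the forum thread above, this PowerShell requests a web-server certificate with subject alternative names from an Enterprise CA using certreq, which is the scenario the question describes. It generates the key in the machine store, submits the request against a named template and accepts the issued certificate. The CA configuration string, template name and host names are assumptions; the template must grant Enroll permission to the requesting account, which is the permissions point raised in the reply above.

```powershell
# Added example, not from the thread. CA config string, template and names are placeholders.
$Subject  = 'fs.contoso.com'
$Sans     = @('fs.contoso.com', 'certauth.fs.contoso.com', 'enterpriseregistration.contoso.com')
$Template = 'WebServer'                              # template *name*, not its display name
$CaConfig = 'ca01.contoso.com\Contoso Issuing CA'   # "HostName\CA common name"; list with: certutil -config - -ping

# SAN entries in the certreq INF syntax: one "_continue_" line per DNS name
$sanLines = ($Sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`n"

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = $Template
"@

$work = Join-Path $env:TEMP 'wapcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'req.inf'
$reqPath = Join-Path $work 'req.req'
$cerPath = Join-Path $work 'cert.cer'
Set-Content -Path $infPath -Value $inf -Encoding ascii

certreq -new $infPath $reqPath                 # creates key pair in LocalMachine and the CSR
certreq -submit -config $CaConfig $reqPath $cerPath
certreq -accept $cerPath                       # binds the issued cert to the pending key in LocalMachine\My

# Confirm the certificate landed with its private key and the expected SANs.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Subject" } |
    Format-List Thumbprint, HasPrivateKey, NotAfter, @{ n = 'SAN'; e = { $_.DnsNameList.Unicode -join ', ' } }
```

A WAP server is usually not domain-joined, so it cannot enroll against an Enterprise CA directly; run the request from a domain-joined machine, export the result as a PFX (which is why `Exportable = TRUE` is set), and import it on the proxy. If `certreq -submit` reports the request as pending, the template requires CA manager approval; issue it on the CA and then run `certreq -retrieve <RequestId> cert.cer` followed by `certreq -accept`.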