Certifikáty pro RDC

1. On the computer that has your enterprise Certification Authority installed start MMC and open the “Certificate Templates” MMC snap-in.

Find the “Computer” template, right-click on it, and then choose “Duplicate Template” from the menu.

1. In the “Duplicate Template” dialog box, choose “Windows Server 2003 Enterprise” template version.
2. The “Properties of New Template” dialog box will appear.
3. On the “General” page of this dialog box, set both “Template display name” and “Template name” to “RemoteDesktopComputer”. Note: it is important to use the same string for both properties.
4. On the “Extensions” page, select “Application Policies”, and then click the “Edit…” button.
5. The “Edit Application Policies Extension” dialog box appears.
6. Now you can either remove the “Client Authentication” policy leaving the “Server Authentication” policy, or you can use the special “Remote Desktop Authentication” policy. Doing the latter will prevent certificates based on this template from being used for any purpose other than Remote Desktop authentication.
7. To create the “Remote Desktop Authentication” policy, first remove both the “Client Authentication” and “Server Authentication” policies, and then click “Add…”
8. The “Add Application Policy” dialog box appears. In this dialog box click the “New…”
9. The “New Application Policy” dialog box appears. In this dialog box, set “Name” to “Remote Desktop Authentication” and “Object Identifier” to “1.3.6.1.4.1.311.54.1.2”, and then click “OK.”
10. Select “Remote Desktop Authentication” in the “Add Application Policy” dialog box, and then click “OK.”
11. Now the “Edit Application Policies Extension” dialog box should look like this:
12. Click “OK” in this dialog box, and then click “OK” in the “Properties of New Template” dialog box.

• On the computer that has your enterprise Certification Authority installed, start the Certification Authority MMC snap-in.
• Right-click on “Certificate Templates”, then select “New\Certificate Template to Issue” from the menu that appears.
• The “Enable Certificate Templates” dialog box appears. Select “RemoteDesktopComputer”, and then click “OK.”
• Now the “RemoteDesktopComputer” template is published and can be used in certificate requests.

The last step is to configure Group Policy to use certificates based on the “RemoteDesktopComputer” template for Remote Desktop authentication.

• On the domain controller, start the “Group Policy Management” administrative tool.
• Right-click the “Default Domain Policy” and click on “Edit…” in the menu that appears. The “Group Policy Management Editor” appears.
• Navigate to “Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.”
• Double-click the “Server Authentication Certificate Template” policy.
• Enable the policy, type “RemoteDesktopComputer” in the “Certificate Template Name” box, and then click “OK.”

As soon as this policy is propagated to domain computers, every computer that has Remote Desktop connections enabled will automatically request a certificate based on the “RemoteDesktopComputer” template from the Certification Authority server and use it to authenticate to Remote Desktop clients. You can speed up the propagation to a specific computer by running the “gpupdate.exe” command line tool on that computer.

Zdroje:

• http://3techies.com/?p=27
• http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx