How do I reissue machine certificates for my Active Directory members now that I have a private CA?


Solution 1

You need to enroll for a machine certificate on the workstation. You can set up autoenrollment via Group Policy, or you can navigate to the cert enrollment website on your CA (https://yourCA/certenroll) and enroll manually.
Autoenrollment is set under Computer Config -> Policies -> Windows Settings -> Security Settings -> Public Key Policies.

EDIT: After getting a certificate that can be used for "Client Authentication", you need to set up RDP to use the cert. Follow the instructions here for a WMI script to do this.
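Added example (not the answer's linked WMI script): a PowerShell version of the same steps, run elevated on the domain member. It picks the CA-issued machine certificate from the computer's Personal store, builds its chain with an online revocation check (the check the RDP client later complains about if CRL/AIA publication is broken), and binds it to the RDP-Tcp listener. The issuer fragment `CN=Corp Root CA` is an assumed placeholder for your CA's name.

```powershell
# Assumption: replace with a fragment of your CA's issuer DN.
$IssuerMatch = 'CN=Corp Root CA'

# 1. Candidate certificate: issued by our CA, private key present, and carrying the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1) that the TLS listener needs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No suitable certificate from $IssuerMatch in LocalMachine\My" }

# 2. Validate the chain with an online revocation check before binding. If this fails,
#    the RDP client will show the same kind of revocation warning, so fix CDP/AIA first.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "Chain or revocation check failed for thumbprint $($cert.Thumbprint)"
}

# 3. Bind the certificate to the RDP listener; this is the WMI setting the linked script edits.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$ts.SSLCertificateSHA1Hash = $cert.Thumbprint
$ts.Put() | Out-Null

# 4. Restart the listener so the new certificate is served (this drops active RDP sessions),
#    then read the binding back to confirm it.
Restart-Service TermService -Force
(Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
```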

Solution 2

This Microsoft documentation might help you: http://support.microsoft.com/kb/281271

"In the following scenarios, if a user from the same domain as a certification authority (CA) requests a certificate, the issued certificate is published in Active Directory. However, if the user is from a child domain, this process is not successful. Also, when users from the same domain as a CA request a certificate, the issued certificate may not be published in Active Directory."

Author: Eric Falsken

Updated on September 18, 2022

Comments

  • Eric Falsken
    Eric Falsken almost 2 years

    So I have a working Active Directory. I've recently added a new machine to act as an Active Directory Certificate Authority.

    I've added a Group Policy (Computer level) for automatic certificate enrollment according to this document. And verified that my CA appears in all of my domain members' Trusted Root Certificates.

    I've exported the CA's root certificate and added it to my workstation's (computer) Trusted Root CA list.

    When I want to remote desktop into my remote servers, it still pops up a warning like this: Remote Desktop Connection untrusted certificate warning

    When I view the certificate, it's clear that the certificate that is being sent is the default machine self-signed certificate. How do I get Windows to re-issue machine certificates based on my new trusted root CA? I'm guessing that I need to create an auto-approval policy for machine certificates somewhere with some constraint maybe on who/how such requests can be made. And then I would guess that I need to push a domain policy that somehow instructs all my domain members to get their machine certificate.

    Does this sound familiar to anyone? I think the reason I can't find a document on this is because I don't know the correct terminology.

    • Eric Falsken
      Eric Falsken over 12 years
      Ok, so I've updated my group policy, and I see in the (local computer)/Personal certificates, I now have a machine certificate that looks correct, issued by my CA. But Remote Desktop still gives me the old certificate without the CA server in the certificate path.
    • Paul Ackerman
      Paul Ackerman over 12 years
      See my updated answer. You need to configure RDP to use the cert.
    • Eric Falsken
      Eric Falsken over 12 years
      I followed the first part of that document, and ended up having to restart the RDP service. I now get the correct certificate. But the warning now reads "A revocation check could not be performed for the certificate."
  • ravi yarlagadda
    ravi yarlagadda over 12 years
    To add to that, auto-enrollment will need to be enabled in the ACL on the certificate template as well.
  • vonbrand
    vonbrand about 11 years
    Please supply a summary for later.
  • slm
    slm about 11 years
    Welcome to Server Fault! Generally we like answers on the site to be able to stand on their own - Links are great, but if that link ever breaks the answer should have enough information to still be helpful. Please consider editing your answer to include more detail. See the FAQ for more info.