How to configure a certificate distribution policy by an Active Directory domain controller
Kaspersky Thin Client can securely connect to remote machines via RDP using automatically generated SSL and TLS certificates. If you want a domain controller to distribute certificates to machines in the domain for RDP connections, configure a certificate distribution policy. In this case, the certificate will be signed by your internal corporate Certification Authority.
Make sure that the corporate Microsoft Certification Authority is already deployed in the domain.
Step 1. Configure a certificate distribution policy
- Open Control Panel. Type Certification Authority in the search bar and open the local Certification Authority.
- Right-click Certificate Templates and select Manage.
- Right-click the Computer template and select Duplicate Template.
- Go to the General tab and enter the name for a new certificate in the Template display name and Template name fields. The names in these fields must match.
- Go to the Compatibility tab and select the earliest version of the certificate recipient in your domain. The later the Windows version you specify, the stronger the encryption algorithms that will be used.
- Go to the Extensions tab. Select Key Usage and click Edit.
- Click New to add a new policy.
- Type Remote Desktop Authentication in the Name field. Type 1.3.6.1.4.1.311.54.1.2 in the Subject key identifier field. Click OK.
- Select Remote Desktop Authentication in the policies list and click OK.
- In the Description of Application Policies block, remove all policies except Remote Desktop Authentication. Click OK.
- Right-click Certificate Templates and select New → Certificate Template to Issue.
- Select the created template and click OK.
Step 2. Configure a domain policy
Make sure that the root certificate is added to the Trusted Root Certification Authorities folder.
Configure a domain policy that automatically assigns a certificate to RDP computers or servers based on a configured template:
- Click the search icon on the taskbar and type gpmc.msc. Open the Group Policy Management console.
- Right-click the domain that contains the RDP machines for which you want to issue TLS certificates automatically. Select Create a GPO in this domain, and Link it here.
- Name the new group policy object and click OK.
- Right-click the created object and select Enforced to activate it.
- Right-click the created object again and select Edit.
- Go to Remote Desktop Services → Remote Desktop Session Host → Security and open the Server authentication certificate template policy.
- Select the Enabled checkbox. In the Certificate Template Name field, type the name of the Certification Authority template that you created earlier. Click OK.
- Open the Require use of specific security layer for remote (RDP) connections policy.
- Select the Enabled checkbox. In the Security Layer drop-down list, select SSL (TLS 1.0) and click OK.
Step 3. Update policies on the machines
Open the command line on each machine and run the command:
gpupdate
If you see the User Policy update has completed successfully message, the policies have been updated successfully.
To use the created certificate when connecting to a remote machine, export it from the certificate store on the local machine and upload it to Kaspersky Security Center by following the instructions.
To check that the machines have received new certificates, see the instructions.
How to check that the machines have received new certificates
- Click the search icon on the taskbar and type certlm.msc. Open the computer certificate console.
- Go to Personal → Certificates. Find the certificate for the Remote Desktop Authentication policy issued by your Certification Authority based on the selected template.
The screenshot below shows the console for a machine with the fully qualified domain name remotewin10.ksrw.ru that was issued a certificate for the Remote Desktop Authentication policy based on the RDPTemplate3 template.
Make sure that only the required certificate is in the folder. We recommend removing other certificates.
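The manual check above can be automated. The following PowerShell script is an added example, not part of the Kaspersky documentation or its tooling: it verifies on an RDP host that the two Step 2 policy settings were applied, that the computer's Personal store holds a CA-issued certificate with the Remote Desktop Authentication EKU (1.3.6.1.4.1.311.54.1.2), and that the RDP-Tcp listener is actually bound to it. It assumes the template is named RDPTemplate3 (substitute your own) and runs in an elevated session after gpupdate.

```powershell
# Added verification script (not Kaspersky's own code). Assumptions: template
# name RDPTemplate3 and listener name RDP-Tcp; adjust both to your environment.
$TemplateName = 'RDPTemplate3'
$RdpAuthOid   = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU

# 1. Registry values written by the two GPO settings from Step 2
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
if ($pol.CertTemplateName -ne $TemplateName) {
    Write-Warning "Template policy not applied (found '$($pol.CertTemplateName)')"
}
if ($pol.SecurityLayer -ne 2) {   # 2 = SSL (TLS); 0/1 would allow RDP security
    Write-Warning "Security layer policy is not SSL/TLS (found '$($pol.SecurityLayer)')"
}

# 2. Certificates in the computer Personal store that carry the RDP EKU
$rdpCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $RdpAuthOid
})
foreach ($c in $rdpCerts) {
    "{0}`n  Issuer:     {1}`n  Expires:    {2}`n  Thumbprint: {3}" -f `
        $c.Subject, $c.Issuer, $c.NotAfter, $c.Thumbprint
}
if ($rdpCerts.Count -eq 0) {
    Write-Warning 'No certificate with the Remote Desktop Authentication EKU found'
} elseif ($rdpCerts.Count -gt 1) {
    Write-Warning 'More than one RDP certificate present; keep only the required one'
}

# 3. Certificate the RDP listener is actually using (SHA-1 thumbprint)
$ts = Get-CimInstance -Namespace root/cimv2/TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$bound = $rdpCerts | Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
if ($bound) {
    "Listener RDP-Tcp uses $($bound.Thumbprint) issued by $($bound.Issuer)"
} else {
    Write-Warning ("Listener uses $($ts.SSLCertificateSHA1Hash), which is not a " +
                   "CA-issued RDP certificate (self-signed fallback still in place?)")
}
```

A machine that still serves its self-signed certificate after gpupdate typically has not received the template policy yet, or the template is not published on the CA; the warnings in sections 1 and 3 point to which of the two it is.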