Will there be any operational issues if the GPO also has certificate enrollment under "Public Key Policies/Automatic Certificate Request Settings" enabled for the same 'Computer' template? Will this possibly cause the computer to get two redundant certificates based on the same template?

Will there be any operational issues if I don't use a custom template, but instead specify the built-in 'Computer' template in the GPO setting? (The one under "Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security".)

So I would much rather use a generic TLS certificate for RDP as well. However, some third-party clients always expect the certificate to have a "TLS server" extendedKeyUsage and have issues verifying servers which only have this OID.

Practically all instructions on enabling certificates for Remote Desktop server authentication (and configuring auto-enrollment through Group Policy) say that you should create a new certificate template (named "RemoteDesktopComputer" or similar), adding only the RDP-specific OID 1.3.6.1.4.1.311.54.1.2 as an extendedKeyUsage.
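As an added example (not part of the original post), a PowerShell check for the two concerns raised above: which extendedKeyUsage values the certificate bound to the RDP listener carries, and whether the machine store holds more than one unexpired certificate from the same template. It assumes the default listener name `RDP-Tcp` and the standard TLS server OID 1.3.6.1.5.5.7.3.1, neither of which appears in the post.

```powershell
# Added example. Run from an elevated PowerShell session on the RDP host.
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # RDP-specific EKU named in the post
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # standard TLS server EKU (assumed; not in the post)
$TemplateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'  # v1 template name / v2 template info

# Thumbprint currently bound to the listener (assumes the default name RDP-Tcp).
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$bound = $listener.SSLCertificateSHA1Hash

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # The template extension identifies which template the certificate was issued from.
    $tmplExt = $cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { $null }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Template   = $template
        # A certificate with no EKU extension is not restricted to any purpose.
        ServerAuth = (-not $ekuExt) -or ($ekus -contains $ServerAuthOid)
        RdpAuth    = (-not $ekuExt) -or ($ekus -contains $RdpAuthOid)
        BoundToRdp = ($cert.Thumbprint -eq $bound)
    }
}

$report | Format-Table -AutoSize

# More than one unexpired certificate from the same template suggests redundant enrollment.
# v2 template strings include version numbers, so a re-issued template shows as a separate group.
$report | Where-Object { $_.Template -and $_.NotAfter -gt (Get-Date) } |
    Group-Object Template | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "$($_.Count) certificates from template: $($_.Name)" }
```

A row with `BoundToRdp` true and `ServerAuth` false is the case the post describes, where clients that expect the TLS server extendedKeyUsage may fail verification.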