Authentication Method in Remote Desktop

Younis George 6 Reputation points
2021-03-10T19:30:12.95+00:00

We are running Windows Server 2012 R2. We have installed a PKI-issued SSL certificate assigned to RDP in the certificate store. In the registry it shows the correct certificate thumbprint. When we try to connect to the server via RDP, it uses the Kerberos method instead of the SSL certificate. Would anybody help to identify what to change so that RDP uses the certificate method instead of Kerberos?

Thank you


3 answers

  1. Carl Fan 6,836 Reputation points
    2021-03-11T09:53:38.237+00:00

    Hi,
    Have you tried to set the group policy below:
    Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Session Host -> Security. The option you want to set is “Server Authentication certificate template.” Simply type in the name of your custom certificate template, and close the policy to save it. As soon as this policy is propagated to the respective domain computers (or forced via gpupdate.exe), every machine the GPO is scoped to that allows Remote Desktop Connections will use it to authenticate RDP connections.
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/remote-desktop-connection-rdp-certificate-warnings/ba-p/259301

    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl


  2. Younis George 6 Reputation points
    2021-03-12T18:27:14.877+00:00

    Thank you for the answer. I am looking for a setting in the registry or GPO for RDP to specify which authentication method it should use, either Kerberos or SSL certificate.


  3. Carl Fan 6,836 Reputation points
    2021-03-24T07:37:04.45+00:00

    Hi,
    Thank you for your information.
    I'm sorry to see your message when I just came back from vacation.
    I consider that you could check the registry below.
    https://serverfault.com/questions/83884/require-tls-on-rdp-for-all-connections
    For GPO, I consider that you could try to use "Require use of specific security layer for remote (RDP) connections" GPO.
    https://dispel.io/blog/forcing-rdp-to-use-tls-encryption/
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl

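As an added example (not posted by anyone in this thread), the following PowerShell audit reads the settings the two answers above point at: the RDP-Tcp listener's security layer and NLA values, the certificate-template policy, and whether the thumbprint configured in the registry actually matches a certificate in the machine store that carries the Server Authentication EKU. It assumes the standard Terminal Server listener key and the policy key that the "Require use of specific security layer" and "Server Authentication certificate template" GPOs write to.

```powershell
# Added audit script, not from the original thread. Run elevated on the RDP host.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Assumed policy location written by the RDS Security GPOs referenced in the answers.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSecuritySettings {
    $l = Get-ItemProperty -Path $listener -ErrorAction Stop
    $p = Get-ItemProperty -Path $policy   -ErrorAction SilentlyContinue

    # A GPO value, when present, overrides the locally configured listener value.
    $layer = if ($p -and $null -ne $p.SecurityLayer)      { $p.SecurityLayer }      else { $l.SecurityLayer }
    $nla   = if ($p -and $null -ne $p.UserAuthentication) { $p.UserAuthentication } else { $l.UserAuthentication }

    # SecurityLayer: 0 = legacy RDP security, 1 = Negotiate (TLS if the client supports it), 2 = TLS required.
    $layerName = if ($null -eq $layer) { 'not set (defaults to Negotiate)' }
                 else { @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS' }[[int]$layer] }

    # SSLCertificateSHA1Hash is REG_BINARY; turn the bytes into the thumbprint string shown in the cert store.
    # If it is absent the listener falls back to its self-signed certificate.
    $thumb = if ($l.SSLCertificateSHA1Hash) {
        ($l.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    } else { $null }

    $cert = $null
    if ($thumb) {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    }
    # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU the RDP listener needs.
    $serverAuth = [bool]($cert -and ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'))

    [pscustomobject]@{
        SecurityLayer      = "$layer ($layerName)"
        NLARequired        = [bool]$nla
        CertTemplatePolicy = $p.CertTemplateName     # set by the "Server Authentication certificate template" GPO
        Thumbprint         = $thumb
        CertFoundInStore   = [bool]$cert
        CertSubject        = $cert.Subject
        HasServerAuthEku   = $serverAuth
        CertExpires        = $cert.NotAfter
    }
}

Get-RdpSecuritySettings | Format-List
```

A host that reports SecurityLayer 2, CertFoundInStore True and HasServerAuthEku True is presenting the PKI certificate over TLS; NLARequired True means the user is still authenticated through CredSSP (Kerberos or NTLM) inside that TLS session, which is the expected combination rather than a misconfiguration.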