YounisGeorge-8929 asked CarlFan-MSFT answered

Authentication Method in Remote Desktop

We are running Windows Server 2012 R2. We have installed a PKI-issued SSL certificate, assigned to RDP in the certificate store. In the registry it shows the correct certificate thumbprint. When we try to connect to the server via RDP it uses the Kerberos method instead of the SSL certificate. Would anybody help to identify what to change so that RDP uses the certificate method instead of Kerberos?



Thank you

remote-desktop-services

CarlFan-MSFT answered

Hi,
Have you tried to set the group policy below:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Session Host -> Security. The option you want to set is “Server Authentication certificate template.” Simply type in the name of your custom certificate template, and close the policy to save it. As soon as this policy is propagated to the respective domain computers (or forced via gpupdate.exe), every machine the GPO is scoped to that allows Remote Desktop Connections will use it to authenticate RDP connections.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/remote-desktop-connection-rdp-certificate-warnings/ba-p/259301

Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl


YounisGeorge-8929 answered

Thank you for the answer. I am looking for a setting in the registry or GPO for RDP to specify which authentication method it should use, either Kerberos or SSL certificate.


CarlFan-MSFT answered

Hi,
Thank you for your information.
I'm sorry to see your message when I just came back from vacation.
I consider that you could check the registry below.
https://serverfault.com/questions/83884/require-tls-on-rdp-for-all-connections
For GPO, I consider that you could try to use "Require use of specific security layer for remote (RDP) connections" GPO.
https://dispel.io/blog/forcing-rdp-to-use-tls-encryption/
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl
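
A read-only check of the registry and GPO settings the answer above points to, as an added PowerShell example that is not part of the thread: it reports the effective security layer, whether NLA is required, and whether the thumbprint bound to the RDP listener matches a certificate on the server. The key paths and value names (`SecurityLayer`, `UserAuthentication`, `SSLCertificateSHA1Hash`, `CertTemplateName`) do not appear in the thread and are the standard locations for these settings; the script assumes the PKI certificate was installed in the `LocalMachine\My` store.

```powershell
# Added example: read-only audit of the RDP listener security settings.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSetting {
    param([Parameter(Mandatory)][string]$Name)
    # A value written by Group Policy takes precedence over the local listener value.
    foreach ($path in @($policy, $listener)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $path }
        }
    }
    [pscustomobject]@{ Value = $null; Source = 'not set' }
}

# SecurityLayer values: 0 = native RDP security, 1 = negotiate, 2 = TLS required.
$layerNames = @{ 0 = 'RDP (native RDP security)'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$layer = Get-RdpSetting -Name 'SecurityLayer'
$nla   = Get-RdpSetting -Name 'UserAuthentication'       # 1 = NLA required
$hash  = Get-RdpSetting -Name 'SSLCertificateSHA1Hash'   # REG_BINARY thumbprint
$tmpl  = Get-RdpSetting -Name 'CertTemplateName'         # set by the template GPO

$layerText = if ($null -eq $layer.Value) { 'not set' } else { $layerNames[[int]$layer.Value] }
$nlaText   = if ($null -eq $nla.Value)   { 'not set' } else { [bool]$nla.Value }

# Convert the binary thumbprint to the hex form used by the certificate store.
$thumb = $null
if ($hash.Value -is [byte[]]) {
    $thumb = -join ($hash.Value | ForEach-Object { $_.ToString('X2') })
}
$cert = if ($thumb) {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
}

[pscustomobject]@{
    SecurityLayer       = $layerText
    SecurityLayerSource = $layer.Source
    NlaRequired         = $nlaText
    ListenerThumbprint  = $thumb
    CertFoundInMyStore  = [bool]$cert
    CertSubject         = $cert.Subject
    CertNotAfter        = $cert.NotAfter
    CertHasPrivateKey   = $cert.HasPrivateKey
    CertEku             = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
    PolicyCertTemplate  = $tmpl.Value
} | Format-List
```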