RDP Certificate Authentication

This section describes the procedures for enabling certificate authentication for RDP connections.

Prerequisites

Before enabling certificate authentication for RDP, check and execute the following:

  • Target hosts must belong to a Windows domain. The domain must include:

    • A domain controller with the server role Active Directory Domain Services, for handling authentication requests.

    • A Certificate Authority Server (CA server), with the server role Active Directory Certificate Services, including the Role Service Certification Authority.

      The CA server must also have a service for certificate-revocation-status checks, for example, HTTP CRL with the Certificate Enrollment Web Service or Web Server (IIS) role, or alternatively OCSP with the Online Responder role service.

    • Ensure that users' group policy allows RDP login. When enabling login with personal accounts, also ensure target-host local policy allows users to log on locally.

  • Both the domain controller and the CA server must run on one of the platforms where RDP certificate authentication is supported, described in Preparing for Deployment.

  • The domain policy must enable server certificate auto-enrollment. For instructions about enabling this, please refer to Microsoft documentation at https://docs.microsoft.com (search title: configure server certificate autoenrollment).

  • Firewalls for the domain must allow HTTP access to PrivX server port 80, for obtaining the Certificate Revocation List.

  • PrivX server's IPs and FQDNs should be recorded in the shared-config.toml file. All listed IPs and FQDNs will be used as Certificate Revocation List Distribution Points.

  • Hosts in the target domain must be able to resolve PrivX server FQDNs.

  • We recommend disabling smartcard-certificate propagation, which prevents users from using the certificate for further RDP/SSH connections.

    Note: Even with smartcard-certificate propagation disabled, users can still install the ephemeral certificate by running certutil on the target host. After that the user can use the certificate for further connections as long as the certificate is valid.

    Ephemeral RDP certificates are typically valid for the user's entire domain.

RDP Certificate-Authentication Setup

After ensuring the prerequisites, enable certificate authentication for RDP by performing the following:

  1. For target hosts to trust PrivX certificates, you must publish the PrivX CA certificate in the Windows domain.

    To obtain the PrivX CA certificate, go to the PrivX GUI. On the Settings→Deployment→Configure a Windows Domain for RDP Access page, click Download Certificate.

  2. Add the PrivX CA certificate to the Trusted Root Certification Authorities for the domain.

    For improved security, also restrict the purposes of the PrivX CA: In the general properties of the PrivX CA certificate, select Enable only the following purposes, then select the following purposes:

    • Smart Card Logon

    • Client Authentication

    Save your changes to the certificate.

    For more information, please refer to Microsoft documentation at https://docs.microsoft.com (search title: distribute certificates to client computers by using group policy).

  3. Publish the PrivX CA certificate to the domain (replace privx_ca.pem with the path of the PrivX CA-certificate file):

    $ certutil -dspublish -f privx_ca.pem NTAuthCA

    Also ensure that the local registry copy of the NTAuth store is updated by running:

    $ certutil -addstore -enterprise NTAuth privx_ca.pem
    
  4. On all target hosts, ensure that the host allows remote connections without Network Level Authentication.

  5. Define which roles are allowed to access the target hosts, and as which target accounts. For more information about mapping roles to target accounts, see Setting up Hosts.

  6. Certificates issued by PrivX are very time-sensitive. Even a clock skew of a few minutes may prevent certificates from working correctly.

    Verify that the system times on the target hosts, the Domain Controller and the PrivX instances are correct. Adjust as necessary.
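The following PowerShell script is an added example, not part of the PrivX documentation or the PrivX product, that checks several of the conditions above from a target host in one pass: the PrivX CA in the machine Trusted Root store (step 2) and in the enterprise NTAuth store (step 3), the Network Level Authentication setting (step 4), name resolution and TCP port 80 reachability of the PrivX servers used as CRL Distribution Points (Prerequisites), and clock skew against the domain controller (step 6). The PrivX FQDNs, the domain-controller name and the CA thumbprint are placeholders that you must replace with your own values; the 60-second skew limit is an assumed threshold chosen for the example, not a PrivX-documented value.

```powershell
# Added verification script (example only, not PrivX's own tooling).
# Run in an elevated PowerShell session on a target host.
$PrivXServers      = @('privx1.example.com', 'privx2.example.com')  # assumed: the FQDNs listed in shared-config.toml
$DomainController  = 'dc1.example.com'                              # assumed
$PrivXCaThumbprint = '<THUMBPRINT-OF-PRIVX-CA>'                     # placeholder: SHA-1 thumbprint of the downloaded PrivX CA certificate
$MaxSkewSeconds    = 60                                             # assumed threshold for this example

$results = [ordered]@{}

# Step 2: PrivX CA must be in the machine Trusted Root Certification Authorities store.
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $PrivXCaThumbprint }
$results['PrivX CA in Trusted Root (step 2)'] = [bool]$rootCert

# Step 3: PrivX CA must be in the enterprise NTAuth store. certutil prints the hash
# with or without spaces depending on version, so strip whitespace before matching.
$ntauth = (certutil -store -enterprise NTAuth 2>&1 | Out-String) -replace '\s', ''
$results['PrivX CA in NTAuth (step 3)'] = ($ntauth -match $PrivXCaThumbprint)

# Step 4: host must accept RDP without Network Level Authentication.
$ts = Get-CimInstance -Namespace root/cimv2/TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$results['NLA not required (step 4)'] = ($ts.UserAuthenticationRequired -eq 0)

# Prerequisites: PrivX FQDNs must resolve, and port 80 must be reachable for CRL download.
foreach ($server in $PrivXServers) {
    $resolved = Resolve-DnsName -Name $server -ErrorAction SilentlyContinue
    $results["Resolves $server"] = ($null -ne $resolved)
    $tcp = Test-NetConnection -ComputerName $server -Port 80 -WarningAction SilentlyContinue
    $results["TCP 80 reachable on $server"] = [bool]$tcp.TcpTestSucceeded
}

# Step 6: clock skew against the domain controller. w32tm prints one line per sample
# such as "12:34:56, +00.0123456s"; collect the absolute offsets and take the largest.
$chart = w32tm /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1 | Out-String
$offsets = [regex]::Matches($chart, '([+-]\d+[.,]\d+)s') | ForEach-Object {
    # Replace a locale-specific decimal comma so parsing is culture-independent.
    [math]::Abs([double]::Parse(($_.Groups[1].Value -replace ',', '.'),
                                [cultureinfo]::InvariantCulture))
}
$maxSkew = if ($offsets) { ($offsets | Measure-Object -Maximum).Maximum } else { $null }
$results["Clock skew vs DC <= ${MaxSkewSeconds}s (measured: $maxSkew s)"] =
    ($null -ne $maxSkew -and $maxSkew -le $MaxSkewSeconds)

# Print one OK/FAIL line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

A FAIL on the NTAuth check after running the certutil commands in step 3 usually means the enterprise store has not yet replicated or refreshed on the host; a FAIL on the skew check points at step 6 before any certificate-related troubleshooting, since an expired-before-issued ephemeral certificate produces a generic logon failure rather than a clear error.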

RDP connections to target hosts are now authenticated by just-in-time certificates provided by PrivX, without needing to provide target-user passwords.
