These docs are for PrivX v17.

RDP Certificate Authentication

This section describes the procedures for enabling certificate authentication for RDP connections.

Prerequisites

Before enabling certificate authentication for RDP, verify that the following are in place:

  • Target hosts must belong to a Windows domain. The domain must include:

    • A domain controller with the server role Active Directory Domain Services, for handling authentication requests.

    • A Certificate Authority Server (CA server), with the server role Active Directory Certificate Services, including the role service Certification Authority.

      The CA server must also provide a certificate-revocation-status check, for example an HTTP-published CRL with the Certificate Enrollment Web Service or Web Server (IIS) role, or alternatively OCSP with the Online Responder role service.

  • Ensure that the users' group policy allows RDP logon. When enabling login with personal accounts, also ensure that the target-host local policy allows those users to log on locally.

  • Both the domain controller and the CA server must run on one of the platforms where RDP certificate authentication is supported, described in Preparing for Deployment.

  • The domain policy must enable server certificate auto-enrollment. For instructions about enabling this, please refer to Microsoft documentation at https://docs.microsoft.com (search title: configure server certificate autoenrollment).

  • Firewalls for the domain must allow hosts in the domain HTTP access to PrivX server port 80, so that they can obtain the Certificate Revocation List when validating a PrivX-issued certificate.

  • PrivX server's IPs and FQDNs should be recorded in the shared-config.toml file. All listed IPs and FQDNs will be used as Certificate Revocation List Distribution Points.

  • Hosts in the target domain must be able to resolve PrivX server FQDNs.
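The following PowerShell script is an added pre-flight check for the prerequisites above; it is not part of the PrivX product or its documentation. It runs in an elevated PowerShell session on a domain-joined target host and assumes the hypothetical names dc1.example.com for the domain controller and privx1.example.com / privx2.example.com for the PrivX servers (the FQDNs recorded in shared-config.toml); replace them with your own. It checks domain membership, name resolution of the PrivX FQDNs, TCP port 80 reachability for the CRL download, clock skew against the domain controller, and that Remote Desktop is enabled at all.

```powershell
# Added example, not PrivX or Microsoft code. Run in an elevated PowerShell session on a
# domain-joined target host. The hostnames below are assumptions; replace them with your own.
$DomainController = 'dc1.example.com'                               # assumed
$PrivXHosts       = @('privx1.example.com', 'privx2.example.com')   # assumed; as in shared-config.toml
$MaxSkewSeconds   = 60                                              # tolerable clock skew

$script:failed = $false
function Report([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ('[{0}] {1}: {2}' -f $status, $Check, $Detail)
    if (-not $Ok) { $script:failed = $true }
}

# Target hosts must be members of the Windows domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Report 'Domain membership' $cs.PartOfDomain ('domain = {0}' -f $cs.Domain)

foreach ($h in $PrivXHosts) {
    # PrivX FQDNs must resolve: they are the CRL distribution points in the issued certificates.
    try {
        $addrs = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop).IPAddress -join ', '
        Report "DNS $h" $true $addrs
    } catch {
        Report "DNS $h" $false $_.Exception.Message
    }
    # Port 80 to PrivX must be reachable so the CRL can be downloaded during logon.
    $tcp = Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue
    Report "TCP/80 $h" $tcp.TcpTestSucceeded ('remote = {0}' -f $tcp.RemoteAddress)
}

# Clock skew against the domain controller. With /dataonly, w32tm prints one sample per
# line as "HH:MM:SS, +00.0123456s"; the second field is this host's offset from the DC.
$lines   = & w32tm /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1
$offsets = foreach ($l in $lines) {
    if ("$l" -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
}
if ($offsets) {
    $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    Report 'Clock skew' ($maxAbs -le $MaxSkewSeconds) ('max offset = {0:N3}s' -f $maxAbs)
} else {
    Report 'Clock skew' $false ('no samples: ' + ($lines -join ' '))
}

# Remote Desktop must be enabled on the host at all (fDenyTSConnections = 0).
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
Report 'RDP enabled' ($rdp.fDenyTSConnections -eq 0) ('fDenyTSConnections = {0}' -f $rdp.fDenyTSConnections)

if ($script:failed) { Write-Warning 'One or more prerequisites are not met.'; exit 1 }
Write-Host 'All prerequisite checks passed.'
```

The script reports each check separately rather than stopping at the first failure, so one run gives the full list of what still has to be fixed on that host. The skew threshold of 60 seconds is a conservative assumption; the page only says that a skew of a few minutes is already enough to break certificate logon.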

RDP Certificate-Authentication Setup

After ensuring the prerequisites, enable certificate authentication for RDP by performing the following:

  1. For target hosts to trust PrivX certificates, you must publish the PrivX CA certificate in the Windows domain.

    To obtain the PrivX CA certificate, go to the PrivX GUI. On the Settings→Deployment→Configure a Windows Domain for RDP Access page, click Download Certificate.

  2. Add the PrivX CA certificate to the Trusted Root Certification Authorities for the domain.

    For improved security, also restrict the purposes for which the PrivX CA is trusted. This is a property of the trust entry in the certificate store, not of the certificate itself: in the general properties of the PrivX CA certificate, select Enable only the following purposes, then select only the following purposes:

    • Smart Card Logon

    • Client Authentication

    Save your changes to the certificate.

    For more information, please refer to Microsoft documentation at https://docs.microsoft.com (search title: distribute certificates to client computers by using group policy).

  3. Publish the PrivX CA certificate to the domain. Run the following from an elevated command prompt on a domain controller (replace privx_ca.pem with the path of the PrivX CA-certificate file):

    $ certutil -dspublish -f privx_ca.pem NTAuthCA
    

    Also ensure that the local enterprise NTAuth store, which is held in the registry, is updated by running:

    $ certutil -addstore -enterprise NTAuth privx_ca.pem
    
    
  4. On all target hosts, ensure that the host allows remote connections without Network Level Authentication (NLA). Because NLA is what normally authenticates the client before an RDP session is set up, this exposes the RDP listener to unauthenticated clients; compensate by restricting inbound RDP on the target hosts to the PrivX servers.

  5. Define which roles are allowed to access the target hosts, and as which target accounts. For more information about mapping roles to target accounts, see Setting up Hosts.

  6. Certificates issued by PrivX are very time-sensitive: even a clock skew of a few minutes may prevent them from working correctly.

    Verify that the system times on the target hosts, the domain controller and the PrivX instances are correct, and adjust as necessary (for example, by synchronizing all of them against the same NTP source).

RDP connections to target hosts are now authenticated with just-in-time certificates issued by PrivX, without needing target-user passwords.
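As an added example (again not PrivX's or Microsoft's code), the following PowerShell carries out steps 2 to 4 of the setup above and verifies the result. Publish-PrivXCa runs in an elevated PowerShell session on a domain controller with rights to write to the NTAuth container (Enterprise Admins by default) and assumes the downloaded certificate is at the hypothetical path C:\privx\privx_ca.pem; Disable-RdpNla runs on each target host. The function only adds the PrivX CA to the local Trusted Root store of the machine it runs on; distribution to the whole domain and the purpose restriction are still done through Group Policy and the certificate properties dialog as described in step 2.

```powershell
# Added example, not PrivX or Microsoft code. Assumed path: C:\privx\privx_ca.pem (the file
# obtained via Settings -> Deployment -> Configure a Windows Domain for RDP Access -> Download Certificate).

# Run on a domain controller in an elevated PowerShell session.
function Publish-PrivXCa {
    param([string]$CaFile = 'C:\privx\privx_ca.pem')   # assumed path

    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile
    Write-Host ('PrivX CA: {0}  thumbprint {1}  expires {2:u}' -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter)
    if ($ca.Subject -ne $ca.Issuer) {
        Write-Warning 'Certificate is not self-signed; make sure its issuer chain is trusted as well.'
    }

    # Step 2 (local part): trust the PrivX CA as a root on this machine.
    Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

    # Step 3: publish to the NTAuth container in AD (so certificate logon with this CA is accepted
    # domain-wide) and refresh the local enterprise NTAuth store held in the registry.
    & certutil -dspublish -f $CaFile NTAuthCA | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
    & certutil -addstore -enterprise NTAuth $CaFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

    # Verify: the CA's SHA-1 thumbprint must now be listed in the enterprise NTAuth store.
    # certutil prints "Cert Hash(sha1): <hex>", with or without spaces between bytes.
    $store  = (& certutil -enterprise -store NTAuth) -join "`n"
    $hashes = [regex]::Matches($store, 'Cert Hash\(sha1\):\s*([0-9A-Fa-f ]+)') |
              ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
    if ($hashes -notcontains $ca.Thumbprint) {
        throw 'PrivX CA is not present in the enterprise NTAuth store after publishing.'
    }
    Write-Host 'PrivX CA published to NTAuth and verified.'
}

# Step 4: run on every target host. RDP must accept connections without Network Level
# Authentication (NLA); check the current setting and change it only when needed.
function Disable-RdpNla {
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    if ($ts.UserAuthenticationRequired -eq 0) {
        Write-Host 'NLA already disabled on RDP-Tcp.'
        return
    }
    $r = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                          -Arguments @{ UserAuthenticationRequired = [uint32]0 }
    if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed: $($r.ReturnValue)" }
    Write-Host 'NLA disabled on RDP-Tcp; restrict inbound RDP on this host to the PrivX servers.'
}

Publish-PrivXCa        # on the domain controller
# Disable-RdpNla       # on each target host
```

The thumbprint check at the end is the part worth keeping in any automation: certutil returns success for -dspublish even when the certificate was already present, so reading the store back is the only way to confirm that the DC the script ran on actually sees the PrivX CA in NTAuth. Other domain controllers pick the published entry up with normal AD replication and Group Policy refresh.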