
In our environment, we have a Windows Certificate Authority server. We've distributed our CA to our folks, and generated some certificates with CSRs for internal websites. That works great. We tried to configure a GPO for our VMs to install the CA and also request and install an RDP certificate. I've followed some guides online, and I'm finding that after about a month the server has just been nonstop issuing certificates, every few minutes it seems. I now have well over 30,000 certificates issued when our environment only has 200 VMs. Has anyone seen this before? Is there anything I can check? I included some screenshots of the GPO we've configured.

[Three screenshots were attached to the original post: the GPO configuration, and (added later) the General tab of the RDS certificate template.]

Jakob
  • I would check if the client is able to successfully validate its own RDS certificate. For example, export the RDS certificate on a client VM and run `certutil -verify -urlfetch rdscert.cer` and examine the output. In addition, a screenshot of the General tab of the RDS certificate template would be helpful. – Crypt32 Apr 28 '21 at 17:12
  • BTW, make sure that no principal has Autoenroll permissions on the RDS template. – Crypt32 Apr 28 '21 at 17:41
  • @Crypt32 - The verify passed successfully. I didn't see any glaring errors there. I did notice the RDP cert went into the Local Computer -> Personal -> Certificates folder rather than the Remote Desktop -> Certificates folder. I'll try and get a screenshot posted of the General tab. Looking at permissions, "Domain Computers" & "Domain Controllers" both have the Auto Enroll permission allow checked. – Jakob Apr 28 '21 at 17:45
  • Edited the original post to add a screenshot of the RDS General tab. – Jakob Apr 28 '21 at 17:52
  • You MUST uncheck the `Autoenroll` permission for all principals in the ACL. Thanks for the General tab; it looks ok. – Crypt32 Apr 28 '21 at 17:54
  • Done, do you think that caused it to go nuts? Now I get to figure out how to revoke or delete all these 30,000 certificates... – Jakob Apr 28 '21 at 18:03
  • Yes, autoenrollment can cause this. RDS implements its own automatic renewal mechanism and gets mad when autoenrollment is enabled. – Crypt32 Apr 28 '21 at 18:12
  • @Crypt32 It's fixed now! Thank you! – Jakob Apr 29 '21 at 15:31
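The comments above diagnose the problem from template permissions, but the first visible symptom was the issuance volume itself. The following PowerShell script is an added example, not code from the question or the answer: it summarises what an AD CS CA has issued in a window by template and requester, so a renewal loop like the one described (one machine collecting dozens of certificates from one template) stands out. It shells out to `certutil -view` against the CA database; the date format, the threshold and the output file name are assumptions.

```powershell
# Added example (not from the thread). Summarise issued certificates on an
# AD CS CA by template and requester, to spot a renewal loop. Run on the CA
# itself; for a remote CA add -config "CAHOST\CA Name" to the certutil call.
param(
    # Start of the window. certutil parses this in the CA's locale, so the
    # format below is an assumption; adjust it for non-US locales.
    [string]$Since = (Get-Date).AddDays(-30).ToString('MM/dd/yyyy'),
    # Assumed threshold: a healthy RDS certificate is renewed at most a few
    # times in a month, so more than this many per machine is suspicious.
    [int]$PerRequesterThreshold = 5
)

# Disposition 20 = issued. The -out names are CA database column names.
$columns = 'RequestID,RequesterName,CertificateTemplate,NotBefore,SerialNumber'
$raw = certutil -view -restrict "Disposition=20,NotBefore>=$Since" -out $columns csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $($raw -join ' ')" }

# Keep only the quoted CSV lines (drops certutil's status line), then replace
# certutil's localized header row with fixed column names.
$rows = $raw | Where-Object { $_ -like '"*' } | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestID, Requester, Template, NotBefore, Serial

"{0} certificates issued since {1}" -f @($rows).Count, $Since

# Issuance per template, most active first.
$rows | Group-Object Template | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# A single requester collecting many certificates from one template is the
# signature of autoenrollment and the RDS GPO renewing against each other.
$loops = $rows | Group-Object Template, Requester |
    Where-Object Count -gt $PerRequesterThreshold |
    Sort-Object Count -Descending
if ($loops) {
    Write-Warning "Possible renewal loop: one requester, many certificates"
    $loops | Select-Object Count, Name | Format-Table -AutoSize
    # Serial numbers of the affected certificates, for review and, once the
    # template is fixed, bulk revocation (certutil -revoke <serial> 4,
    # reason code 4 = Superseded).
    $loops.Group | Select-Object Template, Requester, NotBefore, Serial |
        Export-Csv -Path '.\suspect-certs.csv' -NoTypeInformation
}
```

The per-requester grouping is the useful part: total issuance alone can look legitimate during a rollout, whereas one computer account holding twenty certificates from the RDS template in a month cannot be explained by normal renewal. The exported serials are what you need to clean up the surplus after the template permission is corrected.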

1 Answer

Just for the sake of posting the confirmed solution (which I was suspecting).

If you deploy RDS/RDP certificates using the new dedicated RDS certificate deployment GPO, then you *MUST NOT* enable Autoenroll permissions on the certificate template. The GPO mechanism implements its own renewal process and conflicts with the Windows Certificate Autoenrollment mechanism.

Crypt32