
A few days ago I witnessed a strange problem within my domain:

  • During RDP connection I see warnings about the certificate not being trusted (and I see a self-signed certificate, not one issued by the domain CA)

  • I can no longer connect by RDP to servers with NLA (Network Level Authentication) enabled.

This problem is omnipresent: I experience it on different workstations and on different servers, including Windows Server 2012 R2 / 2008 R2, Windows 7 and Windows 10.

About the CA infrastructure: one offline Root CA and one domain-level Issuing CA. pkiview.msc says everything is OK: both Root and Issuer have valid certificates, CDPs, AIAs and Delta CRLs (issuer only). I've updated the Root CRLs and republished them in AD because I thought that might be the cause, but no luck.

The custom certificate template with Client / Server / RDP Auth still exists, and I can confirm that the servers in question have such certificates in the Personal folder in the MMC Certificates applet (and can request new ones from there), although only a self-signed certificate is present in the Remote Desktop folder.

Using the MMC Certificates applet I also see that both the Root and Issuer certificates are trusted.

So... I don't really know what to do, how to fix it, or why it's broken in the first place. Any help is appreciated.

PS. Also, some time ago I modified the Default Domain GPO to enforce private network IP ranges. Can that be the reason? Anyway, I turned those back to default and no luck either.

UPDATE: Some pics to clarify a bit:

1) Security Warning


2) ...because the server presents a self-signed certificate

3) However, we can see the proper CA-issued certificate in the Personal store on the server in question

4) In the Remote Desktop certificate store I can see just the self-signed cert. I copied the proper one there as well, but no effect. And if I delete the self-signed cert from there I won't be able to connect to the server over RDP at all.

5) Also, you can see that my local CAs are trusted by the server:

6) And that is the error I get when I try to RDP to an NLA-enabled server. So the client for some reason can't or won't use CredSSP. It worked a week before, so I think it's connected to the cert problem.

7) Finally, some screens from the Issuing CA. It seems to be OK.

user2838376
  • What about date and certificate purpose? What do you mean: `I can no longer connect by RDP to servers with enabled NLA (Network Layer Authentication).` Do you see any error message? – Michal Sokolowski May 14 '18 at 06:38
  • I've updated my question with images to clarify things – user2838376 May 14 '18 at 07:23
  • Can you please translate the yellow exclamation marks from the 1st image, and the error message from the 4th image? I see a CredSSP problem in the 4th image, so it may be: https://serverfault.com/questions/911590/this-could-be-due-to-credssp-encryption-oracle-remediation-rdp-to-windows-10-p/911595#911595 – Michal Sokolowski May 14 '18 at 07:46
  • As far as I remember, you need to install CA cert and valid CRL in local computer certificate storage (client side), not in personal. – Michal Sokolowski May 14 '18 at 07:55
  • 1) Wrong server name in certificate (the cert has the FQDN, but I addressed the server by name without the domain part) and cert issued by an untrusted CA 2) The 4th image says that the function is not supported (implying that CredSSP is not enabled) – user2838376 May 14 '18 at 07:56
  • It's local computer storage, not personal account. – user2838376 May 14 '18 at 08:00
  • So you have to update client and server to get rid of the CredSSP thing (details in the link above), enable NLA and reboot. Make sure that the installed certificate has the same fingerprint as the certificate exposed to the client. – Michal Sokolowski May 14 '18 at 08:03
  • It's normally a good idea to ask for help with screenshots in English :) – FoxDeploy May 18 '19 at 16:04

3 Answers

Sometimes RDS loses the certificate binding for static certificates (those not assigned via GPO). You may need to execute the following command:

# Read the RDP-Tcp listener settings (drop -ComputerName when running on the server itself)
$path = (Get-WmiObject "Win32_TSGeneralSetting" -ComputerName "<RDS Server Name>" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
# Bind the listener to the certificate with the given SHA-1 thumbprint
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="<Thumbprint>"}

Replace <RDS Server Name> with the actual server name (if executed remotely) and <Thumbprint> with the actual certificate's thumbprint. The thumbprint must be specified in hex with no spaces, e.g. F02B346CDC02165543936A37B50F2ED9D5285F62.

For internal machines (which are part of AD forest and accessed via internal names), it is recommended to use GPO-assigned RDS certificates: Configuring Remote Desktop certificates

Crypt32
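As an added example (not Crypt32's code), a script that picks the certificate to bind by validating it on the server first rather than typing the thumbprint by hand; it assumes it runs elevated on the RDS host itself and that the CA-issued certificate in Cert:\LocalMachine\My carries the Server Authentication EKU and a private key:

```powershell
# Added example, not Crypt32's own code: audit which certificate the RDP-Tcp
# listener presents and rebind it to a CA-issued one when it is the self-signed
# certificate from the "Remote Desktop" store. Assumes it runs elevated on the
# RDS host itself and that the CA-issued certificate sits in Cert:\LocalMachine\My
# with the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a private key.
$ts = Get-WmiObject -Namespace root\cimv2\terminalservices `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$bound = $ts.SSLCertificateSHA1Hash
Write-Host "RDP-Tcp currently presents thumbprint $bound"

# Find the bound certificate in either store and flag it if it is self-signed
# (issuer equals subject), which is what the client warning in the question shows.
$current = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' |
           Where-Object Thumbprint -eq $bound | Select-Object -First 1
if ($current -and $current.Subject -eq $current.Issuer) {
    Write-Warning "Bound certificate is self-signed: $($current.Subject)"
}

# Pick the newest CA-issued server-auth certificate whose chain validates on
# this host; Verify() builds the chain against the machine's trusted roots and
# checks revocation, so a CDP/AIA problem shows up here rather than at the client.
$candidate = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -ne $_.Issuer -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        $_.Verify()
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $candidate) {
    Write-Warning "No CA-issued server-auth certificate with a valid chain; request one from the template first."
    return
}
if ($candidate.Thumbprint -eq $bound) {
    Write-Host "Binding already points at the CA-issued certificate; nothing to do."
    return
}

# Same WMI write as the answer's command, with the thumbprint taken from the
# validated certificate. The Remote Desktop service (NETWORK SERVICE) must
# have read access to that certificate's private key or the listener ignores it.
Set-WmiInstance -Path $ts.__path `
    -Arguments @{ SSLCertificateSHA1Hash = $candidate.Thumbprint } | Out-Null
Write-Host "Rebound RDP-Tcp to $($candidate.Subject) ($($candidate.Thumbprint))"
```

If the bound certificate is self-signed but no candidate is found, the Verify() step is usually the one that failed, which points back at the CRL/AIA reachability the question checked with pkiview.msc.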

OK, I solved it. Michal Sokolowski was right when he pointed at the CredSSP May 2018 update. Apparently everything I saw was because of it. As soon as I modified the local GPO on the client workstation everything went well.

So, the solution is:

1) run gpedit.msc on client

2) open Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

3) enable Encryption Oracle Remediation and set it to Vulnerable

4) run gpupdate /force

And everything goes back to normal.

user2838376
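An added example, not part of this answer: a script that reports the current Encryption Oracle Remediation value on the client (the registry value behind step 3 is assumed to be AllowEncryptionOracle under the CredSSP\Parameters policy key) and can set it back to Mitigated once the servers are patched, which is the state the Vulnerable workaround should be reverted to:

```powershell
# Added example, not the answer's own code: report the effective CredSSP
# "Encryption Oracle Remediation" setting that step 3 changes, and optionally
# move it back to Mitigated once servers are patched. Assumes the policy writes
# the AllowEncryptionOracle DWORD under the CredSSP\Parameters policy key below.
param([switch]$RevertToMitigated)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$names = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

$value = (Get-ItemProperty -Path $key -Name AllowEncryptionOracle `
              -ErrorAction SilentlyContinue).AllowEncryptionOracle
if ($null -eq $value) {
    Write-Host "AllowEncryptionOracle not configured; the installed update's default applies (Mitigated after the May 2018 update)."
} else {
    Write-Host "AllowEncryptionOracle = $value ($($names[[int]$value]))"
}

# Vulnerable re-enables CredSSP against unpatched servers, i.e. it removes the
# protection the update installed; treat it as a temporary workaround only.
if ($value -eq 2 -and -not $RevertToMitigated) {
    Write-Warning "Client is set to Vulnerable; patch the servers, then revert this setting."
}

if ($RevertToMitigated) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name AllowEncryptionOracle -Value 1 -Type DWord
    Write-Host "Set to Mitigated (1); run gpupdate /force if the value is also enforced by domain GPO."
}
```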

Apply all patches to the server and clients and this will fix your CredSSP error.