Terminal server rdp, tls certificates & subject alternative names?

Microsoft Applications Security

Posted by DavidB on June 30, 2008, 11:03 am
Cross posting from microsoft.public.security.crypto:

I need to issue some certificates to my terminal servers so I can
secure RDP sessions. I want to use the negotiate TLS and I want to
get rid of the warning messages from the new RDP client. I've been
having a difficult time issuing a certificate which will have all the
names I need for a particular server.

The default certificate only includes the FQDN of the server, which is
not too smart in my opinion because locally connected machines use the
common or short name or IP address to connect up.


From Exchange 2007 certificates I know that we need a SAN or subject
alternative name to get these to authenticate correctly. I wanted to
enter the DNS entry for the server short name and the IP address, if
possible, in the SAN.


I can't get these issued correctly using the MMC console because it
just streamlines the process and never asks me for the SAN entries.
I've tried the command line certreq, but that certificate always gets
issued to the administrator and the terminal server won't allow me to
use it! I don't have the IIS pages installed, for security.


Anyone else run into this issue and solve it? Driving me nuts!!


Thanks in advance,
DavidB

Posted by S. Pidgorny on July 1, 2008, 4:06 am
Yes, you can put short name and IP as SANs, no restrictions there, I think.
As to a fast and easy way of enrolling - install the Web pages. Having the
pages installed doesn't compromise security (if you're eccentrically
paranoid - only bind Web services to 127.0.0.1, restricting access to the
console).

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


Posted by DavidB on July 1, 2008, 11:10 am
Thank you Svyatoslav, I'll give that a try! I was trying to keep my
server as lean as possible but maybe I'll just stop the IIS service
when not in use.

Posted by DavidB on July 3, 2008, 8:45 am
The web pages worked. I created a duplicate of the web server
template and added client authentication. I also chose the option to
specify the SAN entries instead of pulling them from Active
Directory. It took a few tries, but I finally got the syntax correct;
in the attributes box for the web enrollment I had to enter
"SAN:dns=svr&dns=svr.domain.com&ipaddress=x.x.x.x".
Once I installed the certificate, I assigned it to the RDP protocol
and chose to negotiate security. Now the short name and FQDN don't
generate errors when connecting up via RDP. I was hoping to also use
the IP address without error, but that didn't work. Perhaps entering
another "&dns=x.x.x.x" would get around that.
Thanks again for your help!
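As an added example (not code from the thread or from either poster), the Go program below uses only the standard library to build two constructed self-signed certificates carrying the SAN entries the attribute string above asks for, with the placeholder x.x.x.x replaced by the RFC 5737 documentation address 192.0.2.10 and the names svr / svr.domain.com kept as stand-ins. One certificate carries the IP only as an extra dNSName string (the "&dns=x.x.x.x" idea); the other encodes it as an iPAddress entry (the "ipaddress=" form). It then runs the standard library's hostname check, `VerifyHostname`, against the short name, the FQDN and the IP, and reports which connection names each certificate covers. That check compares an IP-looking connection name only with iPAddress entries and everything else only with dNSName entries, which is the RFC 2818 / RFC 6125 behaviour; whether the RDP client of the time applied exactly these rules is not something the thread settles, so treat the output as what a standards-conformant verifier does with each SAN type.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed stand-ins for the thread's svr / svr.domain.com / x.x.x.x.
// 192.0.2.10 is an RFC 5737 documentation address, not a real host.
const (
	shortName = "svr"
	fqdn      = "svr.domain.com"
	ipText    = "192.0.2.10"
)

// ConnectionNames are the names a user might type into the RDP client.
var ConnectionNames = []string{shortName, fqdn, ipText}

// makeCert issues a throwaway self-signed certificate carrying the given
// dNSName and iPAddress SAN entries (test data only, not an issued cert).
func makeCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: fqdn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Coverage reports, for each connection name, whether the certificate's SAN
// entries satisfy hostname verification. VerifyHostname compares an
// IP-looking name only with iPAddress entries and any other name only with
// dNSName entries, so a dotted-quad stored as a dNSName never matches.
func Coverage(cert *x509.Certificate, names []string) map[string]bool {
	out := make(map[string]bool, len(names))
	for _, n := range names {
		out[n] = cert.VerifyHostname(n) == nil
	}
	return out
}

// CoverageWithIPAsDNSName models "dns=svr&dns=svr.domain.com&dns=x.x.x.x":
// the IP text is present, but only as a dNSName entry.
func CoverageWithIPAsDNSName() (map[string]bool, error) {
	cert, err := makeCert([]string{shortName, fqdn, ipText}, nil)
	if err != nil {
		return nil, err
	}
	return Coverage(cert, ConnectionNames), nil
}

// CoverageWithIPAddressSAN models "dns=svr&dns=svr.domain.com&ipaddress=x.x.x.x":
// the IP is encoded as an iPAddress entry.
func CoverageWithIPAddressSAN() (map[string]bool, error) {
	cert, err := makeCert([]string{shortName, fqdn}, []net.IP{net.ParseIP(ipText)})
	if err != nil {
		return nil, err
	}
	return Coverage(cert, ConnectionNames), nil
}

func main() {
	variants := []struct {
		label string
		fn    func() (map[string]bool, error)
	}{
		{"IP only as dNSName", CoverageWithIPAsDNSName},
		{"IP as iPAddress entry", CoverageWithIPAddressSAN},
	}
	for _, v := range variants {
		res, err := v.fn()
		if err != nil {
			fmt.Println(v.label, "error:", err)
			continue
		}
		fmt.Printf("%s:\n", v.label)
		for _, n := range ConnectionNames {
			fmt.Printf("  %-16s covered=%v\n", n, res[n])
		}
	}
}
```

Run it with `go run` and compare the two result tables: the short name and FQDN are covered in both variants, while the IP is covered only when it is an iPAddress entry. The same `Coverage` function can be pointed at a real certificate loaded with `x509.ParseCertificate` to check which names an issued terminal server certificate actually covers before it is assigned to the RDP listener.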
