To configure a TLS connection, you must configure both the terminal server and the client computer. To configure the terminal server, you must perform both of the following steps:
- You must install a valid certificate on the terminal server.
- You must configure the authentication settings by using the Terminal Services Configuration tool.
To configure the client computer, you must perform both of the following steps:
- You must configure the client computer to trust the root Certification Authority that issued the terminal server's certificate.
- You must configure the authentication settings for the remote connection by using the Remote Desktop Connection program or by modifying the registry.
IN THIS TASK
- Prerequisites to configure server authentication
- To configure the terminal server
- To configure the client computer
If you use the Remote Desktop Protocol (RDP) to connect to a terminal server, RDP provides data encryption but it does not provide authentication. Therefore, you cannot verify the identity of the terminal server. You can use Microsoft Windows Server 2003 Service Pack 1 (SP1) together with Transport Layer Security (TLS) version 1.0 to help increase terminal server security by using TLS for server authentication and to encrypt terminal server communications.
This article describes how to configure Windows Server 2003 SP1 to use TLS 1.0 for server authentication to encrypt terminal server communications.
The terminal server must meet the following prerequisites (the "Server prerequisites"):
- Your terminal server must be running Windows Server 2003 SP1.
- You must obtain a certificate for your terminal server. To obtain a certificate, use one of the following methods:
- Visit the Web site for your certification authority. For example, visit http://servername/certsrv.
- Run the Windows Server 2003 Certificate Request Wizard or the Windows 2000 Server Certificate Request Wizard.
- Obtain a certificate from a third-party certification authority, and then manually install the certificate.
- The certificate must be a computer certificate.
- The intended purpose of the certificate must be for server authentication.
- The certificate must have a corresponding private key.
- The certificate must be stored in the computer account certificate store on the terminal server.
Note You can view this store by using the Microsoft Management Console (MMC) Certificates snap-in.
- The certificate must have a cryptographic service provider (CSP) that can be used for the TLS protocol. For example, the certificate must use a cryptographic service provider such as the Microsoft RSA SChannel Cryptographic Provider. For more information about Microsoft cryptographic service providers, visit the following Microsoft Web site:
The client computer must meet the following prerequisites:
- The client computer must be running Microsoft Windows 2000 or Microsoft Windows XP.
- The client computer must be upgraded to use the RDP 5.2 client program. The RDP 5.2 client program is included with Windows Server 2003 SP1. You can install this client-side Remote Desktop Connection package by using the %SYSTEMROOT%\System32\Clients\Tsclient\Win32\Msrdpcli.msi file. The Msrdpcli.msi file is located on Windows Server 2003-based terminal servers. If you install this file from the terminal server, the RDP 5.2 version of Remote Desktop Connection is installed in the %SYSTEMDRIVE%\Program files\Remote Desktop folder on the destination computer. For more information about the Remote Desktop Connection for Windows Server 2003, visit the following Microsoft Web site:
- The client computer must trust the root Certification Authority of your terminal server's certificate. Therefore, the client computer must have the certificate of the Certification Authority in the Trusted Root Certificate Certification Authorities folder of the client computer. You can view this folder by using the Certificates snap-in.
Request the certificate by using the Certificate Services Web pages if one of the following conditions is true:
- You want to obtain a certificate from a stand-alone certification authority.
- You want to obtain a certificate that is based on a certificate template that is configured to obtain the subject name from the subject.
- You want to obtain a certificate that requires administrator approval before the certificate is issued.
- Start Microsoft Internet Explorer, and then visit http://servername/certsrv, where servername is the name of your server that is running Microsoft Certificate Services.
- Under Select a task, click Request a certificate.
- Click advanced certificate request, and then click Create and submit a request to this CA.
- Type your identifying information in the boxes under Identifying Information, and then click Server Authentication Certificate in the Type of Certificate Needed list.
- Leave the Create new key set option selected, and then click Microsoft RSA SChannel Cryptographic Provider in the CSP list.
Note This cryptographic service provider supports key derivation for the SSL2, PCT1, SSL3, and TLS1 protocols.
- Leave the Exchange option selected next to Key Usage. This option indicates that the private key can be used to enable the exchange of sensitive information.
- Click to select the Mark keys as exportable check box. When you do this, you can save the public key and the private key to a PKCS#12 file. Therefore, you can copy this certificate to another computer.
- Click to select the Store certificate in the local computer certificate store check box, and then click Submit.
Important For TLS authentication to function, you must store the certificate in the local computer certificate store.
- If you receive a Certificate Issued Web page, click Install this certificate. If you receive a Certificate Pending Web page, you must wait until an administrator approves the certificate request. In this scenario, you must again visit the Certificate Services Web site to obtain and install this certificate.
Request the certificate by using the Certificate Request Wizard in the Certificates snap-in if one of the following conditions is true:
- You want to request a certificate from an Enterprise Certification Authority.
- You want to request a certificate that is based on a template where the subject name is generated by Windows.
- You want to obtain a certificate that does not require administrator approval before the certificate is issued.
- Click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- Click Add, click Certificates, and then click Add.
- Click Computer account, and then click Next.
- If you want to add a certificate to the local computer, click Local computer. If you want to add a certificate to a remote computer, click Another computer, and then type the name of that remote computer in the Another computer box.
- Click Finish.
- In the Add Standalone Snap-in dialog box, click Close, and then click OK in the Add/Remove Snap-in dialog box.
- Under Console Root, click Certificates (Local Computer).
Note If you configured the Certificates MMC snap-in to manage a remote computer, click Certificates (servername) instead of Certificates (Local Computer).
- On the View menu, click Options.
- In the View Options dialog box, click Certificate purpose, and then click OK.
- In the right pane, right-click Server Authentication, point to All Tasks, and then click Request New Certificate.
- In the Certificate Request Wizard that starts, click Next.
- In the Certificate types list, click Server Authentication, click to select the Advanced check box, and then click Next.
- In the Cryptographic Service Providers list, click Microsoft RSA SChannel Cryptographic Provider.
Note This cryptographic service provider supports key derivation for the SSL2, PCT1, SSL3, and TLS1 protocols.
- In the Key Length list, leave the default option of 1024 selected or click the key length that you want to use.
- Click to select the Mark this key as exportable check box. When you do this, you can save the public key and the private key to a PKCS#12 file. Therefore, you can copy this certificate to another computer.
- If you want to enable "strong private key protection," click to select the Enable strong private key protection check box.
- Click Next, type the name of your Certification Authority in the CA box, click Next, type a name for this certificate in the Friendly name box, click Next, and then click Finish.
The following requirements apply when you configure TLS for a connection by using the Terminal Services Configuration tool:
- You must select a certificate that meets the requirements that are mentioned in the "Server prerequisites" section.
- You must set the Security layer value to Negotiate or to SSL.
- You must set the Encryption level value to High, or you must enable Federal Information Processing Standard (FIPS)-compliant encryption.
Note You can also enable FIPS-compliant encryption by using Group Policy. However, you cannot enable TLS by using Group Policy.
To enable TLS, use one of the following settings:
- Set the Security layer value to SSL.
- Set the Security layer value to Negotiate. If you set the Security layer to Negotiate, TLS authentication is only enabled if the client computer supports TLS authentication.
- Start the Terminal Services Configuration tool. To do this, click Start, point to Administrative Tools, and then click Terminal Services Configuration.
- In the left pane, click Connections.
- In the right pane, right-click the connection that you want to configure, and then click Properties.
- On the General tab, click Edit next to Certificate.
- In the Select Certificate dialog box, click the certificate that you want to use.
Note Server Authentication must appear in the Intended Purpose column for this certificate. Additionally, this certificate must be an X.509 certificate with a corresponding private key. To determine whether the certificate has a private key, click View Certificate. If the certificate has a private key, the following message text appears at the bottom of the certificate information:
Click OK to close the certificate.
- Click OK.
- In the Security layer list, click one of the following options:
- Negotiate: This security method uses TLS 1.0 to authenticate the server if TLS is supported. If TLS is not supported, the server is not authenticated.
- RDP Security Layer: This security method uses Remote Desktop Protocol encryption to help secure communications between the client computer and the server. If you select this setting, the server is not authenticated.
- SSL: This security method requires TLS 1.0 to authenticate the server. If TLS is not supported, you cannot establish a connection to the server. This method is only available if you select a valid certificate.
- Set the encryption level to High.
- Configure FIPS-compliant encryption.
- In the Encryption level list, click one of the following options:
- FIPS Compliant: If you use this setting, or if you set the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing option by using Group Policy, data is encrypted and decrypted between the client computer and the server that has FIPS 140-1 encryption algorithms by using Microsoft cryptographic modules.
- High: If you use this setting, data that is sent between the client computer and the server is encrypted by using 128-bit encryption.
- Client Compatible: If you use this setting, data that is sent between the client computer and the server is encrypted by using the maximum key strength that is supported by the client computer.
- Low: If you use this setting, data that is sent between the client computer and the server is encrypted by using 56-bit encryption.
Note This option is not available when you click SSL in the Security layer list.
- Click to select the Use standard Windows logon interface check box to specify that users log on to the terminal server by typing their credentials in the default Windows logon dialog box.
- Click OK.
- To configure these options, you must be a member of the Administrators group on the local computer or you must be delegated the appropriate rights. If the computer is joined to a domain, members of the Domain Admins security group have sufficient permissions to follow these steps.
- Encryption levels that you configure by using Group Policy override the configuration options that you set by using the Terminal Services Configuration tool. Additionally, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing policy, the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing policy overrides the Set client connection encryption level Group Policy setting.
- When you change the encryption level, the new encryption level that you configure takes effect the next time a user logs on. If you require multiple encryption levels, install multiple network adaptors, and then configure each network adaptor with a different encryption level.
To configure the client computer to trust the certification authority that issued the terminal server's certificate, follow these steps:
- Start Internet Explorer, and then visit http://servername/certsrv.
- Click Download a CA certificate, certificate chain, or CRL.
- Click install this CA certificate chain to configure your client computer to trust all the certificates that are issued by this certification authority.
- Click Yes if you are prompted to add the certificates from the Certification Authority Web site.
- After you receive the following message, quit Internet Explorer:
- You do not have to be logged on to the computer with administrative privileges to perform this operation.
- You install the CA certificate chain to make sure that the client computers trust the root of the terminal server's certificate. This means that the certificate of the root CA that issued the terminal server's certificate is stored in the client computer's local computer Trusted Root Certification Authorities certificate store. This is required for TLS to be used for server authentication when client computers connect to the terminal server.
- You can use the install this CA certificate chain option to establish trust in a subordinate certification authority if you do not currently have the certificate of the root CA in your certificate store.
To configure the authentication settings by using Remote Desktop Connection, follow these steps:
- Start Remote Desktop Connection.
- Click Options, and then click the Security tab.
Note The Security tab appears if you install the Windows Server 2003 SP1 version of Remote Desktop Connection.
- In the Authentication list, click one of the following options:
- No authentication: This is the default option. If you select this option, the terminal server is not authenticated.
- Attempt authentication: If you select this option, and if TLS is supported and correctly configured, TLS 1.0 is used to authenticate the terminal server.
If you click Attempt authentication, you can choose to continue your Terminal Services connection without TLS authentication if one of the following authentication errors occurs:
- The server certificate is expired.
- The server certificate is not issued by a trusted root Certification Authority.
- The name in the certificate does not match the name of the client computer.
- Require authentication: If you click this option, TLS is required to authenticate the terminal server. If TLS is not supported, or if TLS is not correctly configured, the connection attempt is not successful. This option is only available for client computers that connect to terminal servers that are running Windows Server 2003 SP1.
An .rdp file contains all the information for the connection to the terminal server. This includes the security settings that you configure on the Security tab. You can customize your connections to a particular terminal server by creating different .rdp files that correspond to the settings that you want to use when you connect to that terminal server. Additionally, you can change the .rdp file by using any text editor, such as Notepad. To modify the security settings of an .rdp file by using Notepad, follow these steps:
- Locate the .rdp file that you want to modify, and then open it by using Notepad.
- Locate the authentication level line (authentication level:i:<value>) in the .rdp file.
- Set the authentication level value to one of the following values:
- 0: This value corresponds to "No authentication."
- 1: This value corresponds to "Require authentication."
- 2: This value corresponds to "Attempt authentication."
- Save the changes to the file, and then quit Notepad.
To configure the authentication level by modifying the registry, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Use one of the following methods:
- To modify the registry settings for all the users who log on to the computer, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client
- To modify the registry settings for only the currently logged on user, locate and then click the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client
- On the Edit menu, point to New, and then click DWORD Value.
- In the New Value #1 box, type AuthenticationLevelOverride, and then press ENTER.
- Right-click AuthenticationLevelOverride, and then click Modify.
- In the Value data box, type one of the following values, and then click OK:
- 0: Type this value to configure an authentication level of "No authentication."
- 1: Type this value to configure an authentication level of "Require authentication."
- 2: Type this value to configure an authentication level of "Attempt authentication."
- If you configure the authentication level by using the registry, users who are logged on to the client computer cannot modify the authentication settings.
- The authentication level that you set by using the HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client registry subkey overrides an authentication level that might be configured in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client registry subkey.
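The following Python script is an added example for the .rdp file and registry procedures above; it is not code from the original article. It reads and sets the authentication level line of an .rdp file and then resolves the level the client will apply when the AuthenticationLevelOverride registry value is also set, following the precedence the article states (a registry override takes the setting out of the user's hands, and the HKEY_CURRENT_USER value overrides the HKEY_LOCAL_MACHINE value). The .rdp line format ("name:i:value" for integers, "name:s:value" for strings), the sample file content, the host name ts01.example.local and all function names are assumptions made for this example; the registry values are passed in as plain integers so the script runs on any platform, and reading them with winreg on Windows is left to the caller.

```python
"""Read and set the "authentication level" of an .rdp file, and resolve the
level the Remote Desktop Connection client applies once the
AuthenticationLevelOverride registry value is taken into account.

Added example, not code from the original article. Value meanings and
precedence rules follow the article's text; the .rdp line format and the
sample content below are assumptions for this example.
"""

# Meaning of each authentication level value, as listed in the article.
AUTH_LEVEL_NAMES = {
    0: "No authentication",
    1: "Require authentication",
    2: "Attempt authentication",
}
RDP_KEY = "authentication level"

# Constructed sample .rdp content; the host name is a placeholder.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:ts01.example.local:3389
authentication level:i:0
username:s:alice
"""


def parse_rdp(text):
    """Return (name, type, value) triples for every non-blank line.

    split(":", 2) keeps any colons that are part of the value, e.g. "host:3389".
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {line!r}")
        entries.append(tuple(parts))
    return entries


def get_authentication_level(text):
    """Integer from the 'authentication level:i:<n>' line, or None if absent."""
    for name, kind, value in parse_rdp(text):
        if name == RDP_KEY and kind == "i":
            return int(value)
    return None


def set_authentication_level(text, level):
    """Return the .rdp text with the level replaced (or appended if missing)."""
    if level not in AUTH_LEVEL_NAMES:
        raise ValueError(f"authentication level must be 0, 1 or 2, got {level!r}")
    lines = []
    found = False
    for name, kind, value in parse_rdp(text):
        if name == RDP_KEY:
            lines.append(f"{RDP_KEY}:i:{level}")
            found = True
        else:
            lines.append(f"{name}:{kind}:{value}")
    if not found:
        lines.append(f"{RDP_KEY}:i:{level}")
    return "\n".join(lines) + "\n"


def effective_authentication_level(rdp_text, hklm_override=None, hkcu_override=None):
    """Level the client applies, in the article's precedence order:
    HKCU AuthenticationLevelOverride, then HKLM, then the .rdp file.
    An .rdp file with no such line falls back to 0, the client's default."""
    for candidate in (hkcu_override, hklm_override, get_authentication_level(rdp_text)):
        if candidate is not None:
            return candidate
    return 0


if __name__ == "__main__":
    hardened = set_authentication_level(SAMPLE_RDP, 1)
    level = effective_authentication_level(hardened, hklm_override=2)
    print(f"file says {get_authentication_level(hardened)}, "
          f"client applies {level} ({AUTH_LEVEL_NAMES[level]})")
```

Running the script shows the case an administrator most often needs to check: the .rdp file asks for "Require authentication" (1), but a machine-wide AuthenticationLevelOverride of 2 means the client will only attempt authentication, so the file setting alone is not proof that server authentication is enforced.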