Channel: Security forum

Remote Desktop Authentication certificate issued on every RD Configuration service restart


Hello,

In several networks (several separate customers) I have this weird behaviour. I have created a new Remote Desktop Authentication certificate (1.3.6.1.4.1.311.54.1.2) and assigned it through the GPO policy "Server Authentication Certificate Template" to my RDP servers to be obtained automatically. The problem I face is that each time any Remote Desktop Configuration or Terminal Services Configuration service restarts, it enrolls for a new certificate of the same template.

Every time, I receive a successful event about it (1064, Information, TerminalServices-RemoteConnectionManager): A new template-based certificate to be used by the terminal server for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption has been installed. The name for this certificate is Alfa.xxx.local. The SHA1 hash of the certificate is provided in the event data.

The certificate is normally assigned to RDP and everything works fine, except that on the next restart of the server/service, another certificate is pulled. No error messages appear, everything looks to be in order.

This happens on both 2008 and 2008 R2 boxes. The template is version 2003 or 2008 (both tested). The template can be exportable or non-exportable (both types tested without effect). It also does not depend on what the Subject field contains. There is also no difference in the behavior whether or not the servers are allowed to Autoenroll in addition to the Enroll permission. The behavior also does not depend on the expiration of the certificates (I have tested 2 years, 1 year, 6 months). The authority is SHA1 and issues SHA1 certificates. It looks just as if the computers, on the next restart, cannot find a suitable certificate and enroll again.

How could I stop the clients from enrolling for the certificate every time they restart?

Thank you.

ondrej.
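
A check for the symptom described in the post, added here as an example and not part of the original thread: it lists every certificate in the computer store that carries the Remote Desktop Authentication EKU and marks which one the listener is bound to. It assumes an elevated local session on the RD server and the default listener name `RDP-Tcp`; the function and variable names are hypothetical.

```powershell
# Added diagnostic example; not from the original post.
# Assumptions: run elevated on the RD server itself; the listener has the
# default name 'RDP-Tcp'. Written for PowerShell 2.0 (Server 2008 / 2008 R2).

$RdpAuthOid = '1.3.6.1.4.1.311.54.1.2'   # EKU OID quoted in the post

function Get-RdpAuthCertificate {
    # All certificates in the computer's Personal store that carry the RDP EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
        $ekus -contains $RdpAuthOid
    }
}

function Get-RdpListenerThumbprint {
    # SHA1 thumbprint the RDP-Tcp listener is currently bound to.
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $listener.SSLCertificateSHA1Hash
}

$bound = Get-RdpListenerThumbprint
$certs = @(Get-RdpAuthCertificate | Sort-Object NotBefore)

# One row per RDP-capable certificate, oldest first; 'Bound' marks the one in use.
$certs | Select-Object Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey,
    @{ Name = 'Bound'; Expression = { $_.Thumbprint -eq $bound } } |
    Format-Table -AutoSize

"{0} certificate(s) with the RDP EKU; listener bound to {1}" -f $certs.Count, $bound

# A bound thumbprint without a usable certificate in the store is worth noting.
if (-not ($certs | Where-Object { $_.Thumbprint -eq $bound -and $_.HasPrivateKey })) {
    'Bound thumbprint has no matching certificate with a private key in LocalMachine\My.'
}
```

Running it before and after a service restart shows whether the count grows and the bound thumbprint changes, which is the behaviour the post reports alongside event 1064.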

 

