GPO Automatic Certificate Management/enrollment replacing existing certs (not good)

This is my conundrum.
Recently (in the past year) the company I work for implemented NAP (2012) and on that front all is fine. 
I came onboard about 2 months ago and was asked to take over a project to secure RDP sessions, and that was going fine. The engineer I took this over from had set up a GPO to push all settings and the required cert (auto enroll) to servers (security level SSL (TLS 1.0) using a cert from our CA, and the encryption level set to high). All this works fine.
The issue is that when I push this policy to servers that are running an NPS, the RDP cert replaces the cert assigned to the NPS. This is an issue because the application policies on these two certs are not the same, which causes NPS to stop functioning properly. Not to mention the fact that the RDP cert should not be used for any other application. I can come up with several workarounds, none of which are appealing to me, but I would rather understand what is going on here so that in the future, when we need to push certs with GPOs, I will not run into this issue again.
Any input would be greatly appreciated. I have looked around and looked up what the settings should be for auto enrollment, but I just can't seem to see what the maleficence is here…
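The following diagnostic is an added example, not part of the original post or its author's setup. It inventories the machine certificate store on a server, shows each certificate's template and Enhanced Key Usage (application policies), and flags which certificate the RDP listener is currently bound to. Running it before and after the GPO applies shows whether the original NPS certificate was actually removed from the store or whether only the RDP listener binding moved to the auto-enrolled certificate. It assumes an elevated PowerShell session on the affected server and the default listener name `RDP-Tcp`.

```powershell
# Added diagnostic (not from the original post). Assumes elevated PowerShell
# and the default RDP listener name 'RDP-Tcp'.

# OIDs of the certificate template extensions (v2 template info and v1 template name).
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

# Thumbprint of the certificate the RDP listener is bound to (empty if the query fails).
$rdp = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                       -ClassName Win32_TSGeneralSetting `
                       -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
$rdpThumb = if ($rdp) { $rdp.SSLCertificateSHA1Hash } else { '' }

# One row per certificate in LocalMachine\My with template, EKU list and RDP binding.
$inventory = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $template = ($cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join '; '
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Template   = $template
        EKU        = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        BoundToRDP = ($cert.Thumbprint -eq $rdpThumb)
    }
}

$inventory | Sort-Object BoundToRDP -Descending | Format-Table -AutoSize

# Save a snapshot so a run taken after the GPO applies can be diffed against it.
$inventory | Export-Csv -Path "$env:TEMP\machine-certs-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

Comparing two snapshots (one taken before the GPO is linked, one after) separates the two possible failure modes: if the NPS certificate's thumbprint disappears from the store, auto-enrollment removed or replaced the store entry; if it is still present and only the `BoundToRDP` column changed, the listener binding moved and the NPS configuration itself should be checked for which certificate it now selects. The `EKU` column also makes the mismatch in application policies between the two certificates visible directly on the server.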
