Re: win2k3 ent with sp2 : configure terminal server to use TLS for server authentication is not work!!

 
 
Anthony [MVP]

 
      06-02-2009
Jiaqi,
What do you see, and what were you expecting to see, when you connect to the
server?
Anthony
http://www.airdesk.com


"Jiaqi Li" <> wrote in message
news:ad7c2782-58b5-4153-8877-...
> Dear all,
>
> I just finished a new install of Windows Server 2003 Ent with SP2,
> and followed KB895433 to configure my win2k3 server to use TLS for
> remote desktop access. But when I finished the configuration I found I can
> still access the win2k3 server via remote desktop and no CA
> certificate is needed.
>
> So what's wrong with my server or myself?
>
> -Jiaqi


 
Anthony [MVP]

 
      06-03-2009
Jiaqi,
Just assuming for a moment that everything is set up correctly, what happens
if you change the Advanced option in the client to "Do not connect if
authentication fails"?
Anthony
http://www.airdesk.com


"Jiaqi Li" <> wrote in message
news:18709866-bdc9-445a-8e5b-...
> Anthony,
>
> I want to protect my Windows 2003 remote desktop access via SSL, so I
> configured everything following KB895433, and the Windows Server 2003 Ent
> with SP2 is a new installation. When I finished everything, I used the
> remote desktop client to visit the Windows 2003 server from a Windows
> XP Pro SP3 without installing the server's certificate, and I found
> nothing had changed: I can still visit the remote desktop and
> nothing is different. As far as I know, if SSL is enabled, the remote desktop
> float bar will show an SSL lock icon, but I found nothing except a float
> icon.
>
 
Anthony [MVP]

 
      06-04-2009
OK, that's good. It was just that previously you had a saved option to
connect without authenticating.
Your question about installing the certificate: this is just a standard
procedure when using private certificates. There is no certificate authority
so the client shows a warning. If you want to avoid the warning you need to
use a public certificate authority, or else import the certificate chain. You
can find the details towards the end of that KB, but it is the same for any
certificate and not related to Terminal Services TLS.
Anthony
http://www.airdesk.com


"Jiaqi Li" <> wrote in message
news:641d6682-7342-4db5-ba46-...
> When I changed the security option to "no authentication" in the
> remote desktop client, the remote desktop client said "the remote
> computer requires authentication for you to connect. verify the
> authentication settings and try again"
>
> And when I changed it to "attempt authentication" and "require
> authentication", both show a security alert for my win2k3's
> certificate information.
>
> Now I am sure my remote desktop access has SSL enabled, and everything is
> ok.
>
> And can I control the server's SSL certificate and just install it
> on the desktop PCs which I allow to visit my server via remote
> desktop?
>
 
Anthony [MVP]

 
      06-04-2009
Jiaqi,
Certificates don't really work that way.
The Server certificate enables the Client to be sure that the server is the
one it says it is.
If you want clients to only be able to connect to an authenticated server,
then you need to edit the client registry (or use a tool to automate it) so
that authentication is enforced.
Anthony
http://www.airdesk.com

"Jiaqi Li" <> wrote in message
news:42cc0850-3e07-408f-a6f9-...
> And still a question: can I configure the server to just accept SSL
> and deny any other insecure remote desktop connection?
>
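The client-side enforcement described in the reply above can be checked on each workstation. The following PowerShell is an added example, not part of the original thread or of KB895433: it reads the `authentication level` setting from a saved .rdp file and looks for an `AuthenticationLevelOverride` registry value. The function names, the sample file, the registry locations checked and the rule that the override wins over the file are assumptions; confirm the exact key against the KB before relying on it.

```powershell
# Added example, not from the thread. Levels as used by the RDP client setting.
$LevelNames = @{
    0 = 'No authentication: connects even if the server cannot be verified'
    1 = 'Require authentication: do not connect if authentication fails'
    2 = 'Attempt authentication: warn if authentication fails'
}

function Get-RdpFileAuthLevel {
    param([string[]]$Lines)
    # .rdp settings are "name:type:value" lines; $null means the setting is absent.
    foreach ($line in $Lines) {
        if ($line -match '^\s*authentication level:i:(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-AuthOverride {
    # Assumed locations of the override value; $null if neither hive has it.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Terminal Server Client"
        $p = Get-ItemProperty -Path $key -Name AuthenticationLevelOverride -ErrorAction SilentlyContinue
        if ($p) { return [int]$p.AuthenticationLevelOverride }
    }
    return $null
}

function Test-RdpFile {
    param([string]$Path, $OverrideLevel)
    $fileLevel = Get-RdpFileAuthLevel -Lines (Get-Content -LiteralPath $Path)
    # Assumption: a registry override, when present, wins over the saved file.
    $level = $fileLevel
    if ($null -ne $OverrideLevel) { $level = $OverrideLevel }
    $meaning = 'Unrecognised value'
    if ($null -eq $level) { $meaning = 'Not set: the client default applies' }
    elseif ($LevelNames.ContainsKey([int]$level)) { $meaning = $LevelNames[[int]$level] }
    [pscustomobject]@{
        File = $Path; FileLevel = $fileLevel; Effective = $level
        Meaning = $meaning; Enforced = ($level -eq 1)
    }
}

# Constructed sample: a saved connection that skips server authentication,
# like the saved option mentioned earlier in the thread. Host name is made up.
$sample = Join-Path $env:TEMP 'sample-saved.rdp'
Set-Content -LiteralPath $sample -Encoding Unicode -Value @(
    'full address:s:server.example.test'
    'authentication level:i:0')

Test-RdpFile -Path $sample -OverrideLevel (Get-AuthOverride) | Format-List
```

On a client with no override set, the sample file reports `Enforced : False`; pointing `Test-RdpFile` at the user's own saved .rdp files shows which connections would still proceed when the server certificate cannot be verified.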
 
Anthony [MVP]

 
      06-06-2009
Jiaqi,
What you are looking for is strong authentication to the server. This is
where a username and password is not enough, and you want to restrict
authentication to known computers, or some other restriction: client
certificates, smartcard etc.
You can add third-party products to strengthen authentication.
Anthony
http://www.airdesk.com


"Jiaqi Li" <> wrote in message
news:e641f8ac-9826-4827-8619-...
> Anthony,
>
> Can I control the server's remote desktop access via the
> certificate? Or maybe I can make a client certificate to pair with the
> server certificate?
> In fact, I want to control this so that the computers that are allowed can
> visit the server's remote desktop and the computers that are not allowed can't
> connect to the server's remote desktop port.
>
 
Anthony [MVP]

 
      06-09-2009
It's a pleasure, glad to help, and I hope you get it working.
Anthony
http://www.airdesk.com


"Jiaqi Li" <> wrote in message
news:0f36022d-6357-42eb-b66b-...
> Anthony,
>
> Thanks for your reply. You are really a good man.
>