We have an environment where we use smartcards to log in to remote resources. It works just fine when we try to remote desktop from a machine that is domain joined, but does not work at our homes or on personal machines brought to work.
Things start working from home when we disable NLA though... but we would like to use NLA for an extra layer of security. OR if we leave NLA on, but only use a username and password it works (but again, we want to use smartcards for the extra layer of security with multifactor blah blah blah).
Stuff I have tried that has not worked:
Installing the internal Domain CA's certs to the off-domain machine and user cert store.
Issuing a "real" certificate from a major 3rd party CA and configuring RDS to use this certificate.
Tweaked some certificate properties, tested CRL paths off-location, anything I could find on BI-NGLE that was related... (shot-in-the-dark methods).
I wrote on the Technet forum (
https://social.technet.microsoft.com/Fo ... inserverTS), and "Amy" from Microsoft wrote:
"Based on my research, if we use the credential SSP(with NLA enabled) to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller."
So two questions:
1) anyone solved this, and if so, how?
2) Assuming no one has, does anyone know how to import a Root Cert from a domain controller onto the key along with my personal cert?
Login
FAQ
Search
