Active Directory Certificate Services CA Integration for RDP

Last modified on March 15, 2024

This feature is part of the Enterprise bundle. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

This guide provides general information on how to add an Active Directory Certificate Services (AD CS) certificate authority (CA) as a third-party CA to StrongDM. This CA integration allows certificate-based RDP resources to authenticate with X.509 certificates issued by AD CS, instead of the default Strong CA managed by StrongDM.

Prerequisites

Before you begin, ensure that you have the following.

Administrator permission level in StrongDM
StrongDM relay or gateway ready to run
Configured AD Domain Services
Configured AD Certificate Services (AD CS) with Network Device Enrollment Service (NDES) configured
Username and password for the account that will be requesting a challenge password from ADCS/NDES (that is, not the account that the user uses to log in with using RDP), set as environment variables SDM_ADCS_USER and SDM_ADCS_PW on the StrongDM relay or gateway
Hostname of the server running ADCS/NDES (server must be accessible by the StrongDM relay or gateway)

StrongDM doesn’t manage or configure third-party CAs. It is up to you to configure AD CS appropriately for your organization and ensure that the appropriate CA is trusted by the target resources.

AD CS Configuration Considerations

This section briefly describes some limitations of AD CS to consider when integrating with StrongDM.

Certificate lifetime minimum

There is a certificate lifetime minimum of 1 hour for certificates in AD CS. If you need certificates to last minutes, not hours, you must use a different certificate authority service.

Challenge password cache

During the process of requesting a certificate, a challenge password needs to be generated. By default, AD CS allows five unredeemed challenge passwords to be active at any given time and will not issue more challenge passwords until they expire.

There is a setting in AD/registry that lets you increase the password cache limit on the NDES server. Consider increasing it if you have several gateways or relays, multiple users, and/or a high number of resources. Not doing so could cause some initial connections to fail.

Certificate Signing Requests

How does certificate signing work? StrongDM generates a key pair on the gateway or relay and generates a Certificate Signing Request (CSR) signed by the private key. The CSR is submitted to AD CS for signing. The resulting signed certificate is then used, along with the private key, to authenticate to the target resource. The private key never leaves the gateway or relay where it was created.

Add Active Directory Certificate Services CA in the Admin UI

To add an AD CS CA in the Admin UI, follow these steps.

From the Certificate Authorities page, click Add certificate authority.
Enter the Name for the CA (any name).
For Type, select Active Directory Certificate Services.
For Server, enter the address where the CA is stored (for example, https://ad.example.com:1234).
Click Create certificate authority.

Add the Active Directory Certificate Services CA to a Certificate-Based RDP Server

If you have not already done so, follow the instructions to add an RDP server with certificate authentication.
On the resource form, pay particular attention to Certificate Authority. For this field, select the newly added AD CS CA.
Complete all required fields and save.
Test the connection to the resource (for example, use Remote Desktop to connect).

Manage the CA

After you have added the CA and set a certificate-based server to use it, you may manage the CA and review its settings on the Certificate Authorities page of the Admin UI. You may select the CA from the list or click its Details button to view diagnostics, update its settings, or delete the CA configuration.

Deletion removes the CA configuration from StrongDM only, not from AD CS.

The Diagnostics tab shows all the nodes (gateways and relays) that are configured to access the CA, as well as health information for the nodes.

If the CA is unable to be accessed by any gateway or relay, please review the CA’s Settings tab and make sure the CA credentials are correct.

Every healthcheck for certificate-based resources configured to use a third-party CA generates a certificate with the CA provider.

Additional Information

Third-party CAs also may be added and managed in the CLI, SDKs, and Terraform. Note that third-party CAs are treated like secret stores in the CLI, SDKs, and Terraform. As such, they use secret store commands, domain objects, and resources.

Activities related to third-party CAs are logged in the same way as secret store activities. For example, adding a third-party RDP CA in Terraform produces an activity similar to API Account example-terraform-key (cc1e23eb-e456-7891-23c4-edf5678c9123) created a secret store named example-tf-rdp-ca.

Add Active Directory Certificate Services CA in the CLI

To add an AD CS CA in the CLI instead of the Admin UI, use the sdm admin secretstores create CLI command. Choose the activeDirectory secret store type and set the correct options/properties.

The activeDirectory secret store type corresponds to the Active Directory Certificate Services CA type. In the CLI, the options are the same as the Active Directory Certificate Services CA properties set in the Admin UI.

CLI example

# Create AD CS CA
sdm admin secretstores create activeDirectory
--name="Example AD CS CA"
--server-address="https://ad.example.com:1234"

# Create RDP (Certificate Based) server
sdm admin servers create rdp-cert
--name="Example RDP AD"
--hostname="https://ad.example.com:1234"
--secret-store-id="se-e1b2"
--username="username"

# Run secret store healthcheck
sdm admin secretstores healthcheck se-e1b2

# Check that the secret store is reachable
sdm admin secretstores status

# Check the connection to the resource
sdm connect "Example RDP AD CS"

Add AD CS CA in Terraform

In addition to using the Admin UI and CLI, you may use Terraform to add an AD CS CA for use with certificate-based RDP servers. This section includes a Terraform example.

For additional information, see our Terraform provider documentation.

Terraform example

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "7.1.1"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
    # Add API access key and secret key from Admin UI
    api_access_key = "njjSn...5hM"
    api_secret_key = "ziG...="
}

variable "prefix" {
  type = string
  default = "example-tf-"
}

# Create AD CS RDP CA
resource "sdm_secret_store" "example-tf-rdp-ca" {
  ad_token_cert_x509 {
    name = "${var.prefix}rdp-ca"
    server_address = "https://ad.example.com:1234"
  }
}

# Create RDP (Certificate Based) server
resource "sdm_resource" "example-rdp-cert-based" {
  rdp {
    name = "${var.prefix}rdp-adcs-ca"
    hostname = "https://ad.example.com:1234"
    secret_store_id = sdm_secret_store.example-tf-rdp-ca.id
    username = "username"
  }
}

Add AD CS CA with the SDKs

To add an AD CS CA with the StrongDM SDKs, please see the SDKs on GitHub:

Active Directory Certificate Services CA Integration for RDP

Prerequisites #

AD CS Configuration Considerations #

Certificate lifetime minimum #

Challenge password cache #

Certificate Signing Requests #

Add Active Directory Certificate Services CA in the Admin UI #

Add the Active Directory Certificate Services CA to a Certificate-Based RDP Server #

Manage the CA #

Additional Information #

Add Active Directory Certificate Services CA in the CLI #

CLI example #

Add AD CS CA in Terraform #

Terraform example #

Add AD CS CA with the SDKs #