Skip to content

Table of Contents

Generating an SSO certificate

For the SSO to the desktop feature, a certificate must be generated. For more information on SSO to the desktop, review the article on configuring identity management settings.

To generate an SSO certificate for Windows, follow the steps below.

  1. Create a server in your Windows Server environment. If you already have a certificate authority (CA) in your domain, you can skip this step and go to step 2.
    1. Add the Active Directory Certificate Services – Certification Authority role.
    2. Configure it as enterprise root CA.
  2. Create a certificate template for the enrollment agent.
    1. Open the Certificate Templates Microsoft Management Console (MMC).
    2. Right-click on the “Enrollment Agent” template, and duplicate the template. Configure as detailed below.
      1. Compatibility

      2. General

      3. Request handling

      4. Cryptography

      5. Extensions – application policies

      6. Extensions – key usage

      7. Subject name

  3. Create a certificate template for enrollment.
    1. Open the Certificate Templates MMC.
    2. Right-click on the “Smartcard Logon” template, and duplicate the template. Configure as on the screenshots below.
      1. Compatibility

      2. General

      3. Request handling

      4. Cryptography

      5. Extensions – application policies

      6. Extensions – key usage

      7. Issuance requirements

      8. Subject name

  4. Create a certificate template for the Web application.
    1. Open the Certificate Templates MMC.
    2. Right-click on the “Web Server” template, and duplicate the template. Configure as on the screenshots below.
      1. General

      2. Compatibility

      3. Request handling

      4. Cryptography

      5. Server

      6. Subject name

      7. Issuance requirements

    3. Add the server where you are going to run RDPSSOCertGenSvc service.

  5. Select the templates.
    1. Open the Certification Authority MMC.
    2. Go to Certificate Templates, and right-click to select New – Certificate Template to Issue.
    3. Select all templates created above, and click OK.

  6. Create the ce_agent user in AD for certificate enrollment purposes. Add this user to the LocalAdmins AD group.
  7. Install the RDPSSOCertGenSvc service application.
  8. Login with the ce_agent user on the VM where you installed the RDPSSOCertGenSvc service and enroll Certificate request agent certificate.
    1. Open the MMC, add the Snap-In, add Certificates, and select My user account.
    2. Go to Certificates – Current User – Personal – Certificates.
    3. Right-click on this folder – All Tasks – Request new certificate.
    4. Leave defaults until Request Certificates. Select apporto-enroll-agent template and click Enroll.
    5. Open this certificate, go to the Details tab, and copy the Thumbprint field value.

  9. Open the MMC console on the VM where you installed RDPSSOCertGenSvc service (any user, it can be ce_agent) and enroll the Web certificate.
    1. Open the MMC, add Snap-In, add Certificates, and select Computer account.
    2. Go to Certificates – Personal – Certificates.
    3. Right-click on this folder – All Tasks – Request new certificate.
    4. Leave defaults until Request Certificates. Select Apporto-Web template and click Details-Properties.
    5. Fill the labels as on the screenshot below. Enter the FQDN of the server you are logged into in the “Value” field.

    6. Click Ok then click Enroll.

    7. Select the certificate you enrolled, and export it to PFX format with a private key. You will need it in the next step for the PFX_FILE and PFX_PASSPHRASE parameters.
  10. Open C:Program FilesApportoRDP SSO Certificate Generation Service.env and replace the following:
    1. ENABLE_HTTP: false
    2. PORT: 3000
    3. ENABLE_HTTPS: true
    4. HTTPS_PORT: port number of the HTTPS service, default 3443 if not set
    5. PFX_FILE: path to the domain root certificate in PFX format
    6. PFX_PASSPHRASE: password for the certificate
    7. CERTIFICATE_DIR_PATH: the path of temporary directory where the certificates will be generated
    8. CERTIFICATE_THUMBPRINT: the thumbprint of the enrollment agent certificate requested in the previous step
    9. CERTIFICATE_TEMPLATE_NAME: the template name of the certificate created in step 3
      Example .ENV settings (info can vary based on setup)

  11. Open the Service manager and find the RDPSSOCertGenSvc service.
    1. Go to Log On and switch the start account for this service to ce_agent as created in AD above.
    2. Restart the service.
    3. Check C:Program Files (x86)rdp-sso-cert-gen-svcservice-error.log if you have any issues.

Group policy object (GPO)

  1. Your root CA should be delivered on all the VMs in the domain.
    1. Open the Certification Authority MMC. Right-click on the root CA Name – Properties.
    2. In Properties, open the General tab and go to Certificate #0 (this is your root CA) – View Certificate.
    3. Open the Details tab, and click on Copy to File…

    4. Next – DER encoded library, and save the certificate on your drive.
    5. Move the certificate file to your Domain Controller and Open Group Policy Management Console.
    6. Select the Group Policy you want to apply and go to – Computer Configuration-Policies-Windows Settings-Security Settings-Public Key Policies-Trusted Root Certification Authorities to import certificate you exported above.
  2. Computer Configuration-Policies-Windows Settings-Security Settings-Local Policies/Security Options

  3. Computer Configuration-Policies-Administrative Templates

Note: If you have few root CA in your domain (you can check it by opening pkiview.msc – Manage AD Containers), you should check which CA you are going to use. When you are requesting a certificate, open the details of your certificate template and click on Properties, then go to the Certification Authority tab where you can select the necessary CA.