Windows has supported TLS for server authentication with RDP going back to Windows Server 2003 SP1. When connecting to a Windows PC, unless certificates have been configured, the remote PC presents a self-signed certificate, which results in a warning prompt from the Remote Desktop client. An environment with an enterprise certificate authority can use certificate autoenrollment to place trusted certificates on the RDP listener, thus removing the prompt. Getting OS X clients to accept the certificate takes a little extra configuration that is not required on Windows clients.
While I may only be configuring certificates in my lab environment, there’s not much effort required to remove these certificate warnings.
Client Warnings for Untrusted Certificates
Here are the client certificate warnings on various Microsoft Remote Desktop clients, including OS X. First up, the original Remote Desktop Connection (mstsc) on Windows:
The new Remote Desktop Universal app on Windows 10:
And the Remote Desktop client on OS X 10.11:
Configuring the Certificate Template
I won’t cover installing and configuring an enterprise certificate authority here; however, here are a number of articles worth reading on this topic:
To configure a certificate for use with Remote Desktop Services (or RDP into any Windows PC), you’ll need to create a new certificate template and enable both the Server Authentication and the Remote Desktop Authentication application policies. This was key for OS X clients - both of these policies must exist. Some articles will walk through this configuration and recommend removing the Server Authentication policy; however, the certificates will then not work on non-Windows clients.
This article has a great walk-through of the entire process and more: RDP TLS Certificate Deployment Using GPO. In my lab, I’ve created a ‘Remote Desktop Computer’ certificate template and enabled it to be autoenrolled via Group Policy.
Certificate Template Options
To create the new template, open the Certificate Templates console and duplicate the Computer template. Use this template because it already has the Server Authentication policy enabled.
Navigate to the Extensions tab, edit the ‘Application Policies’ extension and remove ‘Client Authentication’ from the list.
After you have added the ‘Remote Desktop Authentication’ policy, you should see the policies as shown in the following dialog box. See below for the actual ‘Remote Desktop Authentication’ policy.
Adding the ‘Remote Desktop Authentication’ policy requires adding a new extension named ‘Remote Desktop Authentication’ (or similar) with an object value of “1.3.6.1.4.1.311.54.1.2” (excluding quotes). Enter the values as above.
Save the template and configure your CA to issue the new template. In my lab, my certificate template display name is ‘Remote Desktop Computer’. Since my first template failed, it’s actually called ‘Remote Desktop Computer v2’. However, the important name to note for the next step is the actual template name, which can be found on the General tab of the template. In my case this is ‘RemoteDesktopComputerv2’ (the display name, minus the spaces).
To configure autoenrollment, I’ve created a new GPO dedicated to the autoenrollment setting and linked it to the organisational units containing server and workstation computer account objects. Edit the policy and enable the following setting:
Computer Configuration / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security / Server authentication certificate template
Add the name of the certificate template as shown in the screenshot below:
Once a Group Policy refresh occurs or on the next boot, the target Windows machines will autoenroll for the certificate and configure their RDP listener.
OS X Configuration
Now that my Remote Desktop certificates are configured for autoenrollment and Windows machines are picking up the certificates, I can import the root CA certificate into my MacBook running OS X.
Navigate to the URL of your certificate server (e.g. http://cert1/certsrv) and download the certificate via ‘Download a CA certificate, certificate chain, or CRL’. Download the CA certificate in DER format. Find the downloaded certificate in Finder and open the certificate to install it into Keychain.
Once installed, the certificate is not automatically trusted, as you can see below:
Set the certificate to be trusted by selecting ‘Always Trust’ from the ‘When using this certificate’ option. Close the certificate properties window and you should be prompted for your password to save the changes. Now when connecting to PCs via the Remote Desktop client, you should no longer receive certificate warnings.
This article shows how to install the root CA certificate via Terminal, which should assist in automating the import across a number of Macs.
The following page(s) contain instructions on using Remote Desktop to connect to Faculty & Staff Windows computers on the UMKC campus (from off-campus). Your campus computer must be powered on to receive connections.
Don't know your computer name or don't know if your account has the correct permissions? Find out here. If you need assistance, please contact the IS Technology Support Center or your IT Liaison. Please note: Before you attempt to connect to UMKC resources remotely, please make sure your operating system (Apple OS X) has all applicable security updates installed.
Remote Desktop For Mac
To connect to your campus Windows PC from a Mac you will need to use the Microsoft Remote Desktop application for Mac version 10.3.8 (or higher). If you are using a university-owned Mac, you may already have this app installed. Please contact the Technology Support Center or your IT Liaison if you have questions about using this software on a university-owned Mac.
|Supported||Default Icon||Client Name|
|Microsoft RDP v10|
Link to Download
|Microsoft RDP v8|
Mac OS X Remote Desktop Connection Instructions
- Open the Microsoft Remote Desktop application
- Click the '+' icon
- Select PC
- For PC Name, enter the name of the remote computer to connect to. Or check How to find my computer name
- For User Account, click the dropdown to change the setting
- Click Add User Account
- For User Name, type [email protected] in DomainUsername
- For Password, type your UMKC Username Password. Note: you will need to update your Remote Desktop settings every time you change your UMKC Username password.
- Click Save
- For Friendly Name, enter the PC name
- Click on no gateway to change the setting
- Select Add Gateway from the dropdown
- For Server Name, enter tsg.umkc.edu
- For User Account, click Use PC User account
- Select your UMKC username from the list
- Click Add
- Click Add again
- To initiate the connection, double click on your PC Name tile
- Click Show Certificate
- Click Always Trust to prevent seeing this warning again for the PC specified
- Click Continue
You are now connected!