Remote Desktop / SSL / Authentication
I understand the basics of SSL and also the basics of Kerberos (the Kerberos part I'll explain in a moment). When I make a Remote Desktop connection over the internet to a remote RDP Gateway server, it will eventually encrypt the connection and give me a warning that the certificate isn't from a trusted authority (I didn't install a certificate on my end, or use a well-known CA). (I think this is called self-signed?) Anyways, I assume this is a bad security model because of potential man-in-the-middle attacks, for one. Could someone get my password (or password hash)?

My question is: is there a way to set up RDP (or similar connections) so that it functions more like Kerberos, in which your password (hash) encrypts the connection attempt, and the server can only read it because it knows your password (hash), thus making the secret key your password? Or is it doing that and I'm confused? To me, it seems to first establish a connection using an SSL cert, way before it passes authentication information. Any ideas on this?
February 8th, 2012 1:16am

RDP SSL security is enabled by default with a self-signed certificate on Windows Server 2008 and above, and that is why you receive the certificate validation error. RDP SSL works the same way HTTP SSL does; this means that the connection is always encrypted, and authenticated if the server certificate can be successfully verified. In other words, a certificate error may indicate a man-in-the-middle situation unless the certificate is already known to be not trusted.

There are two types of authentication available in RDP today: RDP uses Network Level Authentication if it is possible/enabled/supported; otherwise it uses the standard RDP authentication that occurs within the RDP session. In both cases authentication data is protected using encryption. For more details about encryption and protection levels please check the TechNet articles:
http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc732713.aspx

/Hasain
February 8th, 2012 3:32am
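As an added example (not from this thread), a Python script that reproduces the sequence discussed above: it sends the X.224 connection request that opens an RDP session, lets the server choose TLS or CredSSP/NLA, completes the TLS handshake, and reports the SHA-1 thumbprint of the certificate the server presented, so an administrator can compare it with the thumbprint read directly on the server instead of clicking through the warning. It assumes the MS-RDPBCGR negotiation layout and takes a reachable host and the expected thumbprint on the command line; no credentials are sent at any point.

```python
import hashlib
import socket
import ssl
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x00, 0x01, 0x02   # MS-RDPBCGR requestedProtocols
PROTOCOL_NAMES = {0x00: "standard RDP security", 0x01: "TLS", 0x02: "CredSSP (NLA) over TLS"}

def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ; sent in the clear, before TLS and before any credential."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)  # type, flags, length, protocols
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req             # CR code, dst-ref, src-ref, class
    x224 = bytes([len(x224)]) + x224                          # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT version, reserved, length

def parse_connection_confirm(data):
    """Return (selected_protocol, failure_code) from the server's X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:              # no RDP_NEG_RSP: old server, standard RDP security only
        return PROTOCOL_RDP, None
    kind, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if kind == 0x02:                # RDP_NEG_RSP: value is selectedProtocol
        return value, None
    if kind == 0x03:                # RDP_NEG_FAILURE: value is failureCode
        return None, value
    raise ValueError("unexpected negotiation response type 0x%02x" % kind)

def fetch_server_cert_thumbprint(host, port=3389, timeout=5.0):
    """Negotiate TLS with an RDP server; return (protocol name, SHA-1 thumbprint of its certificate)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        selected, failure = parse_connection_confirm(sock.recv(1024))
        if selected not in (PROTOCOL_SSL, PROTOCOL_HYBRID):
            raise RuntimeError("no TLS: selected=%r failure=%r" % (selected, failure))
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # verification deliberately off: we fetch the cert to compare it
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return PROTOCOL_NAMES[selected], hashlib.sha1(der).hexdigest().upper()

def thumbprint_matches(actual, expected):
    """True if the presented thumbprint equals the one read from the server's own console."""
    return actual.replace(" ", "").upper() == expected.replace(" ", "").upper()

if __name__ == "__main__":
    import sys  # usage: python rdp_cert_check.py <host> <expected-thumbprint>
    proto, thumb = fetch_server_cert_thumbprint(sys.argv[1])
    print(proto, thumb, "OK" if thumbprint_matches(thumb, sys.argv[2]) else "MISMATCH")
```

A MISMATCH means either the server's certificate was replaced or something else terminated the TLS session; a result of "standard RDP security" means the server never offered TLS at all, which the second TechNet link describes.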
