Enabling RDP File Signing

To do so you need to edit the Rdp section of the Core configuration file located along the path listed below:

Windows

C:\inetpub\wwwroot\pam\core

 "Rdp": {
    "UseRemoteApp": false,
    "SignRdpFile": true,
    "Certificate": "16c214ba7dec702a7ce5e4ac727502b0c0d448e2",
    "Password": ""
  },

Linux

/etc/indeed/indeed-pam/core

 "Rdp": {
    "UseRemoteApp": false,
    "SignRdpFile": true,
    "Certificate": "/etc/",
    "Password": "1234"
  },

Description of the Parameters of the Rdp Section of Configuration File

• SignRdpFile — enable RDP file signature
• Certificate — certificate thumbprint or path to the certificate itself
• Password — certificate password. Should be specified if Certificate is a path to the certificate itself

After editing the configuration file restart the Core component.

Windows

Restart IIS.

Linux

Go to the folder /etc/indeed/indeed-pam:

cd /etc/indeed/indeed-pam

Restart the Indeed Identity PAM Core component:

sudo docker compose -f docker-compose.management-server.yml up -d core --force-recreate
or
sudo docker-compose -f docker-compose.management-server.yml up -d core --force-recreate

Certificate Setup

To enable RDP file signing, you need a certificate issued by a certification authority.

Windows with Fingerprint

1. Add the certificate to your computer's personal storage.
   
   
2. Open certificate menu, select All Tasks → Manage Private Keys....
   
3. Click Add..., in the window that opens, click Locations..., select local computer → OK.
4. In the Enter the object names to select field enter IIS_IUSRS → OK.
   
   
5. Edit the configuration file by specifying the certificate thumbprint without a password.

Linux with Key Importing in PFX Format

Import a certificate in PFX format with a private key and password in the folder: /etc/indeed/indeed-pam/keys/rdp-sign.pfx.

Edit the configuration file, specifying the path to the certificate and the password.

To the following file /etc/indeed/indeed-pam/docker-compose.management-server.yml in the core - volumes section add the following line to organize certificate forwarding to the container:

volumes:
      - ./core/events:/var/lib/indeed/indeed-pam/events
      - ./core/appsettings.json:/app/appsettings.json:ro
      - ./keys/shared/protector:/etc/indeed/indeed-pam/keys/shared/protector:ro
      - ./keys/core:/etc/indeed/indeed-pam/keys/core:ro
      - ./ca-certificates:/usr/local/share/ca-certificates:ro
      - ./logs/core:/app/logs
      - ./keys/rdp-sign.pfx:/etc/indeed/indeed-pam/keys/rdp-sign.pfx