Starting with Windows Server 2003 SP1, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop server. This is easy to configure using the “Remote Desktop Session Host Configuration” tool on server operating systems. No such tool is available on client operating systems such as Windows Vista and Windows 7, but it is still possible to provide them with certificates for Remote Desktop connections. There are two ways to accomplish this: the first uses Group Policy and certificate templates, the second uses a WMI script.
[April 15, 2010: Updated to correct which certificates can be used.]
The first method, Group Policy with certificate templates, lets you install Remote Desktop certificates on multiple computers in your domain, but it requires the domain to have a working public key infrastructure (PKI).
First, you need to create a Remote Desktop certificate template.
The new template is now ready to use.
The next step is to publish the template.
Now the “RemoteDesktopComputer” template is published and can be used in certificate requests.
The last step is to configure Group Policy to use certificates based on the “RemoteDesktopComputer” template for Remote Desktop authentication.
Note: The following steps create the new policy to apply to all computers in the domain, but it can also be scoped to an Organizational Unit if needed.
The second method, a WMI script, lets you use a server certificate of your choice for Remote Desktop connections, but the certificate must be installed on the computer manually first. This is the method to use, for example, if you bought your certificate from a public certificate authority.
First, check that your certificate meets the requirements for Remote Desktop certificates. Certificates that don’t meet these requirements won’t work and will be ignored.
To use a certificate for Remote Desktop connections you first need to obtain the certificate’s thumbprint.
Now you have the thumbprint string ready to use. It should look like this: 0e2a9eb75f1afc321790407fa4b130e0e4e223e2
Once you have the thumbprint you can use the following script to cause the certificate to be used for Remote Desktop connections.
var strComputer = ".";                         // local computer
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;              // update an existing instance only
var wbemAuthenticationLevelPktPrivacy = 6;     // this WMI class requires an encrypted connection
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);
// Settings of the RDP-Tcp listener
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");
if (WScript.Arguments.length >= 1)
    // Use the certificate whose thumbprint was passed on the command line
    TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
else
    // No argument: revert to the default self-signed certificate
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
// Commit the change to WMI
TSSettings.Put_(wbemChangeFlagUpdateOnly);
To run this sample, copy/paste the above code into a “rdconfig.js” file, start cmd.exe as the Administrator, and then run the following command: “cscript rdconfig.js <thumbprint of your certificate>” (pass the bare thumbprint, without the angle brackets). Running this script without a parameter will revert Remote Desktop back to using the default self-signed certificate.
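As an added example that is not part of the original post, the following Windows PowerShell script combines the preparatory checks described above with the WMI update: it normalizes the thumbprint (stripping angle brackets and any other non-hex characters), verifies that the certificate in the Local Computer\Personal store still has its private key, is within its validity period and carries the Server Authentication EKU, and only then binds it to the RDP-Tcp listener through the same Win32_TSGeneralSetting class the JScript sample uses. It assumes the certificate has already been imported into Local Computer\Personal and that it runs from an elevated Windows PowerShell prompt (Get-WmiObject is not available in PowerShell 7).

```powershell
# Added example, not the post's script: check a certificate for Remote Desktop
# use and bind it to the RDP-Tcp listener. Run elevated in Windows PowerShell.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # as copied from certmgr, brackets or spaces allowed
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

# Keep only hex digits: "<cef8...ca7cf>" style input is a common mistake.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($clean.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters after cleanup (got '$clean')."
}

# Remote Desktop only uses certificates in the Local Computer\Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) { throw "No certificate $clean in Cert:\LocalMachine\My." }

$problems = @()
# A certificate moved by drag-and-drop can silently lose its private key;
# without it the listener reports that no certificates are installed.
if (-not $cert.HasPrivateKey)          { $problems += 'no private key' }
if ($cert.NotAfter  -lt (Get-Date))    { $problems += 'expired' }
if ($cert.NotBefore -gt (Get-Date))    { $problems += 'not yet valid' }
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })) {
    $problems += 'EKU present but lacks Server Authentication'
}
if ($problems.Count -gt 0) {
    throw "Certificate $clean cannot be used for Remote Desktop: $($problems -join ', ')"
}

# Bind the certificate; PacketPrivacy matches the JScript sample's authentication level.
$wmi = @{ Namespace = 'root\CIMV2\TerminalServices'; Class = 'Win32_TSGeneralSetting'
          Filter = "TerminalName='RDP-Tcp'"; Authentication = 'PacketPrivacy' }
$rdp = Get-WmiObject @wmi
if (-not $rdp) { throw 'RDP-Tcp listener not found in Win32_TSGeneralSetting.' }
$rdp.SSLCertificateSHA1Hash = $clean
$rdp.Put() | Out-Null

# Read the setting back to confirm the change was committed.
$applied = (Get-WmiObject @wmi).SSLCertificateSHA1Hash
if ($applied -ne $clean) { throw "Binding failed; listener still uses $applied." }
"RDP-Tcp now uses certificate $applied (subject: $($cert.Subject))"
```

Passing 40 zeros as the thumbprint reverts the listener to the default self-signed certificate, but the store lookup above will reject that value; use the JScript sample without arguments for that case.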
I am trying to set up a certificate for a Windows 2008 R2 RDS host server. I have installed a Web Server certificate in the Computer store from an Enterprise Internal CA. Is there any reason why I can't select this certificate in the Remote Desktop Session Configuration tool? The error I am getting is "There are no certificates installed on this remote desktop session host server".
Any ideas what I'm doing wrong?
I'd suggest you check what you use for a subject name in that certificate. It should be either a Common Name or a DNS name (as a Subject Alternative Name). It cannot be any other type of name (URL, etc.).
I'm also getting the "There are no certificates installed on this remote desktop session host server" error like Michael when attempting to apply the certificate to RDP-tcp connections within the Remote Desktop Session Host config screen.
It is happening on both of my Host servers.
Has anyone seen this elsewhere or know of a workaround? The certificate is installed for us with RemoteApps and working fine, but not here.
I got this error (There are no certificates installed on this remote desktop session host server) as well for a while.
Turns out, it was happening because I was moving the certificate I received from our CA by drag-and-drop, and that causes you to silently lose the Private Key associated with it. I don't know if this is the problem for you guys too, but if you don't put it in the store by Export... followed by Import... it won't show up in RDSHC. Exporting and then importing to Local Machine/Personal makes it show up for me.
Is it possible to use a public certificate?
Yes, it is possible to use a public certificate, but it has to be installed on the computer manually and then configured for the Remote Desktop usage using a WMI script as shown above.
I also have just found that, on some of my servers, certificates are only visible if you log on with the account that installed the certificate into the Personal store. We were able to use a Comodo certificate for Remote Desktop by opening Terminal Services Configuration with the same user that installed the certificate to the Local Machine.
I get an error when opening a RemoteApp saying "A revocation check could not be performed for this certificate." Any ideas?
90% of world companies are small or medium sized.
We don't want idiotic complications!
Malli, The error that you are getting is likely because the web address for certificate revocation list (CRL) checking is not accessible by the client computer. I also got the same error until I updated my internal Certificate Authority to publish the CRL to an external website.
We set up a Server 2008 R2 Remote Desktop Server. I was attempting to configure the certificates under Group Policy. Under the Group Policy Management Console, I don't see “Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\” on my PDC. I do see the Terminal Server section. Have I done something wrong?
If your DC is a Win 2008 machine, the path to the policy will be "Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security\".
When I run the command "cscript rdconfig.js <thumbprint of your certificate>" as suggested, I get the following error:
C:\>cscript rdconfig.js <cef8...................ca7cf>
The syntax of the command is incorrect.
Can you please advise where is actually wrong?
You need to remove "<" and ">" from around the thumbprint.
Why not just use smart card based authentication for your RDP sessions instead? It can easily be done using FIM CM. This would provide Kerberized authentication for your RDP session that could be used inside and from outside your organization.