Configuring Remote Desktop certificates

Starting with Windows Server 2003 SP1, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop server. This is easy to configure using the “Remote Desktop Session Host Configuration” tool on Server operating systems. Though no such tool is available on Client operating systems such as Windows Vista and Windows 7, it is still possible to provide them with certificates for Remote Desktop connections. There are two possible ways to accomplish this. The first method is using Group Policy and Certificate Templates, and the second one is using a WMI script.

[April 15, 2010: Updated to correct which certificates can be used.]

Part I: Using Group Policy and Certificate Templates.

This method allows you to install Remote Desktop certificates on multiple computers in your domain but it requires your domain to have a working public key infrastructure (PKI).

First, you need to create a Remote Desktop certificate template.

Creating Remote Desktop certificate template:

  1. On the computer that has your enterprise Certification Authority installed start MMC and open the “Certificate Templates” MMC snap-in.
  2. Find the “Computer” template, right-click on it, and then choose “Duplicate Template” from the menu.
  3. In the “Duplicate Template” dialog box, choose “Windows Server 2003 Enterprise” template version.
  4. The “Properties of New Template” dialog box will appear.
  5. On the “General” page of this dialog box, set both “Template display name” and “Template name” to “RemoteDesktopComputer”. Note: it is important to use the same string for both properties.
  6. On the “Extensions” page, select “Application Policies”, and then click the “Edit…” button.
  7. The “Edit Application Policies Extension” dialog box appears.
  8. Now you can either remove the “Client Authentication” policy leaving the “Server Authentication” policy, or you can use the special “Remote Desktop Authentication” policy. Doing the latter will prevent certificates based on this template from being used for any purpose other than Remote Desktop authentication.
  9. To create the “Remote Desktop Authentication” policy, first remove both the “Client Authentication” and “Server Authentication” policies, and then click “Add…”.
  10. The “Add Application Policy” dialog box appears. In this dialog box, click the “New…” button.
  11. The “New Application Policy” dialog box appears. In this dialog box, set “Name” to “Remote Desktop Authentication” and “Object Identifier” to “1.3.6.1.4.1.311.54.1.2”, and then click “OK.”
  12. Select “Remote Desktop Authentication” in the “Add Application Policy” dialog box, and then click “OK.”
  13. Now the “Edit Application Policies Extension” dialog box should look like this:
  14. Click “OK” in this dialog box, and then click “OK” in the “Properties of New Template” dialog box.

The new template is now ready to use.

The next step is to publish the template.

Publishing the “RemoteDesktopComputer” certificate template:

  1. On the computer that has your enterprise Certification Authority installed, start the Certification Authority MMC snap-in.
  2. Right-click on “Certificate Templates”, then select “New\Certificate Template to Issue” from the menu that appears.
  3. The “Enable Certificate Templates” dialog box appears. Select “RemoteDesktopComputer”, and then click “OK.”

Now the “RemoteDesktopComputer” template is published and can be used in certificate requests.

The last step is to configure Group Policy to use certificates based on the “RemoteDesktopComputer” template for Remote Desktop authentication.

Configuring Group Policy:

Note: The following steps create the new policy to apply to all computers in the domain, but it can also be scoped to an Organizational Unit if needed.

  1. On the domain controller, start the “Group Policy Management” administrative tool.
  2. Right-click the “Default Domain Policy” and click on “Edit…” in the menu that appears. The “Group Policy Management Editor” appears.
  3. Navigate to “Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.”
  4. Double-click the “Server Authentication Certificate Template” policy.
  5. Enable the policy, type “RemoteDesktopComputer” in the “Certificate Template Name” box, and then click “OK.”
  6. As soon as this policy is propagated to domain computers, every computer that has Remote Desktop connections enabled will automatically request a certificate based on the “RemoteDesktopComputer” template from the Certification Authority server and use it to authenticate to Remote Desktop clients. You can speed up the propagation to a specific computer by running the “gpupdate.exe” command line tool on that computer.

Part II: Using a WMI script.

This method allows you to use a server certificate of your choice with Remote Desktop connections, but the certificate needs to be installed on the computer manually first. For example, this method can be used if you bought your certificate from a public certificate authority.

First check that your certificate meets the requirements for Remote Desktop certificates. Certificates that don’t meet these requirements won’t work and will be ignored.

Basic requirements for Remote Desktop certificates:

  1. The certificate is installed in the computer’s “Personal” certificate store.
  2. The certificate has a corresponding private key.
  3. The “Enhanced Key Usage” extension has a value of either “Server Authentication” or “Remote Desktop Authentication” (1.3.6.1.4.1.311.54.1.2). Certificates with no “Enhanced Key Usage” extension can be used as well.

In order for a certificate to be used for Remote Desktop connections you first need to obtain the certificate’s thumbprint.

Getting the certificate’s thumbprint:

  1. Double-click on the certificate.
  2. Click the “Details” tab.
  3. Select the “Thumbprint” entry from the list.
  4. Copy the thumbprint value into Notepad.
  5. Delete all the spaces between the numbers.

Now you have the thumbprint string ready to use. It should look like this: 0e2a9eb75f1afc321790407fa4b130e0e4e223e2

Once you have the thumbprint you can use the following script to cause the certificate to be used for Remote Desktop connections.

WMI script for configuring Remote Desktop certificate:

// Connect to the Remote Desktop Services WMI provider on the local computer.
var strComputer = ".";
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;
var wbemAuthenticationLevelPktPrivacy = 6;

var Locator = new ActiveXObject("WbemScripting.SWbemLocator");

// The TerminalServices namespace requires packet privacy authentication.
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;

var Service = Locator.ConnectServer (strComputer, strNamespace);
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");

if (WScript.Arguments.length >= 1)
{
    // Use the certificate whose thumbprint was passed on the command line.
    TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
}
else
{
    // All zeros reverts to the default self-signed certificate.
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
}

// Write the change back to the RDP-Tcp listener.
TSSettings.Put_(wbemChangeFlagUpdateOnly);

To run this sample, copy/paste the above code into a “rdconfig.js” file, start cmd.exe as the Administrator, and then run the following command: “cscript rdconfig.js <thumbprint of your certificate>”. Running this script without a parameter will revert Remote Desktop back to using the default self-signed certificate.
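The following PowerShell script is an added example written for this page; it is not code from the original post or from Microsoft. It covers the three-item requirements checklist above and the configuration step the JScript performs, and its Get-RdpCertificate function also shows which certificate the RDP-Tcp listener is using, which is a convenient way to confirm that the Group Policy method of Part I took effect after gpupdate. The function names are my own; the WMI namespace, class, property, the all-zero reset value and the Remote Desktop Authentication OID are the ones the post uses, and the Server Authentication EKU OID 1.3.6.1.5.5.7.3.1 is the standard value, which the post does not spell out. The thumbprint in the usage comment is the post's sample value, not a real certificate.

```powershell
# Added example, not from the original post: checks a certificate against the post's
# three requirements, binds it to the RDP-Tcp listener through the same WMI class the
# post's JScript uses, and reads back which certificate is active. Run in an elevated
# PowerShell session on the computer whose Remote Desktop certificate you are configuring.

$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (from the post)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication (standard EKU OID, assumed)
$TsNamespace   = 'root\CIMV2\TerminalServices'
$NoCertificate = '0' * 40                   # all zeros = default self-signed certificate

function ConvertTo-CleanThumbprint {
    # Strips spaces and stray characters (for example the '<' and '>' from the usage
    # line) so that only the 40 hex digits remain.
    param([Parameter(Mandatory)][string]$Thumbprint)
    return ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-RdpCertificate {
    # Returns $true when the certificate meets the post's basic requirements;
    # each failed check is written as a warning and the function returns $false.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ConvertTo-CleanThumbprint $Thumbprint
    if ($clean.Length -ne 40) {
        Write-Warning "Thumbprint must be 40 hex digits; got $($clean.Length)."
        return $false
    }
    # 1. Installed in the local computer's Personal store
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        Write-Warning "No certificate $clean in Cert:\LocalMachine\My (the usual cause of 'Invalid parameter')."
        return $false
    }
    # 2. Has a corresponding private key
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $clean has no private key in this store."
        return $false
    }
    # 3. No EKU at all, or an EKU containing Server Authentication or Remote Desktop Authentication
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $ServerAuthOid -and $oids -notcontains $RdpAuthOid) {
            Write-Warning "EKU lacks Server Authentication and Remote Desktop Authentication: $($oids -join ', ')"
            return $false
        }
    }
    return $true
}

function Get-RdpListener {
    # Same class and key as the post's script; PacketPrivacy corresponds to
    # wbemAuthenticationLevelPktPrivacy, which this namespace requires.
    Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
}

function Set-RdpCertificate {
    # With a thumbprint: validate it, then bind that certificate to RDP-Tcp.
    # Without one: revert to the default self-signed certificate, as the post's script does.
    param([string]$Thumbprint)
    $ts = Get-RdpListener
    if ($Thumbprint) {
        if (-not (Test-RdpCertificate $Thumbprint)) {
            throw 'Certificate does not meet the Remote Desktop requirements; nothing was changed.'
        }
        $ts.SSLCertificateSHA1Hash = ConvertTo-CleanThumbprint $Thumbprint
    } else {
        $ts.SSLCertificateSHA1Hash = $NoCertificate
    }
    $ts.Put() | Out-Null
}

function Get-RdpCertificate {
    # Reads the thumbprint the listener currently uses and shows the matching certificate.
    $hash = (Get-RdpListener).SSLCertificateSHA1Hash
    if ($hash -eq $NoCertificate) {
        return [pscustomobject]@{ Thumbprint = $hash; Subject = '(default self-signed certificate)' }
    }
    $cert    = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    $subject = if ($cert) { $cert.Subject } else { '(not found in Cert:\LocalMachine\My)' }
    [pscustomobject]@{
        Thumbprint = $hash
        Subject    = $subject
        Issuer     = if ($cert) { $cert.Issuer }   else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
    }
}

# Usage (the thumbprint is the post's sample value; substitute your own):
#   Set-RdpCertificate -Thumbprint '0e2a9eb75f1afc321790407fa4b130e0e4e223e2'
#   Get-RdpCertificate          # confirm which certificate RDP-Tcp now uses
#   Set-RdpCertificate          # revert to the self-signed certificate
```

Running Test-RdpCertificate before touching the listener turns the bare “SWbemObjectEx: Invalid parameter” failure several readers report into a specific message: a certificate that is in the user store instead of the computer store, that lacks its private key, or whose thumbprint still contains spaces fails the corresponding check and nothing is changed. Get-RdpCertificate after the change, or after a Group Policy refresh in Part I, shows the subject and expiry of the certificate the listener actually presents.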

  • I don't think that smart cards would work for this. You can use them to authenticate to the computer, but the computer needs access to the certificates, so the smart card's PIN would get in the way. You could use an HSM for this, but that's probably overkill.

    I have gotten the above to work (great posting, by the way), but have run into a weird issue. It looks like my workstation is requesting a new certificate each time the GPO processes. I re-used a certificate that was configured for wireless EAP-TLS (it already had the server authentication OID) and granted the test computer both Enroll and Auto Enroll to the template.

    Has anyone else seen this problem?

  • To Script Kitty.

    It's a known implementation issue.

    As a workaround you need to set “Template display name” and “Template name” of the certificate template to exactly the same string (including spaces). See step 5 of "Creating Remote Desktop certificate template:" for more info.

    Thx,

    Sergey.

  • Hi,

    I have a Problem concerning Terminal Services and I think it could be related to SSL certificate issues. I have no other idea anymore...

    I re-installed a Windows 2003 Server with the same name and same IP. The terminal services run in admin mode. The service is up and running and the port is listening. It is the same config as it was before the reinstall, when it worked. Is it possible that the client ends the connection because it assumes a man-in-the-middle attack, because the server certificate is different from the one stored for that name and IP?

    How can I delete the Terminal Services server certificates on the client?

    Help is VERY appreciated, because I have no other idea, but must get this running.

    Thanks a lot,

    Peter

  • Is there any way to deny the connection if the certificate is not installed on the client computer?

    Regards

  • A self-signed certificate is always installed and is used when there are no other certificates.

    However, the RDP client can always enforce server authentication and break the connection if the certificate is not trusted. If you open mstsc.exe, click on "Options" and then navigate to the "Advanced" tab, there will be a "server authentication" property which you can set to "Do not connect".

    Thx,

    Sergey.

  • HI There,

    I got an error message after I ran the script in Part II on Windows 2008 R2 SP1. That machine is fresh and just had RDP functionality enabled. The error information is "SWbemObjectEx: Invalid parameter". BTW, if I run it without the fingerprint parameter, it has no such error; it only happens with the fingerprint parameter. I also added an echo diagnostic statement before the last line; it indicates that the error happens when it is running the last line.

    Thx.

  • I get the same as smallbarrow. Same server config, same error. Does the certificate need to be installed in a specific certificate store?

  • The certificate needs to be installed into the local computer's "Personal" store.

    When running the script, please make sure that there are no extra characters around the certificate's thumbprint. There should not be "<" and ">" around it. Also, there should not be any spaces within the thumbprint itself.

    Thx,

    Sergey.

  • Getting the following error:

    C:\Users\Administrator\Documents\rdconfig.js(38, 1) SWbemObjectEx: Invalid parameter

    I have taken out all special characters, received the same error with or without the parameter.

  • I get the same error:

    rdconfig.js(17, 1) SWbemObjectEx: Invalid parameter

  • I was also getting invalid parameter until I placed the certificate into the correct store.

  • I noticed an issue with the GPO setting "Server Authentication Certificate Template". This GPO setting can cause multiple/duplicate certificates. This causes a mess in your certificate store and CA database.

    GPO setting "Server Authentication Certificate Template" causes duplicate certificate requests!

    social.technet.microsoft.com/.../407fc154-d2bb-40f8-a4b6-673c2e36a223

  • What is supposed to happen when the certificate is renewed? Is it automatically picked up by RD server?

    Here's what happened to me:

    I deployed RemoteDesktopComputer certificates to 2008 R2 servers by specifying the template name using Group Policy. I've been without an issue for these 11 months.

    Recently the connections started to be unverified.

    I checked RDP-Tcp Properties on Remote Desktop Session Host Configuration. When I click the blue [Group Policy based certificate] link, nothing opens.

    Then I checked the issued certificates and noticed they had been renewed, as the certificate template defines the validity period is 1 year and the renewal period is 6 weeks. (I believe these are the default periods by following the procedure described here.)

    So the RD server should pick up the new certificate, but it seems it doesn't.

    Next I checked "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" and noticed TemplateCertificate value still held the thumbprint of the old certificate.

    I deleted the value and restarted Windows.

    TemplateCertificate value was updated to the thumbprint of the new certificate. Now everything seems to be back to normal.

    But... do I have to do this on all the machines every 11 months?

  • The certificate template should not be set up for auto enrollment. Remote Desktop renews certificates through a different mechanism. The computer account needs to have "Enroll" permission to the template (Note: not “Autoenroll”). Please also check that Template display name and Template name are the same. If Remote Desktop fails to renew a template-based certificate, it logs an event into the System event log that may give you some insight regarding the cause of the failure.

    Thx,

    Sergey.
