Starting with Windows Server 2003 SP1, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop server. This is easy to configure using the “Remote Desktop Session Host Configuration” tool on Server operating systems. Though no such tool is available on Client operating systems such as Windows Vista and Windows 7, it is still possible to provide them with certificates for Remote Desktop connections. There are two possible ways to accomplish this: the first method uses Group Policy and certificate templates, and the second uses a WMI script.
[April 15, 2010: Updated to correct which certificates can be used.]
This method allows you to install Remote Desktop certificates on multiple computers in your domain, but it requires your domain to have a working public key infrastructure (PKI).
First, you need to create a Remote Desktop certificate template.
The new template is now ready to use.
The next step is to publish the template.
Now the “RemoteDesktopComputer” template is published and can be used in certificate requests.
The last step is to configure Group Policy to use certificates based on the “RemoteDesktopComputer” template for Remote Desktop authentication.
Note: The following steps create the new policy to apply to all computers in the domain, but it can also be scoped to an Organizational Unit if needed.
This method allows you to use a server certificate of your choice with Remote Desktop connections, but the certificate needs to be manually installed on the computer first. For example, this method can be used if you bought your certificate from a public certificate authority.
First check that your certificate meets the requirements for Remote Desktop certificates. Certificates that don’t meet these requirements won’t work and will be ignored.
In order for a certificate to be used for Remote Desktop connections you first need to obtain the certificate’s thumbprint.
Now you have the thumbprint string ready to use. It should look like this: 0e2a9eb75f1afc321790407fa4b130e0e4e223e2
Once you have the thumbprint you can use the following script to cause the certificate to be used for Remote Desktop connections.
var strComputer = ".";
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;
var wbemAuthenticationLevelPktPrivacy = 6;
// The TerminalServices WMI namespace requires packet privacy on the connection.
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);
// Settings of the RDP-Tcp listener; SSLCertificateSHA1Hash holds the thumbprint of the server certificate.
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");
if (WScript.Arguments.length >= 1)
    TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
else
    // All zeros reverts the listener to the default self-signed certificate.
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
// Write the modified instance back; without Put_ the change is never applied.
TSSettings.Put_(wbemChangeFlagUpdateOnly);
To run this sample, copy/paste the above code into a “rdconfig.js” file, start cmd.exe as the Administrator, and then run the following command: “cscript rdconfig.js <thumbprint of your certificate>”. Running this script without a parameter will revert Remote Desktop back to using the default self-signed certificate.
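The following PowerShell script is an added example, not part of the original post: it does the same job as rdconfig.js through the same Win32_TSGeneralSetting class, but first cleans up a pasted thumbprint and checks that a matching certificate with a private key and the Server Authentication EKU is in the local computer's Personal store, which is where the "SWbemObjectEx: Invalid parameter" failures discussed in the replies below usually come from. It assumes an elevated PowerShell prompt on the computer being configured.

```powershell
# Added example (not from the original post). Sets the Remote Desktop server
# certificate via WMI, like rdconfig.js, after validating the input.
# Assumption: run elevated on the target computer; the certificate must already
# be in Cert:\LocalMachine\My (the local computer's "Personal" store).
param(
    [string]$Thumbprint   # omit to revert to the default self-signed certificate
)

$namespace = 'root\CIMV2\TerminalServices'
# The TerminalServices namespace requires packet privacy, as in the JScript above.
$tsSetting = Get-WmiObject -Namespace $namespace -Class Win32_TSGeneralSetting `
                           -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy

if (-not $Thumbprint) {
    # Same revert behaviour as the original script: forty zeros = self-signed.
    $newHash = '0' * 40
} else {
    # Drop anything that is not a hex digit: angle brackets, spaces and the
    # invisible left-to-right mark that the certificate MMC copies along.
    $newHash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($newHash.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters after cleanup; got '$newHash'"
    }

    # Wrong store is the usual cause of "Invalid parameter" on Put.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$newHash" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "No certificate $newHash in Cert:\LocalMachine\My (the 'Personal' store)"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $newHash has no private key on this computer"
    }
    # Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1 (the EKU extension is 2.5.29.37).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) {
        throw "Certificate $newHash lacks the Server Authentication EKU"
    }
}

# Commit the change to the RDP-Tcp listener.
Set-WmiInstance -InputObject $tsSetting -Arguments @{ SSLCertificateSHA1Hash = $newHash } | Out-Null
Write-Host "RDP-Tcp listener now uses certificate hash $newHash"
```

Save it as rdconfig.ps1 and run it with or without a thumbprint exactly as described for rdconfig.js; a new Remote Desktop connection (or a listener restart) picks up the change.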
I don't think that smart cards would work for this. You can use them to authenticate to the computer, but the computer needs access to the certificates, so the smart card's PIN would get in the way. You could use an HSM for this, but that's probably overkill.
I have gotten the above to work (great posting by the way), but have run into a weird issue. It looks like my workstation is requesting a new certificate each time the GPO processes. I re-used a certificate that was configured for wireless EAP-TLS (it already had the server authentication OID) and granted the test computer both Enroll and Auto Enroll to the template.
Has anyone else seen this problem?
To Script Kitty.
It's a known implementation issue.
As a workaround you need to set “Template display name” and “Template name” of the certificate template to exactly the same string (including spaces). See step 5 of "Creating Remote Desktop certificate template:" for more info.
I have a problem concerning Terminal Services and I think it could be related to SSL certificate issues. I have no other idea anymore...
I re-installed a Windows 2003 Server with the same name and same IP. The Terminal Services run in admin mode. The service is up and running and the port is listening. It is the same config as it was before the reinstall, when it worked. Is it possible that the client ends the connection because it assumes a man-in-the-middle attack, because the server certificate is different from the one stored for that name and IP?
How can I delete the Terminal Services server certificates on the client?
Help is VERY appreciated, because I have no other idea, but must get this running.
Thanks a lot,
Is there any way to deny the connection if the certificate is not installed on the client computer?
A self-signed certificate is always installed and is used when there are no other certificates.
However, the RDP client can always enforce server authentication and break the connection if the certificate is not trusted. If you open mstsc.exe, click on "Options" and then navigate to the "Advanced" tab, there will be a "server authentication" property which you can set to "Do not connect".
I got an error message after I ran the script in Part II on Windows 2008 R2 SP1. That machine is fresh and I had just enabled RDP functionality. The error information is "SWbemObjectEx: Invalid parameter". BTW, if I run it without the fingerprint parameter, it has no such error; it only happens with the fingerprint parameter. I also added an echo diagnostic statement before the last line, and it indicates that the error happens when it is running the last line.
I get the same as smallbarrow. Same server config, same error. Does the certificate need to be installed in a specific certificate store?
The certificate needs to be installed into the local computer's "Personal" store.
When running the script, please make sure that there are no extra characters around the certificate's thumbprint. There should not be "<" and ">" around it. Also, there should not be any spaces within the thumbprint itself.
Getting the following error:
C:\Users\Administrator\Documents\rdconfig.js(38, 1) SWbemObjectEx: Invalid parameter
I have taken out all special characters, received the same error with or without the parameter.
I get the same error:
rdconfig.js(17, 1) SWbemObjectEx: Invalid parameter
I was also getting "invalid parameter" until I placed the certificate into the correct store.
I noticed an issue with the GPO setting "Server Authentication Certificate Template". This GPO setting can cause multiple/duplicate certificates. This causes a mess in your certificate store and CA database.
GPO setting "Server Authentication Certificate Template" causes duplicate certificate requests!
What is supposed to happen when the certificate is renewed? Is it automatically picked up by RD server?
Here's what happened to me:
I deployed RemoteDesktopComputer certificates to 2008 R2 servers by specifying the template name using Group Policy. I've been without an issue for these 11 months.
Recently the connections started to be unverified.
I checked RDP-Tcp Properties on Remote Desktop Session Host Configuration. When I click the blue [Group Policy based certificate] link, nothing opens.
Then I checked the issued certificates and noticed they had been renewed, as the certificate template defines the validity period is 1 year and the renewal period is 6 weeks. (I believe these are the default periods by following the procedure described here.)
So the RD server should pick up the new certificate, but it seems it doesn't.
Next I checked "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" and noticed TemplateCertificate value still held the thumbprint of the old certificate.
I deleted the value and restarted Windows.
TemplateCertificate value was updated to the thumbprint of the new certificate. Now everything seems to be back to normal.
But... do I have to do this on all the machines every 11 months?
The certificate template should not be set up for auto enrollment. Remote Desktop renews certificates through a different mechanism. The computer account needs to have "Enroll" permission to the template (Note: not “Autoenroll”). Please also check that Template display name and Template name are the same. If Remote Desktop fails to renew a template-based certificate, it logs an event into the System event log, which may give you some insight regarding the cause of the failure.