Starting with Windows Server 2003 SP1, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop server. This is easy to configure using the “Remote Desktop Session Host Configuration” tool on Server operating systems. Though no such tool is available on Client operating systems such as Windows Vista and Windows 7, it is still possible to provide them with certificates for Remote Desktop connections. There are two possible ways to accomplish this. The first method is using Group Policy and Certificate Templates, and the second one is using a WMI script.
[April 15, 2010: Updated to correct which certificates can be used.]
This method allows you to install Remote Desktop certificates on multiple computers in your domain but it requires your domain to have a working public key infrastructure (PKI).
First, you need to create a Remote Desktop certificate template.
The new template is now ready to use.
The next step is to publish the template.
Now the “RemoteDesktopComputer” template is published and can be used in certificate requests.
The last step is to configure Group Policy to use certificates based on the “RemoteDesktopComputer” template for Remote Desktop authentication.
Note: The following steps create the new policy to apply to all computers in the domain, but it can also be scoped to an Organizational Unit if needed.
This method allows you to use a server certificate of your choice with Remote Desktop connections but the certificate needs to be manually installed on the computer first. For example, this method can be used if you bought your certificate from a public certificate authority.
First check that your certificate meets the requirements for Remote Desktop certificates. Certificates that don’t meet these requirements won’t work and will be ignored.
In order for a certificate to be used for Remote Desktop connections you first need to obtain the certificate’s thumbprint.
Now you have the thumbprint string ready to use. It should look like this: 0e2a9eb75f1afc321790407fa4b130e0e4e223e2
Once you have the thumbprint you can use the following script to cause the certificate to be used for Remote Desktop connections.
var strComputer = ".";
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;
var wbemAuthenticationLevelPktPrivacy = 6;
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer (strComputer, strNamespace);
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");
if (WScript.Arguments.length >= 1 )
TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
To run this sample, copy/paste the above code into a “rdconfig.js” file, start cmd.exe as the Administrator, and then run the following command: “cscript rdconfig.js <thumbprint of your certificate>”. Running this script without a parameter will revert Remote Desktop back to using the default self-signed certificate.
Including a short (NetBIOS) name in a certificate, automatically generated from a template is not possible, unfortunately.
You could create a template that allows adding names to SAN, but you'd have to install such certificicates manually.
Hi, I got this error on a Windows server 2003 when running the cscript:
SWebmLocator : invalid namespace
I saw this post:
Question: Is there anyway to deny connection if the certificate is not installed in the client computer?
Answer: A self-signed certificate is always installed and is used when there are no other certificates.
However, RDP client can always enforce server authentication and break the connection if certificate is not trusted. If you open mstsc.exe , click on "Options" and then navigate to "Advanced" tab, there will be "server authentication" property which you can set to "Do not connect".
With this configuration my client windows 7 non-domain unfortunately connect. I need block this connection without certificate root.
this is in response to Tharinda posting about smartcards. If your talking about authenticating to the Server, then yes, Smartcards work great (we use it all the time, and even got CLM's certificate Renew working though a Terminal server). but if your talking about the certificate used by the remote server for encrypting it's connection. Then I don't think Smartcards would work very well. That certificate (as I understand it) needs to be on the server.
i tried to run the js file but got the following error even though i am running cmd in administrator mode.
C:\rdconfig.js (38, 1) SWbemObjectEx: Access is denied.
The account i used to run my CMD is a domain admin account... anyone knows how to solve this?
This didn't work for our DCs because they aren't part of the Domain Computers group.
Adding the Domain Controllers group to the Security Tab of the RemoteDesktopComputer template is therefore crucial.
I ran this, no errors but it didn't do anything. The script isn't in the remote desktop store. I had ran it previously and it worked, but I had to run it without the parameter and reset it. Now it's not doing anything.
When the policy is applied in a w2003, the certificate is not created and the event viewer shows the following error
Event ID 5378
The Terminal Server is configured to use SSL, however, no usable certificate was found on the server. Please check the security settings by using the Terminal Services Configuration tool in the Administrative Tools folder.
In a w2008 R2 worked correctly and in a w2012 nothing happened
I have problem with WMI script... same problem as many here. Certificate is in computer store, not in users, but I get same
1 PC which I want to access with RD via certificate.
And I constantly receive "Line:38, Error: Invalid parameter, Code: 80041008 Source: SWbemObjectEx" :(
Any other method?
When running this script, please, make sure that you remove all the space characters from the certificate thumbprint, or put it inside "".
This command will work: cscript rdconfig.js f3780ca87033c1a1010adc87fa839d5e1a21ed7a
This command will work: cscript rdconfig.js "f3 78 0c a8 70 33 c1 a1 01 0a dc 87 fa 83 9d 5e 1a 21 ed 7a"
This command won't work: cscript rdconfig.js f3 78 0c a8 70 33 c1 a1 01 0a dc 87 fa 83 9d 5e 1a 21 ed 7a
Also, please, make sure that the certificate is installed into your local computer's (not user's) "Personal" certificate store and that it has a corresponding private key.
If for some reason the script keeps returning errors no matter what you do, you can try setting it up manually. There are 3 things you need to do:
1. Grant "NETWORK SERVICE" account "Read" access to the certificate's private key. This can be done using Certificates MMC snap-in. Right-click on the certificate, then select "All tasks\Manage Private Keys..." from the menu.
2. Set the registry value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash" to the thumbprint of your certificate. The value type is Binary.
3. reboot the machine.
10x for replies!
Machine I'm using for these tests is running 2008R2 standart server, currently installed roles are Remote Desktop Services (RDSessionHost + Licensing) installed.
running rdconfig did not help - still Invalid Parameter.
Gave READ permissions to Network Service, wrote in registry the thumbprint value, restarted.
After restart i read the thumbprint value:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash
It returns 978CF2266D1D595D6A0F3A63B050FCC326677092
Value I had written was 825A7DCA62A1D69E8ADA747772790CFDCD3815E3
On top of this , going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\ - there was NO key named SSLCertificateSHA1Hash :/
Made this key again, wrote the value, restart - same result :O
- my certificate is installed in Computer Personal store, but it also resides in local users store - simply the cryptovision utility automatically inserts it there when certificate is inserted and connected to the machine. Could this be a problem?
Maybe I should reinstall with "fresh" Windows? :(
Also details what properties my certificate has:
Signature algorythm sha1RSA
Subject Alternative name: user@Server (it is corect , I can login locally with the certificate)
Thumbprint algorythm sha1
Enhanced Key Usage: Client Authentication (220.127.116.11.18.104.22.168.2)
Server Authentication (22.214.171.124.126.96.36.199.1)
KDC Authentication (188.8.131.52.184.108.40.206)
Unknown Key Usage (220.127.116.11.4.1.318.104.22.168)
Smart Card Logon (22.214.171.124.4.1.3126.96.36.199)
Secure Email (188.8.131.52.184.108.40.206.4)
IP security end system (220.127.116.11.18.104.22.168.5)
IP security tunnel termination (22.214.171.124.126.96.36.199.6)
IP security user (188.8.131.52.184.108.40.206.7)
IP security IKE intermediate (220.127.116.11.18.104.22.168.2)
All checks (crl, certificate chain etc) passing OK
I would not try reinstalling Windows just yet :-)
It looks like Remote Desktop service finds some problem with your certificate and replaces it with the default one.
Please check the System event log for error events from "TerminalServices-RemoteConnectionManager". They might give you some clues as to what is wrong exactly with your certificate.
I don't know how cryptovision utility works. I know, though, that copy/pasting a certificate from the user to computer store does not work. So I usually import certificates directly into the computer store from .pfx files using "Certificates" MMC snap-in.
One other thing you might want to check is the certificate "Valid from" and "Valid to" dates, just in case. I did not find them in the certificate details you provided.
I hope that helps.
Looks like importing certificate WAS the problem, I was trying to use certificate from crypto card, where the private key is in the card, while Windows needs direct access to private key.