Configuring Remote Desktop certificates


Starting with Windows Server 2003 SP1, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop server. This is easy to configure using the “Remote Desktop Session Host Configuration” tool on Server operating systems. Though no such tool is available on Client operating systems such as Windows Vista and Windows 7, it is still possible to provide them with certificates for Remote Desktop connections. There are two possible ways to accomplish this. The first method is using Group Policy and Certificate Templates, and the second one is using a WMI script.

[April 15, 2010: Updated to correct which certificates can be used.]

Part I: Using Group Policy and Certificate Templates.

This method allows you to install Remote Desktop certificates on multiple computers in your domain but it requires your domain to have a working public key infrastructure (PKI).

First, you need to create a Remote Desktop certificate template.

Creating Remote Desktop certificate template:

  1. On the computer that has your enterprise Certification Authority installed start MMC and open the “Certificate Templates” MMC snap-in.
  2. Find the “Computer” template, right-click on it, and then choose “Duplicate Template” from the menu.
  3. In the “Duplicate Template” dialog box, choose “Windows Server 2003 Enterprise” template version.
  4. The “Properties of New Template” dialog box will appear.
  5. On the “General” page of this dialog box, set both “Template display name” and “Template name” to “RemoteDesktopComputer”. Note: it is important to use the same string for both properties.
  6. On the “Extensions” page, select “Application Policies”, and then click the “Edit…” button.
  7. The “Edit Application Policies Extension” dialog box appears.
  8. Now you can either remove the “Client Authentication” policy leaving the “Server Authentication” policy, or you can use the special “Remote Desktop Authentication” policy. Doing the latter will prevent certificates based on this template from being used for any purpose other than Remote Desktop authentication.
  9. To create the “Remote Desktop Authentication” policy, first remove both the “Client Authentication” and “Server Authentication” policies, and then click “Add…”
  10. The “Add Application Policy” dialog box appears. In this dialog box click the “New…”
  11. The “New Application Policy” dialog box appears. In this dialog box, set “Name” to “Remote Desktop Authentication” and “Object Identifier” to “1.3.6.1.4.1.311.54.1.2”, and then click “OK.”
  12. Select “Remote Desktop Authentication” in the “Add Application Policy” dialog box, and then click “OK.”
  13. Now the “Edit Application Policies Extension” dialog box should look like this:
  14. Click “OK” in this dialog box, and then click “OK” in the “Properties of New Template” dialog box.

The new template is now ready to use.

The next step is to publish the template.

Publishing the “RemoteDesktopComputer” certificate template:

  1. On the computer that has your enterprise Certification Authority installed, start the Certification Authority MMC snap-in.
  2. Right-click on “Certificate Templates”, then select “New\Certificate Template to Issue” from the menu that appears.
  3. The “Enable Certificate Templates” dialog box appears. Select “RemoteDesktopComputer”, and then click “OK.”

Now the “RemoteDesktopComputer” template is published and can be used in certificate requests.

The last step is to configure Group Policy to use certificates based on the “RemoteDesktopComputer” template for Remote Desktop authentication.

Configuring Group Policy:

Note: The following steps create the new policy to apply to all computers in the domain, but it can also be scoped to an Organizational Unit if needed.

  1. On the domain controller, start the “Group Policy Management” administrative tool.
  2. Right-click the “Default Domain Policy” and click on “Edit…” in the menu that appears. The “Group Policy Management Editor” appears.
  3. Navigate to “Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.”
  4. Double-click the “Server Authentication Certificate Template” policy.
  5. Enable the policy, type “RemoteDesktopComputer” in the “Certificate Template Name” box, and then click “OK.”
  6. As soon as this policy is propagated to domain computers, every computer that has Remote Desktop connections enabled will automatically request a certificate based on the “RemoteDesktopComputer” template from the Certification Authority server and use it to authenticate to Remote Desktop clients. You can speed up the propagation to a specific computer by running the “gpupdate.exe” command line tool on that computer.

Part II: Using a WMI script.

This method allows you to use a server certificate of your choice with Remote Desktop connections but the certificate needs to be manually installed on the computer first. For example, this method can be used if you bought your certificate from a public certificate authority.

First check that your certificate meets the requirements for Remote Desktop certificates. A certificate that doesn’t meet these requirements is ignored, and the Remote Desktop service silently falls back to its default self-signed certificate.

Basic requirements for Remote Desktop certificates:

  1. The certificate is installed into computer’s “Personal” certificate store.
  2. The certificate has a corresponding private key.
  3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well.

In order for a certificate to be used for Remote Desktop connections you first need to obtain the certificate’s thumbprint.

Getting the certificate’s thumbprint:

  1. Double-click on the certificate.
  2. Click the “Details” tab.
  3. Select the “Thumbprint” entry from the list.
  4. Copy the thumbprint value into Notepad.
  5. Delete all the spaces between the numbers.

Now you have the thumbprint string ready to use. It should look like this: 0e2a9eb75f1afc321790407fa4b130e0e4e223e2

Once you have the thumbprint you can use the following script to cause the certificate to be used for Remote Desktop connections.

WMI script for configuring Remote Desktop certificate:

// rdconfig.js: bind a certificate to the RDP-Tcp listener through WMI.
// Usage: cscript rdconfig.js <thumbprint>
// Without an argument the listener reverts to the default self-signed certificate.

var strComputer = ".";                                  // local machine
var strNamespace = "\\root\\CIMV2\\TerminalServices";   // namespace that holds Win32_TSGeneralSetting
var wbemChangeFlagUpdateOnly = 1;                        // Put_ flag: update the existing instance only
var wbemAuthenticationLevelPktPrivacy = 6;              // TerminalServices namespace requires packet privacy

var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;

var Service = Locator.ConnectServer(strComputer, strNamespace);

// The RDP-Tcp listener's general settings; SSLCertificateSHA1Hash is the thumbprint of the certificate it presents.
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");

if (WScript.Arguments.length >= 1)
{
    // Tolerate a thumbprint pasted with spaces (as shown on the certificate's Details tab).
    TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0).replace(/\s/g, "");
}
else
{
    // All zeros selects the default self-signed certificate.
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
}

// Put_ throws if WMI rejects the value, e.g. a thumbprint with stray spaces or a
// certificate that is not in the computer's Personal store with a usable private key.
TSSettings.Put_(wbemChangeFlagUpdateOnly);

To run this sample, copy/paste the above code into a “rdconfig.js” file, start cmd.exe as the Administrator, and then run the following command: “cscript rdconfig.js <thumbprint of your certificate>”. Running this script without a parameter will revert Remote Desktop back to using the default self-signed certificate.
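The PowerShell script below is an added example, not part of the original post or of the Remote Desktop team's tooling. It covers both halves of the post: it checks a certificate against the three requirements listed in Part II (computer Personal store, private key present, EKU absent or containing Server Authentication or Remote Desktop Authentication), binds it to the RDP-Tcp listener through the same Win32_TSGeneralSetting.SSLCertificateSHA1Hash property the WMI script uses, and then reads the setting back so that the silent fallback to the self-signed certificate does not go unnoticed. Run it without the bind step (pass -CheckOnly) on a computer that received the Part I Group Policy to confirm which certificate the listener actually presents. It assumes an elevated Windows PowerShell 3.0 or later session on the Remote Desktop host; the parameter names and the validity-period check are this example's additions.

```powershell
# Added example (not from the original post). Assumes: run elevated on the RD host, PowerShell 3.0+.
# Usage: .\Set-RdpCertificate.ps1 -Thumbprint "0e 2a 9e b7 ..."      (spaces are tolerated)
#        .\Set-RdpCertificate.ps1 -CheckOnly                            (report the current listener certificate)
param(
    [string] $Thumbprint,
    [switch] $CheckOnly
)

$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (from the post)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication
$EkuExtOid     = '2.5.29.37'                # Enhanced Key Usage extension

function Get-RdpListener {
    # Same WMI class and instance the JScript in the post manipulates.
    Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
}

function Test-RdpCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2] $cert) {
    # Requirement 2: a private key must be present (copy/paste from the user store loses it).
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; import the .pfx into the computer store." }

    # Requirement 3: EKU absent, or containing Server Authentication or Remote Desktop Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (($oids -notcontains $ServerAuthOid) -and ($oids -notcontains $RdpAuthOid)) {
            throw "EKU lacks Server Authentication ($ServerAuthOid) and Remote Desktop Authentication ($RdpAuthOid): $($oids -join ', ')"
        }
    }

    # Added check: an expired or not-yet-valid certificate is also replaced by the self-signed one.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }
}

if ($CheckOnly) {
    $current = (Get-RdpListener).SSLCertificateSHA1Hash
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $current
    if ($cert) {
        Write-Output "RDP-Tcp presents $($cert.Subject) issued by $($cert.Issuer), thumbprint $current, valid until $($cert.NotAfter)."
        Test-RdpCertificate $cert
    } else {
        # The default self-signed certificate lives in the "Remote Desktop" store, not in Personal.
        Write-Warning "Listener thumbprint $current is not in Cert:\LocalMachine\My; the self-signed certificate is probably in use."
    }
    return
}

# Normalise a thumbprint copied from the Details tab (spaces, lower-case) to 40 upper-case hex digits.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
if ($Thumbprint -notmatch '^[0-9A-F]{40}$') { throw "Thumbprint must be 40 hex characters, got '$Thumbprint'." }

# Requirement 1: the certificate must be in the computer's (not the user's) Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate $Thumbprint in Cert:\LocalMachine\My." }
Test-RdpCertificate $cert

# Bind and read back; the service reverts to the self-signed certificate if it rejects this one.
Set-CimInstance -InputObject (Get-RdpListener) -Property @{ SSLCertificateSHA1Hash = $Thumbprint }
$after = (Get-RdpListener).SSLCertificateSHA1Hash
if ($after -ne $Thumbprint) {
    Write-Warning "Listener reports $after, not $Thumbprint. Check the System log for TerminalServices-RemoteConnectionManager errors."
} else {
    Write-Output "RDP-Tcp listener now presents $($cert.Subject) ($Thumbprint), valid until $($cert.NotAfter)."
}
```

The read-back is the part worth keeping even if you prefer the JScript: a successful Put_ only means WMI accepted the value, while the listener may still have discarded the certificate, so compare what the listener reports with what you set.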

  • Including a short (NetBIOS) name in a certificate, automatically generated from a template is not possible, unfortunately.

    You could create a template that allows adding names to SAN, but you'd have to install such certificates manually.

    Thx,

    Sergey.

  • Hi,  I got this error on a Windows server 2003 when running the cscript:

    SWbemLocator: invalid namespace

    any clue...?

    Thanks..!

  • Hello,

    I saw this post:

    Question: Is there anyway to deny connection if the certificate is not installed in the client computer?

    Answer: A self-signed certificate is always installed and is used when there are no other certificates.

    However, RDP client can always enforce server authentication and break the connection if certificate is not trusted. If you open mstsc.exe , click on "Options" and then navigate to "Advanced" tab, there will be "server authentication" property which you can set to "Do not connect".

    With this configuration my non-domain Windows 7 client unfortunately connects. I need to block this connection without the root certificate.

    Any idea?

  • This is in response to Tharinda's posting about smartcards. If you're talking about authenticating to the server, then yes, smartcards work great (we use it all the time, and even got CLM's certificate renewal working through a Terminal Server). But if you're talking about the certificate used by the remote server for encrypting its connection, then I don't think smartcards would work very well. That certificate (as I understand it) needs to be on the server.

  • I tried to run the js file but got the following error even though I am running cmd in administrator mode.

    C:\rdconfig.js (38, 1) SWbemObjectEx: Access is denied.

    The account i used to run my CMD is a domain admin account... anyone knows how to solve this?

  • This didn't work for our DCs because they aren't part of the Domain Computers group.

    Adding the Domain Controllers group to the Security Tab of the RemoteDesktopComputer template is therefore crucial.

  • I ran this, no errors, but it didn't do anything. The script isn't in the remote desktop store. I had run it previously and it worked, but I had to run it without the parameter and reset it. Now it's not doing anything.

  • When the policy is applied in a w2003, the certificate is not created and the event viewer shows the following error

    Event ID 5378

    The Terminal Server is configured to use SSL, however, no usable certificate was found on the server. Please check the security settings by using the Terminal Services Configuration tool in the Administrative Tools folder.

    In a w2008 R2 worked correctly and in a w2012 nothing happened

  • I have problem with WMI script... same problem as many here. Certificate is in computer store, not in users, but I get same

    My Setup:

    1 PC which I want to access with RD via certificate.

    And I constantly receive "Line:38, Error: Invalid parameter, Code: 80041008 Source: SWbemObjectEx" :(

    Any other method?

  • Hi Chavdar,

    When running this script, please, make sure that you remove all the space characters from the certificate thumbprint, or put it inside "".

    This command will work: cscript rdconfig.js f3780ca87033c1a1010adc87fa839d5e1a21ed7a

    This command will work: cscript rdconfig.js "f3 78 0c a8 70 33 c1 a1 01 0a dc 87 fa 83 9d 5e 1a 21 ed 7a"

    This command won't work: cscript rdconfig.js f3 78 0c a8 70 33 c1 a1 01 0a dc 87 fa 83 9d 5e 1a 21 ed 7a

    Also, please, make sure that the certificate is installed into your local computer's (not user's) "Personal" certificate store and that it has a corresponding private key.

    Thx,

    Sergey.

  • Hi Chavdar,

    If for some reason the script keeps returning errors no matter what you do, you can try setting it up manually. There are 3 things you need to do:

    1. Grant "NETWORK SERVICE" account "Read" access to the certificate's private key. This can be done using Certificates MMC snap-in. Right-click on the certificate, then select "All tasks\Manage Private Keys..." from the menu.

    2. Set the registry value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash" to the thumbprint of your certificate. The value type is Binary.

    3. reboot the machine.

    Thx,

    Sergey.

  • 10x for replies!

    Machine I'm using for these tests is running 2008 R2 Standard server; currently installed roles are Remote Desktop Services (RDSessionHost + Licensing).

    running rdconfig did not help - still Invalid Parameter.

    Gave READ permissions to Network Service, wrote in registry the thumbprint value, restarted.

    After restart i read the thumbprint value:

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

    It returns 978CF2266D1D595D6A0F3A63B050FCC326677092

    Value I had written was 825A7DCA62A1D69E8ADA747772790CFDCD3815E3

    On top of this , going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\ - there was NO key named SSLCertificateSHA1Hash :/

    Made this key again, wrote the value, restart - same result :O

    - my certificate is installed in Computer Personal store, but it also resides in local users store - simply the cryptovision utility automatically inserts it there when certificate is inserted and connected to the machine. Could this be a problem?

    Maybe I should reinstall with "fresh" Windows? :(

  • Also details what properties my certificate has:

    2048 bits

    Signature algorithm sha1RSA

    Subject Alternative Name: user@Server (it is correct, I can log in locally with the certificate)

    Thumbprint algorithm sha1

    Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)

    Server Authentication (1.3.6.1.5.5.7.3.1)

    KDC Authentication (1.3.6.1.5.2.3.5)

    Unknown Key Usage (1.3.6.1.4.1.311.54.1.2)

    Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

    Secure Email (1.3.6.1.5.5.7.3.4)

    IP security end system (1.3.6.1.5.5.7.3.5)

    IP security tunnel termination (1.3.6.1.5.5.7.3.6)

    IP security user (1.3.6.1.5.5.7.3.7)

    IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

    All checks (crl, certificate chain etc) passing OK

  • Hi Chavdar,

    I would not try reinstalling Windows just yet :-)

    It looks like Remote Desktop service finds some problem with your certificate and replaces it with the default one.

    Please check the System event log for error events from "TerminalServices-RemoteConnectionManager". They might give you some clues as to what is wrong exactly with your certificate.

    I don't know how cryptovision utility works. I know, though, that copy/pasting a certificate from the user to computer store does not work. So I usually import certificates directly into the computer store from .pfx files using "Certificates" MMC snap-in.

    One other thing you might want to check is the certificate "Valid from" and "Valid to" dates, just in case. I did not find them in the certificate details you provided.

    I hope that helps.

    Thx,

    Sergey.

  • Looks like importing certificate WAS the problem, I was trying to use certificate from crypto card, where the private key is in the card, while Windows needs direct access to private key.
