Starting with Windows Server 2003 SP1, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop server. This is easy to configure using the “Remote Desktop Session Host Configuration” tool on Server operating systems. Though no such tool is available on Client operating systems such as Windows Vista and Windows 7, it is still possible to provide them with certificates for Remote Desktop connections. There are two possible ways to accomplish this. The first method is using Group Policy and Certificate Templates, and the second one is using a WMI script.
[April 15, 2010: Updated to correct which certificates can be used.]
This method allows you to install Remote Desktop certificates on multiple computers in your domain but it requires your domain to have a working public key infrastructure (PKI).
First, you need to create a Remote Desktop certificate template.
The new template is now ready to use.
The next step is to publish the template.
Now the “RemoteDesktopComputer” template is published and can be used in certificate requests.
The last step is to configure Group Policy to use certificates based on the “RemoteDesktopComputer” template for Remote Desktop authentication.
Note: The following steps create the new policy to apply to all computers in the domain, but it can also be scoped to an Organizational Unit if needed.
This method allows you to use a server certificate of your choice with Remote Desktop connections but the certificate needs to be manually installed on the computer first. For example, this method can be used if you bought your certificate from a public certificate authority.
First check that your certificate meets the requirements for Remote Desktop certificates. Certificates that don’t meet these requirements won’t work and will be ignored.
In order for a certificate to be used for Remote Desktop connections you first need to obtain the certificate’s thumbprint.
Now you have the thumbprint string ready to use. It should look like this: 0e2a9eb75f1afc321790407fa4b130e0e4e223e2
Once you have the thumbprint you can use the following script to cause the certificate to be used for Remote Desktop connections.
var strComputer = ".";
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;
var wbemAuthenticationLevelPktPrivacy = 6;
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer (strComputer, strNamespace);
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");
if (WScript.Arguments.length >= 1 )
TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
To run this sample, copy/paste the above code into a “rdconfig.js” file, start cmd.exe as the Administrator, and then run the following command: “cscript rdconfig.js <thumbprint of your certificate>”. Running this script without a parameter will revert Remote Desktop back to using the default self-signed certificate.
After successfully adding thumbprint, attempt to logon with smartcard gives error in Event log:
"This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate."
On logon screen i get "System could not log you in. Cannot use smart card logon because smart card logon isn't supported for your user account. Contact your system administrator ....."
User is member of Remote Desktop Users, certificate has Subject Alt Name set to email@example.com,
also has Enhanced Key Usage:
Client Authentication (126.96.36.199.188.8.131.52.2)
Server Authentication (184.108.40.206.220.127.116.11.1)
KDC Authentication (18.104.22.168.22.214.171.124)
Unknown Key Usage (126.96.36.199.4.1.3188.8.131.52)
Smart Card Logon (184.108.40.206.4.1.3220.127.116.11)
Looks like I'm missing something important :S
Is installing Terminal Services Role mandatory?
Are you able to logon locally to the same machine using the same smartcard?
Answering your question: Installing Terminal Services Role (did you mean Remote Desktop Host role?) is not required in order to use smartcard.
All is running fine :D, looks like I had CRL-accessing problems :(
Thanks for the support!
Thank you for all you've put into this. Do you know of any way to stop the self signed cert from being re-generated after a reboot? It appears that I've got everything setup to use my CA cert and I can delete the self signed cert but after a reboot it keeps coming back. The system is still using the CA cert but the problem we have is that the security scans that we must use keeps picking up the self signed cert and reporting it as a problem. Any ideas?
Unfortunately, there is no way to turn off the self-signed certificate regeneration.
Thanks and as an update, I was mistaken, the security scans don't report the self signed cert as I was expecting it to. Good to know about the auto self signed generation process.
A revocation check could not be performed for this certificate
And I can get to URL of the .crl with NO problems at all!
Using enablecredsspsupport:i:0 as per
"fixes" it, but that is not really a solution!
Anybody any ideas?
Regarding the question I posted in three years ago, I'm guessing KB2752618 would be the solution.
Ok, I have implemented this using part 1, some of my Windows 2012R2 servers are getting the following error:
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0/Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The system cannot find the file specified.
I have been searching for over 6 hours and I still cannot determine which file it is referring to...
I am searching for Windows Server 2012 R2 and you provide Windows 2003.
Either Microsoft don't have enough information on 2012 R2 or the links are not correct.
The same should work on Win 2012 R2 as well.
Though, it is now simpler to configure. For example, you can use “Computer” template without changes.
I have made a powershell equivalent of the script. It would be nice of you to add this to the article as windows script host is deprecated in favor of Powershell based solutions.
I've got this working perfect on 2008 Servers. However my 2003 servers autoenroll and a certificate shows up in local computer/personal store but does not autoselect it to use for RDP. I dont want to have to touch hundreds of servers and select the certificate to use.
Unfortunately, this feature was not yet implemented in Win 2003.
A WMI script might work, but you'll need to find a way to obtain the cert hash from each machine.
Is it possible to create a template on a Domain CA for use with non-domain joined computer, such that domain joined computers that need to use the RDP services on the non-domain joined machine will trust the cert? Or should a request simply be made for a normal server based cert (Say Web Server), then use the WMI script to make the alterations?