My Windows Server 2012 currently seems to have gone on holiday and is ignoring the SSL certificate I have asked it to use for Remote Desktop connections via:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="cb727b4dca34651444afbd939555e6c65f8434c4"
where cb727b4dca34651444afbd939555e6c65f8434c4 is the thumbprint of an existing valid SSL certificate that was generated via Group Policy from a local CA.
The server continues to issue a self-signed certificate every time I delete the previous self-signed one from the "Local Computer -> Remote Desktop" certificate store. The RDP connection info continues to say "The identity of the remote desktop is verified by Kerberos" instead of "verified by a certificate".
So yes, it's ignoring the Group Policy I have set up as well as the setting applied directly via WMI. The output of
Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
is
__GENUS : 2
__CLASS : Win32_TSGeneralSetting
__SUPERCLASS : Win32_TerminalSetting
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_TSGeneralSetting.TerminalName="RDP-Tcp"
__PROPERTY_COUNT : 20
__DERIVATION : {Win32_TerminalSetting, CIM_Setting, CIM_ManagedSystemElement}
__SERVER : OVERWATCHD
__NAMESPACE : root\cimv2\terminalservices
__PATH : \\OVERWATCHD\root\cimv2\terminalservices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"
Caption :
CertificateName : OVERWATCHD.labs.xxx.co.nz
Certificates : {0, 0, 0, 0...}
Comment :
Description :
InstallDate :
MinEncryptionLevel : 3
Name :
PolicySourceMinEncryptionLevel : 1
PolicySourceSecurityLayer : 1
PolicySourceUserAuthenticationRequired : 1
SecurityLayer : 2
SSLCertificateSHA1Hash : CB727B4DCA34651444AFBD939555E6C65F8434C4
SSLCertificateSHA1HashType : 2
Status :
TerminalName : RDP-Tcp
TerminalProtocol : Microsoft RDP 8.0
Transport : tcp
UserAuthenticationRequired : 0
WindowsAuthentication : 0
PSComputerName : OVERWATCHD
It was working a month ago. Any ideas how I can troubleshoot this? The Windows event logs don't seem to give much information. If only there was a debug/verbose flag I could set.
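The following PowerShell is an added diagnostic for the situation described in the question; it is not code from the original post. It checks the four things the RDP listener needs before it will use a custom certificate instead of regenerating a self-signed one: the listener references the expected thumbprint, the certificate is in the machine Personal store (Cert:\LocalMachine\My, not only the Remote Desktop store), it has a private key, is within its validity period and carries the Server Authentication EKU (or no EKU), and NETWORK SERVICE (the account Remote Desktop Services runs as) can read the private key file. It then re-applies the binding from PowerShell and asks the listener for its TLS certificate directly over port 3389, because the mstsc identity dialog reflects how NLA/CredSSP authenticated the server rather than the TLS certificate alone. Assumptions: the listener is RDP-Tcp, the host is reachable on 3389, and the script runs elevated; the thumbprint is the one quoted in the question.

```powershell
# Added diagnostic, not part of the original question. Assumes listener RDP-Tcp,
# certificate in Cert:\LocalMachine\My, port 3389 reachable, running elevated.
$Thumbprint = 'CB727B4DCA34651444AFBD939555E6C65F8434C4'   # thumbprint from the question

function Test-RdpCertificateBinding {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Listener = 'RDP-Tcp'
    )
    $findings = @()

    # 1. The listener object must reference the thumbprint we expect.
    $ts = Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='$Listener'"
    if ($ts.SSLCertificateSHA1Hash -ne $Thumbprint) {
        $findings += "Listener $Listener points at $($ts.SSLCertificateSHA1Hash), expected $Thumbprint"
    }

    # 2. The certificate has to live in the machine Personal store; the Remote Desktop store alone is not enough.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return $findings + "No certificate $Thumbprint in Cert:\LocalMachine\My" }

    # 3. Private key present, inside its validity period, Server Authentication EKU (or no EKU extension at all).
    if (-not $cert.HasPrivateKey) { $findings += 'Certificate has no private key' }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $findings += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $findings += 'Certificate has an EKU extension without Server Authentication (1.3.6.1.5.5.7.3.1)'
    }

    # 4. Remote Desktop Services runs as NETWORK SERVICE and must be able to read the private key file.
    #    Covers legacy CSP keys only; CNG keys expose no CspKeyContainerInfo here and are skipped.
    if ($cert.HasPrivateKey -and $cert.PrivateKey) {
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
        if (Test-Path $keyFile) {
            $readable = (Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference -like '*NETWORK SERVICE' -and $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
            }
            if (-not $readable) { $findings += "NETWORK SERVICE has no read access to $keyFile" }
        }
    }
    return $findings
}

function Get-RdpListenerCertificate {
    # Negotiate TLS with the listener ourselves (bypassing mstsc) and return the certificate it presents.
    param([string]$ComputerName = 'localhost', [int]$Port = 3389)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $stream = $client.GetStream()
        # TPKT header + X.224 Connection Request + RDP_NEG_REQ, requestedProtocols = TLS | CredSSP (0x03).
        [byte[]]$negReq = 0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00, 0x01,0x00,0x08,0x00,0x03,0x00,0x00,0x00
        $stream.Write($negReq, 0, $negReq.Length)
        $resp = New-Object byte[] 19
        $read = $stream.Read($resp, 0, $resp.Length)
        # Byte 11 is the RDP_NEG type: 0x02 = RDP_NEG_RSP (go ahead with TLS), 0x03 = RDP_NEG_FAILURE.
        if ($read -lt 19 -or $resp[11] -ne 0x02) {
            throw ("Listener refused TLS negotiation (response type 0x{0:X2})" -f $resp[11])
        }
        # Accept whatever certificate the server offers; we only want to inspect it.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName, $null, [System.Security.Authentication.SslProtocols]'Tls,Tls11,Tls12', $false)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Usage: report problems, re-apply the binding, then confirm what the listener actually presents.
Test-RdpCertificateBinding -Thumbprint $Thumbprint

$ts = Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$ts.SSLCertificateSHA1Hash = $Thumbprint
$ts.Put() | Out-Null        # PowerShell equivalent of the wmic Set in the question

$presented = Get-RdpListenerCertificate -ComputerName 'localhost'
"Listener presents $($presented.Thumbprint) for $($presented.Subject); expected $Thumbprint"

# Listener-side certificate errors (lookup failures, self-signed regeneration) are logged here.
Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin' -MaxEvents 50 |
    Where-Object { $_.Level -le 3 } | Format-Table TimeCreated, Id, Message -Wrap
```

If Test-RdpCertificateBinding returns nothing but Get-RdpListenerCertificate still shows a self-signed thumbprint, restart the Remote Desktop Services service (or the host) after the Put(); the listener reads the hash when it starts. A CNG (KSP) private key is the one case the ACL check does not cover, and a key that NETWORK SERVICE cannot open behaves exactly like the symptom in the question: the configured hash stays in WMI while the listener falls back to a fresh self-signed certificate.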