
I’m connecting over the web to a remote Windows Server 2012 R2 via Remote Desktop Connection for administration needs. It is a single web and database server without an AD etc.

I’m not talking about Remote Desktop Services / Terminal Server, just the simple Remote Desktop feature activated through Control Panel > System > Remote Settings. The server will automatically create a self-signed certificate to encrypt the connection and the Remote Desktop Connection client will show a certificate error due to the untrusted CA.

I have a CA signed certificate issued to the FQDN of this server and valid for server authentication (I’m using it for MSSQL Server remote access).

I’d like to use that one for RDP connections too. All tutorials (like this question) I’ve found so far describe the process for Remote Desktop Services or Terminal Services. I have found this question stating a wmic command to set a certificate, but I don't want to try setting some values when I don't know exactly what I'm doing. What I have done is add it to the Remote Desktop Certificates store of Local Computer, where the auto-generated self-signed certificate is located too.

Is that possible? If yes, what do I have to do?

Thanks!

marce

2 Answers


The question you found that mentions using wmic to set the certificate thumbprint value should work without any additional feature installation. I asked and answered a similar question here with a little more detail. It also has a PowerShell equivalent for the wmic command. But I'll add some more explanation here as well.

Since you're already using this certificate for MSSQL SSL, I assume it's already installed into one of the certificate stores on the system. If you installed it in the context of a service account that MSSQL is running as, you might also need to install it into the Personal or Remote Desktop store for the "Local Computer" as well.
[screenshot of the Certificates snap-in in mmc.exe showing the Local Computer stores]

Once it's in there, you just need to update the SSLCertificateSHA1Hash value in Win32_TSGeneralSetting to point to it using one of the commands in my previous question.

If you want to check what the value is currently set to and compare it to the self-signed certificate, you can change the wmic command to the following. You can also use this to validate that the new thumbprint value you tried to set is correct.

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

The output should look something like this:
[screenshot of the wmic output showing the SSLCertificateSHA1Hash value]

Ryan Bolger
  • Thanks! That worked like a charm, don't know why I haven't found your original q/a in the first place. Don't have enough rep to upvote, but I'll keep it on the backlog until it works. – marce Jan 11 '14 at 11:25
  • At least on Windows 7 there is no need to move the cert to the "Remote desktop" store. The "personal" certificate store works just fine. – André Borie Aug 23 '16 at 20:41
  • What application is that screenshot from, with the red toolbox icon in the top left? – Kyle Humfeld Feb 15 '17 at 20:29
  • It's just the standard Windows mmc.exe (Microsoft Management Console) which is a generic host application for a bunch of mini applications written with the same UI constructs called snap-ins. The snap-in loaded in the screen shot is the Certificates snap-in. – Ryan Bolger Feb 16 '17 at 03:48
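The PowerShell equivalent of the wmic approach in the answer above, written as an added example here rather than taken from the answer or its linked question. It locates the CA-issued certificate in the Local Computer Personal store by the server's FQDN (the `server.example.com` value is a placeholder), reads the thumbprint currently configured on the RDP-Tcp listener, writes the new one into `Win32_TSGeneralSetting`, and reads it back to confirm the change. The `-Filter "TerminalName='RDP-Tcp'"` clause assumes the default listener name.

```powershell
# Added example: swap the RDP listener certificate to a CA-issued one and verify it.
# Assumes the certificate (with its private key) is already in Cert:\LocalMachine\My.
$fqdn = 'server.example.com'   # placeholder: replace with this server's FQDN

# Pick the newest valid certificate issued to the FQDN that has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate for $fqdn with a private key found in Cert:\LocalMachine\My"
}

# Sanity check: the certificate must be valid for Server Authentication (EKU 1.3.6.1.5.5.7.3.1).
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt -and -not ($ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $($cert.Thumbprint) does not carry the Server Authentication EKU"
}

# Read the listener's current setting so you can compare it with the self-signed thumbprint.
$tsSetting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"
Write-Host "Current RDP thumbprint: $($tsSetting.SSLCertificateSHA1Hash)"
Write-Host "New RDP thumbprint:     $($cert.Thumbprint)"

# Point the listener at the CA-issued certificate (same property wmic sets).
$tsSetting | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# Verify by reading the value back rather than trusting the write.
$applied = (Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($applied -ne $cert.Thumbprint) {
    throw "Listener still reports $applied; the thumbprint was not applied"
}
Write-Host "RDP-Tcp listener now uses certificate $($cert.Thumbprint)"
```

Run this from an elevated PowerShell session. Reading the value back matters because the WMI write succeeds even when the thumbprint is mistyped; the read-back, together with a fresh Remote Desktop Connection that no longer warns about an untrusted certificate, is the real confirmation. If clients still see the old self-signed certificate after the change, check that the Remote Desktop service account can read the certificate's private key, since a certificate the listener cannot use its key for will not be presented.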

The guides referring to Remote Desktop Services / Terminal Services are also applicable to a server that's just running the default RDP service - it's just a more limited instance of the same service.

What you might be missing from those guides is the tools to administer the service - you'll want to install the role administration tools for Remote Desktop Services to be able to manage the service.

Install-WindowsFeature -Name RSAT-RDS-Tools
Shane Madden
    Since this is 2012R2, he could also just use the Powershell Commandlets to manage his certs. [Set-RDCertificate](http://technet.microsoft.com/en-us/library/jj215464.aspx), Get-RDCertificate, Add-RDCertificate, etc. He shouldn't need the role admin tools to configure it via powershell. – Zoredache Jan 10 '14 at 23:37
  • @Zoredache Thanks for your hint. I tried a simple `Get-RDCertificate` to get started but got the following error: `A Remote Desktop Services deployment does not exist on . This operation can be performed after creating a deployment.` So I'm afraid I do have to install at least something, right? Should I continue with the Features @ShaneMadden suggested? – marce Jan 10 '14 at 23:52
  • Hrm, I hadn't actually tried it. I just tried running it on the 2012R2 server I have fully setup as a Desktop Services for testing purposes. I got the same error, so now I am confused, since that should have certainly worked. – Zoredache Jan 10 '14 at 23:59
  • @Zoredache So it's not me at least... Well, I'll try with the `Install-WindowsFeature -Name RSAT-RDS-Tools` next and report back. – marce Jan 11 '14 at 00:20
  • @ShaneMadden You are pointing in the right direction, but actually the whole package is required. Maybe you could update your answer to reflect that for those who'll come. – marce Jan 11 '14 at 00:50