Starting with Windows Server 2003 SP1, it is possible to provide server authentication by issuing a Secure Sockets Layer (SSL) certificate to the Remote Desktop server. This is easy to configure using the “Remote Desktop Session Host Configuration” tool on Server operating systems. Though no such tool is available on Client operating systems such as Windows Vista and Windows 7, it is still possible to provide them with certificates for Remote Desktop connections. There are two possible ways to accomplish this. The first method is using Group Policy and Certificate Templates, and the second one is using a WMI script.
[April 15, 2010: Updated to correct which certificates can be used.]
This method allows you to install Remote Desktop certificates on multiple computers in your domain, but it requires your domain to have a working public key infrastructure (PKI).
First, you need to create a Remote Desktop certificate template.
Creating Remote Desktop certificate template:
The new template is now ready to use.
The next step is to publish the template.
Publishing the “RemoteDesktopComputer” certificate template:
Now the “RemoteDesktopComputer” template is published and can be used in certificate requests.
The last step is to configure Group Policy to use certificates based on the “RemoteDesktopComputer” template for Remote Desktop authentication.
Configuring Group Policy:
Note: The following steps create the new policy to apply to all computers in the domain, but it can also be scoped to an Organizational Unit if needed.
This method allows you to use a server certificate of your choice with Remote Desktop connections, but the certificate needs to be manually installed on the computer first. For example, this method can be used if you bought your certificate from a public certificate authority.
First, check that your certificate meets the requirements for Remote Desktop certificates. Certificates that don’t meet these requirements won’t work and will be ignored.
Basic requirements for Remote Desktop certificates:
In order for a certificate to be used for Remote Desktop connections, you first need to obtain the certificate’s thumbprint.
Getting the certificate’s thumbprint:
Now you have the thumbprint string ready to use. It should look like this: 0e2a9eb75f1afc321790407fa4b130e0e4e223e2
Once you have the thumbprint you can use the following script to cause the certificate to be used for Remote Desktop connections.
WMI script for configuring Remote Desktop certificate:
    // Connect to the Terminal Services WMI namespace on the local computer.
    var strComputer = ".";
    var strNamespace = "\\root\\CIMV2\\TerminalServices";
    var wbemChangeFlagUpdateOnly = 1;
    var wbemAuthenticationLevelPktPrivacy = 6;

    var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
    Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
    var Service = Locator.ConnectServer(strComputer, strNamespace);
    var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");

    if (WScript.Arguments.length >= 1)
    {
        // Use the certificate whose thumbprint was passed on the command line.
        TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
    }
    else
    {
        // No argument: revert to the default self-signed certificate.
        TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
    }

    // Write the change back to the existing RDP-Tcp settings instance.
    TSSettings.Put_(wbemChangeFlagUpdateOnly);
To run this sample, copy/paste the above code into a “rdconfig.js” file, start cmd.exe as the Administrator, and then run the following command: “cscript rdconfig.js <thumbprint of your certificate>”. Running this script without a parameter will revert Remote Desktop back to using the default self-signed certificate.
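The script above hands its argument to WMI unchecked, and a thumbprint copied from a certificate dialog often carries spaces and an invisible leading Unicode character. The following is an added example, not part of the original post: a hypothetical helper, parseThumbprint, that cleans and validates the argument before it is assigned to SSLCertificateSHA1Hash. The helper name, the returned object layout and the lower-casing are assumptions of this example.

```javascript
// Validate the thumbprint argument before it is written to WMI.
// ES3 syntax only, so the function runs under cscript.exe and Node.js alike.
var ZERO_HASH = "0000000000000000000000000000000000000000"; // the page's revert value
var INVISIBLE = /[\u200E\u200F\u202A-\u202E\uFEFF]/;   // marks copied from GUI dialogs
var SEPARATORS = /[\s:\-]/;                            // byte separators shown by viewers
var STRIP_ALL = /[\u200E\u200F\u202A-\u202E\uFEFF\s:\-]/g;

// Returns { ok, value, revert, problems } for one raw command-line argument.
function parseThumbprint(raw) {
    var result = { ok: false, value: null, revert: false, problems: [] };
    if (raw === undefined || raw === null || raw === "") {
        // No argument: same outcome as the page's script (default certificate).
        result.ok = true; result.value = ZERO_HASH; result.revert = true;
        return result;
    }
    var text = String(raw);
    if (INVISIBLE.test(text)) {
        result.problems.push("removed invisible Unicode formatting characters");
    }
    if (SEPARATORS.test(text)) {
        result.problems.push("removed whitespace or separator characters");
    }
    var cleaned = text.replace(STRIP_ALL, "");
    if (!/^[0-9A-Fa-f]*$/.test(cleaned)) {
        result.problems.push("contains non-hexadecimal characters");
        return result;
    }
    if (cleaned.length !== 40) {
        result.problems.push("expected 40 hex digits (SHA-1), got " + cleaned.length);
        return result;
    }
    result.ok = true;
    result.value = cleaned.toLowerCase(); // same form as the sample on the page
    result.revert = (result.value === ZERO_HASH);
    return result;
}

// Under cscript, call this instead of assigning WScript.Arguments(0) directly.
if (typeof WScript !== "undefined") {
    var arg = WScript.Arguments.length >= 1 ? WScript.Arguments(0) : "";
    var parsed = parseThumbprint(arg);
    for (var i = 0; i < parsed.problems.length; i++) {
        WScript.Echo("thumbprint: " + parsed.problems[i]);
    }
    if (!parsed.ok) { WScript.Quit(1); }
    // parsed.value is the string to assign to TSSettings.SSLCertificateSHA1Hash.
}
```

A rejected argument stops the script before Put_ is called, so a mistyped thumbprint never replaces the working setting.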