Using CA certificate for Remote Desktop Connection


Solution 1

The question you found that mentions using wmic to set the certificate thumbprint value should work without any additional feature installation. I asked and answered a similar question here with a little more detail. It also has a PowerShell equivalent for the wmic command. But I'll add some more explanation here as well.

Since you're already using this certificate for MSSQL SSL, I assume it's already installed into one of the certificate stores on the system. If you installed it in the context of a service account that MSSQL is running as, you might also need to install it into the Personal or Remote Desktop store for the "Local Computer".
[screenshot: the Certificates snap-in in mmc.exe showing the Local Computer certificate stores]

Once it's in there, you just need to update the SSLCertificateSHA1Hash value in Win32_TSGeneralSetting to point to it using one of the commands in my previous question.

If you want to check what the value is currently set to and compare it to the self-signed certificate, you can change the wmic command to the following. You can also use this to validate that the new thumbprint value you tried to set is correct.

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

The output should look something like this:
[screenshot: output of the wmic command showing the SSLCertificateSHA1Hash value]
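The answer mentions a PowerShell equivalent for the wmic command but does not show it. The following is an added example, not code from the original answer: it locates a usable server-authentication certificate in the Local Computer Personal store, points the default RDP-Tcp listener at it through the same Win32_TSGeneralSetting class, and reads the value back to confirm. The FQDN is a placeholder and the listener name RDP-Tcp is assumed to be the default one.

```powershell
# Added example (not from the original answer). Assumptions: placeholder FQDN,
# certificate installed in Cert:\LocalMachine\My, default listener named RDP-Tcp.
# Run in an elevated PowerShell session on the server itself.
$Fqdn = 'server.example.com'   # placeholder: replace with this server's FQDN

# Pick a certificate RDP can actually use: private key present, currently valid,
# Server Authentication EKU (1.3.6.1.5.5.7.3.1), issued to the name clients connect to.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and
        $_.NotBefore -le (Get-Date) -and $_.NotAfter -gt (Get-Date) -and
        ($eku -and ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)) -and
        ($_.DnsNameList.Unicode -contains $Fqdn)   # DnsNameList: PowerShell cert provider property
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid server-authentication certificate for $Fqdn with a private key in LocalMachine\My"
}
$thumb = $cert.Thumbprint

# Same class and property the wmic command in the answer reads.
$listener = Get-CimInstance -Namespace root/cimv2/TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
"Listener currently uses thumbprint: $($listener.SSLCertificateSHA1Hash)"

# PowerShell equivalent of the wmic Set: write the new thumbprint.
$listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $thumb }

# Read it back, as the wmic Get in the answer does, and fail loudly on mismatch.
$after = (Get-CimInstance -Namespace root/cimv2/TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($after -ne $thumb) { throw "Listener still reports $after, expected $thumb" }
"RDP-Tcp now uses '$($cert.Subject)' ($thumb), valid until $($cert.NotAfter)"
```

The Remote Desktop service runs as NETWORK SERVICE, so that account must be able to read the certificate's private key; if clients still see the self-signed certificate after this change, check the private key permissions on the certificate and reconnect.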

Solution 2

The guides referring to Remote Desktop Services / Terminal Services are also applicable to a server that's just running the default RDP service - it's just a more limited instance of the same service.

What you might be missing from those guides is the tools to administer the service - you'll want to install the role administration tools for Remote Desktop Services to be able to manage the service.

Install-WindowsFeature -Name RSAT-RDS-Tools

Author: marce

Updated on September 18, 2022

Comments

  • marce
    marce over 1 year

    I’m connecting over the web to a remote Windows Server 2012 R2 via Remote Desktop Connection for administration needs. It is a single web and database server without an AD etc.

    I’m not talking about Remote Desktop Services / Terminal Server, just the simple Remote Desktop feature activated through Control Panel > System > Remote Settings. The server will automatically create a self-signed certificate to encrypt the connection and the Remote Desktop Connection client will show a certificate error due to the untrusted CA.

    I have a CA signed certificate issued to the FQDN of this server and valid for server authentication (I’m using it for MSSQL Server remote access).

    I’d like to use that one for RDP connections too. All tutorials (like this question) I’ve found so far describe the process for the Remote Desktop Services or Terminal Service. I have found this question stating a wmic command to set a certificate, but I don't want to try setting some values when I don't know what exactly I'm doing. What I have done is add it to the Remote Desktop Certificates of Local Computer, where the auto-generated self-signed one is located too.

    Is that possible? If yes, what do I have to do?

    Thanks!

  • Zoredache
    Zoredache over 10 years
    Since this is 2012R2, he could also just use the PowerShell cmdlets to manage his certs. Set-RDCertificate, Get-RDCertificate, Add-RDCertificate, etc. He shouldn't need the role admin tools to configure it via PowerShell.
  • marce
    marce over 10 years
    @Zoredache Thanks for your hint. I tried a simple Get-RDCertificate to get started but got the following error: A Remote Desktop Services deployment does not exist on <FQDN>. This operation can be performed after creating a deployment. So I'm afraid I do have to install at least something, right? Should I continue with the Features @ShaneMadden suggested?
  • Zoredache
    Zoredache over 10 years
    Hrm, I hadn't actually tried it. I just tried running it on the 2012R2 server I have fully set up as a Desktop Services for testing purposes. I got the same error, so now I am confused, since that should have certainly worked.
  • marce
    marce over 10 years
    @ShaneMadden You are pointing in the right direction, but actually the whole package is required. Maybe you could update your answer to reflect that for those who'll come.
  • marce
    marce over 10 years
    Thanks! That worked like a charm; don't know why I haven't found your original q/a in the first place. Don't have enough rep to upvote, but I'll keep it on the backlog until it works.
  • André Borie
    André Borie over 7 years
    At least on Windows 7 there is no need to move the cert to the "Remote desktop" store. The "personal" certificate store works just fine.
  • Kyle Humfeld
    Kyle Humfeld about 7 years
    What application is that screenshot from, with the red toolbox icon in the top left?
  • Ryan Bolger
    Ryan Bolger about 7 years
    It's just the standard Windows mmc.exe (Microsoft Management Console), which is a generic host application for a bunch of mini applications written with the same UI constructs, called snap-ins. The snap-in loaded in the screenshot is the Certificates snap-in.