Replacing the default (self signed) certificate on a RD Session Host server

Many times I have wanted to get rid of the annoying certificate warning that appears when I make an RDP connection to an RD Session Host server or a workstation. If you are using RDP inside an Active Directory network the warning does not appear, because the connection is secured with Kerberos, but if you connect from outside to the inside you will be prompted to accept the server certificate, because that certificate is self-signed and not trusted. The following method also works for client operating systems (Windows XP, Vista, 7), not just for RD Session Host servers.

To install a trusted certificate I will use a script that I found on Microsoft TechNet. For this guide an internal Enterprise CA will issue the certificates, since it is cheaper and much easier to work with, but if you have a lot of external clients a commercial certificate is recommended. To start we need to request and install a certificate in the Local Computer store on the RD Session Host server. For that, open the Certificates console (Start > Run > mmc), select Certificates and click the Add button. In the wizard that pops up choose Computer Account > Local Computer.

If you click the Personal folder inside the Certificates store you can see that it is empty. Now we need to request a certificate from our internal CA.

Right click the folder and choose All Tasks > Request New Certificate.

Since we have an Active Directory infrastructure here, we are going with Active Directory Enrollment Policy, so leave the default selection and press Next to continue.

Check the Computer box, then click the Enroll button. It is useless to click the Properties button to further customize the certificate (e.g. SAN attribute, exportable key, etc.), because the template from Active Directory Certificate Services is configured to take that information from AD. If you want a certificate that you can customize further, you will need to create a new template in Active Directory Certificate Services.

If the operation is successful, click Finish to close the wizard.

Now the certificate is installed in our Local Computer certificate store. The next step is to replace the default self-signed certificate with this one, which is trusted by all our internal clients, and by external ones if the root certificate is installed on them.

What do you do if you want to install a commercial certificate on the server instead? Instead of choosing Request New Certificate from the menu, choose Import Certificate, then provide the certificate you downloaded from the Certification Authority.

Be aware that the certificate needs to include the Server Authentication purpose (Enhanced Key Usage), or it is not going to work.

Now open the certificate properties and go to the Details tab. Scroll down to the Thumbprint field, click on it and copy the thumbprint into a Notepad file. Remove the spaces between the hex digits.

Copy the script below and save it in a file with a .js extension on the RD Session Host's C drive. This is not a required path, just an easy one to work with; you can save it anywhere you want.

// Connect to the Terminal Services WMI namespace on the local machine.
var strComputer = ".";
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;           // Put_ flag: update the existing instance only
var wbemAuthenticationLevelPktPrivacy = 6;  // this namespace requires packet privacy (encrypted DCOM calls)

var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);

// General settings of the RDP-Tcp listener; SSLCertificateSHA1Hash holds the certificate thumbprint.
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");

if (WScript.Arguments.length >= 1)
{
    // Thumbprint passed on the command line (40 hex characters, no spaces).
    TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
}
else
{
    // No argument: the all-zero hash reverts the listener to the default self-signed certificate.
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
}

// Commit the change to the listener.
TSSettings.Put_(wbemChangeFlagUpdateOnly);

Open a command prompt, go to the script location (in my case the root of the C drive), type the following command and press ENTER:

cscript scriptname.js thumbprint

In my case that is:

cscript replacecert.js 2f63fae0ab4fa989bacfa55a4848b5c6ade915fd

Now if you create an RD connection the certificate warning should not appear any more, because the certificate is trusted. Of course you will need to connect using the FQDN that you put in the certificate, or the warning is back.
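The same change done from PowerShell, as an added example that is not the article's script: it picks the certificate from the Local Computer > Personal store instead of copying the thumbprint by hand, checking the three things this article says must hold (Server Authentication purpose, a private key, and the FQDN clients will type), then writes the thumbprint to the same Win32_TSGeneralSetting property the JScript uses and reads it back. It assumes PowerShell 3.0 or later (for the Cert: provider's EnhancedKeyUsageList and DnsNameList properties), an elevated prompt on the RD Session Host, the RDP-Tcp listener named in the article, and a placeholder FQDN you replace with your own.

```powershell
# Added example, not the article's script. Run elevated on the RD Session Host.
$Fqdn = 'rdsh01.example.local'   # placeholder: the name clients will put in the RDP client

# 1. Select a usable certificate from Cert:\LocalMachine\My:
#    Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), a private key, currently valid,
#    and the FQDN present in the subject CN or the SAN (DnsNameList covers both).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
        ($_.DnsNameList.Unicode -contains $Fqdn)
    } |
    Sort-Object NotAfter -Descending |   # prefer the one that expires last
    Select-Object -First 1

if (-not $cert) {
    throw "No valid Server Authentication certificate for $Fqdn in Cert:\LocalMachine\My"
}

# The provider already gives the thumbprint as 40 hex characters without spaces.
$thumb = $cert.Thumbprint
"Using '$($cert.Subject)' thumbprint $thumb (expires $($cert.NotAfter))"

# 2. Apply it to the RDP-Tcp listener through WMI, the same class and property as the JScript.
#    The TerminalServices namespace requires packet privacy, like the script's authentication level.
$wmi = @{
    Namespace      = 'root\CIMV2\TerminalServices'
    Class          = 'Win32_TSGeneralSetting'
    Filter         = "TerminalName='RDP-Tcp'"
    Authentication = 'PacketPrivacy'
}
$listener = Get-WmiObject @wmi
Set-WmiInstance -Path $listener.__PATH -Authentication PacketPrivacy `
    -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# 3. Read the setting back; -ne is case-insensitive, so upper/lower-case hex both compare equal.
$after = Get-WmiObject @wmi
if ($after.SSLCertificateSHA1Hash -ne $thumb) {
    throw "Listener still reports $($after.SSLCertificateSHA1Hash)"
}
"RDP-Tcp now presents $($after.SSLCertificateSHA1Hash)"

# To go back to the default self-signed certificate, write the all-zero hash,
# exactly what the JScript does when run without an argument:
# Set-WmiInstance -Path $listener.__PATH -Authentication PacketPrivacy `
#     -Arguments @{ SSLCertificateSHA1Hash = ('0' * 40) }
```

No service restart is needed; new connections pick up the certificate immediately. If the certificate was imported from a file rather than enrolled, and clients still get the warning or a connection error afterwards, check that the NETWORK SERVICE account (which Remote Desktop Services runs as) has read access to the private key in the certificate's Manage Private Keys dialog.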

12 thoughts on “Replacing the default (self signed) certificate on a RD Session Host server”

  • 05/09/2019 at 23:40

    Hello Adrian.

    I am getting this error on a Windows 2016 server.

    Microsoft (R) Windows Script Host Version 5.812
    Copyright (C) Microsoft Corporation. All rights reserved.

    C:\Vault\rdpcert.js(17, 33) Microsoft JScript compilation error: Expected ‘)’

    Do you know why that would happen?

    In the script, line 29, do we leave as is, or enter my hash?

    Thanks!

  • 20/09/2018 at 21:08

    Is RD Service restart required for certificate change to take effect?

  • 25/09/2013 at 11:53

    Adrian, I have installed a UCC SAN cert on a server that contains the following Subject/SANS:

    Subject: http://www.domain.com
    SAN1: host2.domain.com
    SAN2: host3.domain.com
    SAN3: host4.domain.com

    The FQDN I want to use to access the server is host4.domain.com, however when I make a RDP connection, the server is using the certificate subject name of “www.domain.com”. How can I set RDP to use one of the SANs?

    • 03/10/2013 at 15:46

      Hi,
      It should work, because I tested it in my lab and it works just fine. Make sure you replace the default certificate by using the script in the article. Also make sure the certificate is trusted. Some certification authorities require admins to install some root and intermediate certificates, besides the one issued to you. Open the certificate and see if it is trusted. Let me know if you need more help.

  • 22/10/2012 at 21:40

    As in the previous post, the problem will be buying a public SAN or UCC or whatever public certificate that includes no public domain name but a local one (the one I use for the internal server). In this case what would be the best affordable way to get SSO across the entire RemoteApp infrastructure?

    • 23/10/2012 at 09:07

      If you plan not to use public domains, the best way is to install an internal Certification Authority and work with that.

  • 08/10/2012 at 18:04

    Hi Adrian, due to the new security policy, SAN certificates containing a local domain server name will not be available in the near future. In this situation a separate certificate also would not work as long as the AD domain is still in the form domainname.local… In this situation I don’t mind asking the external user to install a self signed certificate, but I am not clear which certificate and which server to include it in. I thought a farm certificate (I use Windows load balancing for the 2 session hosts) was needed, also because the rdp files point to the farm name and not the servers themselves. What about using the external domain (rdweb site) public cert for signing the hosts as well as the gateway server? Sounds crazy I guess, but this will allow me to save the credentials once on RD Web without receiving multiple annoying nag screens.

    • 09/10/2012 at 12:57

      Yes, you can use a public certificate for those hosts. On the common name of the certificate the RD Session Host FQDN name needs to be present (not the farm name). For the gateway you need a proper and trusted certificate also or users will not be able to connect. You can test this in a lab, if you have the resources, and I recommend you do before paying for a commercial certificate.

  • 07/10/2012 at 22:44

    Very good article! Can you also explain how to create and apply a self signed certificate for an RD Session Host farm? Supposing we have 2 hosts SH1 and SH2, the certificate applied on each RD Session Host should match the farm FQDN instead of the single server one… In order to use a public CA certificate when you are publishing an internal domain server name (e.g. SH1.domain.local or farm.domain.local), do you need a SAN certificate, or can you live with internal CA certs?

    • 08/10/2012 at 16:33

      If you have multiple RD Session Host servers the certificate name should match the server name (FQDN), not the farm name. I recommend you use a SAN certificate that you install on every RD Session Host server, but you can also use a separate certificate for every server. I like to work with SAN certificates, but this is just my way of doing things. You can also create SAN certificates using the internal CA (just search the blog), but your external clients will need to have the root certificate installed.
      Thanks for passing by.
