When installing a Remote Desktop farm with an RD Gateway on Windows Server 2012, you install a certificate for the Broker, Web Access and Gateway roles using Server Manager. However, this does not add the certificate to the Remote Desktop Session Host (RDSH) servers, so you get a warning when connecting to a RemoteApp or desktop because the RDSH servers still present a self-signed certificate. You can replace this with a valid certificate, but you will continue to get warnings if either of the following applies:
- The name on the certificate does not match the FQDN of the RDSH server the client is redirected to
- The certificate is not from a trusted root certificate authority
The best way to resolve this is to purchase a single commercial certificate that covers both the RDWeb/Gateway URL and the RDSH server names. Be aware that a wildcard only matches one DNS label: *.domain.com covers rdweb.domain.com, but it does not cover rdsh01.internal.domain.com. So either put the session hosts directly under the public domain and use *.domain.com, or use a SAN certificate that lists the public name plus each session host's FQDN (a second wildcard such as *.internal.domain.com also works). In all cases the internal names must live under a domain you own publicly, because a commercial CA will only issue for names in a domain you control. A typical layout is domain.com on the web and internal.domain.com as your AD domain, so that an RDSH server is e.g. rdsh01.internal.domain.com.
Note that you should NOT replace the certificates on the RDSH servers as described below if you are using self-signed or internal-CA certificates and you want to be able to connect from clients that are not joined to your domain. Even if you trust the root manually on the client, the revocation information (CRL) will not be reachable from outside, the client will refuse to connect, and it will give a 0x607 error ("An authentication error has occurred"). See http://social.technet.microsoft.com/Forums/ru-RU/94780a11-23ba-4a3c-b11a-734007c2d2fd/an-authentication-error-has-occured-code-0x607?forum=winserverTS for more info on this error.
If you are only connecting internally from clients in the same domain, you can use an internal Enterprise CA to issue a SAN or wildcard certificate for your servers, since domain-joined clients already trust the CA and can reach its CRL. So, only replace the certificates on the RDSH servers if:
- Clients are all in the same domain and you are using internal certificates
- Clients are outside the domain, but you have purchased commercial certificates
It is necessary to install the certificate on each RD Session Host server manually, because Server Manager offers no way to do this and the certificate is not applied to the session hosts automatically when you configure the certificates on the other roles.
- Open the MMC and add the Certificates snap-in
- Select Computer account (Local Computer)
- Import the certificate (with its private key) into Computer\Personal
- Open the certificate and find the thumbprint on the Details tab. Copy the thumbprint to Notepad and delete all the spaces. The copied value often starts with an invisible character before the first hex digit, so retype the first character if the command below complains about the value.
- Open an elevated PowerShell prompt and run:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PASTE_THUMBPRINT_STRING"
You can check which certificate the RDP-Tcp listener is now using by running:
Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
Note that if you paste the last command, you may need to remove the quotes around RDP-tcp and retype them, since pasted curly quotes are not accepted by PowerShell.
See http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx for more information.
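The steps above done from one elevated prompt for all session hosts at once. This is an added example, not code from the original post: it checks locally that the certificate's names actually cover each RDSH FQDN (applying the one-label wildcard rule), imports the PFX into Computer\Personal on each host, makes the same Win32_TSGeneralSetting change as the wmic one-liner, and reads the setting back. The PFX path and the host names are assumed placeholders; it requires WinRM (PowerShell remoting) to be enabled on the session hosts.

```powershell
# Added example (not code from the original post): push one certificate to
# every RD Session Host, bind it to the RDP-Tcp listener through WMI (the same
# Win32_TSGeneralSetting change the wmic one-liner makes), and verify.
# $PfxPath and $SessionHosts are assumed placeholder values.

$PfxPath      = 'C:\certs\rds.pfx'                                         # assumed
$SessionHosts = 'rdsh01.internal.domain.com', 'rdsh02.internal.domain.com'  # assumed
$PfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# Keep only hex digits: drops spaces and the invisible character that a
# thumbprint copied from the MMC Details tab often carries in front.
function ConvertTo-CleanThumbprint {
    param([string]$Raw)
    ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# A wildcard entry covers exactly one DNS label: *.domain.com matches
# rdweb.domain.com but not rdsh01.internal.domain.com.
function Test-CertNameMatches {
    param([string[]]$CertNames, [string]$Fqdn)
    foreach ($n in $CertNames) {
        if ($n -ieq $Fqdn) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)   # ".domain.com"
            if ($Fqdn.Length -gt $suffix.Length -and
                $Fqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $hostPart = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
                if (-not $hostPart.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Check the names locally before touching any server.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
foreach ($h in $SessionHosts) {
    if (-not (Test-CertNameMatches -CertNames $names -Fqdn $h)) {
        throw "Certificate names ($($names -join ', ')) do not cover $h; clients would still warn"
    }
}
$thumb    = ConvertTo-CleanThumbprint $cert.Thumbprint
$pfxBytes = [IO.File]::ReadAllBytes($PfxPath)

$bind = {
    param([byte[]]$Bytes, [securestring]$Password, [string]$Thumbprint)
    $tmp = Join-Path $env:TEMP 'rds-cert.pfx'
    [IO.File]::WriteAllBytes($tmp, $Bytes)
    try {
        # LocalMachine\My is what the MMC shows as Computer\Personal.
        Import-PfxCertificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password | Out-Null
    } finally {
        Remove-Item $tmp -Force -ErrorAction SilentlyContinue
    }
    $installed = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $installed.HasPrivateKey) { throw "$env:COMPUTERNAME: no private key for $Thumbprint" }

    $ns = 'root\cimv2\TerminalServices'
    $ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $ts.SSLCertificateSHA1Hash = $Thumbprint
    $ts.Put() | Out-Null

    # Re-read rather than trust the Put(): report what the listener now uses.
    $now = (Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Bound = $now; Ok = ($now -ieq $Thumbprint) }
}

Invoke-Command -ComputerName $SessionHosts -ScriptBlock $bind -ArgumentList $pfxBytes, $PfxPassword, $thumb |
    Format-Table Host, Bound, Ok -AutoSize
```

If the Put() call (or the wmic command) fails with access denied, one common cause is that the private key was imported without read access for NETWORK SERVICE, which the Remote Desktop service runs as; granting that through the certificate's "Manage Private Keys" dialog in the MMC and re-running the bind fixes it. The name check runs before anything is deployed, so a wildcard that only covers the public domain is caught up front rather than discovered as a warning on the client.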
Holy shit, this saved my life.
Hmmmm, I get access denied while trying to change the thumbprint hash.
This just saved my bacon... thank you so much. I've been working on this for way too long, and here is the solution to my cert warning issues after passing the gateway and getting to each RDS host.