Hello AskPerf! Kiran Kadaba here to talk about configuring Listener Certificates.
When we have the Remote Desktop Session Host role installed on a server, or have the server as part of an RDS collection/deployment, it’s quite easy to configure certificates through the Connection Broker UI.
We have received a large number of inquiries about how to configure certificates when the server is not part of a deployment and is simply being configured for ‘Remote Desktop for Administration’.
In Windows 2003/2008/2008 R2, we had the ‘Remote Desktop Configuration Manager’ MMC snap-in which allowed us direct access to the RDP Listener. Here we could bind a certificate to the listener and in turn, enforce SSL security for the RDP sessions.
In Windows 2012, we no longer have this MMC snap-in, nor do we have direct access to the RDP listener. You can follow the steps below to configure the certificates on Windows 2012/2012 R2.
This can be achieved in 2 ways:
Method 1: Using WMI
The configuration data for the RDS Listener is stored in the ‘Win32_TSGeneralSetting’ class in WMI under the ‘Root\CimV2\TerminalServices’ namespace.
The certificate for the RDS listener is referenced through the ‘Thumbprint’ value of that certificate on a property called ‘SSLCertificateSHA1Hash’.
This thumbprint value is unique to each certificate. You can find the value using the following steps:
1. Open the properties dialog for your certificate and select the Details tab
2. Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
Here is what the certificate thumbprint will look like in the certificate properties:
Once I copy this into notepad, it will look as follows:
After I remove the spaces, it will still contain the invisible ASCII character that will only be visible in the command prompt (shown below):
Ensure that this ASCII character is removed before running the command to import the certificate.
3. Remove all the spaces from the string. (Keep in mind that there may be an ‘invisible’ ASCII character that also gets copied. This is not visible in Notepad. The only way to validate is to copy the string directly into the command prompt window.)
4. This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.
Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"
This solution would work on Windows 7 and Windows 8 systems as well.
Note: The certificate you want to use must be imported to the 'Personal' Certificate Store for the Machine account before you run the above commands. Failure to do so will result in an “Invalid Parameter” error.
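The Method 1 steps above (clean the copied thumbprint, confirm the certificate is in the machine's Personal store, then set SSLCertificateSHA1Hash) can be combined into one PowerShell script. This is an added example, not part of the original post; the pasted string is a constructed sample using U+200E as the invisible character, the function name is hypothetical, and the listener name 'RDP-Tcp' is an assumed default.

```powershell
# Added example, not from the original post. Run from an elevated Windows PowerShell prompt.

# Constructed sample: the thumbprint from step 4 as it might look when pasted from the
# certificate dialog, with spaces and a leading invisible character (U+200E used here).
$raw = "$([char]0x200E)1e a1 fd 5b 25 b8 c3 27 be 2c 4e 48 52 26 3e fd b4 d1 6a f4"

function ConvertTo-CleanThumbprint {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    # Keep hex digits only: this drops spaces and any non-printing characters.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters for a SHA-1 thumbprint, got $($clean.Length)."
    }
    $clean
}

$thumbprint = ConvertTo-CleanThumbprint -Text $raw

# The certificate must already be in the 'Personal' store of the machine account,
# otherwise the WMI update fails with "Invalid Parameter".
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "Certificate $thumbprint was not found in Cert:\LocalMachine\My."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key on this machine."
}

# Assumption: the listener uses the default name 'RDP-Tcp'.
$wmiArgs = @{
    Namespace = 'root\cimv2\TerminalServices'
    Class     = 'Win32_TSGeneralSetting'
    Filter    = "TerminalName='RDP-Tcp'"
}
$listener = Get-WmiObject @wmiArgs
if (-not $listener) { throw "No RDP-Tcp listener found in Win32_TSGeneralSetting." }

# Same change as the wmic one-liner, applied to the one listener selected above.
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumbprint } |
    Out-Null

# Read the value back so a silent failure is not mistaken for success.
$bound = (Get-WmiObject @wmiArgs).SSLCertificateSHA1Hash
if ($bound -ne $thumbprint) { throw "Listener reports '$bound', expected '$thumbprint'." }
"RDP-Tcp listener is bound to certificate $bound ($($cert.Subject))"
```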
Method 2: Registry edits
3. The Remote Desktop Host Services service runs under the NETWORK SERVICE account. Therefore, it is necessary to set the ACL of the key file used by RDS (referenced by the certificate named in the SSLCertificateSHA1Hash registry value) to include NETWORK SERVICE with "Read" permissions. To modify the permissions, follow the steps below:
Open the Certificates snap-in for the local computer: