Assign certificate to RD Session Host role in Windows Server 2012

    Question

  • How can I assign a certificate to the Remote Desktop Session Host role?

    I have assigned a certificate to RD Connection Broker - Enable Single Sign On, RD Connection Broker - Publishing, RD Web Access and RD Gateway, but still the old certificate is assigned to the Session Host.


    -ae

    Friday, October 12, 2012 7:09 AM

Answers

  • Hi,

    You may set the certificate using WMI.  Please import the certificate and its private key into each RDSH server's Local Computer\Personal store (using the Certificates MMC snap-in), then run the following command in an administrator command prompt:

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"

    Please substitute your certificate's thumbprint in the above command.  The easiest way I know to get the thumbprint correct is to view your certificate, copy the thumbprint to the clipboard, paste it into the command, and then delete out the spaces.

    Please note that it is not necessary to set the certificate on each RDSH server to support RDP8 clients.  Currently Windows 8 and Server 2012 are the only operating systems that include Remote Desktop Client 8.  There should be an updated Remote Desktop Client for Windows 7 SP1 that supports RDP8 released before the end of the year.

    Thanks.

    -TP

    Friday, October 12, 2012 7:52 AM
    Moderator

All replies

  • Unfortunately for my machines this did not work at all. My config is as follows:

    I have two 2012 RDS servers in a collection and I have 2 A records with the name ts.mydomain.tld that point to the IPs of each server. Now when I try to connect to ts.mydomain.tld I get a certificate warning, as the RDS certificates are self-signed certs for each RDS. Why can't I assign a certificate per RDP listener anymore? In my scenario RD Gateway is also not working anymore because of this cert issue.

    Cheers


    Sebastian Bammer

    Monday, November 12, 2012 6:04 PM
  • By the way, the error I'm getting is:

    Set-WmiInstance : Invalid parameter
    At line:1 char:1
    + Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="5B683AE3C1A7B502 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Set-WmiInstance], ManagementException
        + FullyQualifiedErrorId : SetWMIManagementException,Microsoft.PowerShell.Commands.SetWmiInstance

    When I run the command with the already existing (self signed) thumbprint the command does not bring any error. The cert I try to use is placed in the Remote Desktop folder of the local machine's cert store and does have a private key.


    Sebastian Bammer

    Monday, November 12, 2012 6:30 PM
  • Ok, here's the solution that worked for me (Don't know why the one above did not work, as I used the same thumbprint):

    # Import the PFX into Local Computer\Personal; the .Thumbprint property comes back as upper-case hex with no spaces
    $pass = ConvertTo-SecureString "PasswordForThePFXFile" -AsPlainText -Force
    $thumbprint = (Import-PfxCertificate -Password $pass -CertStoreLocation cert:\localMachine\my -FilePath '\\server\share\certificatewithprivatekey.pfx').Thumbprint
    # Find the RDP-Tcp listener's WMI instance and bind the certificate to it (run from an elevated prompt)
    $path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
    Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="$thumbprint"}

    Cheers


    Sebastian Bammer

    Monday, November 12, 2012 9:04 PM
  • Hi Sebastian,

    The basic problem: the first way would work if you start PowerShell as an Admin (UAC!). I tried myself, and the error with every tool (wmic, wbemtest, ...) is always "invalid parameter" even if it should tell you "Access Denied".

    BG Christoph

    Thursday, July 11, 2013 7:25 AM
  • Hi Sebastian,

    Your post was some time ago, but I successfully changed it the first time; then I wanted to refer to the old cert and thumbprint, but that resulted in "invalid parameter".

    Any idea?

    Grtz

    Wednesday, April 30, 2014 10:59 PM
  • Try placing the thumbprint letters in UPPERCASE instead of lowercase. In Server 2012 R2, for some reason it doesn't take lower case characters in the thumbprint for the wmic command, so e.g. e2f034c171b92afc96b23b7f4da15728c1e461a9

    should be: E2F034C171B92AFC96B23B7F4DA15728C1E461A9

    Easiest way for me to get the thumbprint "as it should be", was to open powershell and get the thumbprint with the following command:

    Get-Childitem "Cert:\LocalMachine\My"

    It will display the thumbprints for the local machine certificates without spaces and letters in caps.

    So then do it this way:

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="E2F034C171B92AFC96B23B7F4DA15728C1E461A9"


    Thursday, July 20, 2017 9:18 PM
  • Freek's WMI command was spot on, but for some reason Server 2012 R2 doesn't like lower case thumbprints. I struggled with this problem for a while until I saw the thumbprint output from the PowerShell console had the letters in upper case; see my answer below for details!
    Sunday, October 29, 2017 5:36 AM
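Pulling the thread's pieces together, here is an added example (not code from any of the replies above) for an elevated PowerShell prompt on the Session Host: it normalises a thumbprint pasted from the certificate viewer (spaces, lower case, and the invisible left-to-right mark U+200E that the MMC thumbprint field can carry), checks the certificate is in Local Computer\Personal with a private key and is not expired, binds it to the RDP-Tcp listener through the same Win32_TSGeneralSetting class the answer uses, and reads the value back. The sample thumbprint is a constructed placeholder; the listener name RDP-Tcp is taken from the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt
# on the RD Session Host. $RawThumbprint is a constructed placeholder.
param(
    [string]$RawThumbprint = 'e2 f0 34 c1 71 b9 2a fc 96 b2 3b 7f 4d a1 57 28 c1 e4 61 a9'
)

# Normalise the pasted value: strip spaces and any non-hex character (the
# certificate viewer often prepends an invisible U+200E mark) and upper-case
# it, since Server 2012 R2 rejects lower-case thumbprints.
$Thumbprint = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Expected 40 hex characters after cleanup, got $($Thumbprint.Length)."
}

# Without elevation the WMI call fails with a misleading 'Invalid parameter'.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell prompt.' }

# The certificate must sit in Local Computer\Personal with its private key.
$cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate $Thumbprint in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import the PFX instead.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Bind it to the RDP-Tcp listener, the same class the wmic command above sets.
$filter  = "TerminalName='RDP-Tcp'"
$setting = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter $filter
Set-WmiInstance -Path $setting.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null

# Read the value back so the change is verified rather than assumed.
$after = (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter $filter).SSLCertificateSHA1Hash
if ($after -ne $Thumbprint) { throw "Listener still reports $after." }
Write-Host "RDP-Tcp now presents '$($cert.Subject)' ($Thumbprint, valid until $($cert.NotAfter))."
```

Save it as a .ps1 and pass `-RawThumbprint` with the value copied straight from the certificate viewer; the cleanup step accepts it with or without spaces.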