Assign certificate to RD Session Host role in Windows Server 2012

    Question

  • How can I assign a certificate to the Remote Desktop Session Host role?

    I have assigned a certificate to RD Connection Broker - Enable Single Sign On, RD Connection Broker - Publishing, RD Web Access and RD Gateway, but still the old certificate is assigned to the Session Host.


    -ae

    Friday, October 12, 2012 7:09 AM

Answers

  • Hi,

    You may set the certificate using WMI.  Please import the certificate and its private key into each RDSH server's Local Computer\Personal store (using the Certificates MMC snap-in), then run the following command in an administrator command prompt:

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"

    Please substitute your certificate's thumbprint in the above command.  The easiest way I know to get the thumbprint correct is to view your certificate, copy the thumbprint to the clipboard, paste it into the command, and then delete out the spaces.

    Please note that it is not necessary to set the certificate on each RDSH server to support RDP8 clients.  Currently Windows 8 and Server 2012 are the only operating systems that include Remote Desktop Client 8.  There should be an updated Remote Desktop Client for Windows 7 SP1 that supports RDP8 released before the end of the year.

    Thanks.

    -TP

    Friday, October 12, 2012 7:52 AM
    Moderator

All replies

  • Unfortunately for my machines this did not work at all. My config is as follows:

    I have 2 2012 RDS servers in a collection and I have 2 A records with the name ts.mydomain.tld that point to the IPs of each server. Now when I try to connect to ts.mydomain.tld I get a certificate warning as the RDS certificates are self-signed certs for each RDS. Why can't I assign a certificate per RDP-Listener anymore? In my scenario RDGateway is also not working anymore because of this cert issue.

    Cheers


    Sebastian Bammer

    Monday, November 12, 2012 6:04 PM
  • By the way, the error I'm getting is:

    Set-WmiInstance : Invalid parameter
    At line:1 char:1
    + Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="5B683AE3C1A7B502 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Set-WmiInstance], ManagementException
        + FullyQualifiedErrorId : SetWMIManagementException,Microsoft.PowerShell.Commands.SetWmiInstance

    When I run the command with the already existing (self signed) thumbprint the command does not bring any error. The cert I try to use is placed in the Remote Desktop folder of the local machine's cert store and does have a private key.


    Sebastian Bammer

    Monday, November 12, 2012 6:30 PM
  • Ok, here's the solution that worked for me (Don't know why the one above did not work, as I used the same thumbprint):

    # Import the PFX (certificate plus private key) into Local Computer\Personal and keep its thumbprint
    $pass = ConvertTo-SecureString "PasswordForThePFXFile" -AsPlainText -Force
    $thumbprint = (Import-PfxCertificate -Password $pass -CertStoreLocation cert:\localMachine\my -FilePath '\\server\share\certificatewithprivatekey.pfx').Thumbprint
    # Locate the RDP-Tcp listener's WMI instance and bind the imported certificate to it
    $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
    Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="$thumbprint"}

    Cheers


    Sebastian Bammer

    Monday, November 12, 2012 9:04 PM
  • Hi Sebastian,

    The basic problem - the first way would work if you start the PowerShell as an Admin - (UAC!) - I tried myself and the error with every tool (wmic, wbemtest, ...) is always "invalid parameter" even if it should tell you "Access Denied"

    BG Christoph

    Thursday, July 11, 2013 7:25 AM
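    Pulling the thread's pieces together (the Win32_TSGeneralSetting property from TP's answer, Sebastian's Set-WmiInstance call and Christoph's point about elevation), here is an added PowerShell example that is not from any poster. It assumes the certificate has already been imported into the Local Computer Personal store, and it checks the conditions that produced "Invalid parameter" above before binding the certificate to the RDP-Tcp listener.

```powershell
# Added example, not from the thread. Assumes the certificate (with private key) is already
# in Cert:\LocalMachine\My and that the script runs in an elevated PowerShell session.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # may be pasted straight from the certificate viewer, spaces included
)

# WMI reports "Invalid parameter" rather than "Access denied" when the session is not elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this from an elevated PowerShell session (UAC)." }

# Normalise the thumbprint: drop spaces/colons, uppercase, and require 40 hex digits (SHA-1).
$clean = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
if ($clean -notmatch '^[0-9A-F]{40}$') {
    throw "'$Thumbprint' is not a 40-hex-digit SHA-1 thumbprint."
}

# The certificate must live in Local Computer\Personal and carry a private key.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key; import the PFX, not a .cer." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $clean expired on $($cert.NotAfter)." }

# Bind the certificate to the RDP-Tcp listener through the same WMI class used in the thread.
$setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $setting.__PATH -Arguments @{ SSLCertificateSHA1Hash = $clean } | Out-Null

# Read the listener setting back and confirm the new thumbprint was actually stored.
$after = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
if ($after.SSLCertificateSHA1Hash -ne $clean) {
    throw "Listener still reports $($after.SSLCertificateSHA1Hash); the change did not apply."
}
Write-Output "RDP-Tcp listener now uses '$($cert.Subject)' ($clean), valid until $($cert.NotAfter)"
```

    Run it once per RDSH server; the read-back at the end is what tells you the binding took, which the bare wmic or Set-WmiInstance call does not.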
  • Hi Sebastian,

    It has been some time since your post, but I successfully changed it the first time; then I wanted to refer to the old cert and thumbprint, but that resulted in invalid parameter.

    Any idea?

    Grtz

    Wednesday, April 30, 2014 10:59 PM