If you are using Remote Desktop Services, you probably know that by default RDS session hosts use the native RDP encryption. That might sound good enough, but it is only encryption: there is no server authentication, so the client has no way to verify the identity of the RDS session host it is connecting to. You can raise the security of your session host servers by using TLS. In this blog post, I will walk you through the couple of steps needed to use TLS with Remote Desktop Server, and show how to fix the certificate issues that come up when you do.

TLS with Remote Desktop Server

I was once deploying a Windows Server 2012 R2 RDS farm, and I configured two session host servers in a pool (collection), one broker and one licensing server. The deployment was easy, and I expected everything to work fine. I wanted end users to connect to a nice namespace like apps.contoso.com, which would point to one of the session host servers.

When my users started accessing apps.contoso.com, they got a certificate warning indicating a certificate name mismatch. This is because each session host server generates a self-signed certificate with the name of the session host server itself, not with the name apps.contoso.com.

I started to look at the best way to use TLS with Remote Desktop Server, and how to fix those certificate problems. First, I needed a server-authentication certificate from my internal certificate authority with the name apps.contoso.com. I installed that certificate in the computer's Personal certificate store on my two session host servers. Then I asked myself: "how can I tell my session host servers to use that certificate instead of the self-signed one?"

Then I found the solution:

  • On each session host server, open PowerShell using admin credentials, and type:
$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'").__PATH

Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="<Thumbprint>"}

Note: replace <Thumbprint> with the thumbprint (SHA-1 hash, hex with no spaces) of the new certificate.

  • Or you can use this command instead:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<Thumbprint>"
  • Restart both servers.
  • Use this command to get the certificate hash currently in use:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash
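The steps above, put together as one script that you can run in an elevated PowerShell on each session host. This is an added example and not code from the original post: it looks the certificate up by subject name instead of pasting the thumbprint by hand, checks that it is actually usable for RDP (private key present, not expired, Server Authentication EKU), binds it to the RDP-Tcp listener, and reads the setting back to confirm. The subject name CN=apps.contoso.com is an assumption taken from the post; change it to match your certificate.

```powershell
# Added example (not from the original post). Run elevated on each session host.
# Assumption: the certificate was issued to CN=apps.contoso.com, as in the post.
$Subject = 'CN=apps.contoso.com'
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

# Pick the newest certificate in the computer's Personal store that matches the
# subject, has a private key, is still valid and carries the Server Authentication
# EKU. Selecting by subject avoids typos in a hand-copied thumbprint.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -eq $Subject -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid server-authentication certificate for $Subject found in Cert:\LocalMachine\My"
}

# Bind the certificate to the RDP-Tcp listener. SSLCertificateSHA1Hash takes the
# SHA-1 thumbprint as an uppercase hex string with no spaces, which is exactly
# what the Thumbprint property holds.
$listener = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -InputObject $listener -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Read the value back from WMI and compare it with what we intended to set.
$applied = (Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash

if ($applied -ne $cert.Thumbprint) {
    throw "RDP-Tcp reports thumbprint $applied, expected $($cert.Thumbprint)"
}

"RDP-Tcp now uses $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)"
```

If the script succeeds but clients still see the self-signed certificate after the restart, check the private key permissions: Remote Desktop Services reads the key as NETWORK SERVICE, so that account needs Read access to the private key of the certificate you bound.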