How to Force Remote Desktop Services on Windows 7 to Use a Custom Server Authentication Certificate for TLS

Article ID: 2001849 - View products that this article applies to.

Symptoms

When a Remote Desktop Services (RDS) connection is made to a Windows 7 computer, the computer automatically generates a self-signed server authentication certificate to support Transport Layer Security (TLS), which encrypts the data exchanged between the two computers. Because a self-signed certificate is not issued by a certification authority (CA) that the client trusts, the client cannot verify that it is connecting to the intended computer rather than to something impersonating it, and it displays a certificate warning. The certificate is used for TLS only when the following Group Policy setting is enabled on the target computer and set to SSL (TLS 1.0) (with the default setting, Negotiate, TLS is used when the client supports it):

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security: Require use of specific security layer for remote (RDP) connections

Cause

Generating a self-signed certificate for TLS over an RDS connection is by design on Windows Vista and Windows 7.

Resolution

Custom server authentication certificates are supported on Windows Vista and Windows 7. To use one for RDS, follow these steps:

  1. Install a server authentication certificate issued by a certification authority (CA) into the local computer's Personal certificate store. The certificate must have a private key, must allow the Server Authentication enhanced key usage, and its subject (or subject alternative name) must match the name clients use to connect; otherwise clients will continue to receive a certificate warning.

  2. Create the following registry value, containing the certificate's SHA-1 thumbprint, so that RDS uses the custom certificate for TLS instead of the default self-signed certificate.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

    Value name:  SSLCertificateSHA1Hash
    Value type:  REG_BINARY
    Value data:  <certificate thumbprint>

    The value data is the 20-byte SHA-1 thumbprint of the certificate (shown on the certificate's Details tab), entered as hex bytes with no spaces. In a .reg export the bytes appear separated by commas; for example (the thumbprint below is illustrative only), the exported SSLCertificateSHA1Hash value would look like this:

    "SSLCertificateSHA1Hash"=hex:42,49,e1,6e,0a,f0,a0,2e,63,c4,5c,93,fd,52,ad,09,27,82,1b,01

    Note: The registry must be edited directly because Windows client SKUs have no user interface for configuring the RDS server certificate (the Remote Desktop Session Host Configuration tool exists only on server SKUs).

  3. The Remote Desktop Services service (TermService) runs under the NETWORK SERVICE account. NETWORK SERVICE therefore needs Read permission on the private key of the certificate named in the SSLCertificateSHA1Hash registry value; without it, RDS cannot use the certificate. To grant the permission, follow the steps below:

    Open the Certificates snap-in for the local computer:

    1. Click Start, click Run, type mmc, and click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.

    4. In the Certificates snap-in dialog box, click Computer account, and click Next.

    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and click Finish.

    6. In the Add or Remove Snap-ins dialog box, click OK.

    7. In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.

    8. Right-click the certificate, select All Tasks, and select Manage Private Keys.

    9. In the Permissions dialog box, click Add, type NETWORK SERVICE, click OK, select Read under the Allow column, then click OK.
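The three steps above can be carried out from an elevated PowerShell prompt on the Windows 7 computer. The script below is an added example and is not part of this article: it selects a CA-issued server authentication certificate from the computer's Personal store, writes its thumbprint to the RDP-Tcp listener as a REG_BINARY value, grants NETWORK SERVICE read access to the private key file, and reads the setting back through the Terminal Services WMI provider. It assumes the certificate's subject CN is the name clients connect with (the $DnsName parameter; certificates identified only by a subject alternative name are not matched) and that the private key is a CryptoAPI (CSP) key stored under MachineKeys; for a CNG key it falls back to the Manage Private Keys steps above.

```powershell
# Added example, not from the KB article. Run as Administrator on the Windows 7
# computer. Assumption: $DnsName is the host name clients type into the RDP client.
param(
    [string]$DnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ErrorActionPreference = 'Stop'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-ServerAuthEku([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    # A certificate without an EKU extension is usable for any purpose; one that
    # has the extension must list Server Authentication or RDP clients reject it.
    $eku = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}

# Step 1: pick a CA-issued certificate (issuer differs from subject) with a private
# key, the Server Authentication EKU and a subject CN matching $DnsName. If several
# qualify, take the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -ne $_.Issuer -and
                   $_.Subject -match "CN=$([regex]::Escape($DnsName))(,|$)" -and
                   (Test-ServerAuthEku $_) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No CA-issued server authentication certificate for $DnsName in Cert:\LocalMachine\My"
}

# Step 2: convert the 40-hex-digit thumbprint to the 20-byte REG_BINARY value.
# Thumbprints copied from the certificate UI can carry spaces or a hidden leading
# character, so strip anything that is not a hex digit before converting.
$hex = $cert.Thumbprint -replace '[^0-9A-Fa-f]', ''
if ($hex.Length -ne 40) { throw "Unexpected thumbprint length: '$hex'" }
[byte[]]$hash = for ($i = 0; $i -lt 40; $i += 2) { [Convert]::ToByte($hex.Substring($i, 2), 16) }
Set-ItemProperty -Path $regPath -Name SSLCertificateSHA1Hash -Value $hash -Type Binary

# Step 3: give NETWORK SERVICE (the TermService account) Read on the private key
# file. Accessing .PrivateKey throws for CNG keys on this .NET version, so treat a
# failure as "not a CSP key" and point at the MMC procedure instead.
$csp = $null
try { $csp = $cert.PrivateKey } catch { }
if (-not $csp) {
    Write-Warning "Private key is not a CryptoAPI key; grant NETWORK SERVICE Read via Manage Private Keys in the Certificates snap-in."
} else {
    $container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }
    $acl = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# Verification: read the listener's active certificate back through the Terminal
# Services WMI provider and compare it with what we configured.
$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
if ($ts.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "RDP-Tcp reports $($ts.SSLCertificateSHA1Hash); expected $($cert.Thumbprint)"
}
"RDP-Tcp now uses $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
```

After running it, connect from a client with the RDP client's server authentication warnings enabled: the connection should complete without a certificate prompt, and clicking the lock icon on the connection bar should show the CA-issued certificate rather than the self-signed one.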

More Information

For more information about how to configure the RDP encryption settings programmatically, visit the following Microsoft Web site:

http://msdn.microsoft.com/en-us/library/aa383799(VS.85).aspx

Properties

Article ID: 2001849 - Last Review: September 30, 2009 - Revision: 6.0
APPLIES TO
  • Windows 7 Enterprise
  • Windows 7 Ultimate
Keywords: 
KB2001849
