Automating the RDP SSL certificate

uHost
Posts: 2
Joined: Thu Jun 07, 2018 1:44 pm

Automating the RDP SSL certificate

Post by uHost » Fri Jun 08, 2018 9:25 am

I have written a PowerShell script which should automate installing the RDP SSL certificate from the TSPlus java keystore. First it checks the thumbprint of the existing certificate against the one from the TSPlus java keystore and replaces it if the thumbprints are different. After replacing the certificate the RDP services are restarted.

I have saved the Replace-RDPCertificate-TSPlus.ps1 file in C:\ and created a scheduled task for it running as user SYSTEM, "Run with highest privileges" on and scheduled to run daily at 4 am. At action I have in "Program/Script" PowerShell and in "Add arguments (optional)" C:\Replace-RDPCertificate-TSPlus.ps1

For me my basic tests show it works but I will have to see if this automates the replacement of the certificate when TSPlus will renew the Let's Encrypt certificate.

Please test and let me know.
Replace-RDPCertificate-TSPlus.ps1.zip
(1.88 KiB) Downloaded 551 times
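
The check-then-replace flow described in the post above, as an added example (this is not the attached script and not TSplus code). It assumes the certificate has already been exported from the keystore to a PFX file; the path, the password parameter and the `-RestartService` switch are placeholders introduced for illustration.

```powershell
# Added example, not the attached script. Assumption: the certificate has already
# been exported from the keystore to a PFX file; path and password are placeholders.
param(
    [string]$PfxPath = 'C:\path\to\exported-cert.pfx',   # placeholder path
    [Parameter(Mandatory)][securestring]$PfxPassword,
    [switch]$RestartService                               # restarting drops active sessions
)
$ErrorActionPreference = 'Stop'

# Read the candidate certificate from the PFX without importing it yet.
$pfx = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
$new = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $new) { throw "No end-entity certificate found in $PfxPath" }

# Refuse to bind a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $new.NotBefore -or $now -gt $new.NotAfter) {
    throw "Certificate $($new.Thumbprint) is outside its validity period"
}

# Thumbprint currently bound to the RDP-Tcp listener.
$wmi = @{
    Namespace = 'root\cimv2\TerminalServices'
    ClassName = 'Win32_TSGeneralSetting'
    Filter    = "TerminalName='RDP-Tcp'"
}
$listener = Get-CimInstance @wmi
$old = $listener.SSLCertificateSHA1Hash

if ($old -eq $new.Thumbprint) {
    Write-Output "RDP listener already uses $old; nothing to do."
    return
}

# Import into the machine store, then confirm the private key arrived with it.
Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
    -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null
$stored = Get-Item -Path "Cert:\LocalMachine\My\$($new.Thumbprint)"
if (-not $stored.HasPrivateKey) { throw 'Imported certificate has no private key' }

# Rebind the listener, then read the setting back to verify the change.
Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $new.Thumbprint }
if ((Get-CimInstance @wmi).SSLCertificateSHA1Hash -ne $new.Thumbprint) {
    throw 'Listener binding did not change'
}
Write-Output "RDP certificate changed: $old -> $($new.Thumbprint)"

if ($RestartService) { Restart-Service -Name TermService -Force }
```

The old and new thumbprints written to the output give a record of each rotation when the task's output is redirected to a log file.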

adrien
Posts: 43
Joined: Thu Sep 10, 2015 10:39 am

Re: Automating the RDP SSL certificate

Post by adrien » Thu Jun 14, 2018 12:40 pm

Hello Yavuz,

Thank you for sharing this nice script!

FYI it is very interesting, because we released a new TSplus version a few days ago which includes just that (except we did not use PowerShell - nice scripting skills on your side!).

Starting with TSPlus 10.30.6.12 if you are using TSplus Free Certificate Manager (which uses Let's Encrypt to install an HTTPS certificate on TSPlus Web Portal), then the certificate will automatically be configured for RDP protocol too - and automatically renewed whenever necessary.
Adrien
TSplus CTO

uHost
Posts: 2
Joined: Thu Jun 07, 2018 1:44 pm

Re: Automating the RDP SSL certificate

Post by uHost » Wed Jun 20, 2018 2:53 pm

Great to hear you have included this functionality in your product, I think that it is an important feature. I will test the new version soon.

bzdega
Posts: 141
Joined: Tue Nov 14, 2017 9:34 am

Re: Automating the RDP SSL certificate

Post by bzdega » Thu Jun 21, 2018 7:26 pm

adrien wrote:Hello Yavuz,

Thank you for sharing this nice script!

FYI it is very interesting, because we released a new TSplus version a few days ago which includes just that (except we did not use PowerShell - nice scripting skills on your side!).

Starting with TSPlus 10.30.6.12 if you are using TSplus Free Certificate Manager (which uses Let's Encrypt to install an HTTPS certificate on TSPlus Web Portal), then the certificate will automatically be configured for RDP protocol too - and automatically renewed whenever necessary.

Is this working for generated client? Every time I start the generated client, I get the well known message "the identity of the remote computer cannot be verified. Do you want to connect anyway?".

How can I use the SSL-Certificate which is used for web portal also with the generated client?

regards,
Michael

admin
Site Admin
Posts: 1649
Joined: Wed Sep 05, 2012 6:38 am

Re: Automating the RDP SSL certificate

Post by admin » Thu Jun 21, 2018 9:58 pm

Hello,

SSL is meant for browser use only. The use of RDP certificate is not supported with TSplus.

Open a Control Panel > User Accounts > Manage your credentials and remove the saved credentials of the TSplus servers, restarting mstsc.exe and checking the "Allow me to save the credentials".

This pop up is normal and should then have no influence on your connection. Simply check the box and click connect.

If your server got updated to Windows 2016, then most likely you inherited the new RDP 10 protocol. As always, Microsoft does not keep a good descending compatibility with lower versions of Windows.

What you can do is lower the authentication method of your server by using a GPO. Open a gpedit.msc on your TSplus server and locate the following GPO:

Computer configuration / Administrative templates / Windows components / Remote Desktop Service / Remote Desktop session host / Security / Set client encryption level

You can also update the RDP protocol on your client computer.
Olivier
TSplus support team administrator