I have a certificate issued from "GlobalSign" that came in a .pfx file. Its properties allow for Server Authentication and Client Authentication. I am trying to use this with TSPLUS Generated Clients...
I was able to get the non-IIS Web Service to use the cert from globalsign, so that when my users go to https://mysite.com they get the green lock, and viewing the certificate all is well.
Problem is using RDP or the generated clients... When I use RDP, I get a certificate warning. When I click View Certificate, it shows a self assigned cert, we will call it servername.
So I open MMC - Add/Remove Snap-in - 'Certificates' - 'Computer Account' - expand Remote Desktop - Certificates. In here, I have added the globalsign certificate and its information all looks correct. I have deleted the 'servername' certificate from this location.
When I attempt to RDP to the server, I get the same certificate warning. I click 'no' and do not login. When I refresh my 'Certificates' in remote desktop, the self signed 'servername' certificate re-appears.
I have tried opening Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and setting the 'Server Authentication Certificate Template' name to my 'globalsign' certificate, no change. I have tried changing the name to 'RemoteDesktopComputer' as found when googling my issue - no change. It seems no matter what I try in this 'Server Auth Certificate Template' field, it doesn't matter and it will create a self assigned certificate.
Does anyone have any suggestions? This is on a Windows 2008 R2 server.
Thanks
Securing the RDP connection with SSL (TLS 1.0)
Re: Securing the RDP connection with SSL (TLS 1.0)
Hello,
Going for the group policy feels like the right thing to do. Have you tried using this procedure to import your own certificate?
technet.microsoft.com/en-us/library/cc754076.aspx
Olivier
TSplus support team administrator

Re: Securing the RDP connection with SSL (TLS 1.0)
Unfortunately the suggestion in the link will not work. The link references Remote Desktop Gateway Server, which we do not have and also is for setting up the CLIENT side.
I have tried several options such as suggested here:
windowsecurity.com/articles-tutorials/misc_network_security/Securing-Remote-Desktop-Services-Windows-Server-2008-R2.html
To no avail. Another forum is saying it will have to be built into the application from TSPLUS to use SSL/TLS 1.0 in their RDP sessions:
serverfault.com/questions/628983/need-help-forcing-ssl-for-remote-desktop
Re: Securing the RDP connection with SSL (TLS 1.0)
The RDP file itself needs to be signed which is easy to do.....
On a computer where the certificate is installed (your 2008 server - in the computer's cert store), you will need to get the "SHA1" value from the certificate.
Then open a command line window and type the following:

    rdpsign /sha1 oooYOURoooSHAooGOESooHEREooo C:\RDPfile.rdp

This will take your current RDP file and digitally sign it with your certificate.
Also, for the generated client.exe, you would follow a similar principle and use "SignTool" to sign the EXE with your certificate.
Damian C. Stalls
Senior IT Engineer
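An added example, not from any post in this thread, showing the two steps a Windows Server 2008 R2 admin needs here: reading the SHA1 thumbprint out of the computer's certificate store, binding it to the RDP-Tcp listener (the setting the Session Host actually reads, which is why a cert copied by hand into the "Remote Desktop" store keeps getting replaced by a self-signed one), and then running rdpsign as described above. The subject name and .rdp path are placeholders; the certificate is assumed to be in LocalMachine\My with its private key, and the script is run from an elevated PowerShell 2.0 prompt.

```powershell
# Added example: bind a CA-issued certificate to the RDP-Tcp listener on
# Windows Server 2008 R2 and sign an .rdp file with it. Not from the thread.
$SubjectCn = 'CN=mysite.com'    # placeholder: subject of your GlobalSign cert
$RdpFile   = 'C:\RDPfile.rdp'   # placeholder: the .rdp file handed to users

# 1. Find the certificate and take its thumbprint. The MMC shows the same
#    value with spaces between bytes; rdpsign and the listener want it
#    without spaces.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectCn -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $SubjectCn in LocalMachine\My" }
$thumb = ($cert.Thumbprint -replace '\s', '').ToUpper()

# 2. Point the RDP-Tcp listener at it. The 'Server authentication certificate
#    template' group policy only drives enrollment from an internal AD CS CA,
#    so it cannot select a third-party certificate like this one.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# 3. Verify the listener kept the value. If it reverts, the usual cause is
#    that NETWORK SERVICE has no read access to the private key
#    (certificate MMC: All Tasks > Manage Private Keys...).
$check = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $thumb) {
    throw 'RDP-Tcp listener did not accept the certificate'
}
"RDP-Tcp listener uses $thumb ($($cert.Subject), expires $($cert.NotAfter))"

# 4. Sign the .rdp file with the same certificate (rdpsign ships with
#    Windows), so the client can show a verified publisher instead of a warning.
& rdpsign.exe /sha1 $thumb $RdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign failed with exit code $LASTEXITCODE" }
```

After step 2 a fresh mstsc connection to the server should present the GlobalSign certificate; an existing warning-free session is not proof, because the listener setting is read per connection.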
