How to configure RDP with an InCommon security certificate on Server 2022?

Anonymous
2025-02-13T13:49:18+00:00

Split from this thread.

I came here looking for instructions on configuring RDP with an InCommon security certificate. I am on Server 2022.

The poster above shows a screenshot

The poster above points to what looks like the Local Group Policy Editor; from there I had to click around, since the screenshot didn't show what tree any of the settings were under.

Go to User Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host

The poster shows that there is a Security folder in their screenshot, but on my system I do not have this Security folder, and cannot proceed.

Could anyone please help?


This question was migrated from the Microsoft Support Community.


3 answers

  1. Anonymous
    2025-02-14T09:21:08+00:00

    Hello,

    Based on your description, you need to configure RDP with an InCommon security certificate on Windows Server 2022. Here are the detailed steps:

    First, make sure you've obtained a security certificate from InCommon and exported it to .pfx format.

    Then, press 'Win + R' and enter certlm.msc to open the certificate manager. In the Certificate Manager, expand Personal -> Certificates. Right-click the Certificates folder and select All Tasks -> Import. Follow the wizard prompts to select the .pfx file and make sure to import the certificate into your personal storage.

    RDP certificates can be set up through Remote Desktop Services configuration or PowerShell.

    Method 1: Configure via Server Manager

    1. Open Server Manager.
    2. In the left navigation, select Remote Desktop Services -> Deployment.
    3. In the Deployment Overview, click Tasks -> Edit Deployment Properties.
    4. In the Configure Deployment window, select Certificates.
    5. In the Certificates tab, select Select an existing certificate.
    6. Click Browse to find the .pfx certificate you imported.
    7. Enter the certificate password and tick Allow certificates to be added to the Trusted Root Certification Authority Certificate Store.
    8. Click OK to complete the configuration.

    Method 2: Configure via PowerShell

    1. Open PowerShell with administrator privileges.
    2. Use the following command to find the thumbprint of the certificate:

    Get-ChildItem -Path Cert:\LocalMachine\My

    Find your InCommon certificate and make a note of its thumbprint.

    3. Use the following command to assign the certificate to the RDP service:

    Set-Item -Path WSMan:\localhost\Service\CertificateThumbprint -Value <Certificate thumbprint>

    Replace <Certificate thumbprint> with the fingerprint found in the previous step.

    Finally, restart the RDP service, and then use the Remote Desktop client to connect to the server. If the configuration is successful, the client prompts that the connection is secure and displays the certificate information.

    I hope this information helps.

    Best regards,

    Jingjing Wu

  2. Anonymous
    2025-02-14T15:06:39+00:00

    For method 1, I do not see Remote Desktop Services listed in Server Administrator in the left pane:

    For method 2, I keep getting Invalid Parameter. I read and understand about the possibility of special characters and spaces; I've quadruple-checked by pasting the Thumbprint in cmd and verified no spaces or special chars.

  3. Anonymous
    2025-02-17T22:00:15+00:00

    Got it sorted. I had to import a certificate with embedded key (as .pfx) in Console -> Personal -> Certificates. It successfully imported, and after refresh appears in my list of certs. In my previous attempts, I was trying to add a .crt without an embedded key - think that's where I was going wrong.

    I then was able to issue this wmic command to configure the cert for RDP.

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="MyCertThumbnail"

    Finally, restarted RDP service and am able to log in to RDP without the certificate error.

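The fix in the last answer, as an added PowerShell example that is not from any poster in this thread: it checks that the certificate in the machine's Personal store has a private key (the .crt versus .pfx problem), is in date and allows Server Authentication, then sets the same `SSLCertificateSHA1Hash` property through the CIM cmdlets instead of wmic and reads it back. The function name `Set-RdpListenerCertificate` is hypothetical, and the listener name `RDP-Tcp` is assumed to be the default.

```powershell
#Requires -RunAsAdministrator
# Added example. Set-RdpListenerCertificate is a hypothetical helper name.
function Set-RdpListenerCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $TerminalName = 'RDP-Tcp'   # assumed default listener name
    )

    # Thumbprints copied from the certificate dialog can carry spaces or
    # invisible characters, so keep only the hex digits.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) { throw "Expected 40 hex characters, got $($thumb.Length)." }

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

    # A .crt imported without its key is listed in the store but unusable here.
    if (-not $cert.HasPrivateKey) { throw "No private key for $thumb; import the .pfx." }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # If the certificate restricts its usage, Server Authentication must be allowed.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekus = @($cert.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object ObjectId)
    if ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuthOid) {
        throw "Certificate EKU does not include Server Authentication."
    }

    # Bind to the listener (same class and property as the wmic command).
    $query = @{
        Namespace = 'root\cimv2\TerminalServices'
        ClassName = 'Win32_TSGeneralSetting'
        Filter    = "TerminalName='$TerminalName'"
    }
    $listener = Get-CimInstance @query
    if (-not $listener) { throw "Listener '$TerminalName' not found." }
    Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $thumb }

    # Read the setting back so a silent failure is not mistaken for success.
    $bound = (Get-CimInstance @query).SSLCertificateSHA1Hash
    if ($bound -ne $thumb) { throw "Listener reports '$bound', expected '$thumb'." }
    [pscustomobject]@{ Listener = $TerminalName; Thumbprint = $bound; NotAfter = $cert.NotAfter }
}

# Usage (placeholder value): Set-RdpListenerCertificate -Thumbprint '<Certificate thumbprint>'
```

The thread's final step, restarting the RDP service, still applies afterwards.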