RDS Session Host certificate never trusted?

Heath Durrett 486 Reputation points
2020-09-03T09:20:44.2+00:00

Hi all,

I've successfully deployed an RDS farm, all server running Server 2019 STD.

1x server running RDWeb & GW roles
1x server running Connection Broker & LIC server roles
2x server running RDS Session Host role

Using internal PKI certificates I have the system working 95%. I've deployed the RDWeb HTML client and can successfully connect using RDWeb no problems at all.

What I have a small problem with is using the MSTSC client application to work seamlessly with my GW server address configured. It works but in the final step of connecting an untrusted certificate warning prompt is thrown.

If I view the certificate and trace its thumbprint back - this certificate is a self-signed certificate sitting locally on the session host server's internal store - Remote Desktop\Certificates

Why is this cert self signed and why is it demanding it? I have issued certificates from my internal PKI that chain back successfully to a trusted ROOT but even if I place that cert in the same store it does not get used and the connection always prompts for the self signed certificate in the "Remote Desktop" store?

Do I need to bind my self signed cert somewhere?

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,504 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Karlie Weng 18,031 Reputation points Microsoft Vendor
    2020-09-04T03:14:07.567+00:00

    Hey,

    By default, RDP will use the self-signed certificate not an internal CA.

    Here is a great article about Certificate Warnings:
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/remote-desktop-connection-rdp-certificate-warnings/ba-p/259301

    If you provide access to external users, I would recommend wildcard certificate from a trusted public CA, to avoid any warnings during connections.

    More about certificates in RDS, please refer to this article:
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn781533(v=ws.11)

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Karlie


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.