Install the TS Gateway Server Root Certificate on the Terminal Services Client

Applies To: Windows Server 2008

The Terminal Services client computer must verify and trust the identity of the TS Gateway server before the client can send the user's password and logon credentials securely and complete the authentication process. To establish this trust, the clients must trust the root of the server’s certificate. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.

As mentioned, this procedure is not required if:

  • A certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink?LinkID=59547)] is installed on the TS Gateway server; and

  • The Terminal Services client computer already trusts the issuing CA.

For more information, see Obtain a Certificate for the TS Gateway Server.

If the TS Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in Configure Remote Desktop Connection Settings for TS Gateway.

Note

If you are configuring the Terminal Services client for use with Network Access Protection (NAP), you must install the TS Gateway server root certificate by using the computer account. For more information, see the Terminal Services Client Step-by-Step Setup Guide for TS Gateway (https://go.microsoft.com/fwlink/?LinkId=79605). If you are not configuring the client for use with NAP, you can install the TS Gateway server root certificate by using the user account.

Membership in the Users group or local Administrators group, or equivalent, is the minimum group membership required to complete this procedure. To open the Certificates snap-in for a computer account, membership in the local Administrators group, or equivalent, is required on the Terminal Services client on which you plan to install the certificate. To open the Certificates snap-in for a user account, membership in the Users group on the client is sufficient. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To install the TS Gateway server root certificate on the Terminal Services client

  1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

    • Click Start, click Run, type mmc, and then click OK.

    • On the File menu, click Add/Remove Snap-in.

    • In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

    • In the Certificates snap-in dialog box, to open the snap-in for a computer account, click Computer account, and then click Next. To open the snap-in for a user account, click My user account and then click Finish.

    • If you opened the Certificates snap-in for a computer account, in the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

    • In the Add or Remove Snap-ins dialog box, click OK.

  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.

  3. On the Welcome to the Certificate Import Wizard page, click Next.

  4. On the File to Import page, in the File name box, specify the name of the TS Gateway server root certificate, and then click Next.

  5. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.

  6. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:

    • Certificate Store Selected by User: Trusted Root Certification Authorities

    • Content: Certificate

    • File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.

  7. Click Finish.

  8. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.

  9. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the client. Ensure that the certificate appears under the Trusted Root Certification Authorities store.
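The import and verification steps above can also be scripted. The following PowerShell is an added example, not part of the original article: it checks the certificate file before trusting it, imports it through the .NET X509Store class, and then confirms that it is in the store. The parameter names $CertPath, $ExpectedThumbprint and $Location are placeholders chosen for this example, and the thumbprint check assumes the CA administrator has given you the expected thumbprint over a separate, trusted channel.

```powershell
# Added example (not from the original article). Run on the Terminal Services client.
# $CertPath and $ExpectedThumbprint are placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
    # LocalMachine = computer account (needed for NAP; requires local Administrators).
    # CurrentUser  = user account (Windows may ask the user to confirm the import).
    [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'CurrentUser'
)

$file = (Resolve-Path $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# 1. Confirm this is the certificate you were told to trust, before trusting it.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}
# 2. A root certificate is self-issued: subject and issuer are the same name.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate (issuer is '$($cert.Issuer)')"
}
# 3. Reject a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not currently valid ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Import into Trusted Root Certification Authorities (store name 'Root').
$loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', $loc
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $store.Add($cert)
    # Equivalent of step 9: confirm the certificate is now in the store.
    $byThumb = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
    $hit = $store.Certificates.Find($byThumb, $cert.Thumbprint, $false)
    if ($hit.Count -eq 0) { throw 'Import failed: certificate not found in Root store' }
    "Installed $($cert.Subject) [$($cert.Thumbprint)] in $Location\Root"
}
finally {
    $store.Close()
}
```

Every certificate in this store becomes a trust anchor for the account it is installed under, so a failed thumbprint check should stop the import rather than be overridden.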
