Share via


Event ID 1062 — Remote Desktop Services Authentication and Encryption

Applies To: Windows Server 2008 R2

Transport Layer Security (TLS) 1.0 enhances the security of sessions by providing server authentication and by encrypting RD Session Host server communications. The RD Session Host and the client computer must be correctly configured for clients to make successful remote connections and for TLS to provide enhanced security. For example, a certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during Remote Desktop Protocol (RDP) connections.

Event Details

Product: Windows Operating System
ID: 1062
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Version: 6.1
Symbolic Name: EVENT_TS_SSL_WRONG_SUBJECT_NAME
Message: The terminal server is configured to use a template-based certificate for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption, but the subject name on the certificate is invalid. %1 The SHA1 hash of the certificate is in the event data. Therefore, the default certificate will be used by the terminal server for authentication. To resolve this issue, make sure that template used to create this certificate is configured to use DNS name as subject name .

Resolve

Configure the certificate template Subject name to match the DNS name of the RD Session Host server

To resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to RD Session Host servers. The certificate template must be modified so that the alternate subject name for the certificate matches the DNS name of the RD Session Host server.

For information about certificate templates, see "Implementing and Administering Certificate Templates in Windows Server 2008" (https://go.microsoft.com/fwlink/?LinkID=92522).

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To configure the alternate subject name of the certificate to match the DNS name of the RD Session Host server:

  1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
  4. In the console tree, click Certificate Templates.
  5. In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to RD Session Host servers, and then click Properties.
  6. On the Subject Name tab, ensure that Build from this Active Directory information is selected.
  7. Under Subject name format, click Fully distinguished name.
  8. Under Include this information in alternate subject name, select the DNS name check box.
  9. Click OK to close the Properties dialog box for the certificate template.
  10. Restart the Remote Desktop Configuration service on the RD Session Host server. To restart the Remote Desktop Configuration service, click Start, click Run, type services.msc, and then press ENTER. In the Name column of the Services snap-in, right click Remote Desktop Configuration, and then click Restart.
  11. If the attempt to restart only the service fails, restart the computer. This forces all related and dependent services to restart.

Verify

When Transport Layer Security (TLS) 1.0 is functioning as expected for server authentication and encryption of RD Session Host server communications, clients can make connections to RD Session Host servers by using TLS 1.0 (SSL).

To verify that the TLS 1.0 (SSL) settings are correctly configured and working properly on the RD Session Host server to provide server authentication and encryption for connections, use Remote Desktop Connection from a client computer to connect to the RD Session Host server. If you can connect to the RD Session Host server and there is a lock symbol in the upper-left corner of the connection bar at the top of the window, TLS 1.0 (SSL) is being used for the connection.

Note: To ensure that the connection bar is displayed when you use Remote Desktop Connection to connect from a client computer, select full-screen mode when configuring Remote Desktop Connection settings.

To select full-screen mode in Remote Desktop Connection:

  1. Open Remote Desktop Connection. To open Remote Desktop Connection, click Start, click Accessories, and then click Remote Desktop Connection.
  2. Click Options to display the Remote Desktop Connection settings, and then click Display.
  3. Under Remote desktop size, drag the slider all the way to the right to ensure that the remote desktop that you plan to connect to is displayed in full-screen mode.

Remote Desktop Services Authentication and Encryption

Remote Desktop Services