RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Remote Desktop Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2, Windows Server 2012

Product/Feature

Remote Desktop Services

Severity

Warning

Category

Configuration

Issue

The Remote Desktop Gateway (RD Gateway) server is configured to use a self-signed certificate. By default, a self-signed certificate is not trusted by client computers.

Impact

If the RD Gateway server is configured to use a Secure Sockets Layer (SSL) certificate that is not signed by a trusted certification authority, users might be unable to connect to internal network resources (computers) through the RD Gateway server.

Resolution

Use the RD Gateway Manager tool to configure the RD Gateway server to use an SSL certificate that is signed by a trusted certification authority. Using a self-signed certificate is not recommended.

By default TLS 1.0 is used to encrypt communications between Remote Desktop Services clients and RD Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web communications on the Internet or intranets. For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the RD Gateway server.

Note

Remote Desktop Services clients must have the certificate from an enterprise certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. Therefore, if you create a self-signed certificate you must copy the certificate to the client computer (or to a network share that can be accessed from the client computer) and then install the certificate in the Trusted Root Certification Authorities store on the client computer.

The process of obtaining, importing, and configuring a certificate for RD Gateway server involves the following steps:

  • Obtain a signed certificate that is signed by a trusted certification authority for the RD Gateway server.

  • Import a certificate to the RD Gateway server in the (Local Computer)/Personal Store.

  • Import a certificate to be used by the RD Gateway server.

This section assumes an understanding of certificate trust chaining, certificate signing, and general certificate configuration principles. For information about PKI configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=93995). For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (https://go.microsoft.com/fwlink/?LinkID=54917).

Membership in the local Administrators group, or equivalent, on the RD Gateway server that you plan to configure, is the minimum required to complete this procedure.

To obtain a certificate for the RD Gateway server

  • If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet the requirements for RD Gateway, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

    • Initiating auto-enrollment from the Certificates snap-in.

    • Requesting certificates by using the Certificate Request Wizard.

    • Requesting a certificate over the Web.

Note

If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000, Windows Server 2003, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations. For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=94472).

  - Using the Certreq command-line tool.  
      

For more information about using any of these methods to obtain certificates for Windows Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates snap-in Help topics, click **Start**, click **Run**, type **hh certmgr.chm**, and then click **OK**. For information about how to request certificates for Windows Server 2003, see Requesting Certificates ([https://go.microsoft.com/fwlink/?LinkID=19638](https://go.microsoft.com/fwlink/?linkid=19638)).

A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program ([https://go.microsoft.com/fwlink/?LinkID=59547](https://go.microsoft.com/fwlink/?linkid=59547)). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway servers. These connections might fail because the enterprise CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.
  • If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors might offer certificates at no cost on a trial basis.

To import a certificate to the RD Gateway server in the (Local Computer)/Personal Store

  1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

    1. Click Start, click Run, type mmc, and then click OK.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue..

    3. On the File menu, click Add/Remove Snap-in.

    4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

    5. In the Certificates snap-in dialog box, click Computer account, and then click Next.

    6. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

    7. In the Add or Remove Snap-ins dialog box, click OK.

  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.

  3. Right-click the Personal folder, point to All Tasks, and then click Import.

  4. On the Welcome to the Certificate Import Wizard page, click Next.

  5. On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next.

  6. If the Password page appears, if you specified a password for the private key associated with the certificate earlier, type the password, and then click Next.

  7. On the Certificate Store page, accept the default option, and then click Next.

  8. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected.

  9. Click Finish.

  10. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.

  11. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the RD Gateway server. The certificate must be under the Personal store of the local computer.

To import a certificate to be used by the RD Gateway server

  1. Open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.

  2. In the RD Gateway Manager console tree, right-click the local RD Gateway server, and then click Properties.

  3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.

  4. In the Install Certificate dialog box, click the certificate that you want to use, and then click Install.

  5. Click OK to close the Properties dialog box for the RD Gateway Manager server.

  6. If this is the first time that you have mapped the RD Gateway Manager certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the RD Gateway Server Status area in RD Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.

Certificates for RD Gateway must meet these requirements:

  • The name in the Subject line of the server certificate (certificate name, or CN) must match the FQDN, or the DNS name that the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.

Note

If you are using the SAN attributes of certificates, clients that connect to the RD Gateway server must be running Remote Desktop Connection (RDC) 6.1. (RDC 6.1 [6.0.6001] supports Remote Desktop Protocol 6.1.). RDC 6.1 is included with Windows Server 2008 and Windows Vista SP1 and Windows XP SP3.

  • The certificate is a computer certificate.

  • The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).

  • The certificate has a corresponding private key.

  • The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.

  • A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE.

    For more information about these values, see Advanced Certificate Enrollment and Management (https://go.microsoft.com/fwlink/?LinkID=74577).

  • The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.

Additional references

See Also

Concepts

Best Practices Analyzer for Remote Desktop Services: Configuration
Best Practices Analyzer for Remote Desktop Services