Event ID 1055 — Remote Desktop Services Authentication and Encryption

Applies To: Windows Server 2008 R2

Transport Layer Security (TLS) 1.0 enhances the security of sessions by providing server authentication and by encrypting RD Session Host server communications. The RD Session Host and the client computer must be correctly configured for clients to make successful remote connections and for TLS to provide enhanced security. For example, a certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during Remote Desktop Protocol (RDP) connections.

Event Details

Resolve

Install a certificate on the RD Session Host server and configure the RD Session Host server to use the certificate for TLS 1.0 (SSL)

To resolve this issue, do the following:

• Install a certificate onto the RD Session Host server that meets the requirements for an RD Session Host server certificate. For information about certificate requirements, see the section "Certificate requirements" later in this topic.
• Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL).

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Install a certificate on the RD Session Host server

Important: You should only install certificates obtained from trusted sources. Installing an altered or unreliable certificate could compromise the security of any system component that uses the installed certificate.

To install a certificate on the RD Session Host server:

1. On the RD Session Host server, locate and then double-click the certificate that you want to install. The certificate might exist on the RD Session Host server, or be located on a share.
2. If prompted to confirm whether you want to open the certificate file, click Open.
3. In the Certificate properties dialog box, on the General tab, click Install Certificate.
4. In the Certificate Import Wizard, on the Welcome page, click Next.
5. On the Certificate Store page, do one of the following:
   • If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
   • If you want to specify where the certificate is stored, select Place all certificates in the following store, and then click Browse. In Select Certificate Store, click the certificate store to use, and then click OK.
6. On the Certificate Store page, click Next.
7. On the Completing the Certificate Import Wizard page, click Finish.

After you install a certificate, you must specify that it be used by the RD Session Host server, as described in the following procedure.

Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL)

We recommend that you use the Remote Desktop Session Host Configuration snap-in to specify the certificate that is used by the RD Session Host server for server authentication and encryption. If you use Remote Desktop Session Host Configuration to attempt to install a certificate that does not meet the certificate requirements, the certificate will not be installed.

To configure the RD Session Host server to use the certificate for TLS 1.0 (SSL):

1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. In the details pane, under Connections, right-click the connection (for example RDP-tcp), and then click Properties.
3. On the General tab, click Select.
4. In Select Certificate, click the certificate that you want to use, and then click OK.

Certificate requirements

A certificate that is used by the RD Session Host server for server authentication and encryption must meet the following requirements:

• The certificate must be a computer certificate.
• The certificate must have a corresponding private key. The container for the key must be accessible by the NT AUTHORITY\Network Service account.
• The certificate must have an Enhanced Key Usage (EKU) of Server Authentication (1.3.6.1.5.5.7.3.1) or no EKU.
• The following key usage value must be set for the certificate: CERT_KEY_ENCIPHERMENT_KEY_USAGE.
• The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.

Verify

When Transport Layer Security (TLS) 1.0 is functioning as expected for server authentication and encryption of RD Session Host server communications, clients can make connections to RD Session Host servers by using TLS 1.0 (SSL).

To verify that the TLS 1.0 (SSL) settings are correctly configured and working properly on the RD Session Host server to provide server authentication and encryption for connections, use Remote Desktop Connection from a client computer to connect to the RD Session Host server. If you can connect to the RD Session Host server and there is a lock symbol in the upper-left corner of the connection bar at the top of the window, TLS 1.0 (SSL) is being used for the connection.

Note: To ensure that the connection bar is displayed when you use Remote Desktop Connection to connect from a client computer, select full-screen mode when configuring Remote Desktop Connection settings.

To select full-screen mode in Remote Desktop Connection:

1. Open Remote Desktop Connection. To open Remote Desktop Connection, click Start, click Accessories, and then click Remote Desktop Connection.
2. Click Options to display the Remote Desktop Connection settings, and then click Display.
3. Under Remote desktop size, drag the slider all the way to the right to ensure that the remote desktop that you plan to connect to is displayed in full-screen mode.

Related Management Information

Remote Desktop Services Authentication and Encryption

Remote Desktop Services