Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)

Applies To: Windows Server 2008

The client computer must verify and trust the identity of the TS Gateway server before the client can send the user's password and logon credentials securely and complete the authentication process. To establish this trust, the clients must trust the root certificate of the server. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.

This procedure is not required if:

  • A certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program is installed on the TS Gateway server; for a list of trusted public CAs, see article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547); and

  • The Terminal Services client computer already trusts the CA that issued the certificate.

If the TS Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in the Configure remote desktop connection settings section.

Important

Do not install certificates from any untrusted sources or individuals.

Note

If you are configuring the Terminal Services client for use with Network Access Protection (NAP), you must install the TS Gateway server root certificate by using the computer account. If not, you can install the TS Gateway server root certificate by using the user account.

Before you complete the steps in the following procedure, you must have already copied the certificate to the client computer. For example, if you created a self-signed certificate for the TS Gateway server by using TS Gateway Manager, you must have already copied that certificate from the TS Gateway server to the client computer.

To install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client

  1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

    4. In the Certificates snap-in dialog box, to open the snap-in for a computer account, click Computer account, and then click Next. To open the snap-in for a user account, click My user account, and then click Finish.

    5. If you opened the Certificates snap-in for a computer account, in the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

    6. In the Add or Remove snap-ins dialog box, click OK.

  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.

  3. On the Welcome to the Certificate Import Wizard page, click Next.

  4. On the File to Import page, in the File name box, browse to the TS Gateway server root certificate, click Open, and then click Next.

  5. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.

  6. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:

    • Certificate Store Selected by User: Trusted Root Certification Authorities

    • Content: Certificate

    • File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.

  7. Click Finish.

  8. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.

  9. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the client. Ensure that the certificate appears under the Trusted Root Certification Authorities store.