Installing the Remote Desktop Gateway Server Root Certificate on the Remote Desktop Services Client
Updated: March 2, 2011
Applies To: Windows Server 2008 R2
Before the Remote Desktop Services client sends the user's password and other logon credentials through an RD Gateway server, it must verify the identity of that server by validating the server's certificate; the connection is not completed until that validation succeeds. To establish this trust, the client must trust the root of the server's certificate chain. That is, the certificate of the certification authority (CA) that issued the RD Gateway server certificate must be present in the client's Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.
This procedure is not required if both of the following are true:
A certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink?LinkID=59547)] is installed on the RD Gateway server; and
The Remote Desktop Services client computer already trusts the issuing CA.
For more information, see Obtaining a Certificate for the Remote Desktop Gateway Server.
If the RD Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in Configuring Remote Desktop Connection Settings for Remote Desktop Gateway.
If you are configuring the Remote Desktop Services client for use with Network Access Protection (NAP), you must install the RD Gateway server root certificate in the computer account's store (Certificates (Local Computer)). Otherwise, installing it in the user account's store (Certificates - Current User) is sufficient. A certificate in the computer store is trusted by every user of the client; a certificate in the user store is trusted only by that user.
Membership in the Users group or local Administrators group, or equivalent, is the minimum group membership required to complete this procedure. To open the Certificates snap-in for a computer account, membership in the local Administrators group, or equivalent, is required on the Remote Desktop Services client on which you plan to install the certificate. To open the Certificates snap-in for a user account, membership in the Users group on the client is sufficient. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To install the Remote Desktop Gateway server root certificate on the Remote Desktop Services client
Open the Certificates snap-in console. If you have not already added the Certificates snap-in to a console, add it as follows:
Click Start, click Run, type mmc and then click OK.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
In the Certificates snap-in dialog box, do one of the following:
To open the snap-in for a computer account, click Computer account, and then click Next. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
To open the snap-in for a user account, click My user account, and then click Finish.
In the Add or Remove Snap-ins dialog box, click OK.
In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer) (or Certificates - Current User, if you opened the snap-in for a user account), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.
In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, in the File name box, specify the name of the RD Gateway server root certificate, and then click Next.
On the Certificate Store page, accept the default option Place all certificates in the following store (in the certificate store Trusted Root Certification Authorities), and then click Next.
On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:
Certificate Store Selected by User: Trusted Root Certification Authorities
File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the RD Gateway server root certificate.
Click Finish. In the Certificate Import Wizard dialog box that reports that the import was successful, click OK. (If you are importing into the user account's store, Windows also displays a security warning that asks you to confirm that you want to install the certificate; verify the thumbprint it shows against the one you obtained from the CA administrator before you click Yes.)
With Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates (or the corresponding Certificates - Current User node) selected in the console tree, in the details pane, verify that the root certificate of the RD Gateway server appears in the list of certificates on the client.
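The same procedure can be scripted for many clients. The following PowerShell script is an added example and is not part of the original page or of any Microsoft tool; it uses the .NET X509Store classes so that it runs on the PowerShell 2.0 that ships with Windows 7 and Windows Server 2008 R2 as well as on later versions. The certificate path, the expected thumbprint, and the gateway FQDN are hypothetical placeholders. Before importing, it checks that the file is really a self-signed CA certificate and that its thumbprint matches a value obtained out of band, because anything placed in Trusted Root Certification Authorities is trusted by the client for every purpose, not only for the RD Gateway. After importing, it connects to the gateway's HTTPS listener and confirms that the server certificate now chains to the imported root, which is the same check the Remote Desktop client performs.

```powershell
# Added example: import an RD Gateway root certificate into Trusted Root and verify it.
# Run from an elevated PowerShell prompt with -ComputerAccount for the computer store
# (required for NAP); without it, the current user's store is used.
param(
    [string]$CertFile           = 'C:\certs\RDGateway-Root.cer',                 # hypothetical path
    [string]$ExpectedThumbprint = 'A1B2C3D4E5F60718293A4B5C6D7E8F9001122334',   # hypothetical; get the real value from the CA administrator
    [string]$GatewayFqdn        = 'rdgateway.corp.example',                      # hypothetical RD Gateway server FQDN
    [switch]$ComputerAccount                                                     # Certificates (Local Computer) instead of Current User
)
$ErrorActionPreference = 'Stop'

function Test-RootCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Thumbprint)
    # Out-of-band thumbprint check: a root that is trusted for every purpose must never be
    # imported on the strength of a file that arrived by e-mail or a file share alone.
    $expected = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($Cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($Cert.Thumbprint), expected $expected"
    }
    # Only a CA certificate belongs in Trusted Root; a server (end-entity) certificate does not.
    $bc = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Not a CA certificate: $($Cert.Subject)"
    }
    # A root is self-signed; an intermediate CA goes in Intermediate Certification Authorities instead.
    if ($Cert.Subject -ne $Cert.Issuer) {
        throw "Not self-signed (issuer $($Cert.Issuer)); this is an intermediate CA, not a root"
    }
}

function Install-RootCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [bool]$Machine)
    $location = if ($Machine) { 'LocalMachine' } else { 'CurrentUser' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $location
    try {
        # Opening LocalMachine\Root for writing requires membership in local Administrators;
        # adding to CurrentUser\Root makes Windows show its interactive confirmation prompt.
        $store.Open('ReadWrite')
        $present = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        if ($present.Count -gt 0) {
            Write-Output "Already present in $location\Root: $($Cert.Subject)"
        } else {
            $store.Add($Cert)
            Write-Output "Imported into $location\Root: $($Cert.Subject)"
        }
    } finally {
        $store.Close()
    }
}

function Test-GatewayChain {
    param([string]$Fqdn, [string]$RootThumbprint)
    # Connect to the gateway's HTTPS listener (TCP 443) and fetch its certificate. The
    # callback accepts any certificate so that we can inspect the chain ourselves below;
    # it is used only for this diagnostic, never for a real connection.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient $Fqdn, 443
    try {
        $ssl = New-Object System.Net.Security.SslStream $tcp.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($Fqdn)
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }
    # Build the chain against the client's own stores, exactly as the RD client will.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $built = $chain.Build($serverCert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # The name the client connects to must match the certificate (SAN dNSName or subject CN).
    $nameOk = ($serverCert.GetNameInfo('DnsName', $false) -ieq $Fqdn)
    Write-Output "Server certificate : $($serverCert.Subject)"
    Write-Output "Chain builds       : $built"
    Write-Output "Chains to our root : $($root.Thumbprint -eq $RootThumbprint)"
    Write-Output "Name matches FQDN  : $nameOk"
    foreach ($s in $chain.ChainStatus) { Write-Output "Chain status       : $($s.Status) - $($s.StatusInformation)" }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
Test-RootCertificate    -Cert $cert -Thumbprint $ExpectedThumbprint
Install-RootCertificate -Cert $cert -Machine $ComputerAccount.IsPresent
Test-GatewayChain       -Fqdn $GatewayFqdn -RootThumbprint $cert.Thumbprint
```

If the final check reports that the chain builds but does not end in the root you imported, the gateway is presenting a certificate from a different CA, and the client's Trusted Root store is not where the problem lies; if it reports a name mismatch, the Remote Desktop Connection client will refuse the gateway even though the root is trusted, so the gateway name configured in the client must match the name in the server certificate.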