Force Remote Desktop Services in Windows 7 to use a custom server authentication certificate for TLS
This article provides a solution to an issue where a self-signed server authentication certificate is automatically generated to support Transport Layer Security (TLS) when you make a Remote Desktop Services (RDS) connection to a Windows 7 computer.
Applies to: Windows 7 Service Pack 1
Original KB number: 2001849
Symptoms
When making a RDS connection to a Windows 7 computer, a self-signed server authentication certificate is automatically generated to support TLS. This allows the data to be encrypted between computers. Data is only encrypted when the following Group Policy setting is enabled on the target computer and set to SSL (TLS 1.0):
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security:Require use of specific security layer for remote (RDP) connections
Cause
The generation of self-signed certificates for TLS over a RDS connection is enabled by design in Windows Vista and Windows 7.
Resolution
Server authentication certificates are supported in Windows Vista and Windows 7. To use a custom certificate for RDS, follow the steps below:
Install a server authentication certificate from a certification authority.
Create the following registry value containing the certificate's SHA1 hash to configure this custom certificate to support TLS instead of using the default self-signed certificate.
- Location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp - Value name: SSLCertificateSHA1Hash
- Value type: REG_BINARY
- Value data: <certificate thumbprint>
The value should be the thumbprint of the certificate separated by comma (,) and no empty spaces. For example, if you were to export that registry key the SSLCertificateSHA1Hash value would look like this:
SSLCertificateSHA1Hash=hex:42,49,e1,6e,0a,f0,a0,2e,63,c4,5c,93,fd,52,ad,09,27,82,1b,01
It is necessary to edit the registry directly because there is no user interface on Windows client SKUs to configure a server certificate.
- Location:
The Remote Desktop Host Services service runs under the NETWORK SERVICE account. Therefore, it is necessary to set the ACL of the key file used by RDS (referenced by the certificate named in the SSLCertificateSHA1Hash registry value) to include NETWORK SERVICE with Read permissions. To modify the permissions, follow these steps:
Open the Certificates snap-in for the local computer:
- Click Start, click Run, type mmc, and click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.
- In the Certificates snap-in dialog box, click Computer account, and click Next.
- In the Select Computer dialog box, click Local computer: (the computer this console is running on), and click Finish.
- In the Add or Remove Snap-ins dialog box, click OK.
- In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.
- Right-click the certificate, select All Tasks, and select Manage Private Keys.
- In the Permissions dialog box, click Add, type NETWORK SERVICE, click OK, select Read under the Allow checkbox, then click OK.
More information
For more information about how to programmatically configure the RDP encryption settings, see Win32_TSGeneralSetting class.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for