Configure custom SSL certificate for RDP on Windows Server 2012 in Remote Administration mode

Q:

So the release of Windows Server 2012 has removed a lot of the old Remote Desktop related configuration utilities. In particular, there is no more Remote Desktop Session Host Configuration utility that gave you access to the RDP-Tcp properties dialog that let you configure a custom certificate for the RDSH to use. In its place is a nice new consolidated GUI that is part of the overall "edit deployment properties" workflow in the new Server Manager. The catch is that you only get access to that workflow if you have the Remote Desktop Services role installed (as far as I can tell).

This seems like a bit of an oversight on Microsoft's part. How can we configure a custom SSL certificate for RDP on Windows Server 2012 when it's running in the default Remote Administration mode without needlessly installing the Remote Desktop Services role?

Important: you need to open a CMD window with "Run as administrator" and then run the wmic command from there.

A:


It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.

In order to get the thumbprint value

  1. Open the properties dialog for your certificate and select the Details tab
  2. Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
  3. Remove all the spaces from the string. You'll also want to watch out for and remove a non-ASCII character that sometimes gets copied just before the first character in the string. It's not visible in Notepad.
  4. This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or if PowerShell is your thing, you can use this instead:

# Locate the WMI instance for the RDP-Tcp listener and keep its object path
$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
# Write the certificate thumbprint (40 hex characters, no spaces) to that instance
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="THUMBPRINT"}

It occurs to me that this solution would probably work on Windows 8 systems as well. I haven't played with it much myself yet though.

Note: the certificate must be in the 'Personal' Certificate Store for the Computer account.
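The whole procedure from the answer in one script, as an added example that is not part of the original post: it cleans a thumbprint pasted straight from the certificate's Details tab (steps 1 to 4 above), checks that the certificate really is in the Computer account's Personal store with a private key, binds it to the RDP-Tcp listener through the same WMI class, and reads the value back. The sample thumbprint is a constructed placeholder; run it from an elevated PowerShell prompt.

```powershell
param(
    # Constructed sample, as copied from the Details tab (spaces, mixed case,
    # possibly an invisible leading character); replace with your own thumbprint.
    [string]$RawThumbprint = "1e a1 fd 5b 25 b8 c3 27 be 2c 4e 48 52 26 3e fd b4 d1 6a f4"
)

# Step 3 of the answer: drop whitespace and anything that is not a hex digit.
# This also removes the invisible non-ASCII character that Notepad does not show.
$thumbprint = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToLower()
if ($thumbprint.Length -ne 40) {
    throw "Cleaned thumbprint is $($thumbprint.Length) characters, expected 40 (SHA-1)."
}

# The note at the end of the answer: the certificate must be in the Personal
# store of the Computer account, which is Cert:\LocalMachine\My. It also needs
# a private key, or the listener cannot complete the TLS handshake with it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ieq $thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key; RDP cannot use it."
}

# Same WMI class and namespace the answer uses, filtered to the RDP-Tcp listener.
$setting = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'"
$previous = $setting.SSLCertificateSHA1Hash
Set-WmiInstance -Path $setting.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $thumbprint } | Out-Null

# Read the property back instead of assuming the write took effect.
$current = (Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($current -ine $thumbprint) {
    throw "Listener still reports '$current'; the update did not take effect."
}
Write-Output "RDP-Tcp certificate changed from '$previous' to '$current' ($($cert.Subject))."
```

If the listener still presents the old certificate after this succeeds, the usual cause is that the NETWORK SERVICE account lacks read permission on the new certificate's private key.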

Time: 2024-10-29 05:20:30
