How to Force Remote Desktop Services on Windows 7 to Use a Custom Server Authentication Certificate for TLS
Server authentication certificates are supported on Windows Vista and Windows 7. To use a custom certificate for RDS, follow the steps below:
- Install a server authentication certificate from a certification authority.
- Create the following registry value containing the certificate’s SHA1 hash to configure this custom certificate to support TLS instead of using the default self-signed certificate.
Value name: SSLCertificateSHA1Hash
Value type: REG_BINARY
Value data: <certificate thumbprint>
The value data is the certificate thumbprint written as hex bytes separated by commas (‘,’) with no spaces. For example, if you were to export that registry key, the SSLCertificateSHA1Hash value would look like this:
Note: It is necessary to edit the registry directly because there is no user interface on Windows client SKUs to configure a server certificate.
- The Remote Desktop Host Services service runs under the NETWORK SERVICE account. Therefore, it is necessary to set the ACL of the private key file used by RDS (the key belonging to the certificate named in the SSLCertificateSHA1Hash registry value) to include NETWORK SERVICE with "Read" permissions. To modify the permissions, follow the steps below:
Open the Certificates snap-in for the local computer:
- Click Start, click Run, type mmc, and click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.
- In the Certificates snap-in dialog box, click Computer account, and click Next.
- In the Select Computer dialog box, click Local computer: (the computer this console is running on), and click Finish.
- In the Add or Remove Snap-ins dialog box, click OK.
- In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.
- Right-click the certificate, select All Tasks, and select Manage Private Keys.
- In the Permissions dialog box, click Add, type NETWORK SERVICE, click OK, select Read under the Allow column, then click OK.
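The registry step and the private-key ACL step above, scripted in PowerShell as an added example (this is not code from the original article). It assumes the certificate's private key is a CSP-backed RSA key stored under MachineKeys, and because the article does not name the registry key that holds SSLCertificateSHA1Hash, that key path is taken as a parameter you must supply.

```powershell
# Added example: apply the article's two steps from an elevated PowerShell prompt.
# Assumptions: CSP RSA private key under MachineKeys; $RdpKeyPath is the RDP-Tcp
# WinStation registry key (placeholder: the path is not given on this page).
param(
    [Parameter(Mandatory=$true)] [string] $Thumbprint,  # SHA1 thumbprint as hex
    [Parameter(Mandatory=$true)] [string] $RdpKeyPath   # 'HKLM:\<RDP-Tcp key path>'
)

$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) { throw "A SHA1 thumbprint is 40 hex characters." }

# 1. Locate the installed server authentication certificate in the machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; RDS cannot use it." }

# 2. REG_BINARY holds the raw 20 hash bytes. Converting the hex string pairwise yields
#    exactly the comma-separated 'hex:xx,xx,...' form a .reg export shows.
$hashBytes = [byte[]](0..19 | ForEach-Object { [Convert]::ToByte($Thumbprint.Substring(2*$_, 2), 16) })
Set-ItemProperty -Path $RdpKeyPath -Name 'SSLCertificateSHA1Hash' -Value $hashBytes -Type Binary
$regForm = 'hex:' + (($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ',')
Write-Host "SSLCertificateSHA1Hash = $regForm"

# 3. Grant NETWORK SERVICE read access to the private key file (the 'Manage Private Keys' step).
#    Only the key container name is needed; $cert.PrivateKey is $null for non-CSP keys.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Private key file not found (non-CSP key?): $keyFile" }
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Verify: read the value back and compare it with the certificate's actual SHA1 hash,
#    so a mistyped thumbprint is caught before RDS silently falls back to the self-signed cert.
$stored = (Get-ItemProperty -Path $RdpKeyPath -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
if ([BitConverter]::ToString([byte[]]$stored) -ne [BitConverter]::ToString($cert.GetCertHash())) {
    throw "Stored SSLCertificateSHA1Hash does not match the certificate."
}
Write-Host "RDS will use '$($cert.Subject)'; restart the Remote Desktop Services service to apply."
```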