10 December 2010

Change the default certificate used by RDS

When building an RDS environment you will at some point add more RD Session Host servers. At that point you will start running into certificate issues, because the name the client requests no longer matches the name on the certificate.

You might also be prompted that the certificate is from an untrusted source. This is because, by default, the RDS server uses a self-signed certificate.

In a proper RDS environment you will most likely be using a SAN certificate that is exported and installed on all the RDSH servers.

To change the certificate being used you need to do the following:

  • Get the certificate thumbprint.
  • Copy the thumbprint into Notepad and remove all the spaces.

Copy the following script and save it as rdconfig.js:

// Connect to the Terminal Services WMI namespace on the local machine
var strComputer = ".";
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;
var wbemAuthenticationLevelPktPrivacy = 6;

var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
// This namespace requires packet privacy, otherwise the connection is refused
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);

// The RDP-Tcp listener holds the certificate setting
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");

if (WScript.Arguments.length >= 1)
    // Thumbprint passed on the command line, without spaces
    TSSettings.SSLCertificateSHA1Hash = WScript.Arguments(0);
else
    // All zeros reverts RDS to its own self-signed certificate
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";

// Write the changed instance back to WMI; without this nothing is saved
TSSettings.Put_(wbemChangeFlagUpdateOnly);

Open a command prompt and execute the script, specifying the edited thumbprint as the parameter:

cscript rdconfig.js 0e2a9eb75f1afc321790407fa4b130e0e4e223e2

This sets the default certificate used by RDS on that server.

If at any point you want to revert to the self-signed certificate, just execute the script without specifying a parameter.
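The same change done from PowerShell, as an added example that is not part of the original post. It performs the checks an administrator wants before touching the RDP-Tcp listener: the pasted thumbprint is reduced to 40 hex characters, and the certificate must exist in the computer's Personal store with a private key. Assumptions: saved as Set-RdpCert.ps1 and run in an elevated PowerShell on the RD Session Host itself; omitting the parameter reverts to the self-signed certificate, like the script above.

```powershell
# Added example: set the RDP-Tcp certificate via WMI from PowerShell.
# Assumed to run elevated on the RD Session Host itself.
param(
    [string]$Thumbprint   # omit to revert to the self-signed certificate
)

$ns = 'root\cimv2\TerminalServices'
# The TerminalServices namespace requires packet privacy, as in the JScript version
$ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy

if (-not $Thumbprint) {
    # An all-zero hash tells RDS to fall back to its own self-signed certificate
    $Thumbprint = '0' * 40
} else {
    # Thumbprints pasted from the certificate dialog carry spaces and can carry
    # an invisible mark; keep only hex digits so WMI receives exactly 40 characters
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($Thumbprint.Length -ne 40) {
        throw "Thumbprint is not 40 hex characters after cleanup: '$Thumbprint'"
    }
    # The certificate must be in LocalMachine\My with a usable private key,
    # otherwise RDS cannot present it to clients
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint has expired ($($cert.NotAfter))"
    }
}

Write-Host "Current SSLCertificateSHA1Hash : $($ts.SSLCertificateSHA1Hash)"

# Set-WmiInstance writes the property back (the Put_ call in the JScript version)
Set-WmiInstance -Path $ts.__PATH -Authentication PacketPrivacy `
    -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null

# Re-read the listener so the change is confirmed from WMI, not from our variable
$ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
Write-Host "New SSLCertificateSHA1Hash     : $($ts.SSLCertificateSHA1Hash)"
```

Run it as `.\Set-RdpCert.ps1 0e2a9eb75f1afc321790407fa4b130e0e4e223e2` to apply a certificate, or with no argument to revert.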

