So, the third party certificates on a 2008R2 Remote Desktop servers were about to expire. I figured, “Log into the certificate issuer website, renew the certificate, download the new certificates, and install them. How hard could that be?”
Well, more complex than I first imagined. I updated the all the certificates using the various Remote Desktop management utilities and in the IIS Management console. But, my results were mixed. Specifically:
- All worked well when using the remote desktop website to remote into the server.
- Worked fine when using remote desktop from any machine outside the domain (say my Mac).
- Worked fine when using the server name from any machine inside the domain (a Windows desktop joined to the domain).
- Got cert error messages when using remote desktop to the pretty server URL from a machine inside the domain.
Looking at bit further, I realized that the terminal server was presenting a self-signed URL to remote desktop connections to any machine inside the domain. The self-signed URL used hostname as the common name, which is one reason why the remote desktop client was so upset — the command names did not match — hostname was not equal to the pretty URL. Both certificates were listed under the “Remote Desktop” folder of the Computers certificates. How do you change which certificate is presented? Here are the steps:
- Know what to run!
- Open a command prompt by using Run | CMD.
- At the command line type: tsconfig.msc
- Edit the Connection properties:
- A window appears called “Remote Desktop Session Host Configuration”.
- Highlight the first Connections entry and right-click Properties in the menu.
- Goto the General tab
- Select the certificate to use:
- Press the Select button.
- Highlight the third-party certificate and press the OK button.
(Note: if you don’t see your third-party certificate, you need to import it first) - Press the OK button and confirm the warning message.
- Reboot the server and test:
- Changes don’t seem to be applied until the server is rebooted.
- At the command prompt: shutdown -r
- Once the server is back up…
- At the command prompt from a Windows desktop: mstc /v hostname
(Note: replace hostname with your server’s actual hostname.)
In my testing, the newly applied third-party certificate worked flawlessly.