Configuring RDS 2012 Certificates and SSO

Applying Certificates to a RDS Deployment

Once you have installed RDS, you will need to configure the RD Certificates for RDS to function properly.

The RDS Certificates for authentication purposes (SSO, external access, Session host connections etc).

Self assigned certificates s are no good for a production environment should only be used for LAB’s, UAT, and POC.

If certificates are not configured or incorrectly configured you will see issues when using RDS. External access is one of the biggest issues users face, especially with “.local” internal domains when accessing RDS externally. If you use a self assigned certificate for the RD Gateway, you will need to export from the RD Gateway and  import the certificate to all clients that what to access the RD Gateway.


  • Use a Wild Card certificate which simplifies the deployment .
  • Use SAN Certificates if you don’t want to pay Wild Card prices.
  • individual certificates are great for single instance deployments or for low budget deployments. managing multiple certificates can get messy.

In this example I will use self assigned certificates that show un-trusted.

In the real world all certificates should show as Trusted.

Please see the following Link  or Commodo for Free certificates. I would recommend purchasing certificates for production environments.

RDS Certs1

On the overview screen of Remote Desktop Services, select Tasks > Edit Deployment Properties

RDS Certs2

In this demo, we will be creating self assigned certificates. As mentioned before, in the real world you would use trusted certificates and use the option select existing certificate…

RDS Certs3

RDS Certs4

Creating a self assigned certificate using the server FQDN and setting a password

RDS Certs5

As you can see from this screenshot, All certificates are not trusted as they are self assigned. To change this to trusted, you would need to use a third party certificate (Public CA certificate) or a internal Root CA  to connect.

Using a internal CA also has limitations as you would need to use domain joined clients or import the internal ca certificates to the external client.

When importing Certificates from a verified Public Certificate Authority /Internal CA  you will see that the level will change from untrusted to trusted.



Certificate Mismatches

As mentioned earlier, lots of users have issues when deploying RDS to a “.local” Domain. When publishing RDS externally, you will see a certificate mismatch as the internal server FQDN’s/IP address’s will show externally during the connection process to RemoteApps or RemoteDesktops.

There are a number of ways to resolve this including creating a custom RDP property that redirects to a alternative name. This is a great way to resolve a single instance deployment in a “.local” domain.

Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty “use redirection server name:i:1 `n alternate full”

There is also a way of changing the client access address of the connection broker using a WMI script provided below.

Change published FQDN for Server 2012 or 2012 R2 RDS Deployment

The Script has been generously provided by “TP”. Please note that there are issues using RD Web feed after using this to change the client access name. RDS looks for a RDCB farm during the connection process and then fails. You can review these errors in the event logs.

Bypassing RDP Authentication

Older versions of windows connected to the computer before checking credentials, RDS now checks credentials before connecting. The following custom RDP Property is not to be used with out security considerations, but if you want to turn off warning or alerts for use in a POC/LAB/UAT Environment then its perfectly fine to get round warnings and connection issues. I do not recommend that you use this in a production environment.

Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty “authentication level:i:0”

see the following link for more details:

Authentication Level 

Creating and Deploying Certificates, the PowerShell Way

ensure that you have imported the Remote Desktop PowerShell Module and Set the password for the certificate

Import-module Remotedesktop
$Password = ConvertTo-SecureString -String "RDS%%G0d" -AsPlainText -Force

You will then be able to create the certificates:

To Import a certificate you would use Get-RDCertificate

To Create a certificate you would use New-RDCertificate

To  find out which certificates are associated with RDS roles, you would use Get-RDCertificate

the following commands are used for creating self assigned certificates.

RDPublishing Certificate

New-RDCertificate -Role RDPublishing -DnsName "<Server Name>" -Password $Password -ConnectionBroker "<Connection Broker Name>"

RDWebAccess Certificate

New-RDCertificate -Role RDWebAccess -DnsName "<Server Name>" -Password $Password -ConnectionBroker "<Connection Broker Name>"

RDRedirector Certificate

New-RDCertificate -Role RDRedirector -DnsName "<Server Name>" -Password $Password -ConnectionBroker "<Connection Broker Name>"

RDGateway Certificate

New-RDCertificate -Role RDGateway -DnsName "<Server Name>" -Password $Password -ConnectionBroker "<Connection Broker Name>"

Configuring RDSH Server Certificates

Before configuring RDSH Servers you will see a warning stating that the certificate is untrusted.

This is because the configuration data for RDSH is stored in the WMI, Win32_TSGeneralSetting class in WMI in the rootcimv2TerminalServices namespace. You will need to change the certificate from default using the following commands.

Firstly, You will need to find the certificate thumbprint.

RDSH Certifcate

You can also use PowerShell to find the Thumbprint:

Get-Childitem Cert:\LocalMachine\My


Run one of the following cmds to apply the new certificate to the  Win32_TSGeneralSetting:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Thumbprint"

PowerShell Cmd:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace rootcimv2terminalservices -Filter "TerminalName='RDP-tcp'").__path Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

RDS 2012 RDSH Certificate deployment script

You can also download the script above which simplifies the process.

Credentials Delegation Group Policy setting

Single Sign On can now use the logged-on user credentials of a intranet user who is subscribed to a RemoteApp and Desktop Connection Feed. To enable SSO, you need to add the FQDN of the RD Connection Broker /Farm / Wild Card with the ‘TERMSRV/ Prefix” to the credentials delegation Group Policy setting.

This policy is located in Computer Configuration -> Policies ->Administrative Templates -> System -> Credential Delegation -> Allow delegation defaults credential.

I would recommend making this GPO a domain assigned policy.

Allow Delegating Default Credentials

To achieve Single Sign-On you would need to complete the following steps:

  • Install and configure SSL certificates on RD Gateway, RD Web and RD Connection Broker servers.
  • Enable Web SSO on RDWeb Access servers
  • Configure the group policy for credentials delegation as shown above.
  • Add the Certificates created above to the .rdp trusted publishers using GPO:(Computer Configuration -> Administrative Templates -> Windows Desktop Services -> Remote Desktop Connection Client). Specify SHA1 thumbprints of certificates representing RDP publishers

Once completed, users will be able to connect to desktops and RemoteApp’s with out re-entering their password.

121 thoughts on “Configuring RDS 2012 Certificates and SSO

Add yours

  1. Ryan, When connecting to a farm using RemoteApp in 2012 everything works perfectly, except… (famous last words); when the RDP session starts to connect there is a name mismatch error. This because the the RDP connection uses the internal FQDN instead of the public FQDN. I am not sure how exactly to squish this once and for all. It is more difficult since 2012 take away many GUI options that were available in 2008R2 to tweak these settings.

      1. Are you referring to the WMI settings? If so I am trying to understand how this will fix my problem. My certificate is for, and when launching a RemoteApp the connection first goes to the website which is the same as above, but when the RDP connection starts it is trying to connect to server.internal.local. What I need to change is the FQDN of what I am trying to connect to (in 2008 this would be FQDN of the farm) which I could make whatever I wanted – not the case. Since my original post last night I think what I need to do is enable RDCB-HA as MS documentation seems to indicate that will allow me to specify a farm name for the “RD Broker”, even if I only have one broker (today). The setup of RDCB-HA is not cooperating right now… I appreciate your insight, please let me know if I am barking up the wrong tree right now.

      2. You have certificate issue. You would need to assign a external certificate for the web server/gateway . You would then need to use a wild card cert (public) for the internal servers. You should then point the internal Dns web address to the external one.

        I would recommend that you use a wild card for all rds internal servers.

        If you Are using rdsh you need to change the default ssl cert using WMI or powershell.

        A HA RDCB had nothing to do with certificate miss matches.

        Have you added the ha details into the Rd gateway ?

      3. I have an external certificate assigned to everything, that is the actual problem. Today, the webserver/broker/gateway are all on the same server, then I have (2) session hosts in a collection. In 2008r2 the actual RDP connection goes through the gateway and connects to the farm FQDN, which 2008r2 allows you to set as whatever you want – easily. In 2008r2 i set it using the external FQDN. In 2012 the RDP connection successfully passes through the gateway, but throws a certificate mis-match since the actual RDP connection is connecting to “server.domain.internal” and my certificate is a wildcard for “” (public). I am confused about making the change with WMI/PS as the certificate does not need to be change, but the actual FQDN for the RDSH farm. Again, in 2012 it is dumb’d down and less configurable. I had read that if I setup RDCB-HA I can setup the custom FQDN for the actual RDP connection (in 2008 the connection would typically be a RR/DNS to the different RDSH servers, but in 2012 it would be RR/DNS to the RDCB servers). I would know for sure if I am on the correct path for sure if I can get the stupid HA database to install, except I keep getting an error. I have followed “” perfectly and the darn thing still wont create the database.

      4. You are not changing the certificate, you would be mapping it to the config file.

        The certificate is held in configuration file, so when you connect it uses the certificate in the config file not the certificate folder. You need to copy the thumbprint as shown in a previous post so that the config thumbprint matches the one in the certificate store . This will fix the cert miss match error.

        Rds 2012 has completely changed, I would recommend that you forget the previous setup configs.

        Can you show me the error with the ha SQL script .

      5. Can you answer the following questions:

        1), Have you installed SQL on a separate server ?
        2), Have you configured the Firewall and changed the ports from dynamic to static ?
        3), Have you tried adding the sysadmin role to the users and SA account within SQL
        4), Have you Configured the DNS Round Robin address.
        5), Have you used the following script: DRIVER=SQL Server Native Client 11.0;SERVER=;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=

        the PowerShell Way:

        PS C:\> Set-RDConnectionBrokerHighAvailability –DatabaseConnectionString
        “DRIVER=SQL Server Native Client 11.0;SERVER=;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;
        DATABASE=” -DatabaseFilePath “C:\DbFiles\.mdf”
        -ClientAccessName “”

        6), Have you Added the DNS RR name into the Remote Desktop Gateway Server
        7), Have you installed the following SQL Client

        Let me know how you get on.

        Best Regards,

  2. I have been away from my computer all day so I have not even started making anymore headway on the install of RDCB HA. From the earlier posts… this is the error that occurs right now when launching a RemoteApp, the “Requested remote computer” needs to a “Farm” address which again i think RDCB HA will resolve [IMAGE:

    To answer your questions:
    1. SQL Express 2012 is installed locally
    2. Windows Firewall is disabled
    3. The AD group that contains the server as a member is a sysadmin, as well as my account ‘Administrator’ and ‘sa’
    4. DNS is setup as CNAME that resolves to the current/local broker server
    5. That is the connection string I am using (includes my server\instance and db name)
    6. I believe so (I have found a couple articles on doing this in 2 different spots – but neither should prevent the SQL database from being setup)
    7. SQL client is installed since it is installed locally (and I tested using ODBC) locally as well.

    From other articles I would expect to see an error message in SQL… or in windows events… but I do not?

      1. From your screenshot you need to complete the following:

        The configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.

        thumbprint value
        1.Open the properties dialog for your certificate and select the Details tab
        2.Scroll to the Thumbprint field and copy the space delimited hex string into Notepad
        3.Remove all the spaces from the string. You’ll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It’s not visible in Notepad.
        4.This is the value you need to set in WMI. It should look something like this: 2da1fd5b25b6c327bc2c4e4857263efdb4d16af2.

        Now that you have the thumbprint value, here’s a one-liner you can use to set the value using wmic:
        wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”THUMBPRINT”

        $path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -Filter “TerminalName=’RDP-tcp'”).__path
        Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash=”THUMBPRINT”}

      2. PS gives error:
        Get-WmiObject : Invalid query “select * from Win32_TSGeneralSetting where TerminalName=’RDP-tcp’”
        At line:1 char:10
        + $path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\ter …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

        WMIC gives error:
        Description = Invalid namespace

  3. This is supposed to be done on the RDSH right? I have tried on the RDSH and the RDG/RDCB server and get the same results – however the cert error is not upon connection to the RDSH – the connection name is the broker server.

    1. Run the WMI Cmd on the rdsh server. Ensure the parameters are correct.

      Just to confirm you config you have the three roles rdcb, rdgw, rdweb on the same server. As you have a .local and a .net you may need a SAN certificate for the alternative names.

      Assign the rdsh server with the thumbprint of the cert and if you still have issues , you may need a SAN
      Cert. if you have a internal root Ca test it using this first.

      1. Corrected, the three roles are all on the same server… I understand how updating the SAN Cert should solve this problem, however in the future I will still need a broker farm as this environment will grow. What is puzzling me is that I cannot get RDCB HA to install and I cannot get any error logs?

      2. Yes, I have read both of those articles as well. I am going to remove SQL2012 and install SQL2008r2 to see if there is a difference (most of the articles were written before SQL 2012).

      3. I have used SQL 2012 on all setups. before you remove SQL, have you put the connection brokers in the local user groups ?, Have you configured the round robin name. have you installed the connection broker roles on both servers?. Configuring Ha is relatively simple it only fails if you miss something off the list. Have you created the a folder on the root of the SQL Server for the storing of the DB ?

      4. At this time there is only one Connection Broker, and it is a member of an AD group, not a local group. Adding the CB role to another sever comes after enabling HA and yes I created the local folder. I even tried creating the DB manually (there is an article that states the DB will be overwritten) but still fails. What is odd is other then the error in server manager – there is no event or sql logs about it.

      5. That is impossible… the option to install a 2nd RDCB is greyed out until you install HA. Also..
        I went back to SQL 2008r2 and have the same error. However I also tried doing the setup again from PS and got this error:

        Could not create the database ‘RDCB’.
        + CategoryInfo : NotSpecified: (:) [Write-Error], RDManagementException
        + FullyQualifiedErrorId : SetRdmsHighAvailability,Microsoft.PowerShell.Commands.WriteErrorCommand
        + PSComputerName : localhost

        SQL still has no errors or anything showing a connection attempt.

      6. You can add an additional connection broker through the add roles and features. Ignore the Remote desktop option and then scroll down in the main window to the remote desktop role.

        I think i have the answer to your problem, are you trying to do this on the connection broker. You need to do this on the sql instance. create a server group add all your servers and then try and create your HA RDCB on the SQL instance.

        Good look

      7. I dont understand that last part… I created a group in AD “RDCB Servers”. I added the connection broker server as a member of that group. I added that group to the SQL Server logins and (for now) have granted dbcreator and sysadmin roles… which I assume all is correct.

  4. Do you think either of these could affect RDCB HA setup?

    The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x200b, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

    The root\cimv2\rdms namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

    Both existed with SQL 2012 as well. I can do a telnet connection to the server remotely on port 1433.

  5. Ok.. so it appears that RDCB-HA does not like the idea of SQL being installed on the local server. I setup a new SQL instance on a different server and after a reboot of everything it it installed successfully. Now when I go to run a RemoteApp, the “Remote Computer” is now using the name specified which matches my cert.

    Now I get a new error, becides the double login (but i think the issues are related):

    |Remote Desktop can’t connect to the remote computer “CLC.PUBLIC.NET” for one of
    |these reasons:
    |1) Your user account is not listed in the RD Gateway’s permission list
    |2) You might have specified the remote computer in NetBIOS formatm byt the RD Gateway
    |is expecting an FQDN or IP address format.

    If I try to connect locally using RDP from another server I get this error:

    |The connection was denied because the user account is not authorized for remote login.

    These are the exact same errors that occour if I were to try to RDP to the broker server directly so it appears that HA is up… but not 100%.

      1. RAP/CAP were already working so no changes should be needed… even with the 2nd login I should still be able to get in. It seems that since enabling HA it is trying to actually RDP to the RDCB

      2. Different direction… since I was pounding on this for so long (there may have been other changes I cannot recall), how do I turn off RDCB-HA and go back to plain old RDCB?

      3. You would need to ensure the active RDCB server is the first. Remove the second connection broker from the HA deployment overview and then all settings back to the original.

  6. Ok, I am at this again after taking the weekend off… I am 100% sure that I will run into the same problem so let me know where I am going wrong. When I go to setup the RDCB-HA i have to set a client access name which is “”. I also need to create DNS records so that this resolves somewhere… I know in 2008 the RDS farm functioned as follows:

    1. Client is sent directly to RDSH (because of DNS RR)
    2. Client is directed to query the RDCB for load and availability
    3. Client is connected to final RDSH

    The huge flaw in this is that if one RDSH was down, and DNS RR sent you to that server you would be out of luck. Also, if that server was down for maintenance you would get a connection error and again be out of luck.

    My understanding is that the initial connection goes to the RDCB first so that the client does not get stuck at an RDSH that is offline or in maintenance mode. Upon the initial basic setup of the 2012 farm, I can see that after the gateway, the RDP connection was being sent directly to the name of the broker server. Keep in mind that today the gateway, broker and web services all run on (1) server, and i have (2) RDSH servers.

    So, when i setup my DNS record internally for I assume that it needs to be pointed at the broker server. However that gives me an error that I do not have permission to connect (which is correct) as nobody should actually make and RDP connection to the broker desktop. So where should resolve to? Should it be the RDSH servers? Will 2012 then use DNS RR between the (2) RDSH servers and potentially send a client to a server that is in maintenance mode?

    Any help is appreciated!

  7. Hi Ryan,

    I have wild card certificate for * ( which is applied to RDSWEB and RDSGW role. With Subject alternative names

    Please mention that how to create certificate for domain.local certificates for RDCB and RDCB SSO .

    Should we need to purchase domain.local certificates also or we can create localy ?
    I cant understand domain.local certificates .

    Please help in this regard


    1. You can create a Internal.local (domain.local) Certificate using the Domain AD certificate services or use a wild card certificate for your internal servers from a Trusted root CA. *.internal.local

      Best Regards,

  8. Hi Ryan,

    At the very beginning of this blog you write
    * Use a Wild Card certificate from a public CA for all RDS internal servers. (*.domainname.local)

    I am struggling to identify a public CA where I can get this from. Could you please assist by providing one or more locations where I can acquire a public CA SSL for an internal domain?


  9. Hi Ryan,

    I’m trying to get my RDS certificate problem solved but after several hours of troubleshooting i’m reaching out for help.
    I have four 2012 servers with RDS roles.

    SRV1 is RDS Session Host
    SRV2 is RDS Session Host
    SRV3 Is Connection Broker
    SRV4 with roles: RDGateway and RDWEB

    Wildcard certificate on all rds roles for external
    Internal ca with certificate based on Remote Desktop Authentication (

    I can get to and see all rds rdweb apps without certificate warnings.
    When I start the app I get: name mismatch, request remote, name in certificate from remote computer: *

    I tink i made a mistake assigning all rds roles to the external certificate, but i can not figure out a way to change this to the certifacate that my internal ca gave to my srv3.

    The RDS role wizard lets me change the certificate using a pfx where i can only export the existing certificate to a cer file without the private key. This can not be imported in the rds role wizard.

    On the RDS hosts i can see that CA assigned Remote desktop Computer certificate is in the local store. But when i query WMI the thumbprint of the SSLCertificateSHA1Hash points to a self signed certificate and not to the certificate that has been auto enrolled. The think this is also a problem.

    I tried: $path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -Filter “TerminalName=’RDP-tcp'”).__path
    Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash=”222779121ab46b5e5a1188c9f75e4fb4381f454″}

    But it this comes back with:
    Set-WmiInstance : Invalid parameter
    At line:2 char:1
    + Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash=”222779121ab46b5e …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Set-WmiInstance], ManagementException
    + FullyQualifiedErrorId : SetWMIManagementException,Microsoft.PowerShell.Commands.SetWmiInstance

    and tried:
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”222779121ab46b5e5a1188c9f75e4fb4381f454″}

    Comes back with:
    Updating property(s) of ‘\\SRV1\root\CIMV2\TerminalServices:Win32_TSGeneralSetting.TerminalName=”RDP-Tcp”‘
    Description = Invalid parameter

    I would have startet from schratch, but SRV3 has is root CA and vcenter server so this is not an option.

    So can someone help me with this.

    1. Hi,

      ok just to confirm…

      You can connect to the RDS website with no issues. When you try to load a RemoteApp you receive a certificate miss match.

      If your Session Servers are using the default self assigned certificates you will need to change them.

      wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”Thumbprint” Ensure you are using the PFX otherwise you will see the error Invalid parameter.

      You can change the RDS Connection broker FQDN by deploying a RDS Connection Broker HA, but this would require additional infrastructure.

      Let me know how you get on or if you need anything .

      Best Regards,

  10. Hi,
    I made a high availability TS farm setup , all servers are win2012.
    while accessing from internet I am getting error:
    “The two computers couldn’t connect in the amount of time allotted.”
    I followed all the settings mentioned by you.
    Please suggest.

    1. Hi,

      firstly can you confirm that you are using Hyper-V to run your RDS environment ?

      Also check if you can telnet to the RD gateway FQDN on port 443 from the outside. do have a RD Gateway configured, it should have a FQDN and be reachable from the internet. (public DNS).

      are you using a windows xp client to connect ?

      if so check out the following

      Let me know who you get on

      Best Regards,

  11. Hi Ryan,
    Thanks for the quick reply.
    Here r the details:
    RDCB 2VM’s
    RDGW 2VM’s
    MSSQL 2VM’s Failover cluster setup
    Client Windows 7 , RDP client version 7.1

    At network side F5 load balancer is
    Configured with one public IP and one Nat IP is directed to gateway pool(2 IP’s).
    I checked at network side and I am getting packets on both the GW’s.
    When I try to connect from win 7 client via Internet, I am able to connect , and RD gateway manager’s monitoring has displayed my successful connection.
    I got it on both GW’s, and it makes sure that my load balancer setup is working fine.
    Only issue is this setup works sometimes and sometimes I am getting the error
    “The two computers couldn’t connect in the amount of time allotted.”
    I checked all the logs on all server , there is no error or negative points.
    It seems system is unstable, Please suggest.


    1. Hi Raghu,

      you will need to patch your windows 7 clients with RDP8, please see the following link (this could be the main cause of your problem.

      In VMware, Can you ensure that you are using a E1000 network adapter on all of your VMs. Can you also make sure that you configure all Load Balanced VM with no notify switch settings. please see the following link:

      Can you confirm how you have configured your F5 Load Balancer , are you using two VIPs one for the Web Services and one for the Gateway. I would strongly recommend using KEMP to load balance RDS. F5 requires two VIPs where as Kemp only require one.

      To troubleshoot your configuration, you would need to enable RDMS UI tracing. please see the following link:

      The RDS 2012 solution is stable, I can confirm this as it has been deployed into production with over 12000 users.

      Let me know how you get on .

      Best Regards,

  12. Hi Ryan,
    I changed the NIC VMX3 to E1000.
    And only one IP is configured using KEMP.
    Changed the RDP ver on Win7 Client.
    Already enabled the trace after reading your blogs.
    Still on 40% attempts I am getting same error. “he two computers couldn’t connect in the amount of time allocated.”
    Still all logs are positive. 😦


    1. Hi,

      Have you configured the gateway farm in the gateway settings and created both types of policy.

      It must be a configuration issue if there are no errors in the event log. Can you confirm your kemp settings and have you configured no notify switch for the load balanced port group.

      Can you confirm your ISP bandwidth ? And what you are publishing through your firewall to public.

      Have you configured network level authentication ?

      Let me know how you get on .

      Best regards,

  13. Hi Ryan,

    I’ve read all your articles on RDSH certificate errors but I still get the name mismatch (per Damian’s ).

    I have:
    RDCB HA with DNS set to records pointing to internal RDCB IPs
    RDSH1.domain.local and RDSH2.domain.local in the Collection
    * cert imported and thumbprint set on RDSH servers

    Connections are from external so it connect to &
    But then I get the certificate name mismatch!
    How do I stop this and have the RemoteApp connect to instead of domain.local?

    BTW – thanks for filling the gaps in Microsoft’s documentation!


      1. Yes, RDGW is gateway.
        The public cert is applied successfully and trusted in all 4 locations (Web, Gateway, Broker SSO & Publishing).

        The only cert error is when the RemoteApp actually launches saying name mismatch – name of server RDSH1.domain.local, name of certificate *

      2. check the thumbprint for RDSH1 and ensure the cert is applied.

        Just to confirm, there are three locations where you need to configure the Certificates. The first is under Deployment properties, second is each session host, and thirdly the RD Gateway manager on the RDGW. Have these all been configured. If your Session host is showing the local name rather than the wild card, this would indicate a issue with the wrong SSL cert.

      3. If your internal domain is .local then when you connect externally you will see the .local certificate miss match. There are various ways round this, some use IP address,s rather than DNS in SAN certificates, some publish the root internal ca certificate to all clients or you could try modifying the DNS. This is a issue which effects a lot of organisations due to the .local prefix. What Client versions are you using. ?

      4. Client versions are 7 and 8.
        App is published to external users so install of Internal CA not possible.
        It sounds like my options are to buy a .local certificate (or IP in SAN) but both are only valid until Nov 2015.
        I can’t understand Microsoft logic for signing this way – surely Gateway and Broker publishing are sufficient.
        Thanks Ryan for clarifying my issue!

      5. You cannot buy a .local certificate, in the pas Microsoft have recommended changing ad from a .local to a .com. This is unrealistic so I would recommend using custom rdp property’s which should resolve your issue.

        Let me know know you get on.

  14. Yes, the wild card cert is applied in Deployment, Session Host and RD Gateway.
    The Session Host is presenting the wild card cert correctly, but the name mismatch says that I am connecting to the RDSH1.domain.local.
    How can this final connection to the SH be changed to a name?
    Do I need to create records in my internal DNS and change the hosts in the Session Collection to use these external names?

    FYI – the Broker HA DNS name is
    In the internal DNS, I have setup A records for this external name and pointed it to the internal IPs of both RDCB servers.

    Thanks for your help!

    1. Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty “use redirection server name:i:1 `n alternate full”

      Try running the following powershell cmdlet, which will change all the following

      Remote computer:
      Gateway server:

      You should then see no miss match.

      Let me know how you get on, and make sure you modify the collection name in the cmd let.

      Point to note you will need to include all custom property’s into one script with a linefeed between each.

      1. The script executed and updated the remote name.
        My results are changed to:
        Publisher: *

        But before the RemoteApp launches, I still get the cert mismatch:

        Requested Remote Computer: RDSH1.domain.local
        Name in Certificate: *

        It seems impossible to change the SH name (without domain rename!)

      2. You can disable the check by using ” authentication level:i:0 ”
        In the custom rdp property’s.

        Or it looks like a SAN cert is required with the rdsh local IP address’s included.

    2. Yes this is very annoying, I have the same issue. Lesson learned – always use an external subdomain e.g. and not domain.local.

  15. Genius!!
    Problem solved after setting authentication level:i:0
    That’s 2 days of banging my head put right.
    Many, many thanks!

  16. Do you have any guides or information on how to create the certificate with an internal Certificate Authority and then use that Cert.?

  17. Hello Ryan,

    I have published RD GW and RD WEB, it’s accessible from external and I need to configure SSO, I create certificate from local CA so I think that step “Configuring RDSH Server Certificates” and for group policy if I configure group policy with FQDN of the RD Connection Broker, is that mean that I have to publish RD Connection Broker ? or internal FQDN is enough ?

  18. hi,
    I am getting the below error:

    – Provider

    [ Name] Microsoft-Windows-CAPI2
    [ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}

    EventID 41

    Version 0

    Level 2

    Task 41

    Opcode 2

    Keywords 0x4000000000000005

    – TimeCreated

    [ SystemTime] 2013-11-18T14:05:33.545838000Z

    EventRecordID 20991


    – Execution

    [ ProcessID] 596
    [ ThreadID] 1460

    Channel Microsoft-Windows-CAPI2/Operational


    – Security

    [ UserID] S-1-5-18

    – UserData

    – CertVerifyRevocation

    – Certificate

    [ fileRef] EC843B9D194A352C279F761A29D6FFA25BCF29CE.cer
    [ subjectName]

    – IssuerCertificate

    [ fileRef] 4A8A2A0E276FF33B5DD88A362146010F2A8B6AEE.cer
    [ subjectName] VeriSign Class 3 Extended Validation SSL SGC CA

    – Flags

    [ value] 8

    – AdditionalParameters

    [ timeToUse] 2013-11-18T14:05:21.469Z
    [ currentTime] 2013-11-18T14:05:21.469Z
    [ urlRetrievalTimeout] PT15S

    – RevocationStatus

    [ index] 0
    [ error] 80092013
    [ reason] 0
    [ thirdPartyProviderUsed] C:\Windows\System32\cryptnet.dll

    – EventAuxInfo

    [ ProcessName] lsass.exe

    – CorrelationAuxInfo

    [ TaskId] {DB8F5E95-917B-4F12-A00A-E4FA042035A8}
    [ SeqNumber] 5

    – Result The revocation function was unable to check revocation because the revocation server was offline.

    [ value] 80092013

    from CAPI2 logs on RD gateway. this is Verisign CA certificate.
    Please suggest how to remove that.

  19. Hi Ryan,

    I have RDS 2012 setup in Azure cloud. I’ve configured AD as and not as domainname.local, so all the machine with RDS roles have FQDN as “” and so are the certificate names.
    Will it create any problem in future when i try to map external certificates from public CA ?

      1. we are yet to procure the public CA. i’m using self signed certificates for now and its all working as expected. But want to ensure that using public CA in future will not cause any problem.

  20. I procured a public cert from NetSol, but I do no think I created the certificate request file correctly. I created it from IIS on that server running RDGW. How do I correctly create a certificate request for the RDGW?

  21. Hi, I applied your script for the RDSH using a single name certificate. As from now I cannot connect to the RDS server with an RDP client. I get an error in the eventlog on the RDS server, id 36870 : “A fatal error occured when attempting to access the ssl server credential private key…” What can I do? Can I revert to the default setting?

      1. Maybe I ordered the wrong certificate for this purpose, it is a Thawte SSL 123 certificate just with the FQDN for the internal RDS server, like:
        For the external connection I use same type of certificate, like I can connect with browser to the rdweb interface, but again when I start an application I get the SSL server credential private key error.
        Some sites indicated to add the read permission for “Network Service” to the certificate file in the crypto folder.

  22. Hi Ryan,

    I am trying to setup a wildcard cert in my RDS deployment. I am running all roles on one server. I have a GoDaddy wildcard cert that I have exported to a pfx file. I have the cert successfully installed on the Connection Broker Publishing role. However all other roles spit out an error stating:

    “Could not configure the certificate on one or more servers. Ensure that the servers are available on the network and apply the certificate again.”

    On the Manage certificates page I have Level as trusted, and status as error on all failed certs. Any thoughts?

    Thanks so much for your help.

      1. I redid the pfx export this time with default values, leaving the box unchecked for “export all extended properties” and “delete private key if export is successful.” Thanks Ryan!

  23. Hello Ryan,
    I set up first RDS server. Published APPV app (from APPV server) to it.
    I can access this app from Windows 7 client by https://rds_name/rdweb.
    So first part is done. Now I need to provide only shortcut for this published APP in seamless for users way
    So need to deal with certificate first and then appropriate GPO and other things.

    1. would self signed certificate be enough for INTERNAL ONLY use? If not what is the real impact?
    There is no problem with purchasing a trusted one. But I don’t want to complicate things if possible to leave it simple.
    Clearly understand the need of Trusted cert for External use.

    2. I saw your multiple blogs with excellent advices. Could you please put steps for providing a shortcut in the scenario that I described above: APP is accessible from https://rds_name/rdweb
    RDS 2012 R2 and Windows7 client

    3. Let say I achieved my final goal and the icon is published on user Desktop. Can I add a next RDS server for LB or the farm should be created before starting to publish apps?


  24. I need to do Virtual machine based RDS with HA. So i tried the steps mentioned above and done collection creation with one desktop. Collection alone can see in other machine when one shutdown but the desktop in that collection is not shown under collection. But i can see that desktop in Hyperv manager and failover cluster manager (because of cluster i hope). Please let me know whether the above setup will support Virtual machine based desktop deployment or need to do anthing additionally to achieve.

  25. Hello Ryan

    Fantastic article! Helped me very much! But I’m stuck changing the cert wthi the wmi command or powershell… I tried almost everything, get always “Invalid Parameter” I tried with some automatically assigned certs from our PKI, with these ones the command works without problems. When I try with the thumbprint from the external cert, I get always the Invalid parameter… Are there any requirements for the external wildcard cert? I also imported the cert in the Personal Store, there I can see it an take the thumbprint from there.

    Thanks for any help!


      1. Hi Ryan. As my external cert provider doesn’t offer me a .pfx I couldn’t use the script. But thanks to this I found out the problem; I imported the .cer to the personal store, this seams not working. I imported then the .p12, after this the wmi way or powershell worked.
        Perhaps this helps also other people with the same problem.
        BR Marcel

      2. You should create the certificate using IIS. Purchase your Public Certificate. Complete the certificate in IIS and then export as PFX.

        That’s all you need to do.

  26. Hello,
    we created an RDS farm (one broker server and 2 RDSH servers) We did not install RDG, because we want the farm to be accessed only internally. When we access the farm by Remote Desktop, log in and we have the warning screen “the identity of the remote computer can not be verified…). We created a cert in the broker server, registered it with godaddy, (something like, and we installed it on the broker. In the deployment properties for the collection the rd connection broker – enable SSO, rd connection broker – publishing and rd web access we have this certificate installed and the level is trusted BUT when we access the farm: from remote desktop, log in, we have the warning screen “the identity of the remote computer can not be verified…). We looked few days on internet, no luck. The environment is Windows server 2012. Any ideas?
    Thank you,

  27. Hi Ryan, Thanks for the write-up. You’re posts are a huge help but I’m still having significant problems when trying to publish externally. My current setup is as follows:

    web.mydomain.local – web access and gateway roles
    broker.mydomain.local — broker and licensing roles
    shost.mydomain.local — session host server

    All are internal and domain joined. We have a TMG in the dmz and split dns with records pointing to On the outside points to the public ip of the TMG and internally it points the internal address of the TMG. The tmg forwards all requests for -> web.mydomain.local

    – The TMG has a wildcard cert (was already there for other purposes) for *
    – web.mydomain.local has a cert from internal CA for web.mydomain.local in its personal store and bound in IIS. This cert is also used the Deployment properties for the RD Web Access and RD Gateway and shows as trusted/OK
    – broker.mydomain.local has a cert from the internal CA for broker.mydomain.local in its personal store and this cert is also used in the Deployment properties for the Broker-Publishing and Broker-SSO sections and shows trusted/OK

    Internally every thing appears to work. I can go to and it goes, allows me to login and when I launch a remoteapp it asks if I trust the publisher and launches.

    Externally I can hit and login. However when I try to launch a remoteapp it pops up and asks if I trust the publisher (it shows web.mydomain.local as the gateway and broker.mydomain.local as the host). When I hit ok it then gives the error that I can’t connect (either rd gateway isn’t running or can’t be found)

    So now I’m lost. Do I need to try and take the wildcard cert for * that is on the TMG and use that for all for all places in the Deployment Properties? Or do I need a separate wildcard for *.mydomain.local from a trusted public CA? Or is my problem as simple as just using the powershell to set the custom property?
    Set-RDSessionCollectionConfiguration –CollectionName ” ” -CustomRdpProperty “use redirection server name:i:1 `n alternate full address:s:”
    Finally should the gateway server name in the Deployment Properties be web.mydomain.local or
    Any help would be supremely appreciated and from what I’ve read maybe be helpful to folks with a similar set. Thanks so much.

  28. Hi Ryan,

    Thanks for this article, has really helped me get this up and running. I have everything working but with one caveat. I run the Powershell script you provided which converts the .local name to the name and it then works. If I then make changes on the Session and apply them, this change seems to disappear and I have to re-run the Powershell script again. Is there any way to make this change permanent? I can foresee issues otherwise since I am only deploying the environment and not supporting it – it would be embarrassing if the client could no longer access because someone changed something and forgot to run the Powershell command.

    Many tnanks,


  29. Is there a method to troubleshoot SSO issues, the issue being I get prompted for double credentials when going to the website. I have followed every guide I can find on how to make SSO work and I am confident I have them working but obviously something is not working. I don’t want to run through all of the steps I have done, I would love to know where it’s logged so maybe I can find a clue there. Thank you

  30. Regarding “Configuring RDSH Server Certificates”

    This seems to no longer work after (for 2012 r1, at least) applying the MS updates for patch Tuesday for December.
    Can anyone confirm and anyone know how to solve this ?
    My users at are now warned that the certificate of the server they are connection to is not the one that they use to use (RDS.someinternaldomain.local) but FQDN of server.

  31. I have a 2012 R2 environment with one RDS server sucessfully installed, session based, license server. Now I am installing a second RDS server with RD Web Access to optimize one particular app. Installed fine, pointed to license server, no error on license diagnostics. I have a wild card cert. The cert installs OK for Connection Broker SSO and Connection Broker Publishing, but when I install it for RD Web Access it says Level is Trusted but says Status is Error. The message displayed is “Could Not configure the certificate on one or more servers. Ensure that the servers are available…” The powershell command Get-RDCertificate shows all 3 as Trusted with no reference to the Error. I can make a connection via /rdweb, but that Error status in the gui make me nervous to deploy in production.

  32. Even if you apply the WMI script on the session host you will get the Certificate Mismatch when using RemoteApps. And that is ONLY if the connection broker and the session host roles are on the same server.

    Keep CB and SH on different servers
    Apply Wildcard certs
    Enable CustomRDPProperty alternate full
    Apply WMI script on each SH with your public cert.
    all done.

  33. When dealing with a farm; every role is on a different server. We get a certificate prompt saying the root certificate is not trusted. The session host server is using a self-issued certificate.

    We have a SAN cert from GoDaddy for our RDS env. Do I need to include every single Session Host server on that public certificate?

    When connecting to the session host server, is it the connection broker saying the certifcate is not trusted, or is it the end user client saying the certificate is untrusted?

  34. Maybe you can help me. I have a 3 RDHS Farm with on RDCB server who is also the RDWA server… external users so no Gateway required. I configured the SSL Certs under “edit deployment” to use for the RD Connection Broker SSO and Publishing. The certs are “trusted” and I created a Round Robin DNS to the Farm Name. For the life of me, I can’t get SSO working for RDP (Full Desktop) sessions yet it works for RemoteApps through the Web Access Server. I’m getting a server mismatch error since I’m trying to connect through the name of the farm rather than the name of the server. I have this working flawlessly in Server 2008. Any ideas??

    1. is this a public certificate or a internal one. are the users accessing using external devices ? you should look also look at applying a certificate to the session hosts

  35. I am trying to figure out how to use our current certificate authority, Server 2003 machine, to give a .pfx file that will work. I cant seen to get the RDS to have trusted certs installed from the 2003 CA server. I believe this is giving me issues with my SSO. Any help would be great

  36. Many thanks. I used your guide to help get RDS 2012 up and running a few years ago.

    Any chance you are going to make a section on renewing certs? Now the time is coming to renew certs, I am not sure if the process is basically the same?


  37. Hello Ryan!

    I recently created a farm. Using a * cert and started the HA for CB. Everything was great with certificates until I added another CB. Now I get a cert mismatch. I re-applied the cert form signing/pub etc for CB but still have errors?

  38. Private SSL RDS2012R2
    create self ssl use certreq. Testet on 2012R2 RDS.
    certreq -new certutil star.domain.no_root.cer

    Export pfx fil from certifcates personal “mmc”
    Use star.domain.no_root.cer crtfile on clients. (deploy with gpo)

    Install on Connection brokers roles- Configure Deployement
    RD Connection Broker – Enable Single Sign On – status OK
    RD Connection Broker – Publishing – status OK
    RD Web Access – status OK

    create txt file “ ” replace with yours.
    Signature = “$Windows NT$”


    Subject = “cn=*”
    MachineKeySet = false
    KeyLength = 2048
    HashAlgorithm = sha256
    Exportable = true
    RequestType = Cert

    ValidityPeriod = “years”
    ValidityPeriodUnits = “1000”


    On all RDS Host servers
    – get thumbprint for cert
    – Powershell: Get-Childitem Cert:\LocalMachine\My
    – from cmd: wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”Tumbprint”

  39. I am having some issues I am hoping you can shed some light on …..cert mismatch issue between .local and .com – my config is:
    RDS01 – Session Host
    RDS02 – Web, Broker, Gateway
    DC01 – Licensing

    I have Internal DNS setup for, and

    Wildcard cert being used *
    I can login to webaccess fine and launch Session Collection, but get the issue of:
    Name mismatch:
    Requested remote computer rds01.domain.local
    Name in the certificate: *

    I tried to follow the steps by using Set-RDSessionCollectionConfiguration to but this did nothing. I also used the wmic to change TS listener but all to no avail.

  40. Ryan,

    If I set the PublishName to the external DNS FQDN on the cert via the script or your command, I receive the following error:
    Remote Desktop can’t connect to the remote computer “” for one of these reasons:
    1) Your user account is not listed in the RD Gateway’s permission list.
    2) You might have specified the remote computer in NetBIOS format.

    Any ideas?


      1. Yes. It is incredibly frustrating. It acts like it cannot resolve the FQDN. Just to be sure, I created a zone on the DNS servers the Gateway/Connection Broker uses for the external FQDN and created an A record pointing to the internal IP. I have done this before for another client without issue. Scratching my head on this one.

      2. Side note. If I run the script and change the Publishname back to the internal FQDN, users can connect but they get the cert mismatch.

      3. I figured out my issue. I had to add the external FQDN to the gateway manged computer group.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at

Up ↑

%d bloggers like this: