I was working on a deployment of Windows 2012 R2 RDS, where I have a couple of servers participating in a session host pool (Collection), one server acting as a broker, and a TS Licensing server.
I have two Session Host servers (SRV1 and SRV2), so I created two DNS records, both with the same host name (Apps.contoso.com) and each one pointing to one of the Session Host servers (DNS round-robin load balancing).
The problem is that when users connect to Apps.contoso.com, they get a certificate warning about a certificate name mismatch.
This is because each Session Host server generates a self-signed certificate with its own server name as the subject, not Apps.contoso.com.
So I created a digital certificate with the subject name Apps.contoso.com and installed it on SRV1 and SRV2, but I could not find any place in the RDS management UI to instruct the session host servers to use my certificate instead of the self-signed one.
Then i found the solution:
- Install the Apps.contoso.com certificate on SRV1 and SRV2 (the session host servers), and take note of the certificate's thumbprint (its SHA1 hash).
- On each session host server, open PowerShell using Admin credentials, and type:
$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="<THUMBPRINT>"}
Note: replace <THUMBPRINT> with the thumbprint of your custom certificate (hex digits only, no spaces).
- Restart both servers
- Use this command to check which certificate hash the listener is currently using:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash
- Or you can set it in a single command instead of the two PowerShell lines above:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<THUMBPRINT>"
It works!
Thanks!
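The same procedure as one script, added here as an example and not taken from the post: on each session host it selects the Apps.contoso.com certificate from the machine store by subject, checks that it is within its validity period, has a private key and allows Server Authentication, writes its thumbprint to the RDP-Tcp listener through the same WMI class, and reads the value back. It assumes PowerShell Remoting is enabled on SRV1 and SRV2 and that the caller is a local administrator on both; the server and subject names are the ones from the post.

```powershell
# Added example, not the original post's commands. Assumes PowerShell Remoting is
# enabled on SRV1 and SRV2 and that the caller is a local administrator on both.
$Subject = 'CN=Apps.contoso.com'   # adjust if your certificate subject has more RDNs
$Servers = 'SRV1', 'SRV2'

$Bind = {
    param([string]$Subject)

    $now = Get-Date
    # Newest certificate for the subject that is currently valid and has a private key;
    # an expired or key-less certificate would break the listener instead of fixing it.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and
                       $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
        Sort-Object -Property NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw "$env:COMPUTERNAME has no valid certificate with a private key for $Subject"
    }

    # If the certificate carries an EKU extension (OID 2.5.29.37), it must include
    # Server Authentication (1.3.6.1.5.5.7.3.1) or RDP clients will not accept it.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        throw "$($cert.Thumbprint) lacks the Server Authentication EKU"
    }

    $wmi = @{ Namespace = 'root\cimv2\TerminalServices'; Class = 'Win32_TSGeneralSetting'
              Filter = "TerminalName='RDP-Tcp'" }
    $listener = Get-WmiObject @wmi
    # Same write as in the post, but the thumbprint comes straight from the store,
    # so there is nothing to copy by hand or mistype.
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

    # Read the value back and fail loudly if it was not stored.
    $applied = (Get-WmiObject @wmi).SSLCertificateSHA1Hash
    if ($applied -ne $cert.Thumbprint) {
        throw "$env:COMPUTERNAME listener still reports $applied, expected $($cert.Thumbprint)"
    }
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Thumbprint = $applied; Expires = $cert.NotAfter }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $Bind -ArgumentList $Subject |
    Format-Table Server, Thumbprint, Expires -AutoSize
```

The Expires column is worth keeping an eye on: the listener keeps pointing at the thumbprint you set, so a renewed certificate has to be bound again by rerunning the script.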