security - Where is my RDP server certificate stored?

13
2014-04
  • Ian Boyd

    Given the recent issues of Man-in-the-Middle attacks, i actually paid attention to the warning i get when connecting to a server:

    enter image description here

    Selecting View Certificate, i was going to check the SHA1 Thumbprint:

    Issued to: corsair
    Issued by: corsair
    Valid from: 9/5/2013 to 3/7/2014
    Thumbprint (SHA1): ‎e9 c5 d7 17 95 95 fd ba 09 88 37 d8 9f 49 5e b8 02 ac 2b e2

    and make sure it matches whats on the server. i connected anyway, then using certmgr.msc, searched for the certificate (i.e. "Issued to corsair"):

    enter image description here

    There it is, the only one on the machine. But wait, that's not the same key:

    enter image description here

    The certificate i am presented through RDP is different than the one on the server:

    Issued to: corsair
    Issued by: corsair
    Valid from: 4/6/2013 to 8/7/3012
    Thumbprint (SHA1): ‎c5 b4 12 0d f6 4f b3 e7 a8 59 cd 4d e4 0e cb 5b 18 a1 42 92

    Either there already is a Man-in-the-Middle, substituting fake certificates for RDP connections, or the certificate being presented by the RDP server is not visible in certmgr.msc.

    Assuming i don't have CSIS monitoring my (non-domain) LAN: where can i find the certificate that RDP will present to connecting clients?

    Server: Windows Server 2012 Standard

    Note: Also applies to Windows 8. Also could apply to Windows 7, and earlier, and Windows Server 2008 R2, and earlier. Because even though, right now, i'm connecting to a server; i also connect to my Windows 7 desktop PC from the Internet - and i want to validate that i am seeing my actual desktop.

    Keywords: How to change my Windows 8 Remote Desktop Connection SSL certificate? How to specify my Remote Desktop certificate?

    • Answers
  • Dan

    This is answered here:

    It (the Remote Desktop Configuration service) [...] created the certificate. Doing so generates an event log message: 

    Log Name:     System
Source:       Microsoft-Windows-TerminalServices-RemoteConnectionManager 
....
Description: A new self signed certificate to be used for Terminal Server 
authentication on SSL connections was generated. The name on this certificate
is servername.domain.com . The SHA1 hash of the certificate is in the event
data.

    Go to eventvwr.msc, look up events by TerminalServices-RemoteConnectionManager in System and you will get all the different times when the RDP service (re-)created its server key, along with the SHA-1 hash of each key.


    • Related Question

    networking - Certificate issue on remote desktop
  • LostLord

    see the below link:
    Certificate issue on remote desktop

    I have 2 PCs with Windows 7 Ultimate. Both are in NETHOME, and are connected with a crossover cable.

    PC 1: computer name = alfa -> (main PC) , IP = 192.168.0.1
    PC 2: computer name = beta-lap ->(laptop) , IP = 192.168.0.2

    When I want to remote in to one of these PCs from the other, I get this error:

    Full Title :  
Remote Desktop Connection    
Body Text :  
The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.

Certificate name

Name in the certificate from the remote computer:

blablabla

Certificate errors

The following errors were encountered while validating the remote computer's certificate:

The certificate is not from a trusted certifying authority.

Do you want to connect despite these certificate errors? [Yes] [No]

[ ] Don't ask me again for connections to this computer

    I can bypass it by checking "connect despite these certificate errors", and can then view the remote computer. But is this normal?

    Also, there is an attention icon on the network connection icon in each computer's system tray. What is the problem with this little network?


    • Related Answers
  • William Hilsum

    Is this normal -

    Yes it is, Windows Vista/2008+ secures the remote connection with a self signed certificate. This certificate only exists on the server and until you import it on your machine, you will get a warning.

    How to fix -

    You can view the certificate then import it to your local store and it will be trusted.

    The reason for this is simply in a large corporate environment, with their own certificate authority, they can give every machine a certificate, and, as the root will be trusted, all computers will "know" each other automatically.

    as for the attention icons, I can't help you here - this sounds like you have networking issues on your machine (local only/no internet etc.) and that is a completely separate question that I need more information on to help you with.

  • JohnF

    The suggestions above "just check the box" completely breaks the chain of trust. This is especially important in any enclave that represents a Point of Sales (POS) environment. It is the application supplier legal responsibility "Due Care" to engineer that completed chain of trust pedigree. There are several available exploits that takes advantage of a broken chain of trust. An POS Audit should identify shortfalls such as this. Hopefully the supplier will take corrective action and complete that required chain of trust.

  • KCotreau

    You can follow Wil's answer and fix it, but since you know you are connecting to a computer you KNOW is safe, you can check the box to ignore the certificate.

    The certificate is just designed to make sure you can trust the host you are connecting to (whether with Remote Desktop, as in this case, or a web site using HTTPS), and you know you can trust it in this case since it is your computer.

    You can import the certificate, but why bother "fixing" this when you can just check the box, and move on?