security - Where is my RDP server certificate stored?
2014-04
Given the recent issues of Man-in-the-Middle attacks, i actually paid attention to the warning i get when connecting to a server:
Selecting View Certificate, i was going to check the SHA1
Thumbprint:
Issued to: corsair
Issued by: corsair
Valid from: 9/5/2013 to 3/7/2014
Thumbprint (SHA1):e9 c5 d7 17 95 95 fd ba 09 88 37 d8 9f 49 5e b8 02 ac 2b e2
and make sure it matches whats on the server. i connected anyway, then using certmgr.msc
, searched for the certificate (i.e. "Issued to corsair"):
There it is, the only one on the machine. But wait, that's not the same key:
The certificate i am presented through RDP is different than the one on the server:
Issued to: corsair
Issued by: corsair
Valid from: 4/6/2013 to 8/7/3012
Thumbprint (SHA1):c5 b4 12 0d f6 4f b3 e7 a8 59 cd 4d e4 0e cb 5b 18 a1 42 92
Either there already is a Man-in-the-Middle, substituting fake certificates for RDP connections, or the certificate being presented by the RDP server is not visible in certmgr.msc
.
Assuming i don't have CSIS monitoring my (non-domain) LAN: where can i find the certificate that RDP will present to connecting clients?
Server: Windows Server 2012 Standard
Note: Also applies to Windows 8. Also could apply to Windows 7, and earlier, and Windows Server 2008 R2, and earlier. Because even though, right now, i'm connecting to a server; i also connect to my Windows 7 desktop PC from the Internet - and i want to validate that i am seeing my actual desktop.
Keywords: How to change my Windows 8 Remote Desktop Connection SSL certificate? How to specify my Remote Desktop certificate?
This is answered here:
It (the Remote Desktop Configuration service) [...] created the certificate. Doing so generates an event log message:
Log Name: System Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager .... Description: A new self signed certificate to be used for Terminal Server authentication on SSL connections was generated. The name on this certificate is servername.domain.com . The SHA1 hash of the certificate is in the event data.
Go to eventvwr.msc
, look up events by TerminalServices-RemoteConnectionManager
in System
and you will get all the different times when the RDP service (re-)created its server key, along with the SHA-1 hash of each key.
see the below link:
Certificate issue on remote desktop
I have 2 PCs with Windows 7 Ultimate. Both are in NETHOME
, and are connected with a crossover cable.
PC 1: computer name = alfa
-> (main PC) , IP = 192.168.0.1
PC 2: computer name = beta-lap
->(laptop) , IP = 192.168.0.2
When I want to remote in to one of these PCs from the other, I get this error:
Full Title :
Remote Desktop Connection
Body Text :
The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
Certificate name
Name in the certificate from the remote computer:
blablabla
Certificate errors
The following errors were encountered while validating the remote computer's certificate:
The certificate is not from a trusted certifying authority.
Do you want to connect despite these certificate errors? [Yes] [No]
[ ] Don't ask me again for connections to this computer
I can bypass it by checking "connect despite these certificate errors", and can then view the remote computer. But is this normal?
Also, there is an attention icon on the network connection icon in each computer's system tray. What is the problem with this little network?
Is this normal -
Yes it is, Windows Vista/2008+ secures the remote connection with a self signed certificate. This certificate only exists on the server and until you import it on your machine, you will get a warning.
How to fix -
You can view the certificate then import it to your local store and it will be trusted.
The reason for this is simply in a large corporate environment, with their own certificate authority, they can give every machine a certificate, and, as the root will be trusted, all computers will "know" each other automatically.
as for the attention icons, I can't help you here - this sounds like you have networking issues on your machine (local only/no internet etc.) and that is a completely separate question that I need more information on to help you with.
The suggestions above "just check the box" completely breaks the chain of trust. This is especially important in any enclave that represents a Point of Sales (POS) environment. It is the application supplier legal responsibility "Due Care" to engineer that completed chain of trust pedigree. There are several available exploits that takes advantage of a broken chain of trust. An POS Audit should identify shortfalls such as this. Hopefully the supplier will take corrective action and complete that required chain of trust.
You can follow Wil's answer and fix it, but since you know you are connecting to a computer you KNOW is safe, you can check the box to ignore the certificate.
The certificate is just designed to make sure you can trust the host you are connecting to (whether with Remote Desktop, as in this case, or a web site using HTTPS), and you know you can trust it in this case since it is your computer.
You can import the certificate, but why bother "fixing" this when you can just check the box, and move on?