04/01/2012

The publisher of this remote connection cannot be identified. Do you want to connect anyway?

When using 2008R2 Remote Desktop Services you might run into the following situation:

When you first start an RDP session you get a warning:
The publisher of this remote connection cannot be identified. Do you want to connect anyway?

Here is how to get rid of this warning by using self-signed certificates:


  • Use makecert to create a certificate
    makecert -r -pe -n "CN=" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -ss My
  • Open up the Certificates MMC
  • Add > My User Account
  • Expand Certificates > Current User > Personal > Certificates
  • Right click the certificate and choose All Tasks > Export, and make sure you export the private key
  • Enter a password and save the file to a location
Now you have a signed certificate, let's start using it:
  • Import PFX into root CA
    winhttpcertcfg.exe -g -i -c local_machine\root -a -p
  • Import PFX to personal
    certutil -f -p -importpfx
Now let's sign the RDP file:
  • Open the certificate details and look at the Thumbprint, copy this information to notepad and remove the spaces.
  • Use the rdpsign command to sign your rdp file, where the hash is the thumbprint
    rdpsign /sha1 name-of-rdp-file.rdp
  • Open the Group Policy Editor
  • Expand Local Computer Policy > Remote Settings > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client
  • Open the setting "Specify SHA1 thumbprints of certificates presenting trusted .rdp publishers" and select Enable
  • Enter the thumbprint again and click OK.
  • Force the policy by using gpupdate /force
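
The signing steps above as one PowerShell script, added here as an example and not part of the original post: it cleans up the thumbprint copied from the certificate details, checks that the matching certificate can actually sign, and runs rdpsign with a dry run first. The parameter names, the two certificate stores it searches, and the reliance on rdpsign's exit code are assumptions.

```powershell
# Added example (not from the original post). Parameter names are assumptions.
param(
    [Parameter(Mandatory = $true)] [string] $PastedThumbprint,  # text copied from the Thumbprint field
    [Parameter(Mandatory = $true)] [string] $RdpFile            # .rdp file to sign
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # the -eku value given to makecert

# Keep hex digits only. This removes the spaces and any invisible characters
# that come along when the value is copied from the certificate dialog.
$thumbprint = ($PastedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "A SHA-1 thumbprint is 40 hex digits; got $($thumbprint.Length)."
}

# Look for the certificate in both Personal stores (assumption: it is in one of them).
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in a Personal store." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key, so it cannot sign.' }

# Collect the enhanced key usage OIDs and warn if code signing is missing.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekus = $cert.Extensions | Where-Object { $_ -is $ekuType } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
if ($ekus -notcontains $codeSigningOid) {
    Write-Warning "Certificate does not list EKU $codeSigningOid (code signing)."
}

# /l is a dry run: rdpsign reports whether signing would work and leaves the file alone.
# Assumption: rdpsign returns a non-zero exit code when it fails.
& rdpsign.exe /sha1 $thumbprint /l $RdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign test run failed (exit code $LASTEXITCODE)." }

& rdpsign.exe /sha1 $thumbprint $RdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign failed (exit code $LASTEXITCODE)." }

# The same value goes into the trusted .rdp publishers policy setting.
"Signed $RdpFile. Thumbprint for the policy setting: $thumbprint"
```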

5 comments:

Anonymous said...

This is clear and great post! Thanks!

Anonymous said...

Although your instructions do work, I have discovered that the true cause of this error is a Windows update. I discovered this because the problem did not surface until after an update. If you remove this one update, you will be able to remove this warning message. The update in question is: KB2592687.
This update installs the RDP 8.0 Terminal Services Client which requires a secured connection. Previous clients did not. This is much simpler than the procedure outlined.

Anonymous said...

... and less secure

Unknown said...

So you fixed it by removing a more secure update... Great admining.

Anonymous said...

Why would you want to uninstall the RDP 8.0 update? That's nonsense. If you really want to proceed to the less secure path of not creating a Certificate you would just have to disable the security confirmation on the RDP client.

Still it would be better to create the Certificate.