How to view a trusted certificate in the Remote Desktop Connection client

remote desktop

When you use the Remote Desktop Connection client to connect to a remote computer that does not have a valid SSL certificate, you are presented with a box similar to this:
RDP certificate error

I already know how to deal with this, to make the box not appear at every connection ("check Don't ask me again…"). I also know how to make the box reappear after "Don't ask me again" has been checked. (There are several posts to this effect here on superuser.) An option in this dialog allows you to review the server certificate.

My question is when using Remote Desktop Connection client to connect to a server that has a valid certificate issued by a trusted certification authority, how do I view the certificate? (Assume that I do not have access to the certificate store on the remote server.)

In the connection bar of Remote Desktop Connection version 6.3.9600 there appears a padlock, similar to what you might see in a web browser. However, clicking on the padlock only reveals MSTSC Padlock dialog

Again, how do I view the certificate used by Remote Desktop Connection when the certificate is valid?

EDIT: In my initial testing, I was using a client PC (non-domain) to connect to the server on the same subnet. The security (padlock) icon in MSTSC indicated authentication by kerberos. A subsequent test from a PC on a remote network indicated authentication by server certificate, and gave me the option to view the certificate.

So now I am wondering why the local connection authenticated by kerberos and the remote connection by certificate?

Best Answer

Kerberos doesn't use certificates. If the connection was secured with Kerberos then there is no certificate to view on this connection.

Related Solutions

Networking – Certificate issue on remote desktop

Is this normal -

Yes it is, Windows Vista/2008+ secures the remote connection with a self signed certificate. This certificate only exists on the server and until you import it on your machine, you will get a warning.

How to fix -

You can view the certificate then import it to your local store and it will be trusted.

The reason for this is simply in a large corporate environment, with their own certificate authority, they can give every machine a certificate, and, as the root will be trusted, all computers will "know" each other automatically.

as for the attention icons, I can't help you here - this sounds like you have networking issues on your machine (local only/no internet etc.) and that is a completely separate question that I need more information on to help you with.

Windows 7 Remote Desktop Connection Save Credentials not working

i found the solution. It was at the same time both subtle, and obvious.

As mentioned in the question, when i was modifying the following Remote Desktop Connection Client Group Policy settings:

Prompt for credentials on the client computer
Do not allow passwords to be saved

i was checking them on the server:

enter image description here

i thought it would be the server that dictates what the client is allowed to do. Turns out that is completely wrong. It was @mpy's answer (while incorrect), which led me to the solution. i shouldn't be looking at the RDP client policy on the RDP server, i need to look at the RDP client policy on my RDP client machine:

enter image description here

On my client Windows 7 machine, the policy was:

Do not allow passwords to be saved: Enabled
Prompt for credentials on the client computer: Enabled

i do not know when these options were enabled (i did not enable them in recent memory). The confusing part is that even though

Do not allow passwords to be saved

is Enabled, the RDP client would still save password; but only for servers below Windows Server 2008.

The truth table of functioning:

Do not allow saved  Prompt for creds  Works for 2008+ servers  Works for 2003 R2- servers
==================  ================  =======================  ==========================
Enabled             Enabled           No                       Yes
Enabled             Not Configured    No                       No
Not Configured      Enabled           Yes                      Yes
Not Configured      Not Configured    Yes                      Yes

So there is the trick. The group policy settings under:

Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client

on the client machine need to be configured with:

Do not allow passwords to be saved: Not Configured (critical)
Prompt for credentials on the client computer: Not Configured

The other source of confusion is that while

a domain Enabled policy cannot override a local Disabled
a domain Disabled policy can be overridden by a local Enabled policy

Which again leads to a truth table:

Domain Policy   Local Policy    Effective Policy
==============  ==============  ==============================
Not Configured  Not Configured  Not configured (i.e. disabled)
Not Configured  Disabled        Disabled
Not Configured  Enabled         Enabled
Disabled        Not Configured  Disabled
Disabled        Disabled        Disabled
Disabled        Enabled         Disabled (client wins)
Enabled         Not Configured  Enabled
Enabled         Disabled        Enabled (domain wins)
Enabled         Enabled         Enabled

Best Answer

Related Solutions

Networking – Certificate issue on remote desktop

Windows 7 Remote Desktop Connection Save Credentials not working

Related Question