Saturday, 10 October 2020

RDP File Signing


Removing unknown publisher errors from RDP connection files

Ever seen this error or had it reported by a customer?

The publisher of this remote connection can’t be identified. Do you want to connect anyway?

The publisher name is shown as "Unknown publisher".

[Image: Unknown RDP Publisher]

Getting rid of this is a two-step process: first sign the RDP file, then configure your clients to trust the signing certificate. Unfortunately the second step is only possible through a policy setting, so the client machine needs to be domain joined or you must edit the local policy of the client.

Signing the RDP File

Signing the RDP file is done with the rdpsign tool. I found it built in on Server 2012, Windows 10 and Server 2019, so it looks like it's there across the board. I don't think the certificate requires anything special except for the Digital Signature key usage. I tested this with both a public wildcard certificate issued by Let's Encrypt and with an AD Certificate Services issued "Code Signing" certificate. Presumably this would also work with a self-signed certificate, since the thumbprint is pinned later in group policy.

The /sha256 switch appears to be missing in earlier versions (2012, non-R2), but I used the /sha1 switch in its place and it accepted a SHA-256 certificate.

Run the command as follows:

rdpsign.exe /sha256 <certificate thumbprint> filename.rdp

[Image: Example output from rdpsign]

Once signed, if you open the .rdp file in Notepad you'll see a signature block at the bottom of the file. Modifying any of the settings covered by the file's signscope element will cause the original unknown publisher warning to reappear.

[Image: Example signed RDP file]

Now that the file is signed, the first step is complete, but a different warning appears asking whether you trust the publisher. The publisher listed is the subject name of the certificate used.

[Image: Example signed publisher warning]

Setting the SHA1 hash in policy

To actually make the warning go away, the "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" policy setting needs to be configured. In group policy the setting lives at the path below; the list is comma separated, and there is an equivalent setting under User Configuration.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Here it is in a GPO:

[Image: Policy location]

Once the policy is set, update group policy on the client and reopen the .rdp file.
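As an added example (my own PowerShell, not the author's or Microsoft's), the following script wraps both steps: it checks the certificate carries the Digital Signature key usage, runs rdpsign.exe with the /sha1 fallback for older builds, confirms the signature block was written, and reports whether a thumbprint is already in the machine-level trusted-publisher list. It assumes rdpsign.exe is on PATH, that signed files carry signscope:s: and signature:s: lines, and that the policy is backed by the TrustedCertThumbprints value under the registry key named below.

```powershell
# Assumed location of the "trusted .rdp publishers" policy value (from the Terminal Services ADMX;
# verify on your build). A GPO or local policy writes a comma-separated list of SHA1 thumbprints here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Normalize-Thumbprint([string]$Thumbprint) {
    # certlm shows thumbprints with spaces; rdpsign and the policy list want them bare and upper case.
    return ($Thumbprint -replace '\s', '').ToUpperInvariant()
}

function Sign-RdpFile {
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string]$RdpFile)
    $Thumbprint = Normalize-Thumbprint $Thumbprint

    # The post reports Digital Signature as the only key usage rdpsign needs; fail early if it is missing.
    $cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My or LocalMachine\My" }
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and -not $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
        throw "Certificate $Thumbprint lacks the Digital Signature key usage"
    }

    # Sign in place. Server 2012 (non-R2) lacks /sha256, so fall back to /sha1 as the post describes.
    & rdpsign.exe /sha256 $Thumbprint $RdpFile
    if ($LASTEXITCODE -ne 0) {
        & rdpsign.exe /sha1 $Thumbprint $RdpFile
        if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }
    }

    # A signed file ends with a signscope line (the settings covered) and a signature line;
    # editing any covered setting invalidates the signature and brings the warning back.
    $content = Get-Content $RdpFile
    $scope = $content | Where-Object { $_ -like 'signscope:s:*' } | Select-Object -First 1
    if (-not $scope -or -not ($content | Where-Object { $_ -like 'signature:s:*' })) {
        throw "No signature block found in $RdpFile after signing"
    }
    [pscustomobject]@{ File = $RdpFile; Publisher = $cert.Subject; SignedSettings = $scope.Substring(12) -split ',' }
}

function Test-TrustedRdpPublisher {
    # Reports whether a thumbprint appears in the machine-level policy list on this client.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $Thumbprint = Normalize-Thumbprint $Thumbprint
    $raw = (Get-ItemProperty -Path $PolicyKey -Name TrustedCertThumbprints -ErrorAction SilentlyContinue).TrustedCertThumbprints
    $trusted = @($raw -split ',' | ForEach-Object { Normalize-Thumbprint $_ } | Where-Object { $_ })
    [pscustomobject]@{ Thumbprint = $Thumbprint; Trusted = ($trusted -contains $Thumbprint); PolicyList = $trusted }
}

# Usage: Sign-RdpFile -Thumbprint '<certificate thumbprint>' -RdpFile .\filename.rdp
#        Test-TrustedRdpPublisher -Thumbprint '<certificate thumbprint>'
```

Run Test-TrustedRdpPublisher on the client after gpupdate; if Trusted is $false the policy has not applied (or was set in the User Configuration path, which this check does not read).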

[Image: gpupdate output]

And now there is no warning!

[Image: no warning]

Written with StackEdit.
