The Remote Desktop Services client computer must verify and trust the identity of the RD Gateway server before the client can send the user's password and logon credentials securely and complete the authentication process. To establish this trust, the clients must trust the root of the server’s certificate. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.

As mentioned, this procedure is not required if:

For more information, see Obtain a Certificate for the Remote Desktop Gateway Server.

If the RD Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in Configure Remote Desktop Connection Settings for Remote Desktop Gateway.

Notes
  • If you are configuring the Remote Desktop Services client for use with Network Access Protection (NAP), you must install the RD Gateway server root certificate by using the computer account. If not, you can install the RD Gateway server root certificate by using the user account.
  • For more information about RD Gateway, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter (http://go.microsoft.com/fwlink/?LinkId=140433).

Membership in the Users group or local Administrators group, or equivalent, is the minimum group membership required to complete this procedure. To open the Certificates snap-in for a computer account, membership in the local Administrators group, or equivalent, is required on the Remote Desktop Services client on which you plan to install the certificate. To open the Certificates snap-in for a user account, membership in the Users group on the client is sufficient. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install the Remote Desktop Gateway server root certificate on the Remote Desktop Services client
  1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

    1. Click Start, click Run, type mmc and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

    4. In the Certificates snap-in dialog box, do one of the following:

      • To open the snap-in for a computer account, click Computer account, and then click Next. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

      • To open the snap-in for a user account, click My user account, and then click Finish.

    5. In the Add or Remove Snap-ins dialog box, click OK.

  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.

  3. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.

  4. On the File to Import page, in the File name box, specify the name of the RD Gateway server root certificate, and then click Next.

  5. On the Certificate Store page, accept the default option Place all certificates in the following store (in the certificate store Trusted Root Certification Authorities), and then click Next.

  6. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:

    • Certificate Store Selected by User: Trusted Root Certification Authorities

    • Content: Certificate

    • File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the RD Gateway server root certificate.

  7. Click Finish.

  8. In the Certificate Import Wizard dialog box, click OK.

  9. With Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates selected in the console tree, in the details pane, verify that the root certificate of the RD Gateway server appears in the list of certificates on the client.