Connect a Windows Mobile 5.0 RF to Windows Server 2012 R2

mobile-devicesrdpremote-desktop-serviceswindows-server-2012-r2

I am having a situation here, where i want to connect an RF that runs Windows Mobile 5.0 to a Windows Server 2012 R2 server that is located on Azure.

It is reasonable for the two OS's to have different RDP versions but i still can't figure out how i am supposed to establish a connection between them. I am able to ping RF from the server and vice versa but when i am trying to connect i am getting the following error message: "Because of a security error the client could not connect to the terminal server".

However i can connect to my Windows 2003 Servers without any problem regardless if they are Terminal Servers or servers that having any other role installed. Of course that's most likely because of the compatible RDP version they have.

On the Windows Server 2012 R2, I have tried to change the Remote Desktop Configuration Host settings by setting Security Layer to "RDP Security Layer" from "Negotiate" and Encryption level from "Client Compatible" to "Low" without any luck.

I should note that on Remote Settings under "My Computer" tab the option "Allow connections from computers running any version of Remote Desktop (less secure)" is enabled instead of the Network Level Autentication option.

Is there something i could really do?

Best Answer

Yeah, I just did it not too long ago actually.

You have to change a few settings in RDS and delete a few registry keys and reboot the server in order to rebuild the certificates with a lower encryption level.

See here for a full walkthrough: http://www.hjgode.de/wp/2014/03/12/windows-server-2012-rds-and-windows-mobile-connection-error/

I'll include the most relevant parts below in case the blog post above ever goes away:

RD License Server Activation Connection Method

To fix that and get compatible certificates re-activate the RD Licensing Server using the Web method. In RD Licensing Manager right-click the server name and select Properties. Change the Connection Method to “Web Browser”. Close Properties with OK and again right click the server and then Advanced-Reactivate. Follow the process to reactivate the server using the web browser.

After reactivation delete the following registry keys and reboot the server!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM

Certificate

X509 Certificate

X509 Certificate ID

X509 Certificate2

These registry keys will rebuild with lower security after reboot (see also [14]).

And, surprise, after reboot Remote Desktop Mobile (Windows CE5, Windows Mobile 6.x and Windows Embedded Handheld 6.5.3) can connect!

Related Solutions

Can’t connect via Windows 2003 RDP to Windows 2008 R2 Server

Theres a Microsoft KB for WinXP that may be relevant. Wouldn't hurt to check and see what's under HKLM\Software\Microsoft\MSLicensing

Ssl – Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode

It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.

UPDATE: Here's a generalized Powershell solution that grabs and sets the thumbprint of the first SSL cert in the computer's personal store. If your system has multiple certs, you should add a -Filter option to the gci command to make sure you reference the correct cert. I've left my original answer intact below this for reference.

# get a reference to the config instance
$tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

# grab the thumbprint of the first SSL cert in the computer store
$thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint

# set the new thumbprint value
swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}

In order to get the thumbprint value

Open the properties dialog for your certificate and select the Details tab
Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
Remove all the spaces from the string. You'll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It's not visible in Notepad.
This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or if PowerShell is your thing, you can use this instead:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Note: the certificate must be in the 'Personal' Certificate Store for the Computer account.

Best Answer

Related Solutions

Can’t connect via Windows 2003 RDP to Windows 2008 R2 Server

Ssl – Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode

Related Topic