
Enterprise Certificate Services and Terminal Services Gateway – Certificate Issuing for Internet Usage

To issue a certificate for the Windows 2008 Terminal Services Gateway using your own installed Enterprise Certificate Authority, out of the box you need to create a certificate request file, request the certificate from the Enterprise CA, install the issued certificate and map the certificate to the TS Gateway.

This can help you if you get errors such as -2146875377 or “the dns name is unavailable and cannot be added to the subject alternative name” or “denied by policy” errors.

In detail these steps are:
Create MMC Console for all steps

  1. On the TS Gateway Windows 2008 server, with the remote administration tools installed, click Start > Run and enter mmc.exe.
  2. Confirm the UAC prompt and add the following snap-ins: Certification Authority (choose the computer on which this role is installed), Certificates (for the local computer account), TS Gateway Manager.

Create a Certificate Request

  1. Expand Certificates (Local Computer)/Personal/Certificates and right-click Certificates>All Tasks>Advanced Options>Create Custom Request.
  2. Click Next on the Before You Begin page.
  3. Choose Web Server as the template. The template type that you chose is the 2nd most important choice you make in this process. Click Next.
  4. Click the Details down arrow and then click Properties.
  5. On the Subject tab, under Subject Name, select Common Name under Type and enter the fully qualified DNS name that clients will use across the internet to reach this TS Gateway. Click OK when the names you are using have been added to the list on the right of the dialog. The correct value for the common name is the 1st most important choice you make here.
  6. Click Next.
  7. Enter a file name and click Finish.

Upload Certificate Request to Enterprise Certificate Authority

  1. Expand the Certification Authority node in the MMC you created above.
  2. Right-click the CA name and choose All Tasks>Submit New Request.
  3. Browse and select the request file created in step 7 in the previous section.
  4. Save the issued certificate with a .cer file extension.

Install the Certificate on the TS Gateway Server

  1. Expand Certificates (Local Computer)/Personal/Certificates and right-click Certificates>All Tasks>Import and click Next.
  2. Browse to the file created in step 4 in the previous section.
  3. Click Next twice.
  4. Click Finish. You will be told the import was successful.

Map Certificate to TS Gateway

  1. Expand TS Gateway Manager in the MMC.
  2. Right-click your TS Gateway server and choose Properties.
  3. Select the SSL Certificate tab and ensure the “Select an existing certificate…” option is set.
  4. Click Browse Certificates and select the new certificate that you have just created.
  5. Click Install and OK.

Then, to finish, open the Remote Desktop Connection tool (mstsc.exe) and connect to a Terminal Server using the Gateway option via the Options>Advanced>Settings dialog. To complete these steps you must also have created the connection authorization policies for the gateway.
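The request, submit and install steps above can also be scripted with certreq.exe. The following is an added example, not part of the original post; the gateway name and the CA config string (CAhost\CAname) are placeholders you must replace, and the account running it needs Enroll permission on the Web Server template (otherwise you get the "denied by policy" error mentioned above):

```powershell
# Added example: script the request / submit / accept steps with certreq.exe,
# then check the installed certificate before mapping it in TS Gateway Manager.
# Placeholders (assumed values, replace with your own):
$GatewayFqdn = 'tsgateway.example.com'                  # public DNS name clients will type
$CaConfig    = 'ca01.corp.example.com\Corp-Issuing-CA'  # "CAhost\CAname" for certreq -config
$Work        = Join-Path $env:TEMP 'tsgw-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request file: the CN (and a matching SAN) carry the internet-facing name,
#    the key lives in the machine store, and the Web Server template is requested.
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$GatewayFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$GatewayFqdn&"
"@
Set-Content -Path "$Work\request.inf" -Value $inf -Encoding ASCII

# 2. Create the request (private key in LocalMachine\My), submit it to the
#    enterprise CA, and accept the issued certificate against that pending key.
& certreq.exe -new "$Work\request.inf" "$Work\request.req"
& certreq.exe -submit -config $CaConfig "$Work\request.req" "$Work\issued.cer"
& certreq.exe -accept "$Work\issued.cer"

# 3. Verify the result: the CN must be the external name and the certificate
#    must carry a private key and the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$GatewayFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$GatewayFqdn and a private key was installed." }
$serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) { throw "Certificate lacks the Server Authentication EKU." }
"Installed: $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
```

The printed thumbprint identifies the certificate to pick in the SSL Certificate tab of TS Gateway Manager in the mapping step above.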


Setting Remote Desktop to an Alternate Port

The default port for Remote Desktop is 3389, but there are cases where it is useful to change this port, for example on the external interface of a firewall should you be providing remote support of said firewall. These steps are known to work on Windows XP and Windows Server 2003. They have not been tested by me on other versions of Windows.

On the Remote Desktop Server

  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and select the PortNumber value.
  3. On the Edit menu, click Modify, click Decimal, type the new port number, and then click OK.
  4. Quit Registry Editor.



On the Client

  1. Click Start, click All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
  2. In the Computer box, type the computer name or IP address of the computer to which you want to connect, followed by a colon (:) and the port number you want to use. For example, to connect to port 3390 on a computer named “MyXPPro,” type the following information: MyXPPro:3390

     To connect to port 3391 on a computer with IP address, type the following information:


More information in Microsoft Knowledge Base article 306759 (en-us).