Windows Server 2012 RDS and Windows Mobile: connection error
For whatever reason, MS made Windows Server 2012 RDS (formerly Terminal Services, now Remote Desktop Services) incompatible with Windows Mobile 6.x and other Windows CE 5.0-based handheld devices.
Fortunately, if you activated the Remote Desktop License Server using the “Web Browser” method, you only have to change the Collection's security settings and disable “Allow only … Network Level Authentication” (NLA).
The following also applies to a Windows 2008 R2 Terminal Server. Check whether you activated the Licensing server via the “Web Browser” connection method or directly (automatic connection). My 2008 R2 server works fine with Windows Mobile: a stand-alone server with 100 licenses, activated via “Web Browser”.
But let's start at the beginning.
Basic RDS setup
When you have installed Windows Server 2012 in an existing or new Active Directory and then add the Remote Desktop Services role, you have different choices:
You may go on with “Remote Desktop Services scenario-based installation” and then just follow the wizard after selecting “Quick Start”.
The wizard will install everything onto one server.
Virtual Desktop Infrastructure makes no sense for Windows Mobile clients: they do not need a full virtual Windows machine. So we select “Session Virtualization”.
The wizard will then deploy all the services and roles and create one default “Session Collection” and “RemoteApps”. At the end you should get the following screen:
Now check the setup and look at the RDS Overview:
You see we have RD Web Access (unused by Windows Mobile but it cannot be removed), no RD Gateway (not needed here), no RD Licensing (we will install that later), the RD Connection Broker, no RD Virtualization Host (as we do not provide virtual machines here) and an RD Session Host with a QuickSessionCollection.
At this stage we cannot connect with the Windows Mobile client: the NLA setting disallows it and Remote Desktop Mobile reports an error. Just change the NLA setting of the Collection and your Windows Mobile clients can connect.
NOTE that there is no License server yet and we are in the 120-day trial of RDS!
You can access the above Properties using the TASKS menu of Remote Desktop Services - Collections - CollectionName and selecting “Edit Properties”.
If there is no Collection, we cannot change the setting! Windows desktop PCs can connect to the RDS without a Collection, but we (the Windows Mobile client) need a Collection to be able to disable NLA.
Setup Remote Desktop License Server
Now set up a Remote Desktop License server, activate it (or better, first read my later note about the activation method: see “RD License Server Activation Connection Method”) and install some RDS CALs (Per User or Per Device). Ensure the License Manager shows your License Server without any error, and also check with the RD Licensing Diagnoser!
The licensing mode must match the Collection's general properties setting:
If everything is in place, activated and licensed, Windows Mobile clients can no longer connect!
The certificates the License Server provisions are not compatible with Remote Desktop Mobile: they use a 4096-bit key and a SHA-256 signature. The certificates are stored in the registry at [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM]. Extracted and converted, the one in the “X509 Certificate” value (the self-signed Microsoft Assurance Designation Root 2011) looks like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0b:1c:04:1c:9c:74:34:af:41:3a:3c:bf:39:f5:56:bf
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Assurance Designation Root 2011
        Validity
            Not Before: Mar 23 17:41:27 2011 GMT
            Not After : Mar 23 17:48:11 2036 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Assurance Designation Root 2011
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a8:ef:ce:ef:ec:12:8b:92:94:ed:cf:aa:a5:81:
                    8d:4f:a4:ad:4a:ec:a5:f0:da:a8:3d:b6:e5:61:01:
                    ...
                    2b:a9:44:56:83:be:b6:6e:60:b9:16:1a:e1:62:e9:
                    54:9d:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                1A:A9:53:45:33:8E:D0:6E:22:52:54:76:39:76:43:1E:FF:79:14:41
            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha256WithRSAEncryption
         0b:2e:fa:54:de:11:a4:72:e4:13:1d:8b:bc:42:36:7c:fe:76:
         ...
         fa:be:02:5b:1a:c1:d9:58:66:c2:0c:b3:ce:e4:b4:ec:f4:eb:
         56:4f:9a:cc:cc:b2:a0:a4
RD License Server Activation Connection Method
To fix that and get compatible certificates, re-activate the RD Licensing Server using the Web Browser method. In RD Licensing Manager right-click the server name and select Properties. Change the Connection Method to “Web Browser”. Close Properties with OK, then right-click the server again and select Advanced - Reactivate Server. Follow the wizard to reactivate the server using the web browser.
After reactivation, delete the following values under the RCM key (on the RD Session Host, which is where they live in a multi-server setup, not on the license server) and reboot the server!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
o Certificate
o X509 Certificate
o X509 Certificate ID
o X509 Certificate2
These registry values are regenerated with the weaker, compatible settings after the reboot.
And, surprise, after the reboot Remote Desktop Mobile (Windows CE 5, Windows Mobile 6.x and Windows Embedded Handheld 6.5.3) can connect!
If you extract and convert the new ‘web-based’ certificates you see the difference:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 01:9d:e7:ca:8c:9a:66:80
        Signature Algorithm: sha1WithRSA
        Issuer: L=\x00W\x002\x00K\x001\x002, CN=\x00W\x002\x00K\x001\x002\x00H\x00G\x00O
        Validity
            Not Before: Mar 10 14:50:50 1970 GMT
            Not After : Mar 10 14:50:50 2049 GMT
        Subject: L=\x00W\x002\x00K\x001\x002, CN=\x00W\x002\x00K\x001\x002\x00H\x00G\x00O
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:7e:f2:41:23:f1:f3:cf:44:90:e7:fc:ba:3f:
                    ...
                    d0:51:d1:55:8c:6b:d0:f6:65:e5:c4:d2:09:1d:d0:
                    17:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:0
            1.3.6.1.4.1.311.18.8:
                Q.G.K.8.V.3.W.2.K.H.P.D.6.W.4.V.M.Q.2.G.3.T.H.3.K.C.8.J.W.K.W.D.M.4.Y...
    Signature Algorithm: sha1WithRSA
         3a:1d:94:36:5d:32:12:6f:5e:e3:76:9f:cb:2b:1c:92:c2:ff:
         ...
         ac:1e:23:b2:a0:73:ff:6f:12:f8:86:24:4b:95:15:54:c0:a2:
         ba:05:00:e3
(The \x00 bytes are OpenSSL printing the UTF-16 BMPString name fields byte by byte; they spell W2K12 and W2K12HGO.)
The key length is only 2048 bits and the signature algorithm is SHA-1.
If you had selected the “Web Browser” connection method before activating the server the first time, you do not need to touch the registry or reactivate the server!
Conclusion
Windows Mobile's Remote Desktop Mobile (RDM) application connects fine if the right certificates are generated when activating the RD License Server. RDM will not connect if a SHA-256 signature and a 4096-bit key are used on the server. RDM supports neither NLA nor SSL/TLS!
What MS says
RDS 2008, 2008R2, and 2012 will not allow connections from older RDP 5.x clients.
To get around this add the following registry key to the RDS Session Host
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
Registry entry: Use512LenPropCert
Data type: REG_DWORD
Value: 0 or 1
This is far less secure (512bit encryption vs 2048bit), and you won't be able to take advantage of the features of later versions of the RDP protocol, but older clients will be able to connect.
What puzzles me about that note is that it implies old clients do not support a 2048-bit key, yet in my verified tests the working certificate has a 2048-bit key. Possibly they mean the clients do not support the 4096-bit key but do support 2048 bits (which is perhaps what Use512LenPropCert selects?).
Test your installation
If you would like to check the certificates of your installation, you may use the attached demo application “RDS2012_security”. It just reads the registry and shows the certificate data.
The code (included in the attachment) just reads the registry and extracts the certificate data. The value is stored as binary with a 12-byte header in front of the raw DER certificate (all these certs start with 0x30 0x82). So the registry export might look like this:
"X509 Certificate"=hex:02,00,00,00,04,00,00,00,f1,05,00,00,30,82,05,ed,30,82,\
  03,d5,a0,03,02,01,02,02,10,0b,1c,04,1c,9c,74,34,af,41,3a,3c,bf,39,f5,56,bf,\
  30,0d,06,09,2a,86,48,86,f7,0d,01,01,0b,05,00,30,81,88,31,0b,30,09,06,03,55,\
  ...
The tool then removes the first 12 bytes. Note that the last DWORD of that header (f1,05,00,00 = 0x05f1 = 1521) is exactly the length of the DER data that follows (0x05ed = 1517 bytes of content plus the 4-byte SEQUENCE header), a handy check that you got the whole value. What remains is the raw certificate:
30,82,05,ed,30,82,\
  03,d5,a0,03,02,01,02,02,10,0b,1c,04,1c,9c,74,34,af,41,3a,3c,bf,39,f5,56,bf,\
  30,0d,06,09,2a,86,48,86,f7,0d,01,01,0b,05,00,30,81,88,31,0b,30,09,06,03,55,\
  ...
Here is the simple C# code that does this and then initializes a new X509Certificate2 object:
using System;
using Microsoft.Win32;
using System.Security.Cryptography.X509Certificates;

const string rd_mainRegKey = @"SYSTEM\CurrentControlSet\Control\Terminal Server\RCM";
string[] _x509ValueNames = new string[] { "X509 Certificate", "X509 Certificate2" };
X509Certificate2 _x509Certificate, _x509Certificate2;
...
byte[] readX509Cert(string sValueName)
{
    byte[] buf = null;
    using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(rd_mainRegKey, false))
    {
        byte[] bufTemp = (byte[])rk.GetValue(sValueName);
        // skip the 12-byte header; what remains is the DER certificate (starts with 0x30 0x82)
        buf = new byte[bufTemp.Length - 0x0c];
        Array.Copy(bufTemp, 0x0c, buf, 0, bufTemp.Length - 0x0c);
    }
    if (sValueName.EndsWith("2"))
        _x509Certificate2 = new X509Certificate2(buf);
    else
        _x509Certificate = new X509Certificate2(buf);
    return buf;
}
Now you can even save the cert or, as the demo does, just show the key length and the algorithm used.
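The same check done in Python, as an added example of mine and not the blog's C# demo: it strips the 12-byte header, cross-checks the header's length DWORD against the DER length, and walks just enough ASN.1 to report the RSA key size and the signature OID, so you can confirm the 4096-bit/SHA-256 situation on a server before reactivating it. The header interpretation (third DWORD = DER length) comes from the dump shown above, the OID table only covers the algorithms that appear on this page (others are reported as raw hex), the script name rdm_cert_check.py is my own, and the two certificates it parses when run without arguments are constructed skeletons, not blobs captured from a real server:

```python
"""Decode the "X509 Certificate" blobs an RD Session Host keeps under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\RCM: key size and signature algorithm."""
import struct, sys

OIDS = {bytes.fromhex("2a864886f70d010101"): "rsaEncryption",          # only what this page needs;
        bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",  # unknown OIDs come back as hex
        bytes.fromhex("2b0e03021d"): "sha1WithRSA",                    # OIW OID, as in the 'web' cert dump
        bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}
OID_BYTES = {name: raw for raw, name in OIDS.items()}

def parse_reg_hex(reg_text, value_name):
    """Read one REG_BINARY value from .reg export text; a trailing '\\' continues the line."""
    prefix, parts = '"%s"=hex:' % value_name, []
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if not parts and not line.startswith(prefix):
            continue
        parts.append(line if parts else line[len(prefix):])
        if not line.endswith("\\"):
            break
    if not parts:
        raise KeyError(value_name)
    return bytes(int(h, 16) for h in "".join(parts).replace("\\", "").split(",") if h)

def _tlv(buf, pos):
    """Decode one DER tag + length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _alg_name(buf, alg_id):
    """Name of the OID that opens an AlgorithmIdentifier SEQUENCE given as (tag, start, end)."""
    _, os_, oe = next(_children(buf, alg_id[1], alg_id[2]))
    return OIDS.get(buf[os_:oe], buf[os_:oe].hex())

def strip_rcm_header(blob):
    """Drop the 12-byte prefix (three LE DWORDs, the third being the DER length) and cross-check it."""
    _, _, der_len = struct.unpack("<III", blob[:12])
    der = blob[12:]
    if der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE (0x30 0x82 ...)")
    _, _, seq_end = _tlv(der, 0)
    if not (len(der) == der_len == seq_end):
        raise ValueError("header says %d bytes, payload has %d, DER claims %d" % (der_len, len(der), seq_end))
    return der

def describe_certificate(der):
    """Return {'signature_algorithm', 'key_bits'} for a DER-encoded X.509 certificate."""
    _, cs, ce = _tlv(der, 0)
    tbs, sig_alg = list(_children(der, cs, ce))[:2]      # tbsCertificate, signatureAlgorithm
    fields = list(_children(der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                             # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    spki = list(_children(der, fields[5][1], fields[5][2]))   # subjectPublicKeyInfo
    bits = None
    if _alg_name(der, spki[0]) == "rsaEncryption":       # BIT STRING: unused-bits byte, then RSAPublicKey
        rsa = next(_children(der, spki[1][1] + 1, spki[1][2]))
        _, m_s, m_e = next(_children(der, rsa[1], rsa[2]))          # modulus INTEGER
        bits = int.from_bytes(der[m_s:m_e], "big").bit_length()
    return {"signature_algorithm": _alg_name(der, sig_alg), "key_bits": bits}

def remote_desktop_mobile_compatible(info):
    """The empirical rule of this page: RDM accepts the 2048-bit, SHA-1 signed chain, not 4096/SHA-256."""
    return info["key_bits"] == 2048 and info["signature_algorithm"].startswith("sha1With")

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(v):
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))   # leading 0x00 when high bit set

def build_sample_blob(key_bits, sig_name):
    """Constructed sample: skeleton certificate (empty names, dummy signature) in the RCM header layout."""
    alg = _der(0x30, _der(0x06, OID_BYTES[sig_name]) + b"\x05\x00")
    rsa = _der(0x30, _der_int((1 << (key_bits - 1)) | 1) + _der_int(65537))
    spki = _der(0x30, _der(0x30, _der(0x06, OID_BYTES["rsaEncryption"]) + b"\x05\x00") + _der(0x03, b"\x00" + rsa))
    name, t = _der(0x30, b""), _der(0x17, b"700310145050Z")
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg + name + _der(0x30, t + t) + name + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))
    return struct.pack("<III", 2, 4, len(cert)) + cert

if __name__ == "__main__":     # python rdm_cert_check.py [rcm.reg]   (reg.exe writes UTF-16 .reg files)
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-16").read()
        blobs = {n: parse_reg_hex(text, n) for n in ("X509 Certificate", "X509 Certificate2")}
    else:
        blobs = {"sample 4096/SHA-256": build_sample_blob(4096, "sha256WithRSAEncryption"),
                 "sample 2048/SHA-1": build_sample_blob(2048, "sha1WithRSA")}
    for name, blob in blobs.items():
        info = describe_certificate(strip_rcm_header(blob))
        print(name, info, "-> RDM can connect" if remote_desktop_mobile_compatible(info) else "-> RDM will fail")
```

On the Session Host run `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM" rcm.reg`, copy the file off and run `python rdm_cert_check.py rcm.reg`. A result of `key_bits: 4096` with `sha256WithRSAEncryption` before reactivation confirms the situation described in this post; if the value was copied by hand and cut short, the length cross-check in strip_rcm_header reports it instead of silently parsing garbage.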
Great! That really solved the problem with old Motorola MC3090 terminals running WinCE 5. Now they can connect to RDS on Windows Server 2012 R2. Thank you for the detailed guide!
Kudos and thank you for a detailed guide that also explains the whys and hows.
Thank you very much for this tutorial. We found it after a Google search on the WinCE issue with RDS 2012 servers. Our first search for Windows Mobile Embedded 6.5 gave some solutions for only a single RDS server, not for an RDS server farm. Tested successfully on an RDS 2012 farm with an INTERMEC CK3X terminal. We can now use these terminals with RDS connections in our warehouses in France and Africa.
Hello Jacques
thank you for posting your verification of this solution!
~Josef
End of our test on a Windows Server 2008 R2 (x64) RDS farm of 2 VM host servers with 12 GB RAM each (+ 1 VM RDS broker server + 1 VM RDS license server; all these Windows 2008 R2 servers are in a Windows 2012 Active Directory domain), and it works fine, allowing us to use our 200 Windows 2012 RDS CALs downgraded to Windows 2008/2008 R2 CALs for compatibility with our Citrix XenApp 6.5 servers, instead of allocating part of these CALs to another Windows 2012 RDS license server.
Before, on Windows RDS 2008 (x86), the only choice we had before discovering your solution (but in 32-bit and with 4 GB RAM per server), our terminals could connect natively because encryption and security were lower than in the Windows 2008 R2 and 2012 versions.
Now with Windows RDS 2008 R2 servers we can use the same Microsoft domain policy and preference policy as for our computers to mount printers on our terminals. To publish the warehouse management RDS application chosen by our company for our various barcode terminals (Win CE 5.0, Win Embedded 6.5 from various brands), we use a batch file (.bat) associated with an Active Directory Preference Policy (to add the right .bat to the Startup folder of the terminal user's start menu if he is a member of a user group) to launch our RDS application GUI on our terminals just after user logon. This is because the RDS publishing feature needs the launch path and the working directory path to be the same (which is not the case for this specific terminal RDS application, because the application path is on the RDS servers and the INI files are on a centralized share).
Pay attention to the screen resolution and number of colors used on your terminals (it increases network load if they are high), and make sure you have a good IEEE 802.11g Wi-Fi network, with centrally managed Wi-Fi access points and no dead zones in your warehouse, and also a good wired network (Category 5e SFP at 100 Mbps or 1 Gbps, not for speed but for latency) with a good PoE injector for each of these Wi-Fi access points. Centralized Wi-Fi management (and perhaps load balancing between nearby Wi-Fi access points if you have a lot of users scanning in the same Wi-Fi area; for this last point, see Fortinet or perhaps Cisco Wi-Fi solutions).
Check all these points to get low latency and low network load per terminal and good roaming between Wi-Fi access points for your terminals and their application (and a low-latency WAN with guaranteed speed, MPLS/IPsec VPN, in case of many distant warehouse sites interconnected). Because of the old OS (Win CE 5.0 and Win Embedded 6.5) and old RDS (RDP) functionality on these terminals, you cannot count on the latest evolutions of the RDS protocol provided by 2008 R2 and 2012/2012 R2 Windows servers (the last solution is to replace all your terminals with new terminals on Windows CE 7.0 and/or Android 4.1 like the Motorola MC3200, but at 1000 € to 1500 € per terminal it's a high cost and it doesn't remove the need for a good Wi-Fi network and WAN interconnection).
Hope you can understand my English in this post ;-).
I followed your tutorial on 2012R2 server.
But there is only the Certificate key under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
No o X509 Certificate
o X509 Certificate ID
o X509 Certificate2
keys.
And the 5.0 client can't connect.
Did you install Terminal Server Licenses?
Did you activate the TS using the Web method?
The description was used on different sites and always worked. Please read and follow carefully!
And what do you mean by 5.0 client? The description is tested with Windows Mobile >= 6.1.
OK, some troubles with the licensing server.
Now I have the registry keys and 6.1 is working.
But I still can't connect with the old Terminal Services client 5.0,
some old Symbol terminal with Windows Mobile 4.2.
Any chance to connect old devices to 2012r2?
Sorry, but I have not tested that old Windows Mobile client OS.
Many thanks. With this solution I have saved about 40,000 euros in not having to replace our handhelds (Psion Workabout Pro 3, CE 5.0), because they were not compatible with Windows Server 2012 R2 Remote Desktop Services.
Hi,
Good guide! Thank you a lot!
After I implemented this solution to support RDP 5/6, all RDP 5 and 6 versions are working.
But if you have multiple RDSHs in your farm, you will get issues because some features do not work due to the low encryption.
I've spent a lot of months debugging and troubleshooting this.
I've tested this with more than 50 different reinstall attempts to get this to work, and it works fine as long as you have a single RDSH server with a broker.
As soon as you have multiple RDSHs in a farm you will face “black screens” and RDP “Internal Error / Security error” as it tries to connect your desktop to another RDSH in the LB farm, and it fails there.
So I have chosen to get rid of the Broker service and use other load balancing software (ZEND LB) to achieve the same, and it works with a multiple-RDSH farm 🙂
And to control RDS sessions you could use a 3rd-party program like “Galinette cendrée RDS Client”, which is better than the Broker TS management.
Now I have 900 unsupported RDP versions connected to my RDS 2012 farm with 60 RDSHs with Zend and Galinette cendrée RDS Client, running very well.
Thank you very much for this article! Probably just saved us thousands of $!
How about a donation? ;-))
Awesome information, you have a new follower in EE 🙂
I would like to make sure that the problem making our PDA unable to connect is this one. How did you extract the certificates so you could read them? I would like to confirm that the key length displayed in the current certificate is 4096 bits before I reactivate the server.
Thanks in advance and I apologize for my bad english.
Hello Guillermin-go
the data was extracted from the registry:
“The certificates are stored in the registry at [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM]”
as noted in the blog post. But you need a tool to convert the data to be compatible with OpenSSL.
~josef
Thanks Josef! This worked like a charm. I had set up a new RDS server running Windows 2012 R2 for a customer and he had scanning guns running Windows CE 5.2 that were failing to connect. Following your instructions, we were able to successfully connect to the Windows 2012 R2 server from the guns running Windows CE.
Thanks for sharing your experience and knowledge!
I still face problem.
I have the license server (Windows 2012 R2) with only the Remote Desktop Licensing tool and Remote Desktop Licensing Diagnoser enabled (no broker, no gateway, nothing else except those 2 options). I also activated 60 Per Device CALs.
I also have 2 other Windows 2012 R2 servers (terminal servers) which have only the Remote Desktop Session Host role, and via Group Policy I set the license server (the first one). Users connect without any problem.
But I have 2 Intermec CN3s which, when I try to connect them to the license server, connect successfully, but when I try to connect them to the 2 other (terminal) servers they don't connect “Because of a security error”.
I changed the activation method on the license server to “Web”, reactivated the server and deleted the keys. I restarted the server and tried again but the same problem exists. I then tried to add the Use512LenPropCert key but still nothing happened.
Hello
your writing is confusing. Do you have any Windows Mobile 6.x device that you can test in parallel to the CN3s?
What does “But I have 2 Intermec CN3 which when i try to connect them to license server connects succesfully but when i try to connect them to 2 Other servers (terminal) they didn't connect” mean, in simple, short sentences?
Anyway, I cannot help further, the supplied information here is all I can offer. Possibly your server’s event log gives more hints to you.
Sorry
Josef
This is slightly off topic, but does anyone know how to get a Windows Embedded Handheld to run (or connect to a Remote Desktop Host) using 320X240 resolution? I find the “QVGA” resolution as a profile in the registry, but every time I try to change it, the device reverts back upon reboot. Thank you.
Did you already read this: http://www.hjgode.de/wp/2011/09/05/remote-desktop-mobile-on-vga-devices-qvga-applications-do-not-scale-well/
Huge thanks for this post and to the poster. I just ran into this problem and fixed a customer's thin client connections (Win XP).
Steven
Good Morning,
I am having some issues with not being able to connect my Intermec CK71 to my secondary RDS server.
My environment is 2 Windows 2012 R2 RDS servers. The first one is my RD Licensing Manager; the second is only an RD Session Host for my Australia office. They can connect in and run the applications that I have shared, but I cannot connect my handheld to this server.
My license manager RDS server works great for all of my CK71 handhelds.
On the license server I changed the connection method to Web Browser and I did reactivate the server. I also deleted the certificates, the 3 X509 certs.
I have not changed anything on the secondary RD Session server.
So I guess my question is: when I connect to the secondary (non-licensing) server, does it get all of its information from the main RDS (licensing) server?
Since there is nothing to change on the secondary RD Session Host server, I cannot pick Web Browser or reactivate it. But it does have the X509 certs in the registry. Should I delete these and restart the server? Will it rebuild them? Will it get its information from the licensing server?
I am just stuck as to how to make these CK71s work on it and what I can change.
Thank you very much for your thoughts.
John
Hello John
although this article does not clearly say it, this is an issue with the Terminal Server encryption method. The licensing stuff changes that as a side effect.
Please try the registry setting on the secondary Terminal Server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
Use512LenPropCert=1
As MS says, this enables RDP 5 client access.
Appreciate any feedback
~Josef
Josef,
I have the reg setting on my secondary RDS host and I still cannot connect to it.
As I stated, on my main licensing and logon RDS server everything works great, just not on the secondary one.
Any thoughts again are appreciated.
John
Have you disabled Network Level Authentication?
What does the System Log show for the failing attempts on the server?
I cannot help with more than is documented here.
Sorry
Josef,
I have disabled the Network Level Authentication on both servers.
Success.
On my second RD Session Host, which does not have licensing on it, I was finally able to connect.
Steps were.
I added the Use512LenPropCert value to its registry
Exported (backed up) that part of the registry
Deleted all the cert entries
Rebooted the server so it would regenerate the cert entries
Now I am able to log in to this RDS server with my CK71 Windows handhelds.
Thank you for directing me in a path to resolve this issue.
I much appreciate your help.
John
Hello John
many thanks for the feedback!
Glad that you got it to work.
~Josef
Hello John,
We are facing this issue with our CN3 (Windows Mobile 5.0) and CN50 (Windows Mobile 6.1) PDAs connecting to two RDP servers, one with Windows 2012 R2 and another with Windows 2008 R2.
My provider has told me that the changes you mention in your article cannot be done on Windows 2008 R2. Is that true? If so, do you know of any workaround?
Besides, thanks to your article our CN50 units can connect to the Windows 2012 R2, but our CN3s still can't. When trying to connect with the Terminal Services Client, they show this error: “The terminal server ended the connection or a network error occurred. Please try to reconnect.” In your article you mention Windows CE 5.0 and Windows Mobile 6.x. Maybe Windows Mobile 5.x cannot be resolved with your method?
I would appreciate your help very much.
Oscar
Hello,
is this guide only for 2008 R2 and 2012, or will it work on Windows Server 2008? Are there any positive tests?
Thx
Andreas
Hello Oscar,
I have the same problem. Windows 2012 R2 with the RDS role: the Intermec CN50 can connect, but the Intermec CN3 gives me the same error: “The terminal server ended the connection or a network error occurred. Please try to reconnect.”
Is there any solution to connect Windows CE 5 to Windows 2012 R2?
Thanks,
Best regards.
Very important thing to know: if you have a multi-server installation with a separate licensing server, you need to be aware that the registry keys are located on each Session Host.
That is also the reason why some people only find the Certificate key, but not the X509 keys, in the registry: they are looking on the licensing server, not the Session Host.
Took me a while to find it…
Another thing: you don't need to reboot; you just need to restart the “Remote Desktop Services” service with its dependencies. This causes all RDP sessions to disconnect, but users can reconnect to them. Then, when the first user reconnects, the certificate keys will be regenerated.
Thanks for this article.
Did anyone test this guide on Windows Server 2016? I am getting the same problem using Windows CE 5 even when going step by step. I tried the steps leading to 2048 bits, then the key leading to 512 bits, without success.
Thanks
Jirka Elda
Sorry, no resources to test for Windows 2016 server.
🙁
Josef
Resolved my problem with Windows Server 2016 ! (with CE 5.2)
Thanks a lot.
Hello everyone,
Hello Thomas GABRIEL,
Can someone get in touch with me at short notice about the problem of Windows CE RDP to Server 2016?
I have followed the instructions above, but unfortunately it still says “an error has occurred”.
It is incredibly important and urgent.
Who got it working in this constellation?
Works perfectly on RDS 2016 with Windows CE 6.0! Thank you very much!
Joel
Hello,
Same problem with a Honeywell Dolphin WinCE 5.0 and Windows 10! Message when connecting over RDP from the handheld: “An internal error has occurred”.
On my Windows 10 machine it works, but not on the customer's, and it is impossible to find out where it comes from! (apart from a possible 2018 update concerning RDP that caused a lot of ink to flow about CredSSP encryption).
Ping OK, AV, firewall too...
Thank you very much for this excellent guide, I have been using it with old barcode scanners and it has spared me a few headaches.
I read this article too late. I chose the wrong deployment method (VDI instead of session virtualization). Do I have to uninstall everything and install anew, or can I just change to session virtualization?
Will the reactivation of the license server with the web browser option leave the installed user CAL licenses untouched, or do you have to install them again?
Thanks.
Hello Stefan
I am sorry, but this is beyond my knowledge.
Regards
Josef
Works perfectly for me, Windows 2012 R2 and Windows Mobile. Thanks
Amazing
Works with Win CE 5.0 to Server 2016!