Windows Server 2012 RDS and Windows Mobile: connection error

Print This Post Print This Post

For whatever reason MS decided to make Windows 2012 RDS (former Terminal Services, now Remote Desktop Services) not compatible with Windows Mobile 6.x and other Windows CE 5.0 based handheld devices.

Fortunately, if you activated Remote Desktop License Server using ‘Web Browser’ method, you simply have to change the Collections Security settings and disable ‘Allow only … Network Level Authentication’ (NLA).

The following can also apply for Windows 2008 R2 Terminal Server. Check if you activate the Licensing server via “Web Browser” connection or directly. My 2008 R2 server is running OK for Windows Mobile, as a stand-alone server, with 100 licenses and activated via “Web Browser”.

But let start at the beginning.

Basic RDS setup

When you installed Windows 2012 Server within an existing or new Active Directory and then add the Remote Desktop Server role, you have different choices:

AddRolesAndFeatures

You may go on with “Remote Desktop Services scenario-based installation” and then just follow the wizard after selecting “Quick Start”.

AddRolesAndFeatures_2

The wizard will install everything onto one server.

AddRolesAndFeatures_3

Virtual Desktop Infrastructure makes no sense for Windows Mobile clients. They do not need a full virtual windows machine based on a virtual machine. So we select “Session Virtualization”.

The wizard will then deploy all the services and roles and create one default “Session Collection” and “Remote Apps”. At the end you should get following screen:

AddRolesAndFeatures_4

Now check the setup and look at the RDS Overview:

RemoteDesktopServices-Overview

You see we have RD Web Access (unused by Windows Mobile but cannot be removed), no RD Gateway (not needed here), no RD Licensing (we will install that later), the RD Connection Broker, no RD Virtualization Host (as we do not provide virtual machines here) and a RD Session Host with a QuickSession Collection.

At this stage we can not connect using Windows Mobile client. The NLA setting dis-allows that and we get an error in Remote Desktop Mobile. Just change the NLA setting of the Collection and your Windows Mobile clients can connect.

rdm_cn70   rdm_ck3b

NOTE that there is no License server and we are in the 120-day trial of RDS!

RDS_Collections_EditProperties QuickSessionCollection_Properties

You can access the above Properties using the TASKS menu of Remote Desktop Services-Collections-CollectionName and selecting “Edit Properties”.

If there is no Collection, we can not change the setting! Windows Desktop PCs can connect to that RDS without a Collection installed. We (Windows Mobile client) need a collection to disable NLA.

Setup Remote Desktop License Server

Now setup a Remote Desktop License server, activate it (or better read my later note about the activation method: see “RD License Server Activation Connection Method”) and install some CALs or DALs (licenses per User or Device). Ensure the License Manager shows your License Server without any error. And also check with RD License Diagnoser!

RD_licensing_Manager RD_Licensing_Diagnoser

The licensing mode must match the general Collections properties setting:

Collection_DeploymentProperties

If everything is in place and activated and licensed Windows Mobile Clients can no longer connect!

rdm_security_error

The certificates generated by the License Server are not compatible with Remote Desktop Mobile. They use 4096 bit key-length and SHA256 footprint. The certificates are stored in the registry at [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM]. Extracted and converted these certs look like this:

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             0b:1c:04:1c:9c:74:34:af:41:3a:3c:bf:39:f5:56:bf
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Assurance Designation Root 2011
         Validity
             Not Before: Mar 23 17:41:27 2011 GMT
             Not After : Mar 23 17:48:11 2036 GMT
         Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Assurance Designation Root 2011
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (4096 bit)
                 Modulus:
                     00:a8:ef:ce:ef:ec:12:8b:92:94:ed:cf:aa:a5:81:
                     8d:4f:a4:ad:4a:ec:a5:f0:da:a8:3d:b6:e5:61:01:
  ...
                     2b:a9:44:56:83:be:b6:6e:60:b9:16:1a:e1:62:e9:
                     54:9d:bf
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Key Usage: 
                 Digital Signature, Certificate Sign, CRL Sign
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Key Identifier: 
                 1A:A9:53:45:33:8E:D0:6E:22:52:54:76:39:76:43:1E:FF:79:14:41
             1.3.6.1.4.1.311.21.1: 
                 ...
     Signature Algorithm: sha256WithRSAEncryption
          0b:2e:fa:54:de:11:a4:72:e4:13:1d:8b:bc:42:36:7c:fe:76:
 ...
          fa:be:02:5b:1a:c1:d9:58:66:c2:0c:b3:ce:e4:b4:ec:f4:eb:
          56:4f:9a:cc:cc:b2:a0:a4

RD License Server Activation Connection Method

To fix that and get compatible certificates re-activate the RD Licensing Server using the Web method. In RD Licensing Manager right-click the server name and select Properties. Change the Connection Method to “Web Browser”. Close Properties with OK and again right click the server and then Advanced-Reactivate. Follow the process to reactivate the server using the web browser.

RD_license_server_web_activation

After reactivation delete the following registry keys and reboot the server!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
 o Certificate
 o X509 Certificate
 o X509 Certificate ID
 o X509 Certificate2

These registry keys will rebuild with lower security after reboot (see also).

And, surprise, after reboot Remote Desktop Mobile (Windows CE5, Windows Mobile 6.x and Windows Embedded Handheld 6.5.3) can connect!

rdm_cn70_after_reactivation

If you extract and convert the new ‘web-based’ certificates you see the difference:

Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 01:9d:e7:ca:8c:9a:66:80
 Signature Algorithm: sha1WithRSA
 Issuer: L=\x00W\x002\x00K\x001\x002, CN=\x00W\x002\x00K\x001\x002\x00H\x00G\x00O
 Validity
 Not Before: Mar 10 14:50:50 1970 GMT
 Not After : Mar 10 14:50:50 2049 GMT
 Subject: L=\x00W\x002\x00K\x001\x002, CN=\x00W\x002\x00K\x001\x002\x00H\x00G\x00O
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:b6:7e:f2:41:23:f1:f3:cf:44:90:e7:fc:ba:3f:
 ...
 d0:51:d1:55:8c:6b:d0:f6:65:e5:c4:d2:09:1d:d0:
 17:c7
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:TRUE, pathlen:0
 1.3.6.1.4.1.311.18.8:
 Q.G.K.8.V.3.W.2.K.H.P.D.6.W.4.V.M.Q.2.G.3.T.H.3.K.C.8.J.W.K.W.D.M.4.Y...
 Signature Algorithm: sha1WithRSA
 3a:1d:94:36:5d:32:12:6f:5e:e3:76:9f:cb:2b:1c:92:c2:ff:
 ...
 ac:1e:23:b2:a0:73:ff:6f:12:f8:86:24:4b:95:15:54:c0:a2:
 ba:05:00:e3

The key length is only 2048 bits and the security algorithm is SHA1.
If you had activated the “Web browser” Connection method before Activating the server the first time, you do not need to touch the registry and reactivate the server!

Conclusion

Windows Mobile’s Remote Desktop Mobile (RDM) application connects fine if the right certificates are generated when Activating the RD License Server. RDM will not connect, if SHA256 and 4096 bits key are used on the server. RDM does not support NLA nor SSL/TLS!

What MS says

RDS 2008, 2008R2, and 2012 will not allow connections from older RDP 5.x clients.

To get around this add the following registry key to the RDS Session Host

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
Registry entry: Use512LenPropCert
Data type: REG_DWORD
Value: 0 or 1

This is far less secure (512bit encryption vs 2048bit), and you won't be able to take advantage of the features of later versions of the RDP protocol, but older clients will be able to connect.

What wonders me about that, is that it says ‘no support of 2048 length key’, but the key length is 2048 in my validated tests. Possibly they mean, does not support 4096 key length but 2048 (which is set with the Use512LenPropCert?).

Test your installation

If you like to check the certificates of your installation you may use the attached demo application: “RDS2012_security”. It will just read the registry and show the certificates data.

RDS_Security_CertifcateDump_not_ok RDS_Security_CertifcateDump_ok

The code (included in the attachment) just reads the registry and extracts the certification data. The data is stored binary with some extra data at the beginning. There are twelve bytes to remove to get the raw certificate (all these certs start with 0x30 0x82). So the reg might look like this:

"X509 Certificate"=hex:02,00,00,00,04,00,00,00,f1,05,00,00,30,82,05,ed,30,82,\
  03,d5,a0,03,02,01,02,02,10,0b,1c,04,1c,9c,74,34,af,41,3a,3c,bf,39,f5,56,bf,\
  30,0d,06,09,2a,86,48,86,f7,0d,01,01,0b,05,00,30,81,88,31,0b,30,09,06,03,55,\
...

Then the tool has to remove the first 12 bytes and we get the raw data:

30,82,05,ed,30,82,\
  03,d5,a0,03,02,01,02,02,10,0b,1c,04,1c,9c,74,34,af,41,3a,3c,bf,39,f5,56,bf,\
  30,0d,06,09,2a,86,48,86,f7,0d,01,01,0b,05,00,30,81,88,31,0b,30,09,06,03,55,\
...

Here is the simple code that does this in csharp and then initializes a new X509Certificate2 object:

        const string rd_mainRegKey = @"SYSTEM\CurrentControlSet\Control\Terminal Server\RCM"
        string[] _x509ValueNames = new string[] { "X509 Certificate", "X509 Certificate2" };
...
        byte[] readX509Cert(string sValueName)
        {
            byte[] buf = null;
            using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(rd_mainRegKey, false))
            {
                byte[] bufTemp = (byte[]) rk.GetValue(sValueName);
                //remove first 12 bytes
                buf = new byte[bufTemp.Length - 0x0b];                
                Array.Copy(bufTemp, 0x0c, buf, 0, bufTemp.Length - 0x0c);
            }
            if(sValueName.EndsWith("2"))
                _x509Certificate2=new X509Certificate2(buf);
            else
                _x509Certificate = new X509Certificate2(buf);

            return buf;
        }

Now you can even save the cert or, like the demo does, just show the key length and used algorithm.

DOWNLOAD:rds_security - test the certs of an win 2012 RDS server. (Hits: 1530, size: 43.74 kB)

 

21 Comments

  1. josef says:

    RDS 2008, 2008R2, and 2012 will not allow connections from older RDP 5.x clients.

    To get around this add the following registry key to the RDS Session Host

    Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
    Registry entry: Use512LenPropCert
    Data type: REG_DWORD
    Value: 0 or 1

    This is far less secure (512bit encryption vs 2048bit), and you won’t be able to take advantage of the features of later versions of the RDP protocol, but older clients will be able to connect.

  2. Dario says:

    Great! That really solved problem with old Motorola MC3090 terminals running WinCE 5. Now they can connect to RDS on Win server 2012 R2. Thank you for detailed guide!

  3. Will King says:

    Kudos and thanks you for a detailed guide that also explains the whys and how.

  4. Jacques REACHER says:

    Thank you very much for this tutorial. We found it after a search on WinCE issue with RDS 2012 servers on google. Our first search for Windows Mobile Embeded 6.5 were given somes solutions for only a single RDS server, not for a RDS server farm. Tested succesfully on RDS 2012 Farm and with INTERMEC CK3X terminal. We can use now these terminal with RDS connection in our Warehouses in France and Africa.

  5. josef says:

    Hello Jacques

    thanks you for posting your verification on this solution!

    ~Josef

  6. Jacques REACHER says:

    End our test on Windows Server 2008R2 (x64) RDS Farm of 2 vm host servers 12Go ram each (+ 1 vm broker RDS server + 1 vm RDS license server, all these Windows 2008R2 server are in a Windows 2012 Active directory domain) and it works fine, allowing us to use our 200 RDS Windows 2012 CAL downgraded in Windows 2008/2008R2 CAL for compatibility with ou Citrix XenApp 6.5 servers, instead to allow a part of these CAL to another RDS Windows 2012 License server.

    Before on Windows RDS 2008 (x86), only choice we’ve got before discover your solution (but in 32bit and 4Go Ram per server), our Terminals could be connected natively because encryption and security was lowest than Windows 2008R2 an 2012 version.
    Now with Windows RDS 2008R2 server we can use the same Microsoft domain policy and preferred policy as for our computers to mount printers on our terminals. To publish Warehouse management RDS application chosen by our company for our various barcodes terminals (Win CE 5.0, Win Embedded 6.5 from various brands), we use batch file (.bat) associated with an Active Directory Preferred Policy (to add the right .bat in Starter folder of terminal user start menu if he’s member of an user group) to launch our RDS applications GUI on our Terminals just after user logon. It’s because RDS publishing features need that the launch path and the work directory path are the same (and is not the case for this specific Terminal RDS application because application path is on RDS servers and INI files are on a centralized share).

    Pay attention to resolution screen and colors number used on your Terminals (it’s increase network charge if it’s high), and pay attention to have a good Wifi network in IEEE 802.11g, with centralized management wifi access point with no dark zone in your Warehouse, and also a good wired network Category 5e SFP in 100Mpbs or 1Gbps (not for speed but for lantency) with good POE injector for each of these wifi access point. Wifi centralized management (and perhaps load balancing functionalities between near wifi access point if you have a lot of user scanning in a same Wifi Area for this last point, see on Fortinet or perhaps Cisco Wifi solutions for that).
    Check all these points to have a low latency and low network charge by terminal and a good roaming between each Wifi access point for your Terminal and his application (and a low latency with speed level guarantee WAN MPLS/VPN IPSEC network in case of many distant Warehouse site interconnected). Because of old OS (Win CE 5.0 and Win Embedded 6.5) and old RDS (RDP) functionnality on these Terminals you can’t count on last evolutions of RDS protocol given by 2008R2 and 2012/2012R2 Windows servers (the last solution it’s to change all your terminals with new terminals on Windows CE 7.0 and/or Android 4.1 like Motorola MC3200 but at 1000€ to 1500€ by terminals it’ a high cost and it doesn’t exclude to have a good Wifi Network and WAN interconnexion network).

    Hope you can understand my English in this post ;-).

  7. Edigs says:

    I followed your tutorial on 2012R2 server.
    But there is only certificate key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM

    No o X509 Certificate
    o X509 Certificate ID
    o X509 Certificate2
    keys.

    And 5.0 client can’t connect.

  8. josef says:

    Did you install Terminal Server Licenses?
    Did you activate the TS using the Web method?

    The description was used on diferent sites and always worked. Please read and follow carefully!

    And what do you mean by 5.0 client? The decription is tested with Windows Mobile >=6.1

  9. Edigs says:

    Ok, some troubles with licensing server.
    Now I have registry keys and 6.1 is working.
    But still I can’t connect with old terminal service client 5.0
    Some old Symbol terminal with Win Mobile 4.2.

    Any chance to connect old devices to 2012r2?

  10. josef says:

    Sorry, but I do not have tested that old Windows Mobile Client OS.

  11. andrea says:

    Many thanks, with this solution I have saved about 40,000 euros to change our handhelds (Psion workabout pro 3 ce 5.0), because they wer not compatible with windows server 2012 r2 remote desktop services

  12. Majid says:

    Hi,

    Good guide! Thank You Alot!

    after ive implemented this solution to support RDP 5/6, then all RDP 5+6 Versions are working.

    But if you have multiple RDSH in your farm, then you will get issues due to some features not working due to low encryption data.

    ive used alot of months on debugging and troubleshooting on this.

    ive tested this with more than 50 different reinstall attempts to getting this to work – and it works fine as long as you have Single Server RDSH with Broker.
    as soon as you have multiple RDSH in a farm you will face “black screens” and RDP “Internal Error / Security error” as it tries to Connect your desktop to another RDSH in the LB farm, and it failes here.

    SO i have chossen to get rid of Broker Service and use another Load Balancing software (ZEND LB) to achive the same, and it works with multiple RDSH farm 🙂
    and to control RDS Sessions you could use 3rd party program like “Galinette cendrée RDS Client” which is better than the Broker TS Management.

    Now i have 900 unsupported RDP versions connected to my RDS2012 Farm with 60 RDSH with Zend and Galinette cendrée RDS Client – running very good.

  13. Hirwigo says:

    Thank you very much for this article! Probably just saved us thousands of $!

  14. josef says:

    How about a donation? ;-))

  15. Guillermin-go says:

    Awesome information, you have a new follower in EE 🙂

    I would like to make sure that the problem that is making our PDA unable to connect is this one. How did you extracted the certificate so you can read them? I would like to confirm that the key lenght displayed in the current certificate is 4096 bit before I reactivate the server.

    Thanks in advance and I apologize for my bad english.

  16. josef says:

    Hello Guillermin-go

    the data was extracted from the registry:

    “The certificates are stored in the registry at [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM]”

    as noted in the blog post. But you need a tool to convert the data to be compatible with openSSL.

    ~josef

  17. MikeyRod1981 says:

    Thanks Josef! This worked like a charm. I had setup a new RDS server running Windows 2012 R2 for a customer and he had scanning guns running Windows CE 5.2 on them that were failing to connect. Following your instructions, we were able to successfully connect to the Windows 2012 R2 server from the guns running Windows CE.

    Thanks for sharing your experience and knowledge!

  18. Christin says:

    I still face problem.

    I had the Licence Server (Windows 2012 R2) with only enabled the Remote Desktop Licencing Tool and Remote Desktop Licencing Diagnosting (no broker, no gateway, nothing else except those 2 options). I also activate the 60 CALs Per Device.

    I also have 2 Other servers Windows 2012 R2 (terminal servers) which have only Remote Session Host and from the Group policy i set the licence server (the first one). User connects without facing any problem.

    But I have 2 Intermec CN3 which when i try to connect them to license server connects succesfully but when i try to connect them to 2 Other servers (terminal) they didn;t connect “Because of a security error”.

    I change to the licence server the Activate method to “Web”, reactivate the server and delete the keys. I restart the server and try again but the same problem exists. I try then to add the key Use512LenPropCert but still nothing happened

  19. josef says:

    Hello

    your writing is confusing. Do you have any Windows Mobile 6.x device that you can test in parallel to the CN3’s?

    What does “But I have 2 Intermec CN3 which when i try to connect them to license server connects succesfully but when i try to connect them to 2 Other servers (terminal) they didn;t connect” mean in simple, short sentences?

    Anyway, I cannot help further, the supplied information here is all I can offer. Possibly your server’s event log gives more hints to you.

    Sorry

    Josef

  20. GJH says:

    This is slightly off topic, but does anyone know how to get a Windows Embedded Handheld to run (or connect to a Remote Desktop Host) using 320X240 resolution? I find the “QVGA” resolution as a profile in the registry, but every time I try to change it, the device reverts back upon reboot. Thank you.

Leave a Reply