{"id":1895,"date":"2014-03-12T16:18:36","date_gmt":"2014-03-12T14:18:36","guid":{"rendered":"http:\/\/www.hjgode.de\/wp\/?p=1895"},"modified":"2020-07-14T19:52:18","modified_gmt":"2020-07-14T17:52:18","slug":"windows-server-2012-rds-and-windows-mobile-connection-error","status":"publish","type":"post","link":"https:\/\/www.hjgode.de\/wp\/2014\/03\/12\/windows-server-2012-rds-and-windows-mobile-connection-error\/","title":{"rendered":"Windows Server 2012 RDS and Windows Mobile: connection error"},"content":{"rendered":"<p>For whatever reason MS decided to make Windows 2012 RDS (former Terminal Services, now Remote Desktop Services) not compatible with Windows Mobile 6.x and other Windows CE 5.0 based handheld devices.<\/p>\n<p>Fortunately, if you activated Remote Desktop License Server using &#8216;Web Browser&#8217; method, you simply have to change the Collections Security settings and disable &#8216;Allow only &#8230; Network Level Authentication&#8217; (NLA).<\/p>\n<p>The following can also apply for Windows 2008 R2 Terminal Server. Check if you activate the Licensing server via &#8220;Web Browser&#8221; connection or directly. 
My 2008 R2 server is running OK for Windows Mobile, as a stand-alone server, with 100 licenses and activated via &#8220;Web Browser&#8221;.<\/p>\n<p>But let&#8217;s start at the beginning.<\/p>\n<h1>Basic RDS setup<\/h1>\n<p>When you have installed Windows 2012 Server within an existing or new Active Directory and then add the Remote Desktop Server role, you have different choices:<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/AddRolesAndFeatures.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"AddRolesAndFeatures\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/AddRolesAndFeatures.gif\" width=\"472\" height=\"345\" \/><\/a><\/p>\n<p>You may go on with &#8220;Remote Desktop Services scenario-based installation&#8221; and then just follow the wizard after selecting &#8220;Quick Start&#8221;.<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/AddRolesAndFeatures_2.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"AddRolesAndFeatures_2\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/AddRolesAndFeatures_2.gif\" width=\"475\" height=\"348\" \/><\/a><\/p>\n<p>The wizard will install everything onto one server.<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/AddRolesAndFeatures_3.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"AddRolesAndFeatures_3\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/AddRolesAndFeatures_3.gif\" width=\"477\" height=\"349\" \/><\/a><\/p>\n<p>Virtual Desktop Infrastructure makes no sense for Windows Mobile clients. They do not need a full virtual Windows machine based on a virtual machine. So we select &#8220;Session Virtualization&#8221;.<\/p>\n<p>The wizard will then deploy all the services and roles and create one default &#8220;Session Collection&#8221; and &#8220;Remote Apps&#8221;. 
At the end you should get the following screen:<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/AddRolesAndFeatures_4.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"AddRolesAndFeatures_4\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/AddRolesAndFeatures_4.gif\" width=\"470\" height=\"344\" \/><\/a><\/p>\n<p>Now check the setup and look at the RDS Overview:<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RemoteDesktopServices-Overview.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"RemoteDesktopServices-Overview\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RemoteDesktopServices-Overview.gif\" width=\"433\" height=\"342\" \/><\/a><\/p>\n<p>You see we have RD Web Access (unused by Windows Mobile but cannot be removed), no RD Gateway (not needed here), no RD Licensing (we will install that later), the RD Connection Broker, no RD Virtualization Host (as we do not provide virtual machines here) and an RD Session Host with a QuickSession Collection.<\/p>\n<p>At this stage we cannot connect using a Windows Mobile client. The NLA setting disallows that and we get an error in Remote Desktop Mobile. 
Just change the NLA setting of the Collection and your Windows Mobile clients can connect.<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/rdm_cn70.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"rdm_cn70\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/rdm_cn70.gif\" width=\"244\" height=\"324\" \/><\/a>\u00a0\u00a0 <a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/rdm_ck3b.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"rdm_ck3b\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/rdm_ck3b.gif\" width=\"244\" height=\"324\" \/><\/a><\/p>\n<p><strong>NOTE that there is no License server and we are in the 120-day trial of RDS!<\/strong><\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Collections_EditProperties.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"RDS_Collections_EditProperties\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Collections_EditProperties.gif\" width=\"474\" height=\"228\" \/><\/a>\u00a0<img loading=\"lazy\" decoding=\"async\" alt=\"QuickSessionCollection_Properties\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/QuickSessionCollection_Properties.gif\" width=\"440\" height=\"352\" \/><\/p>\n<p>You can access the above Properties using the TASKS menu of Remote Desktop Services-Collections-<em>CollectionName<\/em> and selecting &#8220;Edit Properties&#8221;.<\/p>\n<p>If there is no Collection, we cannot change the setting! Windows Desktop PCs can connect to that RDS without a Collection installed. We (Windows Mobile client) need a collection to disable NLA.<\/p>\n<h1>Setup Remote Desktop License Server<\/h1>\n<p>Now set up a Remote Desktop License server, activate it (or better read my later note about the activation method: see &#8220;RD License Server Activation Connection Method&#8221;) and install some CALs or DALs (licenses per User or Device). 
Ensure the License Manager shows your License Server without any error. And also check with RD License Diagnoser!<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RD_licensing_Manager.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"RD_licensing_Manager\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RD_licensing_Manager.gif\" width=\"609\" height=\"324\" \/><\/a> <a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RD_Licensing_Diagnoser.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"RD_Licensing_Diagnoser\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RD_Licensing_Diagnoser.gif\" width=\"609\" height=\"455\" \/><\/a><\/p>\n<p>The licensing mode must match the general Collections properties setting:<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/Collection_DeploymentProperties.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"Collection_DeploymentProperties\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/Collection_DeploymentProperties.gif\" width=\"357\" height=\"283\" \/><\/a><\/p>\n<p>If everything is in place, activated and licensed, Windows Mobile clients can no longer connect!<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/rdm_security_error.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"rdm_security_error\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/rdm_security_error.gif\" width=\"244\" height=\"324\" \/><\/a><\/p>\n<p>The certificates generated by the License Server are not compatible with Remote Desktop Mobile. They use a 4096-bit key length and a SHA256 signature algorithm. The certificates are stored in the registry at [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\RCM]. 
Extracted and converted these certs look like this:<\/p>\n<pre>Certificate:\r\n \u00a0\u00a0\u00a0 Data:\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Version: 3 (0x2)\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Serial Number:\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0b:1c:04:1c:9c:74:34:af:41:3a:3c:bf:39:f5:56:bf\r\n \u00a0\u00a0\u00a0 Signature Algorithm: sha256WithRSAEncryption\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Assurance Designation Root 2011\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Validity\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Not Before: Mar 23 17:41:27 2011 GMT\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Not After : Mar 23 17:48:11 2036 GMT\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Assurance Designation Root 2011\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Subject Public Key Info:\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Public Key Algorithm: rsaEncryption\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Public-Key: (4096 bit)\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Modulus:\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 00:a8:ef:ce:ef:ec:12:8b:92:94:ed:cf:aa:a5:81:\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 8d:4f:a4:ad:4a:ec:a5:f0:da:a8:3d:b6:e5:61:01:\r\n\u00a0 ...\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2b:a9:44:56:83:be:b6:6e:60:b9:16:1a:e1:62:e9:\r\n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 54:9d:bf\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Exponent: 65537 (0x10001)\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 X509v3 extensions:\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 X509v3 Key Usage: \r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Digital Signature, Certificate Sign, CRL Sign\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 X509v3 Basic Constraints: critical\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CA:TRUE\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 X509v3 Subject Key Identifier: \r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1A:A9:53:45:33:8E:D0:6E:22:52:54:76:39:76:43:1E:FF:79:14:41\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1.3.6.1.4.1.311.21.1: \r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ...\r\n \u00a0\u00a0\u00a0 Signature Algorithm: sha256WithRSAEncryption\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0b:2e:fa:54:de:11:a4:72:e4:13:1d:8b:bc:42:36:7c:fe:76:\r\n ...\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 fa:be:02:5b:1a:c1:d9:58:66:c2:0c:b3:ce:e4:b4:ec:f4:eb:\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 56:4f:9a:cc:cc:b2:a0:a4<\/pre>\n<h2>RD License Server Activation Connection Method<\/h2>\n<p>To fix that and get compatible certificates re-activate the RD Licensing Server using the Web method. In RD Licensing Manager right-click the server name and select Properties. Change the Connection Method to &#8220;Web Browser&#8221;. Close Properties with OK and again right click the server and then Advanced-Reactivate. 
Follow the process to reactivate the server using the web browser.<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RD_license_server_web_activation.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"RD_license_server_web_activation\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RD_license_server_web_activation.gif\" width=\"404\" height=\"336\" \/><\/a><\/p>\n<p>After reactivation, delete the following registry entries and reboot the server!<\/p>\n<pre>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\RCM\r\n o Certificate\r\n o X509 Certificate\r\n o X509 Certificate ID\r\n o X509 Certificate2<\/pre>\n<p>These registry entries will be rebuilt with lower security after the reboot (see <a href=\"http:\/\/www.administrator.de\/forum\/windows-ce-5-0-an-win2k8-rdp-farm-security-error-208874.html\" target=\"_blank\" rel=\"noopener noreferrer\">also<\/a>).<\/p>\n<p>And, surprise, after the reboot Remote Desktop Mobile (Windows CE5, Windows Mobile 6.x and Windows Embedded Handheld 6.5.3) can connect!<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/rdm_cn70_after_reactivation.gif\"><img loading=\"lazy\" decoding=\"async\" alt=\"rdm_cn70_after_reactivation\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/rdm_cn70_after_reactivation.gif\" width=\"244\" height=\"324\" \/><\/a><\/p>\n<p>If you extract and convert the new &#8216;web-based&#8217; certificates, you see the difference:<\/p>\n<pre>Certificate:\r\n Data:\r\n Version: 3 (0x2)\r\n Serial Number:\r\n 01:9d:e7:ca:8c:9a:66:80\r\n Signature Algorithm: sha1WithRSA\r\n Issuer: L=\\x00W\\x002\\x00K\\x001\\x002, CN=\\x00W\\x002\\x00K\\x001\\x002\\x00H\\x00G\\x00O\r\n Validity\r\n Not Before: Mar 10 14:50:50 1970 GMT\r\n Not After : Mar 10 14:50:50 2049 GMT\r\n Subject: L=\\x00W\\x002\\x00K\\x001\\x002, CN=\\x00W\\x002\\x00K\\x001\\x002\\x00H\\x00G\\x00O\r\n Subject Public Key Info:\r\n Public Key Algorithm: 
rsaEncryption\r\n Public-Key: (2048 bit)\r\n Modulus:\r\n 00:b6:7e:f2:41:23:f1:f3:cf:44:90:e7:fc:ba:3f:\r\n ...\r\n d0:51:d1:55:8c:6b:d0:f6:65:e5:c4:d2:09:1d:d0:\r\n 17:c7\r\n Exponent: 65537 (0x10001)\r\n X509v3 extensions:\r\n X509v3 Basic Constraints:\r\n CA:TRUE, pathlen:0\r\n 1.3.6.1.4.1.311.18.8:\r\n Q.G.K.8.V.3.W.2.K.H.P.D.6.W.4.V.M.Q.2.G.3.T.H.3.K.C.8.J.W.K.W.D.M.4.Y...\r\n Signature Algorithm: sha1WithRSA\r\n 3a:1d:94:36:5d:32:12:6f:5e:e3:76:9f:cb:2b:1c:92:c2:ff:\r\n ...\r\n ac:1e:23:b2:a0:73:ff:6f:12:f8:86:24:4b:95:15:54:c0:a2:\r\n ba:05:00:e3<\/pre>\n<p>The key length is only 2048 bits and the signature algorithm is SHA1.<br \/>\nIf you had selected the &#8220;Web browser&#8221; connection method before activating the server for the first time, you do not need to touch the registry or reactivate the server!<\/p>\n<h1>Conclusion<\/h1>\n<p>Windows Mobile&#8217;s Remote Desktop Mobile (RDM) application connects fine if the right certificates are generated when activating the RD License Server. RDM will not connect if SHA256 and a 4096-bit key are used on the server. RDM supports neither NLA nor SSL\/TLS!<\/p>\n<h1>What MS says<\/h1>\n<pre>RDS 2008, 2008R2, and 2012 will not allow connections from older RDP 5.x clients.\r\n\r\nTo get around this add the following registry key to the RDS Session Host\r\n\r\nSubkey: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\RCM\r\nRegistry entry: Use512LenPropCert\r\nData type: REG_DWORD\r\nValue: 0 or 1\r\n\r\nThis is far less secure (512bit encryption vs 2048bit), and you won't be able to take advantage of the features of later versions of the RDP protocol, but older clients will be able to connect.<\/pre>\n<p>What puzzles me about that is that it says &#8216;no support of 2048 length key&#8217;, but the key length is 2048 in my validated tests. 
Possibly they mean that it does not support a 4096 key length but does support 2048 (which is set with the Use512LenPropCert?).<\/p>\n<h2>Test your installation<\/h2>\n<p>If you would like to check the certificates of your installation, you may use the attached demo application: &#8220;RDS2012_security&#8221;. It will just read the registry and show the certificate data.<\/p>\n<p><a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Security_CertifcateDump_not_ok.gif\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1904\" alt=\"RDS_Security_CertifcateDump_not_ok\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Security_CertifcateDump_not_ok-300x229.gif\" width=\"300\" height=\"229\" srcset=\"https:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Security_CertifcateDump_not_ok-300x229.gif 300w, https:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Security_CertifcateDump_not_ok-150x114.gif 150w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a> <a href=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Security_CertifcateDump_ok.gif\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1903\" alt=\"RDS_Security_CertifcateDump_ok\" src=\"http:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Security_CertifcateDump_ok-300x229.gif\" width=\"300\" height=\"229\" srcset=\"https:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Security_CertifcateDump_ok-300x229.gif 300w, https:\/\/www.hjgode.de\/wp\/wp-content\/uploads\/2014\/03\/RDS_Security_CertifcateDump_ok-150x114.gif 150w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The code (included in the attachment) just reads the registry and extracts the certificate data. The data is stored in binary form with some extra data at the beginning. There are twelve bytes to remove to get the raw certificate (all these certs start with 0x30 0x82). 
So the registry value might look like this:<\/p>\n<pre>\"X509 Certificate\"=hex:02,00,00,00,04,00,00,00,f1,05,00,00,30,82,05,ed,30,82,\\\r\n  03,d5,a0,03,02,01,02,02,10,0b,1c,04,1c,9c,74,34,af,41,3a,3c,bf,39,f5,56,bf,\\\r\n  30,0d,06,09,2a,86,48,86,f7,0d,01,01,0b,05,00,30,81,88,31,0b,30,09,06,03,55,\\\r\n...<\/pre>\n<p>Then the tool has to remove the first 12 bytes and we get the raw data:<\/p>\n<pre>30,82,05,ed,30,82,\\\r\n  03,d5,a0,03,02,01,02,02,10,0b,1c,04,1c,9c,74,34,af,41,3a,3c,bf,39,f5,56,bf,\\\r\n  30,0d,06,09,2a,86,48,86,f7,0d,01,01,0b,05,00,30,81,88,31,0b,30,09,06,03,55,\\\r\n...<\/pre>\n<p>Here is the simple code that does this in C# and then initializes a new X509Certificate2 object:<\/p>\n<pre>        \/\/ needs: using System; using Microsoft.Win32; using System.Security.Cryptography.X509Certificates;\r\n        const string rd_mainRegKey = @\"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\RCM\";\r\n        string[] _x509ValueNames = new string[] { \"X509 Certificate\", \"X509 Certificate2\" };\r\n...\r\n        byte[] readX509Cert(string sValueName)\r\n        {\r\n            byte[] buf = null;\r\n            using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(rd_mainRegKey, false))\r\n            {\r\n                byte[] bufTemp = (byte[]) rk.GetValue(sValueName);\r\n                \/\/remove first 12 bytes (0x0c): the extra data stored in front of the DER certificate\r\n                buf = new byte[bufTemp.Length - 0x0c];\r\n                Array.Copy(bufTemp, 0x0c, buf, 0, 
bufTemp.Length - 0x0c);\r\n            }\r\n            if(sValueName.EndsWith(\"2\"))\r\n                _x509Certificate2=new X509Certificate2(buf);\r\n            else\r\n                _x509Certificate = new X509Certificate2(buf);\r\n\r\n            return buf;\r\n        }<\/pre>\n<p>Now you can even save the cert or, like the demo does, just show the key length and the algorithm used.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For whatever reason MS decided to make Windows 2012 RDS (former Terminal Services, now Remote Desktop Services) not compatible with Windows Mobile 6.x and other Windows CE 5.0 based handheld devices. 
Fortunately, if you activated Remote Desktop License Server using &#8216;Web Browser&#8217; method, you simply have to change the Collections Security settings and disable &#8216;Allow [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[178,3,194],"tags":[156,501,502,499,500,15,32],"class_list":["post-1895","post","type-post","status-publish","format-standard","hentry","category-codeproject","category-programming","category-tips","tag-remote-desktop-mobile","tag-remote-desktop-services","tag-terminal-server","tag-windows-2008-r2","tag-windows-2012-r2","tag-windows-mobile","tag-windows-mobile-6"],"_links":{"self":[{"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/posts\/1895"}],"collection":[{"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/comments?post=1895"}],"version-history":[{"count":10,"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/posts\/1895\/revisions"}],"predecessor-version":[{"id":2762,"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/posts\/1895\/revisions\/2762"}],"wp:attachment":[{"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/media?parent=1895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/categories?post=1895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hjgode.de\/wp\/wp-json\/wp\/v2\/tags?post=1895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}