The digital signature of this RDP file cannot be verified. The remote connection cannot be started.


Case

When you try to launch a Remote Desktop Services (RDS) remote app or desktop, you receive the following error: "The digital signature of this RDP file cannot be verified. The remote connection cannot be started".


This may be accompanied by various TLS certificate-related errors or warnings on your RDS servers, for example on the Connection Broker server.

Solution

This indicates that some or all of the TLS certificates used in your Remote Desktop Services (RDS) infrastructure have expired or are not valid.

You must first check the certificate store of all RDS servers, i.e. RDS Connection Broker, RDS Gateway and RDS Web Access. If you have expired certificates, you must either renew the existing certificates or issue new certificates. For renewing existing certificates, either automatically via Group Policy or manually, refer to the following article:

To issue new certificates for your RDS roles, you can use the Windows Server IIS Manager console (run the inetmgr command from the Start Menu) to request a new certificate from your private Certificate Authority (CA). Certificates from a public CA can also be used, if applicable.

When all certificates are ready, you must ensure that the RDS certificate configuration shows an OK value in the "Status" field of all certificate records inside the RDS management console, as shown in the following screenshot.

To navigate to the above page, open the RDS management console inside Windows Server Manager on a domain-joined machine that has all RDS servers added to the Server Manager console. Then navigate to the RDS Collection in question and, under the "Tasks" drop-down box, click "Edit Deployment Properties". The path to follow inside Server Manager is "Remote Desktop Services –> Collections –> Tasks –> Edit Deployment Properties".

Then you need to replace the existing (expired) TLS certificates with new certificates by importing the newly issued certificate for each RDS role. Usually each certificate will be available in the form of a .pfx file, which includes the certificate's private key.
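The same check-and-replace procedure can be scripted with the RemoteDesktop PowerShell module. The following is an added example, not part of the original article. The server names, the .pfx paths and the 30-day warning window are placeholders, and treating any Level other than Trusted as needing replacement is this example's own choice.

```powershell
Import-Module RemoteDesktop

# Placeholders: replace with the servers of your own deployment
$broker     = 'rdcb01.example.internal'
$rdsServers = 'rdcb01.example.internal', 'rdgw01.example.internal', 'rdweb01.example.internal'
$warnDays   = 30   # assumption: flag anything expiring within 30 days

# 1. Machine certificate store of every RDS server: expired or soon-to-expire certificates
Invoke-Command -ComputerName $rdsServers -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($using:warnDays) } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
} | Sort-Object PSComputerName, NotAfter |
    Format-Table PSComputerName, Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize

# 2. Certificates the deployment has bound to each role
$deployed = Get-RDCertificate -ConnectionBroker $broker
$deployed | Format-Table Role, Level, ExpiresOn, Subject, Thumbprint -AutoSize

$needsReplacing = $deployed | Where-Object {
    $_.Level -ne 'Trusted' -or $_.ExpiresOn -lt (Get-Date).AddDays($warnDays)
}

# 3. Import the newly issued .pfx for each affected role (placeholder paths)
$pfxByRole = @{
    RDGateway    = 'C:\Certs\rdgateway.pfx'
    RDWebAccess  = 'C:\Certs\rdweb.pfx'
    RDRedirector = 'C:\Certs\rdbroker-sso.pfx'
    RDPublishing = 'C:\Certs\rdbroker-publishing.pfx'
}

foreach ($entry in $needsReplacing) {
    $role = "$($entry.Role)"
    $pfx  = $pfxByRole[$role]
    if (-not (Test-Path $pfx)) {
        Write-Warning "No .pfx found for role $role at $pfx, skipping"
        continue
    }
    # Prompt for the password so it is never stored in the script or shell history
    $pass = Read-Host -AsSecureString -Prompt "Password for $pfx"
    Set-RDCertificate -Role $entry.Role -ImportPath $pfx -Password $pass `
        -ConnectionBroker $broker -Force
}

# 4. Confirm the result for all roles
Get-RDCertificate -ConnectionBroker $broker |
    Format-Table Role, Level, ExpiresOn, Thumbprint -AutoSize
```

Run it from an elevated session under an account with administrative rights on all RDS servers, and delete the .pfx files afterwards, since they contain the private keys.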
