Solved

How can I clean up certificate errors with RemoteApp?

Posted on 2009-07-02
12
4,501 Views
Last Modified: 2013-11-21
I'm trying to test out RemoteApp, and I keep running into a certificate "error."  I can install the certificate by hand; I thought adding the certificate to a GPO would alleviate this extra step?  I created a GPO that includes the certificate in Trusted Root Certification Authorities, and the certificate appears on the clients with the Certificates snap-in.

Specifically, the error is "The certificate is not from a trusted certifying authority."  I can import this certificate manually, and then my connection is fine, but it seems silly that I can't deploy it successfully via GPO?  gpresult reports the GPO is processed fine, and the certificate shows up in certificates snap-in on the client.  I guess I'm just missing something?

Clients are XP SP2, servers are 2003R2 Standard.  I'm wondering if perhaps I need Datacenter or Enterprise edition?
0
Question by:sbumpas
12 Comments
 
LVL 20

Expert Comment

by:EndureKona
ID: 24765741
You can import it as you found, or I would recommend getting a commercial cert, which will be trusted.   The cost for a commercial cert can be less than $50.

Go Daddy and a few others will work.
0
 

Author Comment

by:sbumpas
ID: 24765798
So the reason the GPO distribution doesn't work, is because I'm not using a commercial certificate?

Are commercial certificates assigned per FQDN, server, or just organization in general and I can change/manipulate it later on?  This server is not expected to be in use long term (although $50 isn't very much).
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24765842
No, sorry: if you have a commercial cert there is no need to deploy it, since it will be trusted.   I see your point; if it will not be around, there's no real need to spend the money.

Deploying the cert via GPO, are you doing something like this:

http://unixwiz.net/techtips/deploy-webcert-gp.html   (About half way down on the page)

0
 

Author Comment

by:sbumpas
ID: 24765881
Funny - that is the exact website I used to create the GPO.  According to the clients, the GPO is successfully received and processed, and the cert shows up in the Certificates snap-in.  That's sort of what brought me here - I must be missing a step?
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24765894
For a workstation/user that you're attempting to get it applied to, can you do a gpupdate /force, then run rsop.msc to see if it's actually attempted to be applied?
0
 

Author Comment

by:sbumpas
ID: 24767696
I'm glad you pointed this out.  On my GPO, on my DC, the entry is listed as "Trusted Root Certification Authorities".

On the client, the entry is changed to "Domain Root Certification Authorities", but the certificate is listed.

Perhaps that's why RemoteApp is telling me that the certificate isn't found in "Trusted Root CAs"?  But if that's the case, how do I add it when it seems to change somewhere between the client and the server?
0
 

Author Comment

by:sbumpas
ID: 24871336
Any other takers?  We've decided that spending $100 or so on a proper certificate would be worth it, *IF* we knew for sure that would fix the problem.
0
 

Author Comment

by:sbumpas
ID: 24999077
If I could get some recommendations on certificate providers, that would be great.  I'm not sure what sort of things to look for when choosing, in terms of the good and the bad.  
0
 
LVL 58

Accepted Solution

by:tigermatt (earned 250 total points)
ID: 24999334

I can give you some recommendations on providers and also probably explain to you why the Group Policy approach isn't working.

Certificates have what is known as a Certification Path. This is a hierarchy which comes from the root Certification Authority and drills down to the actual certificate. In your case, the certificate you issued yourself would probably have been generated from a Certification Authority you have installed on your network. If so, that CA has its own certificate in order to issue other certificates. It is the certificate *of the CA* which you would have to push out by Group Policy; that would then validate the certification tree and make all the certificates that CA generates - trusted.

I've uploaded an example of a certification path as an attachment to this comment - you should see it below. The example I've used is from a commercial certificate, but the principle is the same. In this case, 'Starfield Class 2 Certification Authority' is the root CA which the issuer uses. As a commercial provider, it is that CA's certification which is installed in most common browsers; this makes the other certificates it generates (such as the Starfield Secure Certification Authority and finally the mail.company.com) trusted.

I don't think I explained that particularly well so please let me know if you are confused. In your case, it is probably (I can't be certain, but this is usually the case) the certificate in place of the Class 2 Certification Authority in the below example which is not trusted, and thus giving you this error.

As for commercial providers, I would highly recommend you look into them. Standard single domain certificates are not that expensive.

There are the likes of Verisign or Thawte, but they charge a lot - more than $100 in most cases. Instead, I'd suggest you take a look at either GoDaddy or Certificates for Exchange. These both use a company called 'Starfield Technologies' (thus the name 'Starfield' in the attached example) to obtain the certificates. For the latter (Certificates for Exchange), it does not matter that it has 'Exchange' in the title - all SSL certificates are standard and work with anything.

Certificates for Exchange are currently charging $30/yr for a Standard, Single Domain SSL certificate: http://www.certificatesforexchange.com/.

-Matt
certification-path.png
0
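As an added example (not part of this thread or of any answer in it), the following PowerShell script does on the Terminal Server what Matt describes by hand: it builds the certification path of the certificate the RDP listener presents, prints each element of the path with its status, and, when the path does not end at a trusted root, exports the top-of-chain CA certificate, which is the one that belongs in the GPO's Trusted Root Certification Authorities list (for a certificate the TS server generated itself, that top element is the same self-signed certificate). It assumes PowerShell is available on the server, that the listener certificate is in the machine's Personal store (Cert:\LocalMachine\My), and that the $Thumbprint parameter is a placeholder for the thumbprint shown for that certificate in Terminal Services Configuration.

```powershell
# Added example, not code from the thread. Builds the certification path of the
# RDP listener certificate and shows which element of the path is not trusted.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # placeholder: thumbprint of the listener certificate
)

# Locate the listener certificate in the machine's Personal store (assumption).
$hex  = $Thumbprint.ToUpper().Replace(' ', '')
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hex }
if (-not $cert) { throw "No certificate with thumbprint $hex in Cert:\LocalMachine\My" }

# Build the chain exactly as a client would, but without revocation checks:
# revocation is unrelated to the 'not from a trusted certifying authority' error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

Write-Host "Certification path (leaf first):"
foreach ($element in $chain.ChainElements) {
    # ChainElementStatus is empty when this element has no problem.
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    Write-Host ("  {0}`n    issued by: {1}`n    status:    {2}" -f
        $element.Certificate.Subject, $element.Certificate.Issuer, $status)
}

# The last element is the top of the path. It is this CA certificate (not the
# leaf certificate) that the GPO has to place in Trusted Root Certification
# Authorities on the clients. A self-signed certificate is its own top element.
$root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }

if ($trusted) {
    Write-Host "Path ends at a trusted root on this machine: $($root.Subject)"
} else {
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Host "Path is NOT trusted on this machine; chain status: $problems"
    if (-not $inRootStore) {
        # Export the top-of-chain certificate (DER, public part only) so it can be
        # imported into the GPO's Trusted Root Certification Authorities list.
        $out   = Join-Path $env:TEMP 'top-of-chain-ca.cer'
        $bytes = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($out, $bytes)
        Write-Host "Top-of-chain certificate '$($root.Subject)' is not in LocalMachine\Root; exported to $out"
    }
}
```

Run it on the Terminal Server as `.\Check-RdpChain.ps1 -Thumbprint <thumbprint>` (script name assumed). The element reported with status `UntrustedRoot` is the certificate the clients are missing; once the exported .cer is the one delivered by the GPO rather than the leaf certificate, a client that has received the policy should build the same path with every element reported as `OK`.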
 
LVL 2

Expert Comment

by:tphelps19
ID: 36560982
I know this is an old thread but I have to comment.  This entire process is a total scam by Microsoft and the security certificate companies.  Why the heck do I have to BUY a cert when the cert that is issued from the TS server is just as good for what I need it for?  Trusted root authorities were initially set up so that people who are putting sensitive information over the internet could know they are "really" protected and not just a fake cert.  99% of the time in business applications that doesn't apply because you are using it for some internal purpose.  Microsoft knows this and they are just pushing this crap so that millions of people just like you will go buy a cheap $30 cert because it's easier to do that than going around and manually installing a cert.  Why does nobody think it's odd that you can't just click "Continue" like you used to be able to?  Microsoft used to just prompt you saying the cert you're getting is not matching any trusted source and then ask you if you want to continue.  But now they just plain don't let you continue??!!?!?!?   Not unless you BUY something?  This is a total scam and I hope all of you out there with more than half a brain realize this and fight back against Microsoft for doing this.
0
 
LVL 2

Expert Comment

by:tphelps19
ID: 36561004
Oh and one more thing, the cert that gets issued from the TS server is JUST AS GOOD as any you'll get from a so called trusted source.  Most people don't know that but just because it is self generated by the TS server doesn't mean it's any less secure than anywhere else.  The 1024 bit cert you get from the TS server is just as secure as the 1024 bit cert you're going to get from GoDaddy or any other trusted source.  Microsoft can go jump in a friggin lake and take their money making scam with them.

Don't be an idiot and just give in because paying money is easier than doing the right thing.
0
