How can I clean up certificate errors with RemoteApp?

Medium Priority
4,639 Views
Last Modified: 2013-11-21
I'm trying to test out RemoteApp, and I keep running into a certificate "error."  I can install the certificate by hand; I thought adding the certificate to a GPO would alleviate this extra step?  I created a GPO that includes the certificate in Trusted Root Certification Authorities, and the certificate appears on the clients with the Certificates snap-in.

Specifically, the error is "The certificate is not from a trusted certifying authority."  I can import this certificate manually, and then my connection is fine, but it seems silly that I can't deploy it successfully via GPO?  gpresult reports the GPO is processed fine, and the certificate shows up in certificates snap-in on the client.  I guess I'm just missing something?

Clients are XP SP2, servers are 2003R2 Standard.  I'm wondering if perhaps I need Datacenter or Enterprise edition?

Rick Fee, Messaging Engineer - Disaster Recovery Engineer
CERTIFIED EXPERT

Commented:
You can import as you found, or I would recommend getting a commercial cert, which will be trusted. The cost for a commercial cert can be less than $50.

Go Daddy and a few others will work.

Author

Commented:
So the reason the GPO distribution doesn't work, is because I'm not using a commercial certificate?

Are commercial certificates assigned per FQDN, server, or just organization in general and I can change/manipulate it later on?  This server is not expected to be in use long term (although $50 isn't very much).
Rick Fee, Messaging Engineer - Disaster Recovery Engineer
CERTIFIED EXPERT

Commented:
No, sorry; if you have a commercial cert there is no need to deploy it, since it will be trusted. I see your point: if it will not be around, there is no real need to spend the money.

In deploying the cert via GPO, are you doing something like this:

http://unixwiz.net/techtips/deploy-webcert-gp.html   (About half way down on the page)

Author

Commented:
Funny - that is the exact website I used to create the GPO.  According to the clients, the GPO is successfully received and processed, and the cert shows up in the Certificates snap-in.  That's sort of what brought me here - I must be missing a step?
Rick Fee, Messaging Engineer - Disaster Recovery Engineer
CERTIFIED EXPERT

Commented:
For a workstation/user that you're attempting to get it applied to, can you do a gpupdate /force and then run rsop.msc to see if it's actually attempted to be applied?

Author

Commented:
I'm glad you pointed this out.  On my GPO, on my DC, the entry is listed as "Trusted Root Certification Authorities".

On the client, the entry is changed to "Domain Root Certification Authorities", but the certificate is listed.

Perhaps that's why RemoteApp is telling me that the certificate isn't found in "Trusted Root CAs"?  But if that's the case, how do I add it when it seems to change somewhere between the client and the server?
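
A way to check on a client where the certificate actually landed and whether Windows chains it to a trusted root, as an added example that is not part of the original thread. It assumes PowerShell is installed on the client and that the server certificate has been exported to the hypothetical path `C:\temp\ts-server.cer`.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical location
# for the exported RemoteApp/Terminal Server certificate.
param(
    [string]$CertPath = 'C:\temp\ts-server.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

# 1. Where is the certificate physically stored? The Certificates snap-in
#    shows a merged view, so check each backing registry location separately.
$tp = $cert.Thumbprint
$locations = @(
    @('Machine Root (manual import)', "HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$tp"),
    @('Machine Root (Group Policy)',  "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$tp"),
    @('User Root (manual import)',    "HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates\$tp")
)
foreach ($loc in $locations) {
    $state = 'absent'
    if (Test-Path $loc[1]) { $state = 'present' }
    "{0,-30} {1}" -f $loc[0], $state
}

# 2. Ask Windows to build the chain the same way a client application would.
#    Revocation checking is turned off so the result reflects trust only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Chains to a trusted root: $trusted"

# 3. If the build failed, list the reasons (for example UntrustedRoot,
#    NotTimeValid or PartialChain).
foreach ($status in $chain.ChainStatus) {
    "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

Run it as the same user who launches the RemoteApp connection, after `gpupdate /force`. A status of `UntrustedRoot` means the client does not chain the certificate to a trusted root, whatever the snap-in displays.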

Author

Commented:
Any other takers?  We've decided that spending $100 or so on a proper certificate would be worth it, *IF* we knew for sure that would fix the problem.

Author

Commented:
If I could get some recommendations on certificate providers, that would be great.  I'm not sure what sort of things to look for when choosing, in terms of the good and the bad.  
tphelps19, IT Manager

Commented:
I know this is an old thread but I have to comment.  This entire process is a total scam by Microsoft and the security certificate companies.  Why the heck do I have to BUY a cert when the cert that is issued from the TS server is just as good for what I need it for?  Trusted root authorities were initially set up so that people who are putting sensitive information over the internet could know they are "really" protected and not just a fake cert.  99% of the time in business applications that doesn't apply because you are using it for some internal purpose.  Microsoft knows this and they are just pushing this crap so that millions of people just like you will go buy a cheap $30 cert because it's easier to do that than going around and manually installing a cert.  Why does nobody think it's odd that you can't just click "Continue" like you used to be able to?  Microsoft used to just prompt you saying the cert you're getting is not matching any trusted source and then ask you if you want to continue.  But now they just plain don't let you continue??!!?!?!?   Not unless you BUY something?  This is a total scam and I hope all of you out there with more than half a brain realize this and fight back against Microsoft for doing this.
tphelps19, IT Manager

Commented:
Oh and one more thing, the cert that gets issued from the TS server is JUST AS GOOD as any you'll get from a so called trusted source.  Most people don't know that but just because it is self generated by the TS server doesn't mean it's any less secure than anywhere else.  The 1024 bit cert you get from the TS server is just as secure as the 1024 bit cert you're going to get from GoDaddy or any other trusted source.  Microsoft can go jump in a friggin lake and take their money making scam with them.

Don't be an idiot and just give in because paying money is easier than doing the right thing.