Solved

How can I clean up certificate errors with RemoteApp?

Posted on 2009-07-02
12
4,500 Views
Last Modified: 2013-11-21
I'm trying to test out RemoteApp, and I keep running into a certificate "error."  I can install the certificate by hand; I thought adding the certificate to a GPO would alleviate this extra step?  I created a GPO that includes the certificate in Trusted Root Certification Authorities, and the certificate appears on the clients with the Certificates snap-in.

Specifically, the error is "The certificate is not from a trusted certifying authority."  I can import this certificate manually, and then my connection is fine, but it seems silly that I can't deploy it successfully via GPO?  gpresult reports the GPO is processed fine, and the certificate shows up in certificates snap-in on the client.  I guess I'm just missing something?

Clients are XP SP2, servers are 2003R2 Standard.  I'm wondering if perhaps I need Datacenter or Enterprise edition?
Question by:sbumpas
12 Comments
 
LVL 20

Expert Comment

by:EndureKona
You can import as you found, or I would recommend getting a commercial cert, which will be trusted.   The cost for a commercial cert can be less than $50.

Go Daddy and a few others will work.
0
 

Author Comment

by:sbumpas
So the reason the GPO distribution doesn't work, is because I'm not using a commercial certificate?

Are commercial certificates assigned per FQDN, server, or just organization in general and I can change/manipulate it later on?  This server is not expected to be in use long term (although $50 isn't very much).
0
 
LVL 20

Expert Comment

by:EndureKona
No, sorry. If you have a commercial cert there is no need to deploy it, since it will be trusted.   I see your point; if it will not be around, there's no real need to spend the money.

Deploying the cert via GPO, are you doing something like this:

http://unixwiz.net/techtips/deploy-webcert-gp.html   (About half way down on the page)

0
 

Author Comment

by:sbumpas
Funny - that is the exact website I used to create the GPO.  According to the clients, the GPO is successfully received and processed, and the cert shows up in the Certificates snap-in.  That's sort of what brought me here - I must be missing a step?
0
 
LVL 20

Expert Comment

by:EndureKona
For a workstation/user that you're attempting to get it applied to, can you do a gpupdate /force, then run rsop.msc to see if it's actually attempted to be applied?
0
 

Author Comment

by:sbumpas
I'm glad you pointed this out.  On my GPO, on my DC, the entry is listed as "Trusted Root Certification Authorities".

On the client, the entry is changed to "Domain Root Certification Authorities", but the certificate is listed.

Perhaps that's why RemoteApp is telling me that the certificate isn't found in "Trusted Root CAs"?  But if that's the case, how do I add it when it seems to change somewhere between the client and the server?
0
 

Author Comment

by:sbumpas
Any other takers?  We've decided that spending $100 or so on a proper certificate would be worth it, *IF* we knew for sure that would fix the problem.
0
 

Author Comment

by:sbumpas
If I could get some recommendations on certificate providers, that would be great.  I'm not sure what sort of things to look for when choosing, in terms of the good and the bad.  
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points

I can give you some recommendations on providers and also probably explain to you why the Group Policy approach isn't working.

Certificates have what is known as a Certification Path. This is a hierarchy which comes from the root Certification Authority and drills down to the actual certificate. In your case, the certificate you issued yourself would probably have been generated from a Certification Authority you have installed on your network. If so, that CA has its own certificate in order to issue other certificates. It is the certificate *of the CA* which you would have to push out by Group Policy; that would then validate the certification tree and make all the certificates that CA generates trusted.

I've uploaded an example of a certification path as an attachment to this comment - you should see it below. The example I've used is from a commercial certificate, but the principle is the same. In this case, 'Starfield Class 2 Certification Authority' is the root CA which the issuer uses. As a commercial provider, it is that CA's certificate which is installed in most common browsers; this makes the other certificates it generates (such as the Starfield Secure Certification Authority and finally mail.company.com) trusted.

I don't think I explained that particularly well, so please let me know if you are confused. In your case, it is probably (I can't be certain, but this is usually the case) the certificate in place of the Class 2 Certification Authority in the below example which is not trusted, and is thus giving you this error.

As for commercial providers, I would highly recommend you look into them. Standard single domain certificates are not that expensive.

There are the likes of Verisign or Thawte, but they charge a lot - more than $100 in most cases. Instead, I'd suggest you take a look at either GoDaddy or Certificates for Exchange. These both use a company called 'Starfield Technologies' (thus the name 'Starfield' in the attached example) to obtain the certificates. With the latter (Certificates for Exchange), it does not matter that it has 'Exchange' in the title - all SSL certificates are standard and work with anything.

Certificates for Exchange are currently charging $30/yr for a Standard, Single Domain SSL certificate: http://www.certificatesforexchange.com/.

-Matt
certification-path.png
0
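To see for yourself which element of the path the client does not trust (and therefore which certificate belongs in the GPO's Trusted Root Certification Authorities node), the following PowerShell script can be run on a client. It is an added example, not code from the thread or from any of the providers mentioned; it assumes the server's certificate (public part only) has been exported to a `.cer` file, and the `C:\temp\tsserver.cer` path is a placeholder.

```powershell
# Added example (not from the thread). Builds the certificate chain for a
# Terminal Server / RemoteApp certificate from the client's point of view and
# reports which element fails trust. The top of the chain (a self-signed
# certificate is its own root) is the certificate to deploy by GPO.
param(
    [string]$CertPath = 'C:\temp\tsserver.cer'   # placeholder path; export the server cert here first
)

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip CRL lookups; this check is only about the trust relationship, not revocation.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)

Write-Host ("Chain builds as trusted: {0}" -f $trusted)

# Walk the chain from the server certificate (element 0) up to the top.
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $element = $chain.ChainElements[$i]
    $cert    = $element.Certificate
    if ($element.ChainElementStatus.Count -eq 0) {
        $status = 'OK'
    } else {
        # Typical values here: UntrustedRoot (not in the Trusted Root store),
        # PartialChain (issuer could not be found at all), NotTimeValid (expired).
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
    Write-Host ("[{0}] Subject   : {1}" -f $i, $cert.Subject)
    Write-Host ("     Issuer    : {0}" -f $cert.Issuer)
    Write-Host ("     Thumbprint: {0}" -f $cert.Thumbprint)
    Write-Host ("     Status    : {0}" -f $status)
}

# Compare the top of the chain against the machine's Trusted Root store by thumbprint.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }

if ($inRootStore) {
    Write-Host ("Top of chain ({0}) is present in LocalMachine\Root." -f $top.Subject)
} else {
    Write-Host ("Top of chain ({0}) is NOT in LocalMachine\Root; this is the certificate to push out." -f $top.Subject)
    # Save its public certificate (DER, no private key) so it can be imported
    # into the GPO's Trusted Root Certification Authorities node.
    $out = Join-Path (Split-Path $CertPath) 'push-this-root.cer'
    [System.IO.File]::WriteAllBytes($out, $top.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    Write-Host ("Exported to {0}" -f $out)
}
```

If element 0 is the only element and its Subject equals its Issuer, the server certificate is self-signed and is itself the root to deploy; if there is a CA above it, it is that CA's certificate, not the server's, that belongs in the GPO. Comparing thumbprints rather than subject names avoids being fooled by two different certificates that happen to share a name.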
 
LVL 2

Expert Comment

by:tphelps19
I know this is an old thread but I have to comment.  This entire process is a total scam by Microsoft and the security certificate companies.  Why the heck do I have to BUY a cert when the cert that is issued from the TS server is just as good for what I need it for?  Trusted root authorities were initially set up so that people who are putting sensitive information over the internet could know they are "really" protected and not just a fake cert.  99% of the time in business applications that doesn't apply because you are using it for some internal purpose.  Microsoft knows this and they are just pushing this crap so that millions of people just like you will go buy a cheap $30 cert because it's easier to do that than going around and manually installing a cert.  Why does nobody think it's odd that you can't just click "Continue" like you used to be able to?  Microsoft used to just prompt you saying the cert you're getting is not matching any trusted source and then ask you if you want to continue.  But now they just plain don't let you continue??!!?!?!?   Not unless you BUY something?  This is a total scam and I hope all of you out there with more than half a brain realize this and fight back against Microsoft for doing this.
0
 
LVL 2

Expert Comment

by:tphelps19
Oh and one more thing, the cert that gets issued from the TS server is JUST AS GOOD as any you'll get from a so called trusted source.  Most people don't know that but just because it is self generated by the TS server doesn't mean it's any less secure than anywhere else.  The 1024 bit cert you get from the TS server is just as secure as the 1024 bit cert you're going to get from GoDaddy or any other trusted source.  Microsoft can go jump in a friggin lake and take their money making scam with them.

Don't be an idiot and just give in because paying money is easier than doing the right thing.
0
