sbumpas


How can I clean up certificate errors with RemoteApp?

I'm trying to test out RemoteApp, and I keep running into a certificate "error."  I can install the certificate by hand; I thought adding the certificate to a GPO would alleviate this extra step?  I created a GPO that includes the certificate in Trusted Root Certification Authorities, and the certificate appears on the clients with the Certificates snap-in.

Specifically, the error is "The certificate is not from a trusted certifying authority."  I can import this certificate manually, and then my connection is fine, but it seems silly that I can't deploy it successfully via GPO?  gpresult reports the GPO is processed fine, and the certificate shows up in certificates snap-in on the client.  I guess I'm just missing something?

Clients are XP SP2, servers are 2003R2 Standard.  I'm wondering if perhaps I need Datacenter or Enterprise edition?
Rick Fee

You can import it as you found, or I would recommend getting a commercial cert, which will be trusted.   The cost for a commercial cert can be less than $50.

Go Daddy and a few others will work.
sbumpas

ASKER

So the reason the GPO distribution doesn't work, is because I'm not using a commercial certificate?

Are commercial certificates assigned per FQDN, server, or just organization in general and I can change/manipulate it later on?  This server is not expected to be in use long term (although $50 isn't very much).
No, sorry. If you have a commercial cert there is no need to deploy it, since it will be trusted.   I see your point; if it will not be around, there is no real need to spend the money.

Deploying the cert via GPO, are you doing something like this:

http://unixwiz.net/techtips/deploy-webcert-gp.html   (About half way down on the page)


ASKER

Funny - that is the exact website I used to create the GPO.  According to the clients, the GPO is successfully received and processed, and the cert shows up in the Certificates snap-in.  That's sort of what brought me here - I must be missing a step?
For a workstation/user that you're attempting to get it applied to, can you do a gpupdate /force and then run rsop.msc to see if it's actually being applied?

ASKER

I'm glad you pointed this out.  On my GPO, on my DC, the entry is listed as "Trusted Root Certification Authorities".

On the client, the entry is changed to "Domain Root Certification Authorities", but the certificate is listed.

Perhaps that's why RemoteApp is telling me that the certificate isn't found in "Trusted Root CAs"?  But if that's the case, how do I add it when it seems to change somewhere between the client and the server?

ASKER

Any other takers?  We've decided that spending $100 or so on a proper certificate would be worth it, *IF* we knew for sure that would fix the problem.

ASKER

If I could get some recommendations on certificate providers, that would be great.  I'm not sure what sort of things to look for when choosing, in terms of the good and the bad.  
ASKER CERTIFIED SOLUTION
tigermatt
I know this is an old thread but I have to comment.  This entire process is a total scam by Microsoft and the security certificate companies.  Why the heck do I have to BUY a cert when the cert that is issued from the TS server is just as good for what I need it for?  Trusted root authorities were initially set up so that people who are putting sensitive information over the internet could know they are "really" protected and not just a fake cert.  99% of the time in business applications that doesn't apply because you are using it for some internal purpose.  Microsoft knows this and they are just pushing this crap so that millions of people just like you will go buy a cheap $30 cert because it's easier to do that than going around and manually installing a cert.  Why does nobody think it's odd that you can't just click "Continue" like you used to be able to?  Microsoft used to just prompt you saying the cert you're getting is not matching any trusted source and then ask you if you want to continue.  But now they just plain don't let you continue??!!?!?!?   Not unless you BUY something?  This is a total scam and I hope all of you out there with more than half a brain realize this and fight back against Microsoft for doing this.
Oh and one more thing, the cert that gets issued from the TS server is JUST AS GOOD as any you'll get from a so-called trusted source.  Most people don't know that but just because it is self generated by the TS server doesn't mean it's any less secure than anywhere else.  The 1024 bit cert you get from the TS server is just as secure as the 1024 bit cert you're going to get from GoDaddy or any other trusted source.  Microsoft can go jump in a friggin lake and take their money making scam with them.

Don't be an idiot and just give in because paying money is easier than doing the right thing.
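The thread's troubleshooting stops at "the cert shows up in the snap-in", which only proves the GPO delivered it, not that the RDP client's own chain validation accepts it. The script below is an added example, not something posted in the thread or shipped by Microsoft: run it on a client with the TS server's certificate exported to a .cer file (the path and the server name in the param block are hypothetical placeholders). It looks for the cert by thumbprint in both the computer and the user Trusted Root stores (a GPO-pushed root lands in the computer store, a cert imported by hand from the mstsc prompt typically lands in the user store), then builds the chain the way a TLS client would and prints every failing status flag, so you see whether the real problem is UntrustedRoot, NotTimeValid, or simply a name mismatch between the cert and what you type into mstsc. It also prints the key size, which is the one thing the last comment gets right: the key is no weaker for being self-signed, but the chain status shows that trust is decided by the root store, not the key length.

```powershell
# Added example (not from the thread). Assumes PowerShell on the RDP client and
# the Terminal Server certificate exported to a .cer file. Both values below are
# hypothetical placeholders.
param(
    [string]$CertPath   = 'C:\temp\tsserver.cer',    # assumption: exported server cert
    [string]$ServerName = 'tsserver.corp.example'    # assumption: name typed into mstsc
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Thumbprint  : $($cert.Thumbprint)"
"Key size    : $($cert.PublicKey.Key.KeySize) bits"
"Self-signed : $($cert.Subject -eq $cert.Issuer)"
"Valid       : $($cert.NotBefore) to $($cert.NotAfter)"

# 1. Where is it trusted? GPO-deployed roots appear in LocalMachine\Root
#    (physical store "Group Policy"); a manual import from the mstsc warning
#    dialog usually ends up in CurrentUser\Root instead.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $location
    $store.Open('ReadOnly')
    $hit = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $store.Close()
    "In $location\Root by thumbprint: $([bool]$hit)"
}

# 2. Build the chain exactly as a client would and list every failing flag.
#    UntrustedRoot is the flag behind "not from a trusted certifying authority".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # offline; a self-signed cert has no CRL anyway
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
$built = $chain.Build($cert)
"Chain builds: $built"
foreach ($s in $chain.ChainStatus) {
    "  status: $($s.Status) - $($s.StatusInformation.Trim())"
}

# 3. Trust is only half of it: the CN must match the name used to connect.
#    A purchased cert for tsserver.corp.example is just as "untrusted" as a
#    self-signed one if you connect by IP address or by the short host name.
$cn = $cert.Subject -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
$cn = if ($cn) { $cn.Substring(3) } else { '' }
"Cert CN     : $cn"
"Name matches ($ServerName): $($cn -eq $ServerName)"
```

Read the output bottom-up: if the chain builds and the name matches, the client should connect without the prompt; if the chain fails with UntrustedRoot while the thumbprint is found only in CurrentUser\Root, the GPO did not deliver the cert to the store that is actually consulted; and if the chain builds but the name does not match, no amount of root-store work (or money spent on a commercial cert for the wrong name) will remove the warning.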