Solved

How can I clean up certificate errors with RemoteApp?

Posted on 2009-07-02
12
4,507 Views
Last Modified: 2013-11-21
I'm trying to test out RemoteApp, and I keep running into a certificate "error."  I can install the certificate by hand; I thought adding the certificate to a GPO would alleviate this extra step?  I created a GPO that includes the certificate in Trusted Root Certification Authorities, and the certificate appears on the clients with the Certificates snap-in.

Specifically, the error is "The certificate is not from a trusted certifying authority."  I can import this certificate manually, and then my connection is fine, but it seems silly that I can't deploy it successfully via GPO?  gpresult reports the GPO is processed fine, and the certificate shows up in certificates snap-in on the client.  I guess I'm just missing something?

Clients are XP SP2, servers are 2003R2 Standard.  I'm wondering if perhaps I need Datacenter or Enterprise edition?
0
Question by:sbumpas
12 Comments
 
LVL 20

Expert Comment

by:EndureKona
ID: 24765741
You can import it as you found, or I would recommend getting a commercial cert, which will be trusted.  The cost for a commercial cert can be less than $50.

Go Daddy and a few others will work.
0
 

Author Comment

by:sbumpas
ID: 24765798
So the reason the GPO distribution doesn't work, is because I'm not using a commercial certificate?

Are commercial certificates assigned per FQDN, server, or just organization in general and I can change/manipulate it later on?  This server is not expected to be in use long term (although $50 isn't very much).
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24765842
No, sorry; if you have a commercial cert there is no need to deploy it, since it will be trusted.  I see your point: if it will not be around, there's no real need to spend the money.

Deploying the cert via GPO, are you doing something like this:

http://unixwiz.net/techtips/deploy-webcert-gp.html   (About half way down on the page)

0
 

Author Comment

by:sbumpas
ID: 24765881
Funny - that is the exact website I used to create the GPO.  According to the clients, the GPO is successfully received and processed, and the cert shows up in the Certificates snap-in.  That's sort of what brought me here - I must be missing a step?
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24765894
For a workstation/user that you're attempting to get it applied to, can you do a gpupdate /force, then run rsop.msc to see if it's actually been attempted to be applied?
0
 

Author Comment

by:sbumpas
ID: 24767696
I'm glad you pointed this out.  On my GPO, on my DC, the entry is listed as "Trusted Root Certification Authorities".

On the client, the entry is changed to "Domain Root Certification Authorities", but the certificate is listed.

Perhaps that's why RemoteApp is telling me that the certificate isn't found in "Trusted Root CAs"?  But if that's the case, how do I add it when it seems to change somewhere between the client and the server?
0
 

Author Comment

by:sbumpas
ID: 24871336
Any other takers?  We've decided that spending $100 or so on a proper certificate would be worth it, *IF* we knew for sure that would fix the problem.
0
 

Author Comment

by:sbumpas
ID: 24999077
If I could get some recommendations on certificate providers, that would be great.  I'm not sure what sort of things to look for when choosing, in terms of the good and the bad.  
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 24999334

I can give you some recommendations on providers and also probably explain to you why the Group Policy approach isn't working.

Certificates have what is known as a Certification Path. This is a hierarchy which comes from the root Certification Authority and drills down to the actual certificate. In your case, the certificate you issued yourself would probably have been generated from a Certification Authority you have installed on your network. If so, that CA has its own certificate in order to issue other certificates. It is the certificate *of the CA* which you would have to push out by Group Policy; that would then validate the certification tree and make all the certificates that CA generates trusted.

I've uploaded an example of a certification path as an attachment to this comment - you should see it below. The example I've used is from a commercial certificate, but the principle is the same. In this case, 'Starfield Class 2 Certification Authority' is the root CA which the issuer uses. As a commercial provider, it is that CA's certificate which is installed in most common browsers; this makes the other certificates it generates (such as the Starfield Secure Certification Authority and finally the mail.company.com) trusted.

I don't think I explained that particularly well so please let me know if you are confused. In your case, it is probably (I can't be certain, but this is usually the case) the certificate in place of the Class 2 Certification Authority in the below example which is not trusted, and thus giving you this error.

As for commercial providers, I would highly recommend you look into them. Standard single domain certificates are not that expensive.

There are the likes of Verisign or Thawte, but they charge a lot - more than $100 in most cases. Instead, I'd suggest you take a look at either GoDaddy or Certificates for Exchange. These both use a company called 'Starfield Technologies' (thus the name 'Starfield' in the attached example) to obtain the certificates. For the latter (Certificates for Exchange), it does not matter that it has 'Exchange' in the title - all SSL certificates are standard and work with anything.

Certificates for Exchange are currently charging $30/yr for a Standard, Single Domain SSL certificate: http://www.certificatesforexchange.com/.

-Matt
certification-path.png
0
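The accepted answer's point is that the client must trust the *issuer* at the top of the certification path, not merely have the server's own certificate somewhere in a store. The script below is an added example for this thread, not code from the answerer or from Microsoft; it is written for a modern Windows client with PowerShell, since that is where an administrator would run this check today. It takes the certificate file you have been importing by hand (the path is a hypothetical placeholder), builds its certification path with the .NET X509Chain class, and for each element reports whether it is self-signed, whether it is already present in the machine or user Trusted Root store, and what trust status Windows assigns it. The element flagged UntrustedRoot that is not in the Root store is the one the GPO has to deliver; for a self-signed TS certificate that is the certificate itself, for a CA-issued one it is the CA's certificate. Running it before and after `gpupdate /force` on a client shows directly whether the GPO placed the right certificate where the RDP client looks.

```powershell
# Added example for this thread, not code from the original answer.
# The .cer path is a hypothetical placeholder; point it at the certificate
# you have been importing manually on the client.
param(
    [string]$CertPath = 'C:\temp\remoteapp-server.cer'   # hypothetical path
)

function Get-ChainReport {
    param([string]$Path)

    # Load the leaf certificate from the file the server handed out.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Build the certification path exactly as Windows would when validating it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is switched off so an offline lab does not mask the
    # trust problem with a separate RevocationStatusUnknown error.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainIsTrusted = $chain.Build($leaf)

    # Thumbprints of everything currently trusted as a root, machine and user scope.
    $rootThumbprints = @(Get-ChildItem Cert:\LocalMachine\Root) +
                       @(Get-ChildItem Cert:\CurrentUser\Root) |
                       ForEach-Object { $_.Thumbprint }

    # One row per element of the path, leaf first, root (or would-be root) last.
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $status = if ($element.ChainElementStatus.Count -eq 0) {
            'OK'
        } else {
            ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            InRootStore  = ($rootThumbprints -contains $cert.Thumbprint)
            Status       = $status
            ChainTrusted = $chainIsTrusted
        }
    }
}

$report = Get-ChainReport -Path $CertPath
$report | Format-Table -AutoSize

# Name the certificate that has to be distributed by the GPO: the top of the
# path that Windows does not yet trust.
$missing = $report | Where-Object { $_.Status -like '*UntrustedRoot*' -and -not $_.InRootStore }
if ($missing) {
    Write-Host "Push this certificate to Trusted Root Certification Authorities:"
    $missing | ForEach-Object { Write-Host "  $($_.Subject)" }
} elseif (-not $report[0].ChainTrusted) {
    Write-Host "Root is present but the chain still fails; see the Status column."
} else {
    Write-Host "Chain validates on this client; the RDP trust error should be gone."
}
```

If the report shows the server's certificate itself as self-signed and UntrustedRoot, then the file you are pushing through Group Policy is the right one and the remaining question is which store the client is reading it from; if instead a separate CA certificate sits at the top of the path, the GPO has been delivering the wrong certificate all along, which is exactly the situation Matt describes.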
 
LVL 2

Expert Comment

by:tphelps19
ID: 36560982
I know this is an old thread but I have to comment.  This entire process is a total scam by Microsoft and the security certificate companies.  Why the heck do I have to BUY a cert when the cert that is issued from the TS server is just as good for what I need it for?  Trusted root authorities were initially set up so that people who are putting sensitive information over the internet could know they are "really" protected and not just a fake cert.  99% of the time in business applications that doesn't apply because you are using it for some internal purpose.  Microsoft knows this and they are just pushing this crap so that millions of people just like you will go buy a cheap $30 cert because it's easier to do that than going around and manually installing a cert.  Why does nobody think it's odd that you can't just click "Continue" like you used to be able to?  Microsoft used to just prompt you saying the cert you're getting is not matching any trusted source and then ask you if you want to continue.  But now they just plain don't let you continue??!!?!?!?   Not unless you BUY something?  This is a total scam and I hope all of you out there with more than half a brain realize this and fight back against Microsoft for doing this.
0
 
LVL 2

Expert Comment

by:tphelps19
ID: 36561004
Oh, and one more thing: the cert that gets issued from the TS server is JUST AS GOOD as any you'll get from a so-called trusted source.  Most people don't know that, but just because it is self-generated by the TS server doesn't mean it's any less secure than anywhere else.  The 1024 bit cert you get from the TS server is just as secure as the 1024 bit cert you're going to get from GoDaddy or any other trusted source.  Microsoft can go jump in a friggin lake and take their money making scam with them.

Don't be an idiot and just give in because paying money is easier than doing the right thing.
0
