Terminal Server RemoteApp RDWEB single sign on

I am trying to enable single sign-on and also make it so the warning about trusting the remote app does not appear.

Once the user logs into the rdweb site, they click on the published app. Once this happens, they receive a message asking if they trust the publisher. I want to get rid of this prompt. I have seen here: http://blogs.msdn.com/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
that the app must be signed with this type of certificate: RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain ‘Server Authentication (’.

My question is, what type of cert is this? Is it a code signing cert? They are expensive, so I do not wish to purchase one if it will not work.

PowerIT commented:
You can sign using a signing certificate created by your own CA, as long as your clients have this CA in their Trusted Root Certification Authorities store.
Or of course a purchased certificate. This does not have to be a code signing certificate, but it can be. A server authentication certificate (like the one used for SSL) is a cheaper option.
More details on both options are on Technet: http://technet.microsoft.com/en-us/library/cc754499.aspx

kr, J.
cnptechnologies (Author) commented:
Some of the remote clients will not be on the domain.

I have tried the cheapest SSL from godaddy and it didn't work. Any idea which Godaddy cert will work?
Cláudio Rodrigues (Founder and CEO) commented:
The problem here is simple. First of all, the RDP files must be signed. The issue is they must be signed with a certificate for which you ALSO have the private key. If that is NOT the case, it will NOT work.
Also note that one thing is the SSL certificate for the Web Access website. Another thing is the one for the RDP signing.
To get rid of the first prompt you need to get the Thumbprint of the certificate trusted on all clients. This is done on this registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
The second prompt usually happens if you did NOT select a certificate on the RDP-tcp connection (this must be the same certificate used for signing the RDP files). Again make sure you have the private key (select that when exporting the certificate).
I will try to summarize, step by step, what needs to get done:
1. Install Web Access role on the web server that will be your portal for the RemoteApps.
2. Create two certificate requests, one for the portal (let's say portal.yourcompany.com) and one for the RDS farm (assuming you want to have more than one TS for redundancy). Let's say farm.yourcompany.com.
3. Get the certificates issued. Install both on the web server. Configure the web server to use the portal one. EXPORT the farm one and make sure you get the private key export option selected.
4. Install the FARM certificate on all TSs.
5. Under RDP-tcp make sure you select the FARM certificate.
6. Select the FARM certificate on all TSs to be used to sign RemoteApps.

On the clients make sure you have (assuming XP clients):
- Windows XP Service Pack 3.
- .NET Framework 3.5 SP1. http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988efdaa79a8ac3d/dotnetfx35.exe
- Remote Desktop Connection 7.0 Client Update. http://support.microsoft.com/kb/969084
- Single Sign-on Hotfix for Windows XP SP3 clients. http://support.microsoft.com/kb/953760/en-us
- The CREDSSP registry changes, the Thumbprints registry changes and the Single Signon registry changes too.

That will do it. I know it is a PITA and I do HATE the way Microsoft did this on 2008 R2. But that is what it is unfortunately.

Cláudio Rodrigues
Citrix CTP
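The steps above come down to one certificate that has the Server Authentication EKU, carries its private key, chains to a root the clients trust, and whose thumbprint is listed in the Terminal Services policy key Cláudio names. The following PowerShell is an added check for those conditions on an RD host; it is not from the thread or from Microsoft. It assumes the certificate is in LocalMachine\My and that the policy value under that key is named TrustedCertThumbprints (the thread gives only the key, not the value name).

```powershell
# Added example (not from the thread): check that a certificate meets the
# RemoteApp signing requirements discussed above.
# Assumptions: certificate is in Cert:\LocalMachine\My on the RD host;
# the trusted-publisher policy value is named TrustedCertThumbprints
# (the thread only names the key, not the value).
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # SHA1 thumbprint, e.g. from Get-ChildItem Cert:\LocalMachine\My
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$problems      = @()

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Private key must be present (a .cer exported without the key cannot sign)
if (-not $cert.HasPrivateKey) { $problems += 'private key is missing' }

# 2. EKU must contain Server Authentication
$ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $serverAuthOid) { $problems += 'EKU lacks Server Authentication' }

# 3. Chain must build to a trusted root (checked on this host; clients must trust it too)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += 'chain does not build: ' + ($chain.ChainStatus.StatusInformation -join '; ')
}

# 4. Thumbprint should be in the trusted-publisher policy (a client-side setting,
#    so this only proves anything where that policy is applied)
$trusted = (Get-ItemProperty -Path $policyKey -Name TrustedCertThumbprints `
            -ErrorAction SilentlyContinue).TrustedCertThumbprints
$list = @()
if ($trusted) { $list = $trusted -split ',' | ForEach-Object { $_.Trim().ToUpper() } }
if ($list -notcontains $cert.Thumbprint) {
    $problems += "thumbprint not listed in $policyKey\TrustedCertThumbprints"
}

if ($problems) {
    Write-Host "Certificate $($cert.Subject) is NOT ready for RemoteApp signing:"
    $problems | ForEach-Object { Write-Host " - $_" }
} else {
    Write-Host "Certificate $($cert.Subject) satisfies the signing requirements."
}
```

Run it on each TS with the FARM certificate's thumbprint; the same thumbprint is the one that belongs in the clients' trusted-publisher policy.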
cnptechnologies (Author) commented:
In my case, I purchased a cert from godaddy. www.my-site.com

I am using said certificate on:
The SSL site for IIS
The RDP connections
The signing of the RemoteApps

Are you saying I must use a self signed cert for the RDP connections and the signing of the RemoteApp?

PowerIT commented:
No, it should not be self-signed.
BTW, are you using RD Session Broker to publish the Remote Apps? If yes then it must also use the same cert.

Can you post a link to the type of GoDaddy cert you purchased?

kr, J.
