Terminal Server RemoteApp RDWEB single sign on

I am trying to enable single sign-on and also make it so the warning about trusting the remote app does not appear.

Once the user logs into the RDWeb site, they click on the published app. Once this happens, they receive a message asking if they trust the publisher. I want to get rid of this prompt. I have seen here: http://blogs.msdn.com/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
that the app must be signed with this type of certificate: "RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain 'Server Authentication (1.3.6.1.5.5.7.3.1)'."

My question is, what type of cert is this? Is it a code signing cert? They are expensive, so I do not wish to purchase one if it will not work.
cnptechnologies asked:
PowerIT commented:
You can sign using a signing certificate created by your own CA, as long as your clients have this CA in their Trusted Root Certification Authorities store.
Or, of course, a purchased certificate. This does not have to be a code signing certificate, but it can be. A server authentication certificate (like the ones used for SSL) is a cheaper option.
More details on both options are on TechNet: http://technet.microsoft.com/en-us/library/cc754499.aspx

kr, J.
0

cnptechnologies (Author) commented:
Some of the remote clients will not be on the domain.

I have tried the cheapest SSL from godaddy and it didn't work. Any idea which Godaddy cert will work?
0
Cláudio Rodrigues (Founder and CEO) commented:
The problem here is simple. First of all, the RDP files must be signed. The issue is they must be signed with a certificate for which you ALSO have the private key. If that is NOT the case, it will NOT work.
Also note that one thing is the SSL certificate for the Web Access website. Another thing is the one for the RDP signing.
To get rid of the first prompt you need to get the thumbprint of the certificate trusted on all clients. This is done in this registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"TrustedCertThumbprints"
The second prompt usually happens if you did NOT select a certificate on the RDP-Tcp connection (this must be the same certificate used for signing the RDP files). Again, make sure you have the private key (select that when exporting the certificate).
I will try to summarize, step by step, what needs to get done:
1. Install Web Access role on the web server that will be your portal for the RemoteApps.
2. Create two certificate requests, one for the portal (let's say portal.yourcompany.com) and one for the RDS farm (assuming you want to have more than one TS for redundancy). Let's say farm.yourcompany.com.
3. Get the certificates issued. Install both on the web server. Configure the web server to use the portal one. EXPORT the farm one and make sure you get the private key export option selected.
4. Install the FARM certificate on all TSs.
5. Under RDP-tcp make sure you select the FARM certificate.
6. Select the FARM certificate on all TSs to be used to sign RemoteApps.

On the clients make sure you have (assuming XP clients):
- Windows XP Service Pack 3.
- .NET Framework 3.5 SP1. http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988efdaa79a8ac3d/dotnetfx35.exe
- Remote Desktop Connection 7.0 Client Update. http://support.microsoft.com/kb/969084
- Single Sign-on Hotfix for Windows XP SP3 clients. http://support.microsoft.com/kb/953760/en-us
- The CredSSP registry changes, the thumbprint registry changes and the single sign-on registry changes too.

That will do it. I know it is a PITA and I do HATE the way Microsoft did this on 2008 R2. But that is what it is unfortunately.

Cláudio Rodrigues
Citrix CTP
0
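The two answers above settle on the same requirements: a Server Authentication certificate whose private key you hold, the same certificate on RDP-Tcp and for RemoteApp signing, and its SHA-1 thumbprint in TrustedCertThumbprints on every client. The following PowerShell is an added example written for this page, not code from any participant in the thread. It checks a certificate in the local machine's Personal store for the private key and the 1.3.6.1.5.5.7.3.1 EKU, appends its thumbprint to the TrustedCertThumbprints policy value (merging with whatever is already there instead of overwriting it), and inspects a signed .rdp file for the signscope/signature fields that rdpsign.exe adds. The thumbprint value and the .rdp path are placeholders you must replace; the functions run on the client (Windows 7 / 2008 R2, or XP SP3 with PowerShell 2.0 installed) with an elevated prompt, since the policy key lives under HKLM.

```powershell
# Added example for this thread (not from any poster). Assumptions:
#  - the signing cert is in Cert:\LocalMachine\My on the machine running this
#  - $Thumbprint and $RdpFile are placeholders to replace with your own values
param(
    [string]$Thumbprint = 'REPLACE_WITH_SHA1_THUMBPRINT',  # placeholder
    [string]$RdpFile    = 'C:\Temp\app.rdp'                # placeholder
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # EKU named in the MSDN blog post quoted above

# Confirms the cert has what RDP signing and RDP-Tcp need: a private key and
# the Server Authentication EKU. A cert failing either check explains a prompt.
function Test-RdpSigningCert {
    param([string]$Thumbprint)
    $tp   = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "Certificate $tp not found in Cert:\LocalMachine\My" }
    $hasEku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthEku }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # must be $true, as Cláudio stresses
        ServerAuthEku = [bool]$hasEku         # must be $true
        NotAfter      = $cert.NotAfter
    }
}

# Adds the thumbprint to the comma-separated TrustedCertThumbprints policy value
# (the key Cláudio names) without dropping thumbprints already trusted there.
function Add-TrustedRdpPublisher {
    param([string]$Thumbprint)
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $name = 'TrustedCertThumbprints'
    $tp   = ($Thumbprint -replace '\s', '').ToUpper()
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $list = @()
    if ($existing) {
        $list = @($existing -split ',' | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ })
    }
    if ($list -notcontains $tp) { $list += $tp }
    Set-ItemProperty -Path $key -Name $name -Value ($list -join ',') -Type String
    (Get-ItemProperty -Path $key -Name $name).$name   # returns the merged value
}

# A signed .rdp file carries signscope:s: (the list of fields covered by the
# signature) and signature:s: lines; an unsigned one has neither.
function Get-RdpFileSignatureInfo {
    param([string]$Path)
    $lines = Get-Content -Path $Path
    $scope = @($lines | Where-Object { $_ -like 'signscope:s:*' })
    $sig   = @($lines | Where-Object { $_ -like 'signature:s:*' })
    [pscustomobject]@{
        File      = $Path
        Signed    = ($scope.Count -gt 0 -and $sig.Count -gt 0)
        SignScope = if ($scope.Count -gt 0) { $scope[0].Substring('signscope:s:'.Length) } else { $null }
    }
}

# Usage on the client / TS where the cert is installed:
Test-RdpSigningCert -Thumbprint $Thumbprint
Add-TrustedRdpPublisher -Thumbprint $Thumbprint
# On the server, sign the published .rdp with the built-in tool, then inspect it:
#   rdpsign /sha1 <thumbprint> C:\Temp\app.rdp
Get-RdpFileSignatureInfo -Path $RdpFile
```

If Test-RdpSigningCert reports HasPrivateKey = False on a Terminal Server, the certificate was exported without its private key, which is exactly the failure Cláudio describes. The thumbprint in the policy value has to match the certificate that actually signed the .rdp file, so if the farm and portal certificates differ, trust the farm one. TrustedCertThumbprints can also be pushed by Group Policy for domain clients; the non-domain clients the asker mentions need the registry value set locally, plus the issuing CA in their Trusted Root store.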
cnptechnologies (Author) commented:
In my case, I purchased a cert from godaddy. www.my-site.com

I am using said certificate on:
The SSL site for IIS
The RDP connections
The signing of the RemoteApps

Are you saying I must use a self signed cert for the RDP connections and the signing of the RemoteApp?
0
PowerIT commented:
No, it should not be self-signed.
BTW, are you using RD Session Broker to publish the Remote Apps? If yes then it must also use the same cert.

Can you post a link to the type of GoDaddy cert you purchased?

kr, J.
0
PowerIT commented:
Why a delete with full refund, for a question which has been answered? Only the final part has not been closed because the asker has not responded anymore. kr, J.
0
PowerIT commented:
I recommend #3.
Because there is no feedback from the asker, any of the answers could have helped, but I recommend accepting:
- http:#31372214 : this answers the initial question "what type of cert is this?"
- http:#31765367 : this answers the additional questions by the asker

kr, J.
0