Solved

Certificate issues with RemoteApp and the internet

Posted on 2010-11-09
1,751 Views
Last Modified: 2012-06-27
I'm trying to set up RemoteApp with Server 2008 and terminal services.
I want employees to be able to access an internal application from the outside.

So far I think I seem to be doing pretty well, but I've hit a snag I can't seem to get past. I've gotten the TS website ported through the router and can access it successfully from the outside. I've also gotten the TS website SSL'd up and that seems to be working fine.
My problem is when I click on the application I want to launch inside the TS website it gives me the usual logins, and then throws a certificate error.

"The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed"
"The certificate is not from a trusted certifying authority"

I have two options. One to view the certificate and the other to click "OK"
When I click "OK" the error screen goes away but nothing happens.
Installing the certificate on the remote machine did not change the error.

How do I move past this error? Can I somehow self-sign my certificate in order for it to work? I would prefer not to purchase anything.

Thanks for any advice.
Question by:plymouthmuscle
4 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 34095906
Many issues with certificates ...
When you set up any secure connections with certificates, you need to know the external URL to connect before generating the certificate.
If I look at your certificate, the external url should be orionserver.drugrecovery.dri
Looks like an internal name ...

The name you type in your browser (or mstsc.exe) must be the name included in the certificate.

So, what solutions?
- You could use a self-signed certificate. If you don't have any certification authority on your network, I think the system will generate the certificate itself, but most probably with the internal computer name ... we want it with another name.
- You can use a Certification Authority (private on your network, or public but you will pay). In that case, you can ask for a certificate and set the name of the certificate as you want. The name must be the external name, when users will gain access to your site from home.

More, in order to work, the computer where you try to access the application must trust the certificate.
In the case where you use a self signed certificate, you need to put that certificate in the "trusted root certificate" store.

In the case where you use a signed certificate (set up with an internal certification authority), you will need to import the Certification Authority certificate in the "trusted root certificates" store on any external computer.

If you use a public signed certificate, you won't need to do anything because most certification enterprises are already trusted by Microsoft (like Verisign ...)

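A client-side check that separates the two failure modes described above (name mismatch versus an untrusted issuer). This is an added PowerShell example, not from this thread or from Microsoft; it assumes you have exported the RemoteApp certificate to a .cer file and saved the .rdp file from the TS Web Access page, and both paths are placeholders.

```powershell
# Added diagnostic (not from this thread). Run it on the client PC that gets the
# error. $RdpFile and $CerFile are placeholder paths; replace them with your own.
param(
    [string]$RdpFile = 'C:\placeholder\app.rdp',
    [string]$CerFile = 'C:\placeholder\remoteapp.cer'
)

# 1. The name mstsc compares against the certificate is the "full address"
#    line of the .rdp file, minus any ":port" suffix.
$line   = Get-Content $RdpFile | Where-Object { $_ -like 'full address:s:*' } | Select-Object -First 1
$target = (($line -replace '^full address:s:', '') -split ':')[0]
Write-Host "Client connects to: $target"

# 2. Load the exported certificate (the one shown in RemoteApp Manager).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile

# 3. Collect every name the certificate is valid for: the subject CN plus any
#    "DNS Name=" / "IP Address=" entries in the Subject Alternative Name extension.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), '(?:DNS Name|IP Address)=([^,\s]+)') |
              ForEach-Object { $_.Groups[1].Value }
}
Write-Host "Certificate is valid for: $($names -join ', ')"

# 4. Name check: the name typed by the client must be one the certificate contains.
if ($names -contains $target) { Write-Host 'OK        name matches the certificate' }
else { Write-Warning "MISMATCH: '$target' is not in the certificate; reissue it for the external name, or connect using a name it contains" }

# 5. Trust check on THIS machine: a self-signed cert must itself be in the
#    Trusted Root store; a CA-issued cert needs its CA there instead.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
if ($chain.Build($cert)) { Write-Host 'OK        certificate chains to a trusted root on this machine' }
else {
    $reason = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "UNTRUSTED ($reason): self-signed; import this .cer into Cert:\LocalMachine\Root on every client"
    } else {
        Write-Warning "UNTRUSTED ($reason): import the issuing CA's certificate into Cert:\LocalMachine\Root on every client"
    }
}
```

Both checks must print OK: a certificate that is trusted but issued for the internal name still fails once the deployment settings point clients at an external name or IP address.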

Author Comment

by:plymouthmuscle
ID: 34096303
You are correct that "orionserver" is an internal name and does not work on the outside. In order to get that to work I changed the Server name to the outside ip address in the RemoteApp deployment settings. I also changed the port to a custom port that's NAT'd through the router.

I currently do have a self signed certificate assigned in the RemoteApp manager. I have also taken this certificate and imported it into the Trusted Root Cert. Auth. on the computer I'm dialing from. It's still no good. Still throws the same untrusted publisher error.

Can I purchase a certificate from say go daddy that would work and import into my remoteapp? Will they let me create a certificate with the name as an ip address?

Is there a way I can not use certificates on the program logins? The website itself is already secured and the logins will be secured. I don't use certificates to normally login my computers/servers from the outside. I've noticed that the "Sign with a digital certificate" checkbox in the RemoteApp deployment settings doesn't seem to change anything.
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 34105331
Try reviewing this guide: http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx

You find in it:
- If any client computers are running Windows Server 2003 with SP1, Windows Server 2003 with SP2, or Windows XP with SP2, you must configure the terminal server to use a Secure Sockets Layer (SSL) certificate. (You cannot use a self-signed certificate.)
- If the RemoteApp program is for intranet use, and all client computers are running either Windows Server 2008 or Windows Vista, you do not have to configure the terminal server to use an SSL certificate. In this case, Network Level Authentication is used.

Later:
The server name must match what is specified in the SSL certificate for the TS Gateway server.

You can review this guide, it helps in choosing a certificate.
http://technet.microsoft.com/en-us/library/cc754252(WS.10).aspx

It's difficult to help you from start to end in such a scenario.

Here is some information about the single prompt for authentication:
http://blogs.msdn.com/b/rds/archive/2007/05/04/single-credential-prompt-for-ts-gateway-server-and-terminal-server.aspx

TS Gateway certificates:
http://blogs.msdn.com/b/rds/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx

Some very useful step-by-step guides:
http://blogs.msdn.com/b/rds/archive/2009/07/07/new-step-by-step-guides-available-for-remote-desktop-services.aspx

Part 2: http://blogs.msdn.com/b/rds/archive/2008/12/18/ts-gateway-certificates-part-ii-how-to-deploy-a-certificate-on-ts-gateway.aspx
Part 3 : http://blogs.msdn.com/b/rds/archive/2008/12/18/ts-gateway-certificates-part-iii-connection-time-issues-related-to-ts-gateway-certificates.aspx

Review all these posts: http://blogs.msdn.com/b/rds/archive/tags/ts+gateway/

Author Closing Comment

by:plymouthmuscle
ID: 34233264
Ugg
