
Certificate issues with RemoteApp and the internet

I'm trying to set up RemoteApp with Server 2008 and terminal services.
I want employees to be able to access an internal application from the outside.

So far I think I seem to be doing pretty well, but I've hit a snag I can't seem to get past. I've gotten the TS website ported through the router and can access it successfully from the outside. I've also gotten the TS website SSL'd up and that seems to be working fine.
My problem is when I click on the application I want to launch inside the TS website it gives me the usual logins, and then throws a certificate error.

"The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed"
"The certificate is not from a trusted certifying authority"

I have two options. One to view the certificate and the other to click "OK"
When I click "OK" the error screen goes away but nothing happens.
Installing the certificate on the remote machine did not change the error.

How do I move past this error? Can I somehow self-sign my certificate in order for it to work? I would prefer not to purchase anything.

Thanks for any advice.
screenshot.jpg
Asked by plymouthmuscle
1 Solution
 
Tasmant commented:
Many issues with certificates ...
When you set up any secure connection with certificates, you need to know the external URL used to connect before generating the certificate.
If I look at your certificate, the external URL should be orionserver.drugrecovery.dri
Looks like an internal name ...

The name you type in your browser (or mstsc.exe) must be the name included in the certificate.

So what are the solutions?
- You could use a self-signed certificate. If you haven't any certification authority on your network, I think the system will generate the certificate itself, but most probably with the internal computer name ... we want it with another name.
- You can use a Certification Authority (private on your network, or public, but you will pay). In that case, you can request a certificate and set the name of the certificate as you want. The name must be the external name, since users will gain access to your site from home.

Moreover, in order to work, the computer from which you try to access the application must trust the certificate.
In the case where you use a self-signed certificate, you need to put that certificate in the "trusted root certificates" store.

In the case where you use a signed certificate (set up with an internal certification authority), you will need to import the Certification Authority certificate into the "trusted root certificates" store on any external computer.

If you use a publicly signed certificate, you won't need to do anything, because most certification enterprises are already trusted by Microsoft (like Verisign ...)

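As an added check, not from the thread or from Microsoft's tooling, the code below models the two conditions Tasmant describes: the name typed into the browser or mstsc.exe must be in the certificate, and the issuer must be in the client's trusted root store. The matching rules follow RFC 6125 and are an assumption about how the RDP client behaves; the certificate dict layout, the field names and the external IP address are constructed for the example.

```python
import ipaddress

def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS name matching: case-insensitive, a single leading
    wildcard label only, and the wildcard never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def name_matches(cert: dict, typed_name: str) -> bool:
    """Does the name the user typed match the certificate (assumed dict layout:
    "cn", "san_dns", "san_ip", "issuer")? An IP address must appear as an
    iPAddress SAN entry; a hostname is matched against dNSName entries,
    falling back to the CN only when there are no dNSName entries at all."""
    try:
        ip = ipaddress.ip_address(typed_name)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.get("san_ip", []))
    dns_names = cert.get("san_dns") or [cert.get("cn", "")]
    return any(_dns_name_matches(p, typed_name) for p in dns_names)

def diagnose(cert: dict, typed_name: str, trusted_roots: set) -> list:
    """Problems a client would report: untrusted issuer, then name mismatch.
    A self-signed certificate is its own issuer, so importing it into the
    trusted root store clears the first problem but not the second."""
    problems = []
    if cert["issuer"] not in trusted_roots:
        problems.append("issuer not in the client's trusted root store")
    if not name_matches(cert, typed_name):
        problems.append("typed name %r is not in the certificate" % typed_name)
    return problems

# Constructed sample: a self-signed certificate issued to the internal name
# seen in the thread, and a documentation-range IP standing in for the
# external address the user types from outside.
INTERNAL_CERT = {
    "cn": "orionserver.drugrecovery.dri",
    "san_dns": [],
    "san_ip": [],
    "issuer": "orionserver.drugrecovery.dri",  # self-signed: issuer == subject
}
EXTERNAL_ADDRESS = "203.0.113.10"
```

Running `diagnose(INTERNAL_CERT, EXTERNAL_ADDRESS, {INTERNAL_CERT["issuer"]})` reproduces the situation in the follow-up: the self-signed certificate has been imported, yet the name typed from outside still is not in the certificate.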
 
plymouthmuscle (Author) commented:
You are correct that "orionserver" is an internal name and does not work on the outside. In order to get that to work I changed the server name to the outside IP address in the RemoteApp deployment settings. I also changed the port to a custom port that's NAT'd through the router.

I currently do have a self-signed certificate assigned in the RemoteApp manager. I have also taken this certificate and imported it into the Trusted Root Cert. Auth. on the computer I'm dialing from. It's still no good. Still throws the same untrusted publisher error.

Can I purchase a certificate from, say, GoDaddy that would work and import it into my RemoteApp? Will they let me create a certificate with the name as an IP address?

Is there a way to not use certificates on the program logins? The website itself is already secured and the logins will be secured. I don't normally use certificates to log in to my computers/servers from the outside. I've noticed that the "Sign with a digital certificate" checkbox in the RemoteApp deployment settings doesn't seem to change anything.
 
Tasmant commented:
Try reviewing this guide: http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx

You will find in it:
- If any client computers are running Windows Server 2003 with SP1, Windows Server 2003 with SP2, or Windows XP with SP2, you must configure the terminal server to use a Secure Sockets Layer (SSL) certificate. (You cannot use a self-signed certificate.)
- If the RemoteApp program is for intranet use, and all client computers are running either Windows Server 2008 or Windows Vista, you do not have to configure the terminal server to use an SSL certificate. In this case, Network Level Authentication is used.

Later:
The server name must match what is specified in the SSL certificate for the TS Gateway server.

You can review this guide; it helps in choosing a certificate.
http://technet.microsoft.com/en-us/library/cc754252(WS.10).aspx

It's difficult to help you from start to end in such a scenario.

Here is some information about the single prompt for authentication:
http://blogs.msdn.com/b/rds/archive/2007/05/04/single-credential-prompt-for-ts-gateway-server-and-terminal-server.aspx

TS Gateway certificates:
http://blogs.msdn.com/b/rds/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx

Some very useful step-by-step guides:
http://blogs.msdn.com/b/rds/archive/2009/07/07/new-step-by-step-guides-available-for-remote-desktop-services.aspx

Part 2: http://blogs.msdn.com/b/rds/archive/2008/12/18/ts-gateway-certificates-part-ii-how-to-deploy-a-certificate-on-ts-gateway.aspx
Part 3: http://blogs.msdn.com/b/rds/archive/2008/12/18/ts-gateway-certificates-part-iii-connection-time-issues-related-to-ts-gateway-certificates.aspx

Review all these posts: http://blogs.msdn.com/b/rds/archive/tags/ts+gateway/
 
plymouthmuscle (Author) commented:
Ugg