Solved

Certificate issues with RemoteApp and the internet

Posted on 2010-11-09
Last Modified: 2012-06-27
I'm trying to set up RemoteApp with Server 2008 and terminal services.
I want employees to be able to access an internal application from the outside.

So far I think I seem to be doing pretty well, but I've hit a snag I can't seem to get past. I've gotten the TS website ported through the router and can access it successfully from the outside. I've also gotten the TS website SSL'd up and that seems to be working fine.
My problem is when I click on the application I want to launch inside the TS website it gives me the usual logins, and then throws a certificate error.

"The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed"
"The certificate is not from a trusted certifying authority"

I have two options. One to view the certificate and the other to click "OK"
When I click "OK" the error screen goes away but nothing happens.
Installing the certificate on the remote machine did not change the error.

How do I move past this error? Can I somehow self-sign my certificate in order for it to work? I would prefer not to purchase anything.

Thanks for any advice.
Question by:plymouthmuscle
4 Comments
 

Expert Comment

by:Tasmant
ID: 34095906
Many issues with certificates ...
When you set up any secure connection with certificates, you need to know the external URL to connect to before generating the certificate.
If I look at your certificate, the external URL should be orionserver.drugrecovery.dri
Looks like an internal name ...

The name you type in your browser (or mstsc.exe) must be the name included in the certificate.

So what are the solutions?
- You could use a self-signed certificate. If you haven't any certification authority on your network, I think the system will generate the certificate itself, but most probably with the internal computer name ... we want it with another name.
- You can use a Certification Authority (private on your network, or public but you will pay). In that case, you can request a certificate and set the name of the certificate as you want. The name must be the external name that users will use when they access your site from home.

Moreover, in order for this to work, the computer from which you try to access the application must trust the certificate.
In the case where you use a self-signed certificate, you need to put that certificate in the "trusted root certificate" store.

In the case where you use a signed certificate (set up with an internal certification authority), you will need to import the Certification Authority certificate into the "trusted root certificates" store on any external computer.

If you use a publicly signed certificate, you won't need to do anything because most certification enterprises are already trusted by Microsoft (like Verisign ...)

 

Author Comment

by:plymouthmuscle
ID: 34096303
You are correct that "orionserver" is an internal name and does not work on the outside. In order to get that to work I changed the Server name to the outside IP address in the RemoteApp deployment settings. I also changed the port to a custom port that's NAT'd through the router.

I currently do have a self-signed certificate assigned in the RemoteApp manager. I have also taken this certificate and imported it into the Trusted Root Cert. Auth. on the computer I'm dialing from. It's still no good. Still throws the same untrusted publisher error.

Can I purchase a certificate from, say, GoDaddy that would work and import it into my RemoteApp? Will they let me create a certificate with the name as an IP address?

Is there a way I can not use certificates on the program logins? The website itself is already secured and the logins will be secured. I don't use certificates to normally log in to my computers/servers from the outside. I've noticed that the "Sign with a digital certificate" checkbox in the RemoteApp deployment settings doesn't seem to change anything.

Accepted Solution

by:
Tasmant earned 2000 total points
ID: 34105331
Try reviewing this guide: http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx

In it you will find:
- If any client computers are running Windows Server 2003 with SP1, Windows Server 2003 with SP2, or Windows XP with SP2, you must configure the terminal server to use a Secure Sockets Layer (SSL) certificate. (You cannot use a self-signed certificate.)
- If the RemoteApp program is for intranet use, and all client computers are running either Windows Server 2008 or Windows Vista, you do not have to configure the terminal server to use an SSL certificate. In this case, Network Level Authentication is used.

Later:
The server name must match what is specified in the SSL certificate for the TS Gateway server.

You can review this guide, it helps in choosing certificate.
http://technet.microsoft.com/en-us/library/cc754252(WS.10).aspx

It's difficult to help you from start to end in such a scenario.

Here is some information about single prompt for authentication:
http://blogs.msdn.com/b/rds/archive/2007/05/04/single-credential-prompt-for-ts-gateway-server-and-terminal-server.aspx

TS Gateway certificates:
http://blogs.msdn.com/b/rds/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx

Some very useful step-by-step guides:
http://blogs.msdn.com/b/rds/archive/2009/07/07/new-step-by-step-guides-available-for-remote-desktop-services.aspx

Part 2: http://blogs.msdn.com/b/rds/archive/2008/12/18/ts-gateway-certificates-part-ii-how-to-deploy-a-certificate-on-ts-gateway.aspx
Part 3: http://blogs.msdn.com/b/rds/archive/2008/12/18/ts-gateway-certificates-part-iii-connection-time-issues-related-to-ts-gateway-certificates.aspx

Review all these posts: http://blogs.msdn.com/b/rds/archive/tags/ts+gateway/
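
The answers above describe two separate checks a client makes: the name it connects to must appear in the certificate, and the issuer must be trusted. The sketch below is an added example, not part of the original thread and not how Windows implements it; it applies the usual X.509 name-matching rules to dicts shaped like Python's `ssl` `getpeercert()` output. The address 203.0.113.10, the name remote.example.com and the "Example Root CA" issuer are constructed placeholders, and trust is simplified to a lookup of the issuer name.

```python
import ipaddress

def cert_names(cert):
    """Split a getpeercert()-style dict into (dns_names, ip_addresses)."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    if not san:  # legacy fallback: subject CN counts only when no SAN is present
        dns = [v.lower() for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return dns, ips

def dns_match(pattern, host):
    """Exact match, or one '*' standing in for the whole left-most label."""
    p, h = pattern.split("."), host.lower().split(".")
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def diagnose(cert, target, trusted_roots):
    """Return the reasons a client connecting to `target` would reject `cert`."""
    dns, ips = cert_names(cert)
    problems = []
    try:
        # An IP literal can only match an IP entry, never a DNS name or CN.
        name_ok = ipaddress.ip_address(target) in ips
    except ValueError:
        name_ok = any(dns_match(p, target) for p in dns)
    if not name_ok:
        problems.append("name-mismatch")
    # Simplified trust check (assumption): real clients validate the signature chain.
    issuer_cn = [v for rdn in cert["issuer"] for k, v in rdn if k == "commonName"]
    if not set(issuer_cn) & set(trusted_roots):
        problems.append("untrusted-issuer")
    return problems

# Constructed sample: self-signed certificate carrying the internal name from the thread.
INTERNAL = {
    "subject": ((("commonName", "orionserver.drugrecovery.dri"),),),
    "issuer": ((("commonName", "orionserver.drugrecovery.dri"),),),
}
# Constructed sample: certificate issued for a hypothetical external name.
EXTERNAL = {
    "subject": ((("commonName", "remote.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "remote.example.com"),),
}

if __name__ == "__main__":
    print(diagnose(INTERNAL, "203.0.113.10", ["orionserver.drugrecovery.dri"]))
    print(diagnose(EXTERNAL, "remote.example.com", ["Example Root CA"]))
```

Importing a self-signed certificate into the trusted root store clears only the second check; a certificate issued for an internal name still fails the first when the client is pointed at an IP address.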
 

Author Closing Comment

by:plymouthmuscle
ID: 34233264
Ugg