Solved

How can I Resolve Unknown Publisher Warning Message each time I open a RemoteApp with RDS?

Posted on 2010-11-28
Last Modified: 2013-11-21
Dear Sir,

I have Win 2008 R2 Enterprise Edition in place with RDS Server role installed.
I have DC Win 2003 R2.
I'm using RemoteApp component to publish applications to users.
I have all applications needed installed on the RDS Server.
I created the packages as .msi files, and I assign them to users desktops using Group Policy.

But, each time when I click on the icon to open the program, I receive the attached screen shot "Unknown Publisher Warning"... How can I resolve this publisher warning?
I read something about certificate to be in place.
I never used certificates before.
Could you please guide me step by step and if possible with screen shots on how to resolve this warning???

Thank You!


RemoteApp-Unknown-Publisher.JPG
Question by:ISC-IT-Admin
67 Comments
 
LVL 7

Accepted Solution

by:
tstritof earned 500 total points
ID: 34229403
Hi,

well, this is how you do it (unfortunately you will have to recreate and redeploy your msi files).

Open the RemoteApp management console. The certificate used for signing msi packages created for published remote apps is set up in Digital Signature Settings section.
 RemotApp - DigitalSignature 001
There is probably no certificate specified so click on the Change link. On the RemoteApp Deployment Settings - Digital Signature tab click the Change button to see if there are any certificates listed you might use.
 RemotApp - DigitalSignature 002
The best option would be if you see a certificate issued by a public certification authority (like Verisign, Geotrust, Godaddy...) because that certificate is trusted by anyone trusting the root certification authorities (and that's basically everyone). If you see such certificate select that one, skip remaining steps and recreate/redeploy your msi files.
 RemotApp - DigitalSignature 001
Second best option is if you had a certificate issued by your Enterprise CA. This way the certificate is automatically trusted by all computers and users in your domain. If you see such certificate select that one, skip remaining steps and recreate/redeploy your msi files.

The third best option is to have at least a so-called self-signed certificate. Such a certificate isn't trusted by anyone (except for special purposes) but since you are deploying through group policy I'm guessing you are limiting this to your domain users. If you do see such a certificate do select that one, and follow these TechNet steps to deploy it to target domain computers through GP. After you've done that and verified that the certificate is getting deployed to certificate stores on your client computers recreate/redeploy the msi files.

To deploy the self-signed certificate to client computers and updated msi files you will probably have to restart client computers (or run gpupdate /force at command prompt) to have proper settings applied to client computers. This isn't a "smooth" process but one way to go about this would be to leave the deployment of msi's for the next day. In case you are using the self-signed certificate first make sure that certificate deployment is functioning - pick a "victim" and restart their computer - if the certificate appears in the local computer's trusted publishers and trusted root cert authorities - you are good to go. The idea for postponing the further msi deployment for one day relies on the assumption that all users will shut down their computers when leaving work and reboot them next morning thus applying proper new GPs without much hassle.

And the final option - obviously worst :) - is that you have no certificates listed when you clicked the Change button in one of the steps above. That means you have to track back a bit and create a self signed certificate. And here are the steps.

First close the RemoteApp settings property screens and RemoteApp console. Then if you have IIS installed follow the steps in this TechNet article.

You may try using selfssl tool to create an improved self-signed certificate (however it also requires IIS to be installed). The steps are described here.

After the certificate is created open it and then export it to a file in a folder on your computer. After that run the Certificates mmc snap-in to import the certificate you saved into your Local Computer - Personal certificates store. The description of the steps is here.

I hope that you'll find your way through this :).

Regards,
Tomislav
RemoteApp---Digital-Signature---.png
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34229408
Hm, strange effect - the picture at the bottom should have been displayed instead of the third one...

Sorry for that :)

Regards,
Tomislav
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230092
Hello Tomislav,

Thank you for the reply.
Well I have a CA certificate for Exchange Server for MS outlook Anywhere.
Can I use that certificate for RDS RemoteApp?
How can I install it and use it?

Thanks,
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230108
Was this CA certificate issued by a public authority? Or your internal Enterprise CA?
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230159
This Certificate is issued by a Public authority...

?????
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230213
when I click on "Sign with a digital Certificate" then Change... there is nothing empty...
How can I import and use our CA certificate, we bought I think from Verisign or Godaddy from a long time... and it is still valid till Dec 2015...

Thanks,
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230216
OK.

I suppose it is installed at your W2K3 server and not on W2K8 RDS since if that were the case we wouldn't have to do much.

The first important thing is to access the original certificate file - the one that holds both the private and the public key of the certificate.

It would be great if any of these are true (the most preferred option at the top):
- you have the file with private/public key stored in a known location
- you can download the certificate file with private/public key from the website through which you purchased the certificate
- you have imported the certificate to Exchange server with option to export the private key

The goal is for you to gain access to the certificate file containing both private/public key.

After that we'll import the cert to RDS.

Regards,
Tomislav
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230246
If you are not sure if you have the certificate file we can immediately check if you can export it from Exchange server if you have administrative access to that server.
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230267
I have already the certificate xxxx.cert (Security Certificate) and it's imported locally to Win 2008 R2 RDS "Trusted Root Certification Authorities" to use for MS Outlook.
But how can I make it available for RDS remoteapp?

Thanks,

0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230358
You can't (probably).

This is how it works. Each certificate consists of a private and a public key. Public key is something that is normally presented to the clients accessing some service or site. In order for server or service that presented the public key to successfully authenticate it must have private key that matches the public key presented.

That means you can have any number of clients that store the public key in their trusted certificate store - that means that they trust that public certificate and also the site or service that holds private key of that certificate.

In your situation your RDS (with Outlook) is a client that trusts the certificate presented by your Exchange - and that's why it is stored in trusted certificates. But that doesn't enable your RDS to use that certificate for signing stuff itself - that would mean that anyone having access to your public key could impersonate the true holder of certificate - and the purpose of certificates would be defeated.

However (just in case you actually imported full certificate to RDS - meaning public+private key) you may open your trusted certificate store on RDS, right click your certificate and choose export. If you see the option to export the private key enabled in options then we're in business. Otherwise we'll have to go knocking on your Exchange's certificate store.

Regards,
Tomislav
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230410
Thanks Tomislav,
I really do appreciate your help, but I'm getting confused with these certificate scenarios...
Tell me the best way or option on how to solve my RDS Unknown Publisher Warning when I open an RemoteApp...

Now I'm here:
And the final option - obviously worst :) - is that you have no certificates listed when you clicked the Change button in one of the steps above. That means you have to track back a bit and create a self signed certificate. And here are the steps.

Please help with best option...

Thank You!
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230427
Just to confirm this first - can you RDP into your Exchange server with administrative access?
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230437
I tried to export our CA from Trusted Root Certificate, but unfortunately there is no Private Key...
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230443
No I cannot RDP to my Exchange Server...
But tell me, I can call the Exchange admin!

0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230491
Great. Maybe the Exchange admin even has the certificate, but I'm not 100% sure he'll be happy to share it.

If you can, call him and ask him if he can send you the certificate with private key.

If he agrees but doesn't know where he could access the file then ask him to:
- open Certificates.mmc for Local Computer on Exchange,
- open the container with Personal certificates,
- locate the certificate,
- right-click it and choose Export.

If he can set the options to export the private key with certificate - it's great. After he exports it ask him to send it to you and we'll go from there.
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230558
Leave it, I don't want to go to that Scenario, he told me send me e-mails and bla bla bla...
Maybe he will inform the top management...

How can we solve it without This Exchange certificate?
Other Option please...

Thanks,
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230584
Better to go with SSL Certificate...
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230623
Do you have IIS installed on your RDS machine?
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230690
No, I went to another Server with Win 2008 R2 and IIS 7.0
I created a certificate there then export it, now the certificate is xxx.pfx

Then?????
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230740
OK, but you exported it with private key - that's important.

Now go to your RDS, open Certificates.mmc - Local Computer and open your Private certificates store. Then right-click somewhere in there and choose - Import certificate.

If you don't see your PFX, just change file type in import - and then choose to put it in personal store. After that repeat the import but put it in a Trusted Root CA store.

Then you'll have to make the public version of the certificate that you will be putting in GPO but let's first finish the import.
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230794
I cannot find Private Certificate Store.
Please see attached screen shot.

Thanks,
Capture.JPG
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230799
Sorry - my mistake - Personal store.
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230817
After you import the cert - while you are still in Certificates.mmc we'll prepare the public certificates for your clients.
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230831
Why I need to put it in a 2 different places.
Personal Store and Trusted Root?
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230841
This is how you do it:
- in Personal store - right click the imported certificate and choose Export
- on options DESELECT or DO NOT SELECT export of private key - this is something you will be distributing so you must not give away your private key
- choose CER as file type and save it under a name that contains the word "public"
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230851
Personal - that means it's your cert - trusted root - means you trust the issuer - well - yourself :)

Not always critical - but can help avoid problems in certain scenarios.
0
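The distinction drawn in the posts above (Personal store holds the signing certificate with its private key, the exported CER holds the public part only) can be checked from Windows PowerShell on the RDS server. This is an added example, not code from the thread; the `$Thumbprint` and `$OutFile` parameters and the output file name are placeholders chosen here.

```powershell
# Added example, not from the thread. Save as a .ps1 and run on the RD Session
# Host in an elevated Windows PowerShell session.
# $Thumbprint and $OutFile are placeholders chosen for this sketch.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$OutFile = (Join-Path $env:TEMP 'remoteapp-signing-public.cer')
)

# The certificate dialog shows the thumbprint with spaces; keep hex digits only.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. The signing certificate must sit in the computer's Personal store WITH its
#    private key, otherwise there is nothing to sign the packages with.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\My." }
if (-not $cert.HasPrivateKey) {
    throw "Certificate $tp has no private key here; it can be trusted but cannot sign."
}

# 2. Report every machine store that holds the same thumbprint and whether that
#    copy carries a private key. A copy without one only expresses trust.
$seen = foreach ($store in 'My', 'Root', 'TrustedPublisher') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $tp } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Store         = $store
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Subject       = $_.Subject
            }
        }
}
$seen | Select-Object Store, HasPrivateKey, NotAfter, Subject | Format-Table -AutoSize

# 3. Export the public part only. Content type 'Cert' is the DER-encoded
#    certificate and never contains key material, unlike 'Pfx'.
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($OutFile, $cert.Export($type))

# 4. Re-open the file and confirm it is safe to distribute through Group Policy.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
if ($public.HasPrivateKey)      { throw "$OutFile unexpectedly carries a private key." }
if ($public.Thumbprint -ne $tp) { throw "$OutFile does not match thumbprint $tp." }
"Public certificate written to $OutFile (expires $($public.NotAfter))"
```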
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230852
Done, I have imported to Personal Store, I can see it in Personal Store.
Then I imported to Trusted Root CA, but I cannot see it in Root CA.
I can see in Personal Store that the Certificate status is OK NOW...

Next???
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230856
Do the export of public part - couple of posts up are directions
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230871
Now I can see it in Remote App, Change settings...
I selected My SSL there...

What about here:
You must select the certificate you want for the RDP-tcp listener. That is the issue.
Launch 'Remote Desktop Session Host Configuration' and double click RDP-tcp. You will see on the window that pops up the place to select the certificate you want.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Remote_Desktop-Terminal_Services/Q_26105321.html
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230873
After you finish the export of public cert - go to your RemoteApp setup and finally :) select a certificate for signing your msis
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230890
You can place this certificate there too. It's not intended for msi signing, it's intended for encrypting the communication between RDP client and your server (for SSL/TLS) - you can set encryption level there to negotiate
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230904
Sorry I didn't understand the export part of public cert?
What I want to here?
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34230915
For what I want to export my certificate again?
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230922
Just remember - you are not done
- you have to recreate your msi files now (they will be signed with new certificate and upload them to group policy)
- you must tell the RDP clients to trust your self-signed certificate through GP (you can place it in the same policy as the one through which you deploy the msis) - the steps for doing that are repeated here

observe the parts for self-signed certificate
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230941
Your public cert must be placed in GPO to be sent to clients (CAREFUL - without private key) - only then will your clients trust your new certificate - not before because it's only you yourself (and not your Enterprise or public authority) who claims that you are who you are

But anyone that imports your public cert - will trust you - however that must be done explicitly. Not implicitly because they trust the issuer.
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34230962
Imagine it like this - customs trust the passport because it was issued by the state (the trusted root :)

But if you forge a passport or issue one to yourself - that is not a trusted situation :) you'll have to sweet-talk the officers to let you pass :)
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231008
After putting new msi and public cert in GPO choose a single client, open command prompt and run gpupdate /force.

After that run the new msi and see what happens. If everything is OK - wait for tomorrow - after folks restart their machines the GP will be applied to them and no "Unsigned" issue should be happening for new signed msi-s

If you need more assistance - I'll stick around a bit more to help out :)
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231153
I'm testing... I recreate the msi... but I didn't export the cert yet...
I'm still receiving the same Unknown error Publisher.
So I will import the cert to the same GP which I'm deploying msi..

RIGHT?
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231181
Where I want to put the cert in the group policy???
Please step by step?
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231205
This one is a copy/paste from TechNet:

Deploy Certificates by Using Group Policy
Updated: August 31, 2007
Applies To: Windows Server 2008

You can use this procedure to deploy a certificate to multiple computers by using Active Directory Domain Services and a Group Policy object (GPO). A GPO can contain multiple configuration options, and is applied to all computers that are within the scope of the GPO.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To deploy a certificate by using Group Policy
1. Open Group Policy Management Console.

2. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.

3. Right-click the GPO, and then select Edit.

Group Policy Management Editor opens, and displays the current contents of the policy object.

4. In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.

5. Click the Action menu, and then click Import.

6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

7. If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.

0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231248
Done, but now I'm receiving when I click on the remote app a different warning:

Do you trust the publisher for this RemoteApp program.
I can see the publisher my certificate.
But why this warning? and how to resolve it?

Thanks,
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231269
Open Certificates.msc on client computer (for Local Computer) and check if your public certificate is in the Trusted Publishers and Trusted Root CAs. If not - have you run gpupdate /force
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231281
Screen Shot...
Capture.JPG
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231292
I can see my certificate in Trusted Root CA only...
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231300
Yes I run gpupdate /force...
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231313
Recheck the GPO - have you placed it in Trusted Publishers too?
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231331
There is no Trusted Publisher in the Group Policy to put it...
There is Trusted Root CA, Enterprise Trust, Automatic..., Encryption File...
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231353
Screen Shot GPO
Capture.JPG
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231360
I have Win 2003 DC...
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231373
Despair not :) This is for 2003 - copied from Technet:

To set trusted publisher options
1. Open Software Restriction Policies.

2. Double-click Trusted Publishers.

3. Click the users that you want to decide which certificates will be trusted, and then click OK.


Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.


To open Software Restriction Policies, see "Open Software Restriction Policies" in Related Topics.


It may be necessary to create a new software restriction policy setting for the Group Policy object (GPO) if you have not already done so. For information about how to create new software restriction policies, see Related Topics.


You can use this procedure to determine whether users, local administrators, or enterprise administrators can add trusted publishers. For example, you can use this tool to prevent users from making trust decisions about publishers of ActiveX controls.


Local computer administrators have the right to specify trusted publishers on the local computer, while enterprise administrators have the right to specify trusted publishers on an organizational-unit level.


Information about functional differences
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231405
Hm... maybe some more trouble...
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231422
Here is the procedure for final steps

I just hope clients (XP, Vista, W7) will all understand this one
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34231433
Still same...

Screen shot...
Capture.JPG
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231442
Please check the previous post!
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34231471
Is it working now?
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34232464
LET ME CHECK AND GET BACK TO YOU...
Stay tuned...

Thx!
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34236226
Hi Tomislav,

I just did the Final procedure
http://www.bibble-it.com/2008/09/03/adding-trusted-publishers-certificate-with-group-policy
I checked on the client side, and I found my certificate, under Root CA and Trusted Publisher. GREAT!
But the strange things, that I'm still receiving this different warning, but If I click "Don't ask me again for remote connections from this publisher", it will not come anymore if I open Remoteapp again...

Any Idea???

Thank You...
Capture-1.JPG
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34238787
Sorry for late answer.

This behavior is by design. The question here is directed to the user to confirm that they trust the publisher of the RemoteApp program enough to share local resources (printers, drives, ports...) with computer they are connecting to. After you confirm your answer is saved to client computer registry and linked to certificate "thumbprint".

If you want to override this you would have to deploy that registry value to your clients either through logon script or GP (through custom ADM file). It's quite a bit of work, but if you are determined to push this all the way I can guide you through.

Regards,
Tomislav
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34240365
Thank you Tomislav for the reply.
It's not a big deal, they can click don't ask me again for remote... :)
If you could please post for me the .adm file here and I'll try it through Group Policy???? THX...

In fact, on the Client Side I'm using HP Thin Clients with Windows Embedded joined to the domain, instead of using normal desktops, less headache and support :) My Document Folder on the Thin Client is redirected to a file server using Folder Redirection Policy. GOOD?

I have a different question, I would really appreciate if you could help me as well:
Now I'm using one physical server on the back-end side RDS Server with Remote App!
But for now I installed RDS server under Hyper-V for demo testing and Hyper-V is very good for Production environment too...
But what if the server went down???... I need to have full redundancy...
We will buy an identical server hardware, but what configuration and scenario to configure to have an automatic fail over if on the server goes down???
For now if my server went down, users cannot access their remote apps...
Please I need your help as well...  

Thank you very much...
Waiting for your support...

0
 
LVL 7

Expert Comment

by:tstritof
ID: 34241851
I'm afraid you'll have to create ADM file yourself because I don't have the necessary data.

Do the following:

1) Open your public certificate (doesn't matter where you do it). Go to details tab and locate Thumbprint value.
 Certificate Thumbprint
2) On the machine where you already clicked the "Always trust..." when running the MSI navigate to the HKCU\Software\Microsoft\Terminal Server Client\PublisherBypassList key. There you should see the value that matches the thumbprint of your certificate.
 PublisherBypassList in Registry
Make note of the number in the Data column for that value - it matches the device mapping settings you have set for your remote apps. Note the decimal value in parentheses ()

3) Open Notepad and paste the below code in there.
 
CLASS USER

CATEGORY "RemoteApp Settings (Custom)"
  POLICY "Trusted Publisher Bypass List"
  EXPLAIN !!PolicyHelp
  KEYNAME "Software\Microsoft\Terminal Server Client\PublisherBypassList"
    PART !!TrustedPublisher001
      NUMERIC
      VALUENAME "<Place the thumbprint of your server certificate here.>"
    END PART
  END POLICY
END CATEGORY

[strings]
TrustedPublisher001="Allowed RemoteApp settings for <the name in your server certificate>:"

; explains
PolicyHelp="This policy enables you to set the allowed settings of RemoteApp programs published by trusted publishers that will be bypassed in security check when users start the RemoteApp program."



Replace the entire text:
<Place the thumbprint of your server certificate here.>
with the exact Name of registry value that matches your certificate thumbprint. For example - the value that should be placed there for certificate I used for this example would be:
C19ED739A9ACD026336919BF4E1C1B065B5F77C600

Replace the entire text:
<the name in your server certificate>
with the name that appears in your certificate (this is probably name of your computer). This will help you if you ever need to add additional values. For example - the value that could be placed there for certificate I used for this example would be:
example.mydomain.local

Save the text file and change its extension to ADM.

This is how it would look in my example:
 
CLASS USER

CATEGORY "RemoteApp Settings (Custom)"
  POLICY "Trusted Publisher Bypass List"
  EXPLAIN !!PolicyHelp
  KEYNAME "Software\Microsoft\Terminal Server Client\PublisherBypassList"
    PART !!TrustedPublisher001
      NUMERIC
      VALUENAME "C19ED739A9ACD026336919BF4E1C1B065B5F77C600"
    END PART
  END POLICY
END CATEGORY

[strings]
TrustedPublisher001="Allowed RemoteApp settings for example.mydomain.com:"

; explains
PolicyHelp="This policy enables you to set the allowed settings of RemoteApp programs published by trusted publishers that will be bypassed in security check when users start the RemoteApp program."



After this go to your GPO and add this template to User Settings > Policy > Administrative Templates.

Since you are doing this on a W2K3 DC follow these steps:

1) Open your GPO in GPO Editor.

2) Right-click User Configuration > Administrative Templates and choose Add/Remove Template.
 Import  ADM 001
3) Click Add on Add/Remove Templates window.
 Import  ADM 002
4) Locate your ADM file (I've named it test policy but you better name it "RemoteApp Settings (Custom).ADM") and click Open.
 Import  ADM 003
5) The template will appear in the list. Click Close on this window.
 Import  ADM 004
6) For new template to display in the editor you will have to modify the view filter. First click then right click Administrative Templates container, then choose View > Filtering.
 Import  ADM 005
7) Remove the check from Only show policy settings that can be fully managed and click OK.
 Import  ADM 006
8) Expand Administrative Templates. You should see your new "RemoteApp Settings (Custom)" group. When you click it you will see "Trusted Publisher Bypass List" policy on the right. (Note how parts of ADM file show up in GP editor.) Open policy properties.
 Import  ADM 007
9) Enable the policy and set the value in the bottom screen to the value you found in Data column of your registry key. In my example the value was 79 (remember - the decimal value). Click OK.
 Import  ADM 008
10) The enabled policy is visible in editor.
 Import  ADM 009
You will even see the new setting in GP management window.

Now, you have to go to some client that doesn't have this registry key - and run gpupdate /force. No security warning should appear at msi installation (if you haven't changed msi settings in the meantime).

And this is it. I'm done with this question :)

Regarding your second issue on redundancy I will point you to setting up a load balanced terminal server farm using RD Session Host, but how to do this is way beyond this question. However there's really good reading material here. From my own experience - it works OK, with some minor extension in logon times when compared to single server environments.

Regards,
Tomislav
0
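The client-side checks from this thread (the certificate present in Trusted Publishers and Trusted Root CAs after gpupdate /force, and the PublisherBypassList value described in the post above) can be run together from Windows PowerShell. This is an added example for the self-signed case, not code from the thread; the `$Thumbprint` parameter is a placeholder, and the registry value is matched by prefix because the value name shown in the thread's example is longer than a 40-digit thumbprint.

```powershell
# Added example, not from the thread. Save as a .ps1 and run on a client,
# logged on as the affected user (the bypass list lives under HKCU).
# $Thumbprint is a placeholder for the signing certificate's thumbprint.
param([Parameter(Mandatory = $true)][string]$Thumbprint)

# The certificate dialog shows the thumbprint with spaces; keep hex digits only.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$results = @()

# Machine stores that Group Policy should have populated for a self-signed cert.
foreach ($store in 'Root', 'TrustedPublisher') {
    $hit = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $tp } |
        Select-Object -First 1
    $state = 'MISSING'
    if ($hit) {
        $state = 'present'
        if ($hit.NotAfter -lt (Get-Date)) { $state = 'present but EXPIRED' }
        # Clients should only ever receive the public part.
        if ($hit.HasPrivateKey) { $state = 'present WITH PRIVATE KEY (should be public only)' }
    }
    $results += New-Object PSObject -Property @{
        Check = "LocalMachine\$store"
        State = $state
    }
}

# Per-user value written when the user ticks "Don't ask me again", or pushed by
# the custom ADM policy. The data is the decimal number noted from the registry.
$keyPath = 'HKCU:\Software\Microsoft\Terminal Server Client\PublisherBypassList'
$state = 'no entry for this publisher'
if (Test-Path $keyPath) {
    $key  = Get-Item $keyPath
    $name = $key.GetValueNames() |
        Where-Object { $_.ToUpper().StartsWith($tp) } |
        Select-Object -First 1
    if ($name) { $state = "value $name = $($key.GetValue($name))" }
}
$results += New-Object PSObject -Property @{
    Check = 'HKCU PublisherBypassList'
    State = $state
}

$results | Select-Object Check, State | Format-Table -AutoSize -Wrap
```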
 
LVL 7

Expert Comment

by:tstritof
ID: 34241873
One more thought - I'm not sure how the registry setting will apply to your thin clients so you may need to make appropriate modifications there.

Good luck!
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34245352
Thank You Tomislav for above information:

One small question:
If I have a public certificate CA, I will not face this warning once the user double click the icon shortcuts on their desktops to open .rdp applications???
Please note that this warning is not during the msi installation, it's when the user needs to launch the application for the first time...

Now in my case my certificate is SSL and issued for 1 year, so it will expire after one year... what will happen in this case? What shall I do?

Thank You!
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34245434
Hello Tomislav,

Now I'm facing issue with Printers:
I have already installed a printer driver on the user Thin Client.
But when they open Office for example and attempt to print, they cannot see their default printer locally... only they see the Server default printer, I don't want to use server Printer. I need to use the local one.
Please help...

Thank You!
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34246687
Hi,

could you open another question for this please?

I don't know if I'll have time for this today and I'm sure other experts can help you with that. As a small pointer:
- you have to enable printer redirection on RDS (in RDS host configuration and when setting up RemoteApps) - you've probably done that
- if you are not using RDP6.1 capable client or later then you don't have the option of using EasyPrint driver (sort of RDS universal printer) so you will have to either install correct drivers for your client printers on RDS or install universal printer drivers on RDS (most printer manufacturers have them) and map them to client printer drivers through a custom mapping file - either option will include some GP modifications

Here are some links to questions on this topic that I've participated in here on EE (still open though):
- printer drivers on W2K3 TS
- alternatives for EasyPrint

Regards,
Tomislav
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34246831
Thank you Tomislav for the reply.
I have installed the same network printer driver on RDS server as well, now it's fine...

What about this:
One small question:
If I have a public certificate CA, I will not face this warning once the user double click the icon shortcuts on their desktops to open .rdp applications???
Please note that this warning is not during the msi installation, it's when the user needs to launch the application for the first time...

Now in my case my certificate is SSL and issued for 1 year, so it will expire after one year... what will happen in this case? What shall I do?

Thank You!
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34246906
:) I'll answer the certificate related question.

The warning will happen for the public CA issued certificate too. You will not have to go through the procedure of deploying the certificate through GP (since it will be trusted automatically) but you will have to confirm that you allow the RemoteApps you publish with that certificate to access your local computer.

When your self signed cert expires, just redeploy the new cert through GP. Again this only has to be done for self-signed certs - not ones issued by Enterprise CA or public root CA.

Regards,
Tomislav
0
 
LVL 1

Author Comment

by:ISC-IT-Admin
ID: 34247616
Hi Tomislav,
Thanks for the info..

What is the difference between Enterprise CA/Public root CA and SSL.
Why for Enterprise CA and SSL I don't need to go through GP???
From Where can I get Enterprise CA? I need it to buy it from Verisign or Godaddy???


0
