Hm, strange effect - the picture at the bottom should have beem displayed instead of the third one...

Sorry for that :)

Regards,
Tomislav

Hello Tomislav,

Thank you for the reply.
Well I have a CA certificate for Exchange Server for MS outlook Anywhere.
Can I use that certificate for RDS RemoteApp?
How can I install it and use it?

Thanks,

Was this CA certificate issued by a public authority? Or your internal Enterprise CA?

This Certificate is issued by a Public authority...

?????

when I click on "Sign with a digital Certificate" then Change... there is nothing empty...
How can I import and use our CA certificate, we bought I think from Verisign or Godaddy from a long time... and it is still validate till Dec 2015...

Thanks,

OK.

I suppose it is installed at your W2K3 server and not on W2K8 RDS since if that were the case we wouldn't have to do much.

The first important thing is to access the original certificate file - the one that holds both the private and the public key of the certificate.

It would be great if any of these are true (the most preferred option at the top):
- you have the file with private/public key stored in a known location
- you can download the certificate file with private/public key from the website through which you purchased the certificate
- you have imported the certificate to Exchange server with option to export the private key

The goal is for you to gain access to the certificate file containing both private/public key.

After that we'll import the cert to RDS.

Regards,
Tomislav

If you are not sure if you have the certificate file we can immediately check if you can export it from Exchange server if you have administrative access to that server.

I have already the certificate xxxx.cert (Security Certificate) and it's imported locally to Win 2008 R2 RDS "Trusted Root Certification Authorities" to use for MS Outlook.
But how can I make it available for RDS remoteapp?

Thanks,

You can't (probably).

This is how it works. Each certificate consists od a private and a public key. Public key is something that is normally presented to the clients accessing some service or site. In order for server or service that presented the public key to sucessfully authenticate it must have private key that matches the public key presented.

That means you can have any number of clients that store the public key in their trusted certificate store - that means that they trust that public certificate and also the site or service that holds private key of that cetrificate.

In your situation your RDS (with Outlook) is a client that trusts the certificate presented by your Exchange - and that's why it is stored in trusted certificates. But that doesn't enable your RDS to use that certificate for singning stuff itself - that would mean that anyone having access to your public key could impersonate the true holder of certificate - and the purpose of certificates would be defeated.

However (just in case you actually imported full certificate to RDS - meaning public+private key) you may open your trusted certificate store on RDS, right click your certificate and choose export. If you see the option to export the private key enabled in options than we're in business. Otherwise we'll have to go knocking on your Exchange's certificate store.

Regards,
Tomislav

Thanks Tomislav,
I really do appreciate your help, but I'm getting confused with these certificate scenarios...
Tell me the best way or option on how to solve my RDS Unknown Pubisher Warning when I open an RemoteApp...

Now I'm here:
And the final option - obviously worst :) - is that you have no certificates listed when you clicked the Change button in one of the steps above. That means you have to track back a bit and create a self signed certificate. And here are the steps.

Please help with best option...

Thank You!

Just to confirm this first - can you RDP into your Exchange server with administrative access?

I tried to export our CA from Trusted Root Certificate, but unfortunately there is no Private Key...

No I cannot RDP to my Exchange Server...
But tell me, I can call the Exchange admin!

Great. Maybe the Exchange admin even has the certificate, but I'm not 100% sure hell be happy to share it.

If you can, call him and ask him if he can send you the certificate with private key.

If he agrees but doesn't know where he could access the file then ask him to:
- open Certificates.mmc for Local Computer on Exchange,
- open the container with Personal certificates,
- locate the certificate,
- right-click it and choose Export.

If he can set the options to export the private key with certificate - it's great. After he exports it ask him to send it to you and we'll go from there.

Leave it, I don't want to go to that Scenario, he told me send me e-mails and bla bla bla...
Maybe he will inform the top management...

How can we solve it without This Exchange certificate?
Other Option please...

Thanks,

Better to go with SSL Certificate...

Do you have IIS installed on your RDS machine?

No, I went to another Server with Win 2008 R2 and IIS 7.0
I created a certificate there then export it, now the certificate is xxx.pfx

Then?????

OK, but you exported it with private key - that's important.

Now go to your RDS, open Certificates.mmc - Local Computer and open your Private certificates store. Then right-click somewhere in there and choose - Import certificate.

If you don't see your PFX, just change file type in import - and then choose to put it in personal store. After that repeat the import but put it in a Trusted Root CA store.

Then you'll have to make the public version of the certificate that you will be outting in GPO but let's first finish the import.

I cannot find Private Certificate Store.
Pleae see attached screen shot.

Thanks,
Capture.JPG

Sorry - my mistake - Personal store.

After you import the cert - while you are still in Certificates.mmc we'll prepare the public certificates for your clients.

Why I need to put it in a 2 different places.
Personal Store and Trusted Root?

This is how you do it:
- in Personal store - right click the imported certificate and choose Export
- on options DESELECT or DO NOT SELECT export of private key - this is something you will be distributing so you must not give away your private key
- choose CER as file type and save it under nama that contains word "public"

Personal - that means it's your cert - trusted root - means you trust the issuer - well - yourself :)

Not always critical - but can help avoid problems in certain scenarios.

Done, I have imported to Personal Store, I can see it in Personal Store.
Then I imported to Trusted Root CA, but I cannot see it in Root CA.
I can see in Personal Store that the Certificate status is OK NOW...

Next???

Do the export of public part - couple of posts up are directions

Now I can see it in Remote App, Change settings...
I selected My SSL there...

What about here:
You must select the certificate you want for the RDP-tcp listener. That is the issue.
Launch '‘Remote Desktop Session Host Configuration' and double click RDP-tcp. You will see on the window that pops up the place to select the certificate you want.

https://www.experts-exchange.com/questions/26105321/RemoteApp-Server-SSL-Certificate.html

After you finish the export of public cert - go to your RemoteApp setup and finally :) select a certificate for signing your msis

You can place this certificate there too. It's not intended for msi signing its intended for encrypting the communication betwen RDP client and your server (for SSL/TLS) - you can set encryption level there to negotiate

Sorry I didn't understand the export part of public cert?
What I want to here?

For what I want to export my certificate again?

Just remember - you are not done
- you have to recreate your msi files now (they will be signed with new certificate and upload them to group policy)
- you must tell the RDP clients to trust your self-signed certificate through GP (you can place it in the same policy as the one through which you deploy the msis) - the steps for doing that are repeated here

observe the parts for self-signed certificate

Your public cert must be placed in GPO to be sent to clients (CAREFUL - without private key) - only then will your clients trust your new certificate - not before because it's only you yourself (and not your Enterprise or public authority) who claims that you are who you are

But anyone that imports your public cert - will trust you - however that must be done explicitly. Not implicitly because they trust the issuer.

Imagine it like this - customs trust the passport because it was issued by the state (the trusted root :)

But if you forge a passport or issue one to yourself - that is not a trusted situation :) oul have to sweettalk the oficers to let you pass :)

After putting new msi and public cert in GPO choose a single client, open command prompt and run gpupdate /force.

After that run the new msi and see what happens. If everything is OK - wait for tomorrow - after folks restart their machines the GP will be applied to them and no "Unsigned" issue should be happening for new signed msi-s

If you need more assistance - I'll stick around a bit more to help out :)

I'm testing... I recreate the msi... but I didn't export the cert yet...
I'm still receiving the same Unkown error Publisher.
So I will import the cert to the same GP which I'm deploying msi..

RIGHT?

Where I want to put the cert in the group policy???
Please step by step?

This one is a copy/paste from TechNet:

Deploy Certificates by Using Group PolicyUpdated: August 31, 2007
Applies To: Windows Server 2008

You can use this procedure to deploy a certificate to multiple computers by using Active Directory Domain Services and a Group Policy object (GPO). A GPO can contain multiple configuration options, and is applied to all computers that are within the scope of the GPO.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To deploy a certificate by using Group Policy
1.Open Group Policy Management Console.

2.Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.

3.Right-click the GPO, and then select Edit.

Group Policy Management Editor opens, and displays the current contents of the policy object.

4.In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.

5.Click the Action menu, and then click Import.

6.Follow the instructions in the Certificate Import Wizard to find and import the certificate.

7.If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.

Done, but Know I'm receiving when I click on the remote app a different warning:

Do you trust the publisher for this RemoteApp program.
I can see the publisher my certificate.
But why this warning? and how to resolve it?

Thanks,

Open Certificates.msc on client computer (for Local Computer) and check if your public certificate is in the Trusted Publishers and Trusted Root CAs. If not - have you run gpupdate /force

Screen Shot...
Capture.JPG

I can see my certificate in Trusted Root CA only...

Yes I run gpupdate /force...

Recheck the GPO - have you placed it in Trusted Publishers too?

There is no Trusted Publisher in the Group Policy to put it...
There is Trusted Root CA, Entreprise Trust, Automatic..., Encryption File...

Screen Shot GPO
Capture.JPG

I have Win 2003 DC...

Despair not :) This is for 2003 - copied from Technet:

To set trusted publisher options
1.Open Software Restriction Policies.


2.Double-click Trusted Publishers.


3.Click the users that you want to decide which certificates will be trusted, and then click OK.


Notes

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.


To open Software Restriction Policies, see "Open Software Restriction Policies" in Related Topics.


It may be necessary to create a new software restriction policy setting for the Group Policy object (GPO) if you have not already done so. For information about how to create new software restriction policies, see Related Topics.


You can use this procedure to determine whether users, local administrators, or enterprise administrators can add trusted publishers. For example, you can use this tool to prevent users from making trust decisions about publishers of ActiveX controls.


Local computer administrators have the right to specify trusted publishers on the local computer, while enterprise administrators have the right to specify trusted publishers on an organizational-unit level.


Information about functional differences
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

Hm... maybe some more trouble...

Here is the procedure for final steps

I just hope clients (XP, Vista, W7) will all understand this one

Still same...

Screen shot...
Capture.JPG

Please chek the previous post!

Is it working now?

LET ME CHECK AND GET BACK TO YOU...
Stay tuned...

Thx!

Hi Tomislav,

I just did the Final procedure
http://www.bibble-it.com/2008/09/03/adding-trusted-publishers-certificate-with-group-policy
I checked on the client side, and I found my certificate, under Root CA and Trusted Publisher. GREAT!
But the strange things, that I'm still receiving this different warning, but If I click "Don't aske me again for remote connections from this publisher", it will not come anymore if I open Remoteapp again...

Any Idea???

Thank You...
Capture-1.JPG

Sorry for late answer.

This behavior is by design. The question here is directed to the user to confirm that they trust the publisher of the RemoteApp program enough to share local resources (printers, drives, ports...) with computer they are connecting to. After you confirm your answer is saved to client computer registry and linked to certificate "thumbprint".

If you want to override this you would have to deploy that registry value to your clients either through logon script or GP (through custom ADM file). It's quite a bit of work, but if you are determined to push this all the way I can gude you through.

Regards,
Tomislav

Thank you Tomislav for the reply.
It's not a big deal, they can click don't ask me again for remote... :)
If you could please post for me the .adm file here and I'll try it through Group Policy???? THX...

In fact, on the Client Side I'm using HP Thin Clients with Windows Embedded joined to the domain, instead of using normal desktops, less headache and support :) My Document Folder on the Thin Client is redirected to a file server using Folder Redirection Policy. GOOD?

I have a different question, I would really appreciate if you could help me as well:
Now I'm using one physical server on the back-end side RDS Server with Remote App!
But for now I installed RDS server under Hyper-V for demo testing and Hyper-V is very good for Production environment too...
But what if the server went down???... I need to have full redundancy...
We will buy an identical server hardware, but what configuration and scenario to configure to have an automatic fail over if on the server goes down???
For now if my server went down, users cannot access their remote apps...
Please I need your help as well...  

Thank you very much...
Waiting for your support...

I'm afraid you'll have to create ADM file yourself because I don't have the necessary data.

Do the following:

1) Open your public certificate (doesn't matter where you do it). Go to details tab and locate Thumbprint value.
 
2) On the machine where you already clicked the "Always trust..." when running the MSI navigate to the HKCU\Software\Microsoft\Terminal Server Client\PublisherBypassList key. There you should see the value that matches the thumbprint of your certificate.
 
Make note of the number in the Data column for that value - it matches the device mapping settings you have set for your remote apps. Note the decimal value in parentheses ()

3) Open Notepad and paste the below code in there.
 

CLASS USER

CATEGORY "RemoteApp Settings (Custom)"
  POLICY "Trusted Publisher Bypass List"
  EXPLAIN !!PolicyHelp
  KEYNAME "Software\Microsoft\Terminal Server Client\PublisherBypassList"
    PART !!TrustedPublisher001
      NUMERIC
      VALUENAME "<Place the thumbprint of your server certificate here.>"
    END PART
  END POLICY
END CATEGORY 

[strings]
TrustedPublisher001="Allowed RemoteApp settings for <the name in your server certificate>:"

; explains
PolicyHelp="This policy enables you to set the allowed settings of RemoteApp programs published by trusted publishers that will be bypassed in security check when users start the RemoteApp program."

Select allOpen in new window

Replace the entire text:
<Place the thumbprint of your server certificate here.>
with the exact Name of registry value that matches your certificate thumbprint. For example - the value that should be placed there for certificate I used for this example would be:
C19ED739A9ACD026336919BF4E1C1B065B5F77C600

Replace the entire text:
<the name in your server certificate>
with the name that appers in your certificate (this is probably name of your computer). This will help you if you ever need to add additional values. For example - the value that could be placed there for certificate I used for this example would be:
example.mydomain.local

Save the text file and change it's extension to ADM.

This is how it would look in my example:
 

CLASS USER

CATEGORY "RemoteApp Settings (Custom)"
  POLICY "Trusted Publisher Bypass List"
  EXPLAIN !!PolicyHelp
  KEYNAME "Software\Microsoft\Terminal Server Client\PublisherBypassList"
    PART !!TrustedPublisher001
      NUMERIC
      VALUENAME "C19ED739A9ACD026336919BF4E1C1B065B5F77C600"
    END PART
  END POLICY
END CATEGORY 

[strings]
TrustedPublisher001="Allowed RemoteApp settings for example.mydomain.com:"

; explains
PolicyHelp="This policy enables you to set the allowed settings of RemoteApp programs published by trusted publishers that will be bypassed in security check when users start the RemoteApp program."

Select allOpen in new window

After this go to your GPO and add this template to User Settings > Policy > Administrative Templates.

Since you are doing this on a W2K3 DC follow these steps:

1) Open your GPO in GPO Editor.

2) Right-click User Configuration > Administrative Templates and choose Add/Remove Template.
 
3) Click Add on Add/Remove Templates window.
 
4) Locate your ADM file (I've named it test policy but you better name it "RemoteApp Settings (Custom).ADM") and click Open.
 
5) The template will appear in the list. Click Close on this window.
 
6) For new template to display in the editor you will have to modify the view filter. First click then right click Administrative Templates container, then choose View > Filtering.
 
7) Remove the check from Only show policy settings that can be fully managed and click OK.
 
8) Expand Administrative Templates. You should see your new "RemoteApp Settings (Custom)" group. When you click it you will see "Trusted Publisher Bypass List" policy on the right. (Note how parts of ADM file show up in GP editor.) Open policy properties.
 
9) Enable the policy and set the value in the bottom screen to the value you found in Data column of your registry key. In my example the value was 79 (remember - the decimal value). Click OK.
 
10) The enabled policy is visible in editor.
 
You will even see the new setting in GP management window.

Now, you have to go to some client that doesn't have this registry key - and run gpupdate /force. No security warning should appear at msi installation (if you havent't changed msi settings in the meantime).

And this is it. I'm done with this question :)

Regarding your second issue on redundancy I will point you to setting up a load balanced terminal server farm using RD Session Host, but how to do this is way beyond this question. However there's really good reading material here. From my own experience - it works OK, with some minor extension in logon times when compared to single server environments.

Regards,
Tomislav

One more thought - I'm not sure how the registry setting will apply to your thin clients so you may need to make appropriate modifications there.

Good luck!

Thank You Tomislav for above information:

One small question:
If I have a public certificate CA, I will not face this warning once the user double click the icon shortcuts on their desktops to open .rdp applications???
Please note that this warning is not during the msi installation, it's when the user needs to launch the application for the first time...

Now in my case my certificate is SSL and issued for 1 year, so it will expire after one year... what will happen in this case? What shall I do?

Thank You!

Hello Tomislav,

Now I'm facing issue with Printers:
I have already installed a printer driver on the user Thin Client.
But when they open Office for example and attemp to print, they cannot see their default printer locally... only they see the Server deafault printer, I don't want to use server Printer. I need to use the local one.
Please help...

Thank You!

Hi,

could you open another question for this please?

I don't know if I'll have time for this today and I'm sure other experts can help you with that. As a small pointer:
- you have to enable printer redirection on RDS (in RDS host configuration and when setting up RemoteApps) - you've probably done that
- if you are not using RDP6.1 capable client or later than you don't have the option of using EasyPrint driver (sort of RDS universal printer) so you will have to either install correct drivers for your client printers on RDS or install universal printer drivers on RDS (most printer manufacturers have them) and map them to client printer drivers through a custom mapping file - either option will include some GP modifications

Here are some links regarding questions this topic that I've participated here on EE (still open though):
- printer drivers on W2K3 TS
- alternatives for EasyPrint

Regards,
Tomislav

Thank you Tomislav for the reply.
I have installed the same network printer driver on RDS server as well, now it's fine...

What abou this:
One small question:
If I have a public certificate CA, I will not face this warning once the user double click the icon shortcuts on their desktops to open .rdp applications???
Please note that this warning is not during the msi installation, it's when the user needs to launch the application for the first time...

Now in my case my certificate is SSL and issued for 1 year, so it will expire after one year... what will happen in this case? What shall I do?

Thank You!

:) I'll answer the certificate related question.

The warning will happen for the public CA issued certificate too. You will not have to go through the procedure of deploying the certificate through GP (since it will be trusted automatically) but you will have to confirm that you allow the RemoteApps you publish with that certificate to acces your local computer.

When your self signed cert expires, just redeploy the new cert through GP. Again this only has to be done for self-signed certs - not ones issued by Enterprise CA or public root CA.

Regards,
Tomislav

Hi Tomislav,
Thanks for the info..

What is the difference between Enterprise CA/Public root CA and SSL.
Why for Entreprise CA and SSL I don't need to go through GP???
From Where can I get Entreprise CA? I need it to buy it from Verisign or Godaddy???