Remote Desktop Services – RemoteApp Certificate Issue

I was recently involved in a Remote Desktop Services deployment for three hundred users. After configuring Remote Desktop Services and publishing a RemoteApp, which had been digitally signed with a Go Daddy certificate and deployed via an MSI, I was prompted with a “Do you trust the publisher of this RemoteApp program” warning, as shown in the screenshot below.

[Screenshot: “Do you trust the publisher of this RemoteApp program” warning]

Obviously this was going to be an inconvenience for users, so to resolve this issue I performed the following actions.

1. Create a new Group Policy object via the Group Policy Management Console.

2. Edit the GPO and navigate to the following location: User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

3. Within the Remote Desktop Connection Client folder, double click the “Specify SHA1 thumbprints of certificates representing trusted .rdp publishers” setting and select the Enabled radio button.

4. Now open the SSL certificate you are using for RemoteApp signing, click the Details tab and scroll down the details pane until you see the “Thumbprint” item. Click the thumbprint entry and you should see a long alphanumeric string. Copy this string and paste it into the “Comma separated list of SHA1 trusted certificate thumbprints” box in the GPO we were editing in step 3.

5. Now that you have pasted the thumbprint string into the GPO, remove all spaces and capitalise all lower case letters in the string. For example, if your thumbprint looks like this, “95 1f 22 02 c3 6e a6 b0 64 0c db 8e b5 4a bb 98 0c bd ed af”, once you have pasted it into the GPO you need to modify it to read like this, “951F2202C36EA6B0640CDB8EB54ABB980CBDEDAF”.

6. Close the GPO editor and then link the created GPO to the organisational unit where the RemoteApp users reside. Log a RemoteApp user off and back on again and test the RemoteApp program. You should now see that the certificate warning is suppressed and the application loads straight away.

That’s it, you’re all done.
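Editing the thumbprint by hand in step 5 is easy to get wrong, and text copied from the certificate dialog can carry an invisible Unicode character that stops the policy value from matching. The PowerShell below is an added example, not part of the original post, that cleans and validates pasted thumbprints and builds the comma separated value for the GPO; the function name, variable names and the .cer file name are hypothetical.

```powershell
# Added example (not from the original post). All names here are hypothetical.
function ConvertTo-GpoThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Thumbprint
    )
    process {
        # Strip whitespace, colon separators and Unicode format characters (\p{Cf}),
        # which covers the invisible U+200E mark the certificate dialog can copy along.
        $clean = ($Thumbprint -replace '[\s:\p{Cf}]', '').ToUpperInvariant()

        # A SHA1 thumbprint is 20 bytes, i.e. exactly 40 hex digits. Fail loudly on
        # anything else rather than put a value in the GPO that will never match.
        if ($clean -cnotmatch '^[0-9A-F]{40}$') {
            throw "Not a SHA1 thumbprint after clean-up: '$clean' ($($clean.Length) characters)"
        }
        $clean
    }
}

# Constructed input: the example thumbprint from step 5 as it might be pasted from the
# Details tab (with a leading invisible U+200E), plus the same value colon-separated.
$pasted = @(
    "$([char]0x200E)95 1f 22 02 c3 6e a6 b0 64 0c db 8e b5 4a bb 98 0c bd ed af",
    '95:1F:22:02:C3:6E:A6:B0:64:0C:DB:8E:B5:4A:BB:98:0C:BD:ED:AF'
)

# Reading the value from the certificate itself avoids copy and paste altogether:
# $pasted = (Get-PfxCertificate -FilePath .\rdp-signing.cer).Thumbprint

# Normalise every entry, drop duplicates, and join into the comma separated policy value.
$policyValue = ($pasted | ConvertTo-GpoThumbprint | Sort-Object -Unique) -join ','
$policyValue
```

Keep the list limited to signing certificates you control, since every thumbprint in it suppresses the publisher prompt for any .rdp file signed with that certificate.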

Remote Desktop Services – Windows XP Single Sign On

I recently experienced an issue getting RemoteApp single sign on working from Windows XP workstations. When launching a published RemoteApp through either an .RDP or MSI file, users were prompted for authentication even though they had already authenticated at login. To stop this from occurring, the following actions were performed.

1. Ensure that the Windows XP workstation is running Service Pack 3 and that the Remote Desktop Connection 7.0 client is also installed. The Remote Desktop Connection 7.0 client can be obtained from here.

2. Install the Credential Security Support Provider (CredSSP) package. This enables credentials to be passed to target servers. The CredSSP package can be obtained from here.

3. Ensure that at least .NET Framework 3.5 SP1 is also installed on the workstation.

4. Configure a computer level Group Policy on a domain controller to enable delegating default credentials. A detailed explanation of how to configure the group policy object is available here.

5. The final step is to apply hotfix KB953760, which addresses a particular single sign on issue with Windows XP SP3 based workstations. The hotfix can be directly downloaded from here. When the hotfix has been applied, reboot the workstation.

That’s it, you should now no longer be prompted for authentication when opening published RemoteApps on Windows XP SP3 workstations.