Archive for November, 2009

Getting rid of the RDS Single Sign on security warning.

Wednesday, November 25th, 2009

I have been playing with the Windows Server 2008 R2 Remote Desktop Services (formerly Terminal Services) and ran into a problem with a security warning popping up when clicking a signed rdp file in the RD Web Access interface. I have set up the following environment:

[Figure: rds_environment, diagram of the test environment]

To be able to use the Single Sign On feature included in RD Web Access you need to sign your RemoteApps with a certificate. How to set this up is explained in an article on the Microsoft RDS Team Blog.

After implementing RemoteApp signing you are not quite finished. The following happens: every time a user clicks one of the RemoteApps a security warning comes up which states: "A Website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program."

[Figure: rds_security_warning_nocheckbox, the security warning without the "never warn again" checkbox]

Of course this is very annoying and we want this security warning to disappear. There are two ways to do this.

1. Changing logon settings.

When you log on to the RD Web Access web page you can choose whether you are on a public or on a private computer.

[Figure: rds_login_private, the RD Web Access logon page with "Private computer" selected]

[Figure: rds_security_warning, the security warning shown after a private computer logon]

If you select the Private computer radio button before you log on to the RD Web Access web page, the security warning still comes up, but now it shows a checkbox you can enable so it never warns you again for this publisher, and the pop-up will not appear the next time you click the RemoteApp.

2. Create a GPO with .rdp signing settings

You can also create a GPO with the following settings:

{Computer | User}\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Enable "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" and enter the SHA1 thumbprint of the certificate you use to sign your RemoteApps.

[Figure: sha1_policy, the GPO setting dialog]

You can find the SHA1 thumbprint on the Details tab when you open the certificate.

[Figure: certificate_sha1_thumbprint, the Details tab of the certificate]

When you use this second option, your users do not need to change the logon radio button, whether they are on a private or a public computer.
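A client-side check for the second option, added here as an example and not code from the original post: it reads the thumbprint of the signing certificate from the machine store and compares it with the thumbprints the policy delivered to the client. The certificate subject is a placeholder, and the registry value the GPO setting writes (TrustedCertThumbprints under the Terminal Services policy key) is an assumption to verify against the ADMX in your own domain.

```powershell
# Added example, not the post's own code. Assumptions: the signing certificate is in
# the machine Personal store under the subject below (placeholder), and the GPO
# setting writes a comma-separated TrustedCertThumbprints value under the Terminal
# Services policy key (verify against the ADMX on your domain before relying on it).
$SigningCertSubject = 'CN=rdweb.example.local'   # placeholder subject, adjust

# The Details tab shows the thumbprint as spaced hex pairs; the policy wants one
# contiguous hex string, so normalize both sides before comparing.
function ConvertTo-NormalizedThumbprint([string]$Value) {
    return ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# 1. Thumbprint of the certificate used to sign the RemoteApp .rdp files.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SigningCertSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Signing certificate '$SigningCertSubject' not found" }
$expected = ConvertTo-NormalizedThumbprint $cert.Thumbprint

# 2. Thumbprints the policy delivered, computer scope and user scope.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
)
$trusted = @()
foreach ($key in $policyKeys) {
    $item = Get-ItemProperty -Path $key -Name TrustedCertThumbprints -ErrorAction SilentlyContinue
    if ($item) {
        $trusted += ($item.TrustedCertThumbprints -split '[,;]') |
            Where-Object { $_ } | ForEach-Object { ConvertTo-NormalizedThumbprint $_ }
    }
}

# 3. Verdict: a mismatch here is why the warning keeps appearing after the GPO.
if ($trusted -contains $expected) {
    Write-Output "OK: $expected is a trusted .rdp publisher on $env:COMPUTERNAME"
} else {
    Write-Output "MISSING: signing cert is $expected; policy trusts: $($trusted -join ', ')"
    Write-Output "Confirm the GPO applied (gpresult /r) and that the value contains no spaces."
}
```

Run it on a domain-joined client after a policy refresh; on a non-domain workstation the policy keys are absent, which matches the limitation described below.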

I have had some discussion with the guys @ Microsoft from the RDS Team. They came up with what I call a workaround, because it seems that there are no real solutions available at the moment as the behaviour is "By Design". Microsoft promised to get back to me when they find a better option to solve this issue, because the workaround does not work for users who are working on non-domain joined workstations where we cannot apply GPOs. Users on non-domain joined computers will always get the security warning.

Forefront UAG (Unified Access Gateway)

Wednesday, November 11th, 2009

Today I attended a session @ Tech-Ed Berlin where the product Forefront Unified Access Gateway was presented. Although the product is currently still in Beta, the Senior Product Manager told us that the RTM will be available before the end of 2009. The product is the follow-up of IAG 2007 (Intelligent Application Gateway). However, UAG includes the follow-up of ISA known as the Forefront Threat Management Gateway, and it includes Microsoft DirectAccess, which is a HOT product with high potential: access for any employee, business partner or customer from anyplace, anywhere, from any device. A step forward that should eliminate the entire Microsoft product thinking. Microsoft finally understands that it needs to supply access from other platforms into their servers. Shortly after Tech-Ed I will evaluate the Beta of UAG and you will find some interesting posts on my blog.