Getting rid of the RDS Single Sign-On security warning

I have been playing with the Windows Server 2008 R2 Remote Desktop Services (formerly Terminal Services) and ran into a problem with a security warning that pops up when clicking a signed .rdp file in the RD Web Access interface. I have set up the following environment:

[Image: RDS environment]

To be able to use the Single Sign-On feature included in RD Web Access you need to sign your RemoteApps with a certificate. How to set this up is explained in an article on the Microsoft RDS Team Blog.

After implementing the RemoteApp signing you are not quite finished. Every time a user clicks on one of the RemoteApps a security warning comes up which states: "A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program."

[Screenshot: security warning without the "do not ask again" checkbox]

Of course this is very annoying and we want this security warning to disappear. There are two ways to do this.

1. Changing logon settings.

When you log on to the RD Web Access web page you can choose whether you are on a public or on a private computer.

[Screenshot: RD Web Access logon page with "Private computer" selected]

[Screenshot: security warning with the "do not ask again" checkbox]

If you select the Private computer radio button before you log on to the RD Web Access web page the security warning still comes up, but you will now see a checkbox you can enable so that you are never warned again for this publisher, and the pop-up will not appear the next time you click the RemoteApp.

2. Create a GPO with .rdp signing settings

You can also create a GPO with the following settings:

{Computer | User}\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

“Specify SHA1 thumbprint of certificates representing trusted .rdp publishers” and enter the SHA1 thumbprint of the certificate you use for signing your RemoteApps.

[Screenshot: the SHA1 thumbprint policy setting]

You can find the SHA1 thumbprint on the Details tab when you open the certificate.

[Screenshot: certificate Details tab showing the SHA1 thumbprint]

When you use this second option your users do not need to change the logon radio button, regardless of whether they are on a private or a public computer.
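As an added example (not from the original post or from the RDS team), the following PowerShell performs the same registration on a single client locally, for instance to test the setting on one workstation you administer before rolling out the GPO. It assumes the policy above stores its comma-separated list in the TrustedCertThumbprints value under SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (as in the Remote Desktop Connection Client ADMX template); confirm this against your own templates, and the thumbprint used in the call is a constructed placeholder.

```powershell
# Added example, not part of the original post. Run on the client workstation
# as an administrator. Assumption: the "Specify SHA1 thumbprint ..." policy
# stores its list in the registry value below; verify against your ADMX files.
function Set-TrustedRdpPublisher {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [ValidateSet('Machine', 'User')] [string] $Scope = 'Machine'
    )
    # A thumbprint pasted from the certificate Details tab usually carries
    # spaces and sometimes an invisible left-to-right mark (U+200E). Keep only
    # hex digits, then check that a full 160-bit SHA1 value remains.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits of SHA1 thumbprint, got '$Thumbprint'"
    }

    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
    $name = 'TrustedCertThumbprints'
    New-Item -Path $key -Force | Out-Null

    # The value is a comma-separated list; merge rather than overwrite so any
    # other trusted publishers already configured keep working.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $list = @()
    if ($current) {
        $list = @($current -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() })
    }
    if ($list -notcontains $clean) { $list += $clean }

    Set-ItemProperty -Path $key -Name $name -Value ($list -join ',') -Type String
    return ($list -join ',')
}

# Constructed placeholder thumbprint, formatted the way the Details tab shows it.
Set-TrustedRdpPublisher -Thumbprint 'a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4'
```

Use the User scope only when the machine policy cannot be applied; a domain GPO targeting the same policy will overwrite the value on the next policy refresh.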

I have had some discussion with the guys at Microsoft from the RDS Team. They came up with what I call a workaround, because it seems there are no real solutions available at the moment: the behaviour is “By Design”. Microsoft promised to get back to me when they find a better option to solve this issue, because the workaround does not work for users who are working on non-domain-joined workstations, where we cannot apply GPOs. Users on non-domain-joined computers will always get the security warning.

4 Comments

  • Carlos says:

    Thanks, I was unable to find information about this issue on the net, this article saved me a lot of time…

  • Kris says:

    Hi Ronald,
    Did Microsoft get back to you about the non-domain-joined users?
    I’m implementing UAG 2010 and have same problem.
    Regards
    Kris

  • Daryl says:

    Hi Ronald,

    Any response from Microsoft on this please? Same issue here too, publishing RemoteApps via UAG and have this warning/prompt every time.
    Regards
    Daryl

  • Amar says:

    Thank you for the article, saved me a lot of time

    Amar
