Windows Server TechCenter >
Windows Server Forums
>
Terminal Services
>
Remote Desktop Client 6.1 ActiveX "Unknown publisher" warning
Remote Desktop Client 6.1 ActiveX "Unknown publisher" warning
- To make a somewhat long story short, we have a webpage that loads the Remote Desktop Connection ActiveX and connects to a Win2003 server. The activeX is embeded using an object tag and connected to the server using javascript. Everything on that end works fine. However, on client machines that have the RDP 6.1 update (included in XP sp3) the users see a very annoying warning message that states the following:
"A website wants to start a remote connection. The publisher of this remote connection cannot be identified.
This remote connection could harm your computer. Do not connect unless you know where this connection came from or have used it before.
Publisher: Unknown publisher
Type: Remote Desktop Connection
Remote computer: MyServerName"
And the dialog has "Connect" and "Cancel" buttons.
The website is on our intranet and is even listed specifically in the trusted sites.
I have seen a lot of articles on the web regarding people using and signing .rdp files to get around this type of error, or signing the "RemoteApp" that is launched, but have not found anything regarding the activeX simply connecting to a server and displaying the session.
I noticed that when connecting to the server using the desktop application I received a similar warning message. My research led me to the following article: http://technet.microsoft.com/en-us/library/cc782610.aspx which describes creating a certificate to authenticate the server. After completing all these steps, the warning message no longer appears on the desktop application, but still appears when connecting to the same server though a webpage!
This has become very frustrating for me as I struggle to make this warning go away. I really find it hard to believe that nobody else has run into this issue. Hopefully it is something simple that I have missed.
Thanks ahead of time for any help that can be provided on this.
T.J.
Answers
- Hi TJ,
the reason we do have to show the warning when you connect with the browser is because we need to account for any random website your user may visit attempting to launch a connection to a malicious remote server.
In the case of connections from the remote desktop application, the chances of a user launching a random connection to a malicious server are lower - hence we can allow hte user to dismiss this warning.
We will look into how we can improve this experience in future versions of Windows.
Thanks for your input.
Ayesha- Marked As Answer byAyesha Mascarenhas MSFTMSFT, OwnerTuesday, March 31, 2009 1:48 AM
- Proposed As Answer byAyesha Mascarenhas MSFTMSFT, OwnerWednesday, August 27, 2008 9:15 PM
All Replies
- TJ -
I think my problem is similar to yours. I get the same error message. I have a Windows 2003 Terminal Server which users connect to a webpage with the TSAC ActiveX client. The ActiveX control is issued by Microsoft so why is it untrusted? This is a recent development so I guess one of the recent Internet Explorer patches is responsible for this behavior. So I guess the question is how do you sign an ActiveX component that was issued by Microsoft?
Will Hello TJ K and Texcal - are any of the device redirections enabled for users who are seeing this warning UI?
There is currently no way for you to disable this warning from your web page with the ActiveX control within it - the warning dialog is a security dialog to inform users that they connecting to a remote computer and some of their devices (like drives) may be redirected.
In future versions of Windows, we can consider giving Admins the ability to script the activeX so that the warning dialog is not displayed if the following 2 conditions are met:
1) the website is within the browser's trusted zone
2) no devices are being redirected
- Proposed As Answer byAyesha Mascarenhas MSFTMSFT, OwnerTuesday, August 26, 2008 8:23 PM
- This is not a satisfactory solution. Our users have logged on to what they consider a trusted site, but are met with warnings referring to "Unknown publisher". This prevents us from presenting a professional site to end users.
Allowing us to sign the ActiveX so that we will appear is the publisher is satisfactory.
Allowing us to script the ActiveX if the website is within the trusted zone is satisfactory.
The combination of 1 and 2 above is not.
And could someone please point me to updated documentation for scripting the new ActiveX for RDP 6.1 users? Very difficult to find.
- Proposed As Answer byRobert Laube Monday, August 17, 2009 1:40 PM
Ayesha,
There are no device redirections enabled for this situation. In fact, I specifically disable them. And the website is in the browser's trusted zone. I understand the security issue, but it seems to me that if I have a certificate for that server I shouldn't get the warning anymore. I know the certificate is installed correctly because I no longer get the same warning when connecting to the server with the desktop application. Why the difference when connecting from the ActiveX control?
Thanks,
T.J.- Hi TJ,
the reason we do have to show the warning when you connect with the browser is because we need to account for any random website your user may visit attempting to launch a connection to a malicious remote server.
In the case of connections from the remote desktop application, the chances of a user launching a random connection to a malicious server are lower - hence we can allow hte user to dismiss this warning.
We will look into how we can improve this experience in future versions of Windows.
Thanks for your input.
Ayesha- Marked As Answer byAyesha Mascarenhas MSFTMSFT, OwnerTuesday, March 31, 2009 1:48 AM
- Proposed As Answer byAyesha Mascarenhas MSFTMSFT, OwnerWednesday, August 27, 2008 9:15 PM
- Ayesha,
Thank you for your responses. As much as I don't like the answer I am getting, I understand that there is no way around this issue for now. I just hope the users can understand what we tell them.
As for the reasoning behind always showing the warning in the browser, I am still not convinced. I am not talking about checking the box that says "Don't show this warning next time...", I am talking about installing the a security certificate (per instructions on the website I referenced in my original post) so that the warning is never displayed to begin with. I understand and agree that if you don't have a security certificate for a server and you are connecting through a website you should always be warned and not have the checkbox option to dismiss the warning in the future. I think that the real issue may be that the ActiveX control never checks for installed security certificates. I mean, isn't the point of the security certificate to verify that you've connected to a trusted server? Why ignore that system when connecting to a server over a website? By showing this warning through the browser even when the secrurity certificate is installed, it shows a lack of confidence in Microsoft's own security system. Its basically saying "Ok, the server was verified with the security certificate, but we really can't be sure its the trusted server, so we'll warn the user anyway." What's the point of having a security certificate if you can't trust it in all circumstances?
Again, I appreciate your responses, and understand that it was most likely not your descision behind this. I just think that whoever made this decesion (assuming it was done intentionally and not just something that was overlooked) really botched this one. I can only hope that this issue is resolved in the next version. I hope I have been clear in my issue. I really hope that a future version of this ActiveX control is able to trust the security certificate that Microsoft itself creates.
Thanks again,
T.J. - I have this exact same problem accross 12,000 thin clients. We just upgraded our back office infrastucture to windows server 03 64bit and every time users connect to a page that runs a RDP session to a back office server they get the exact same error.
"A website wants to start a remote connection. The publisher of this remote connection cannot be identified.
This remote connection could harm your computer. Do not connect unless you know where this connection came from or have used it before.
Publisher: Unknown publisher
Type: Remote Desktop Connection
Remote computer: MyServerName"
I have found nothing other than this post and I find it hard to beleive there is no solution. I made sure the site was in trusted site list and Active x was enabled which runs fine its just the RDP piece.
Has anyone found a solution to this?- Edited byjpvelaz Wednesday, September 17, 2008 9:23 PM
- This problem occurs because you at microsoft would rather inconvience the user rather than do the real work and allow sufficient controls to allow a good user expericnce. This type message comming up is highly distained by the user community. How about getting off your lazy rears and focus on the user for a change.
Hi,
It has been over 6 months since this thread started. We run into the same situation since the SP3 upgrade, and I share the frustration that TJ expressed. Are there any updates on a solution? Any time frame for a fix?
Thanks in advance,
Nir.I can avoid this prompt by changing security settings for my Trusted Internet Zone [http://support.microsoft.com/kb/182569]
Specifially, by setting:
ActiveX controls and plug-ins: Initialize and script ActiveX controls not marked as safe for scripting = Enabled
Naturally, there are risks with this method...- Proposed As Answer byOPSCC Tuesday, November 03, 2009 5:28 PM
