UAG, Remote App & SSL warnings

  • Question

  • Hi again,

    This is the setup we have:

    1 x UAG_Server ; 1 x RemoteApp_Server ; 1 x Application Server (that RemoteApp connects to).

    UAG_Server has a self signed cert (UAGCert). RemoteApp_Server has a self signed cert (RemoteAppCert).

    All remote apps are being signed by RemoteAppCert. (This is to satisfy Web SSO) as per: http://blogs.technet.com/askperf/archive/2008/09/23/unknown-publisher-where-did-this-dialog-box-come-from.aspx

    RemoteAppCert and UAGCert are set up as Trusted Publishers on both UAG_Server and RemoteApp_Server.

    If I connect to RemoteApp server (via URL) from an intranet computer, and click on the published remote app - we initially get the SSL warning, then clicked the “Don’t ask me again for remote connections from this publisher” - and it now works without any hassles (no more SSL warnings.)

    The remote application has also been published on the UAG server portal. When we connect to the portal (from the 'Internet') we still get the SSL warning. Why?

    Thanks.

    Monday, April 19, 2010 9:37 AM

Answers

  • I'm marking this question as resolved, even though it is not, as it appears that this issue has too many variables to be resolved within the limited abilities of a support forum. If this is still unresolved, Mr. Kwan, I might suggest you open a support case with Microsoft CSS, and have it investigated thoroughly. If it turns out to be a bug in the product, this is the best path to resolve it.


    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Wednesday, May 12, 2010 7:42 PM
    Wednesday, May 12, 2010 7:41 PM

All replies

  • Have you read the following blog: http://blogs.technet.com/edgeaccessblog/archive/2010/04/11/how-to-publish-remoteapp-applications-successfully-with-uag.aspx? Maybe it helps to solve your issue...

    Cheers,
    Dominik

    Monday, April 19, 2010 9:45 AM
  • Thanks for that link, this is what I can confirm I have done:

    1. RDS server certificate is self signed (and trusted on both UAG and RD Server machines)

    2. There is no AIA or CDP (since it's a self signed cert, and no PKI exists). I have not disabled CRL checking, as again it does not make sense...what do you think?

    3. RDP files are digitally signed by the RDS certificate (which is trusted on both RDS and UAG servers). I have exported and imported the .rdp file again, after signing it...

    The problem still exists.


    Monday, April 19, 2010 10:01 AM
  • Well, I guess you have to install the self-signed cert on the client's computer store as well. Please see: http://technet.microsoft.com/en-us/library/dd320345(WS.10).aspx 
    Monday, April 19, 2010 10:18 AM
  • The client computer that I am connecting from (to test the RemoteApp via UAG) IS the actual UAG server itself.

    Everything works 100% - except that RD Security Warning message....I don't understand why it is still there...

    Monday, April 19, 2010 10:29 AM
  • Have you ever tried to establish a connection from a different client (not from UAG)?
    Monday, April 19, 2010 10:35 AM
  • Just connected from an 'Internet' client - a separate machine on the same subnet as the external IP of UAG. And the problem still persists.

    Monday, April 19, 2010 10:38 AM
  • Why are you using self-signed certs?

    If you are testing, why not use proper test certs from a public CA? It will probably save you a lot of headaches!

    Here is an example of a full func. 45 day one: http://www.globalsign.co.uk/free-trial/free-ssl-certificate/

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, April 19, 2010 11:19 AM
    Moderator
  • Just connected from an 'Internet' client - a separate machine on the same subnet as the external IP of UAG. And the problem still persists.


    There are a number of different SSL errors that can possibly be presented. What is the exact error message you're seeing?



    Paul Adare CTO IdentIT Inc. ILM MVP
    Monday, April 19, 2010 11:25 AM
  • OK, let me try this route instead.

    Where do I need to generate the CSR from, UAG or the Remote Desktop Server?

    Also, when I apply they want an email address with one of the following..which we don't have:

    admin@company.com
    administrator@company.com
    hostmaster@company.com
    postmaster@company.com
    root@company.com
    ssladmin@company.com
    sysadmin@company.com
    webmaster@company.com
    info@company.com
    it@company.com

    Pity....

    Monday, April 19, 2010 11:27 AM
  • Just add an alias to an existing email account - no?

    Create the CSR using IIS; either on box or remote and then export the PFX to UAG:

    http://www.globalsign.com/support/csr/serversign_iis7.php

    http://www.globalsign.com/support/csr/serversign_iis5.php

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, April 19, 2010 1:26 PM
    Moderator
  • OK I did it.

    Got a Trial cert for the correct URL from Verisign.

    Imported this cert as a trusted cert on UAG and RD Server. (cert name for post purposes: UAGCert).

    UAG and RD Server both trust the UAGCert.

    UAGCert is used on RemoteApp server to sign the RDP file.

    If I connect to https://RDServer/RDweb from an intranet computer, the SSL on the website is trusted, then on first run of the RemoteApp I can select the "Don’t ask me again for remote connections from this publisher" - and the SSL Warning never pops up again.

    If I connect from the Internet, I have a legitimate SSL session to the UAG Portal, then I click on the RemoteApp and every single time I get this error message:

    "A Website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program"

    The publisher (UAGCert & the relevant Root Verisign Certificate) is in the Trusted Root Authorities of the machine I am connecting from.

    We are lost. Please help. SOS.

    Monday, April 19, 2010 2:26 PM
  • Hi Amigo. The warning you see is not related to the SSL certificate of the portal, but to the one used for signing the applications. When accessing the RemoteApps Web Access locally you can select if your computer is "public" or "private". In case you select "private" you can tick a box to say "don't ask me again for connections from this publisher". The fact is that accessing from UAG doesn't let you choose whether the computer is public or private. It is always "public" so you cannot avoid RDC client asking for confirmation. I guess if you want to disable the annoying advice you should install the root certificate not in the Root CAs store but in the Trusted Publishers store. Why don't you try?

    Hope it helps


    // Raúl - I love this game
    Monday, April 19, 2010 4:19 PM
  • Hi Amigo. I have tried and it doesn't work :(

    Let me check something else and I will come back to you asap


    // Raúl - I love this game
    Monday, April 19, 2010 4:26 PM
  • Found some more info. For domain joined computers, it can be configured with GPO.

    Take a look here http://technet.microsoft.com/ja-jp/library/cc753945(WS.10).aspx at the setting Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

    Hope it helps



    // Raúl - I love this game
    Monday, April 19, 2010 4:39 PM
  • RMoros,

    Have seen this SHA1 setting before - and it does work - for domain joined machines.

    However, what about non-domain joined machines? If we purchase a legitimate cert, public (authenticated) partner clients when connecting will not want to see this SSL warning "A Website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program".

    It seems you have a similar setup to mine then?


    To reply to Paul Adare: the warning message is: "A Website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program"

    Regards.

    Monday, April 19, 2010 5:34 PM
  • AFAIK from internal discussions, the first dialog with the warning "A website wants to run a RemoteApp program ... " can only be avoided when configuring the appropriate registry key. Unfortunately... :-(


    Monday, April 19, 2010 9:46 PM
  • To reply to Paul Adare: the warning message is: "A Website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program"

    This is why I asked the question I asked. This is not an error related to SSL at all but is rather a warning about code signing. If you're using a certificate whose purpose is for SSL (Server Authentication) and not also for code signing, then this warning message won't go away.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, April 20, 2010 5:48 AM
  • Ah - Paul you may have hit the nail on the head there....ok, the certificate is for Server Authentication - so Code Signing fails as predicted.

    I now have removed the code-signing from RemoteApp server properties, and have created a new RemoteApp and published it in RDWeb.

    Now I get the following error message (if I connect from the intranet to the RDWeb URL):

    "The website wants to run a RemoteApp program. The publisher of this RemoteApp program cannot be identified."

    Under Publisher it says: "Unknown publisher"

    The application I am publishing is simply the Windows Calc.exe

    I have restarted the RemoteApp service. Ensured that the correct certificates are under 'Trusted Publishers' and 'Trusted Root CA' stores.


    Here's another strange one:

    If I connect to the UAG portal and click 'Calc' I still get the same error message "A Website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program" - and this time the publisher name is filled in with the [Server Auth] certificate name.

    Even though I have disabled RDP signing, created a new RemoteApp, exported a new .tspub, created a new RemoteApp on UAG. Why is the Publisher still there???

    Any ideas?

    Tuesday, April 20, 2010 6:39 AM
  • Then...according to http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/330caf39-c40d-4b79-9db9-4578909f3841/ if we DO NOT sign the .rdp files...we will always get the 'Unknown Publisher' warning - it's a design security feature by MS....is that still correct?

    So the only way to have this SSL pop-up to disappear is to obtain a code-signing certificate...or get a cert with multiple purposes [Server Auth] [code sign] [client auth] etc etc

    Am I finally on the right track?

    But here's a curve-ball from the RD Help File:

    "you can sign .rdp files that are used for remoteapp connections by using a Server Authentication certificate [SSL certificate], a code signing certificate, or a specially defined RDP Signing certificate"

    So theoretically our [Server Auth] certificate should work (it contains the private key) :-) But it doesn't :-(

    • Edited by D Wind Tuesday, April 20, 2010 9:53 AM
    Tuesday, April 20, 2010 8:16 AM
  • We have even enabled these settings on a GPO that applies to the client, UAG and RD Servers:

    - Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

    - Allow .rdp files from valid publishers and user's default .rdp settings

    - Allow .rdp files from unknown publishers

    And the SSL pop-ups still appear (when connecting from Intranet and Internet).

    We don't even get the “Don’t ask me again for remote connections from this publisher" when connecting from the Internet.


    Is there someone here from MS dev team for Remote Desktop and/or UAG that can confirm as this being a potential bug?

    Regards

    Tuesday, April 20, 2010 9:43 AM
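    An added example (not code from any poster in this thread) that checks the two points raised above: Paul's observation that the signing certificate must carry the Code Signing purpose, and Raúl's "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" policy, which wants the signing certificate's SHA1 thumbprint. It assumes the certificate sits in the machine's Personal store and that `CN=rds.example.com` is a placeholder subject you replace with your own; the comma-separated thumbprint format is taken from the policy's own description and should be confirmed against it on your OS version.

```powershell
# Added example, not code from the thread or from Microsoft.
# Inspects candidate signing certificates in the local machine's Personal store,
# reports which Enhanced Key Usages each carries, and assembles the thumbprint
# list that the "trusted .rdp publishers" policy expects.
param(
    [string]$SubjectFilter = 'CN=rds.example.com'   # placeholder subject, replace with yours
)

$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # Server Authentication (TLS)
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing (Authenticode)

function Get-RdpSigningCandidates {
    param([string]$Subject)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$Subject*" -and $_.HasPrivateKey } |
        ForEach-Object {
            # Collect the EKU OIDs from the certificate's extensions
            $oids = @()
            foreach ($ext in $_.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $oids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
                }
            }
            [pscustomobject]@{
                Subject     = $_.Subject
                Thumbprint  = $_.Thumbprint        # SHA1 hex, the value the policy wants
                NotAfter    = $_.NotAfter
                ServerAuth  = ($oids -contains $ServerAuthOid)
                CodeSigning = ($oids -contains $CodeSigningOid)
            }
        }
}

$candidates = Get-RdpSigningCandidates -Subject $SubjectFilter
$candidates | Format-Table -AutoSize

# A certificate with only ServerAuth=True will reproduce the "Make sure that you
# trust the publisher" prompt described in this thread; pick the CodeSigning ones.
$signers = $candidates | Where-Object { $_.CodeSigning }
if (-not $signers) {
    Write-Warning "No certificate matching '$SubjectFilter' carries the Code Signing EKU."
} else {
    # Assumption: the policy stores thumbprints as one comma-separated string
    $policyValue = ($signers | Select-Object -ExpandProperty Thumbprint) -join ','
    Write-Output "Thumbprint list for the trusted .rdp publishers policy: $policyValue"
}
```

    Run it on the RemoteApp server after importing the certificate; if every row shows CodeSigning=False, a new certificate is needed rather than more store or GPO changes.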
  • Hi all,

    I've just installed trial UAG with latest update2, and have the same problem.

    Any update to that? 



    Wednesday, October 6, 2010 10:40 AM
  • Perhaps some things are mixed up here and this might help you find the answer. So the portal page is not causing the problem. The portal needs to have a valid SSL certificate and if you are using a self-signed certificate this should also be placed into the Trusted Root Certification Authorities container on the local machine. There should not be a warning if you are accessing the portal page with such a client.

    The published RemoteApp needs to be signed with an Authenticode certificate which also needs to be placed in the Trusted Publishers container on the machine which is accessing the RemoteApp. I think it needs to be an Authenticode type of certificate. This certificate needs to be placed in the Trusted Root Certification Authorities container on the local machine. Otherwise the trust chain can not be validated.

    If you are running clients in an AD environment all of these steps can be done using group policies. If untrusted machines are accessing your portal these steps have to be done manually. Are you accessing the RemoteApps through RDS Gateway? Then this certificate needs to be installed also.

    I believe the easiest way to solve the issue is to use a certification authority running on a Windows Enterprise Edition server. You can define your own templates and the root certificate is automatically published via AD to your client computers. If you need some more information about building a CA infrastructure feel free to drop me some lines.
    Andreas Hecker
    Wednesday, October 6, 2010 7:52 PM