RemoteApp Launch Warning

  • Question

  • Windows Server 2008 RC1 Standard x86

     

    Every time a RemoteApp launches, a dialog pops up stating that "a Website wants to start a remote connection. The publisher of this remote connection cannot be identified." How can I stop this message? Is it an SSL issue or something else?

     

    Thanks, as always, for the help!

     

    Stuart 

    Thursday, January 10, 2008 5:12 PM

Answers

  • This is not an SSL issue.  The file that launches the RemoteApp itself can be signed when it is created, and if you trust the certificate that was used in signing the file, then you won't get the pop-up dialog.  There is no way to get rid of the dialog without having the RDP files signed by the publisher.  This was a security decision as this interface is scriptable and this gives you a warning that a program is about to be launched.

     

    Hope this helps,

    Kevin

    Thursday, January 10, 2008 10:16 PM
    Moderator
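
Added example (not part of the thread and not Microsoft tooling): a small audit that reports whether an .rdp file carries a publisher signature and which of its settings fall outside the signed scope. It assumes signed files contain `signscope:s:` and `signature:s:` lines and that scope names match setting names case-insensitively; the host names and the signature value in the samples are constructed.

```python
import codecs

# Constructed sample of a RemoteApp .rdp file (names and hosts are made up).
SAMPLE_UNSIGNED = (
    "full address:s:ts01.example.test:3389\n"
    "remoteapplicationmode:i:1\n"
    "remoteapplicationprogram:s:||WINWORD\n"
    "redirectdrives:i:1\n"
)
# Same file after signing; the signature value is a placeholder, not a real blob.
SAMPLE_SIGNED = SAMPLE_UNSIGNED + (
    "signscope:s:Full Address,RemoteApplicationMode,RemoteApplicationProgram\n"
    "signature:s:PLACEHOLDER\n"
)

def decode_rdp(raw):
    """Decode file bytes; .rdp files are often UTF-16 with a BOM."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(text):
    """Parse 'name:type:value' lines into {lowercase name: value}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # the value may itself contain ':'
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = parts[2]
    return settings

def audit_rdp(text):
    """Report signature presence and which settings the sign scope leaves out.

    Presence only: this does not validate the signature or the trust chain.
    """
    s = parse_rdp(text)
    meta = ("signscope", "signature")
    scope = {n.strip().lower() for n in s.get("signscope", "").split(",") if n.strip()}
    signed = bool(s.get("signature")) and bool(scope)
    present = [n for n in s if n not in meta]
    return {
        "signed": signed,
        "covered": sorted(n for n in present if n in scope),
        "not_covered": sorted(n for n in present if n not in scope),
    }

if __name__ == "__main__":
    for label, text in (("unsigned", SAMPLE_UNSIGNED), ("signed", SAMPLE_SIGNED)):
        print(label, audit_rdp(text))
```

To check a file on disk, pass its bytes through `decode_rdp` first and hand the result to `audit_rdp`.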

All replies

  • Is there a way to disable the warning from popping up???

     We're testing running RemoteApp in 2008 and it's a pain for XP/SP3 clients.
    Friday, July 11, 2008 9:01 PM
  • Kevin London [MSFT] said:

    This is not an SSL issue.  The file that launches the RemoteApp itself can be signed when it is created, and if you trust the certificate that was used in signing the file, then you won't get the pop-up dialog.  There is no way to get rid of the dialog without having the RDP files signed by the publisher.  This was a security decision as this interface is scriptable and this gives you a warning that a program is about to be launched.

     

    Hope this helps,

    Kevin

    Kevin,

    Could you be so kind as to explain this in a bit more detail?  We have two 08 TS servers set up identically, load balancing, etc. When users click on the published .rdp they get the message listed above.  I have looked and done some research into how the RDP can be signed by the publisher and I have not found much of anything.

    Thanks

    Sunday, July 13, 2008 9:17 PM
  • Hi,

    I get this same message when using *.rdp files containing the remote settings.

    If you pass the settings as a string to mstsc.exe rather than using *.rdp files, you do not receive this unknown publisher message.

     

    For example:  The properties of the remote desktop connection shortcut can be changed to point to the server you want to connect to.

    %SystemRoot%\system32\mstsc.exe /v:192.168.1.1

     

    By modifying the Remote Desktop Connection shortcut with your string settings you will not receive the unknown publisher message.  If you use an RDP file you will receive the unknown publisher message.

     

    Regards,

    Markcnz

    • Proposed as answer by erayit Wednesday, April 22, 2009 1:08 PM
    Monday, July 28, 2008 3:09 AM
  • So.... WHERE... and HOW.... do you make this Change?? So it will use the STRING you've mentioned?
    Tuesday, August 12, 2008 10:10 PM
  • I have seen lots of people pound their heads on this one. 

    What you need to do before you publish a RemoteApp is load a certificate in the Digital Signatures Setting.  If you have a CA in your org, use the MMC console and manually request a cert from your local 2k3 CA.  The 2k3 CA Web certsrv will not work with 2008 or Vista.  If not, get a publicly acknowledged cert; use the same one for your TS Gateway if you have one.

    You will want to refresh your TSweb configuration as well.
     
    This took care of the problems for me.

    Josh
     
    • Edited by ursenj Tuesday, August 26, 2008 11:15 PM Missed a word
    • Proposed as answer by ursenj Tuesday, August 26, 2008 11:17 PM
    Tuesday, August 26, 2008 11:10 PM
  • To the last poster... are you saying that you have to have your CA setup on a 2k3 server?  Our whole environment is 2k8 with two 08TS with a gateway setup.  We are publishing microsoft apps such as word, excel and we get this error message.  I don't see why using a cert from a 2k3 system would make any difference.  Microsoft should and must fix this issue.  We have an open ticket with them for over a month and still no resolution! 
    Wednesday, August 27, 2008 3:36 AM
  • 2008, 2003 makes no difference.  use what's in your environment.
    Wednesday, August 27, 2008 2:27 PM
    Moderator
  • All,

    If you are like me, you want to have some default settings for all MSTSC connections (like your username/domain) but don't want to create .RDP files for every server (in our case 1100 servers), and you certainly don't want to have to deal with that stupid prompt.  SO... simply write a script that either pre-populates this registry key with all your servers or populates the registry key for the specific server and then launches MSTSC.

    DWORD - HKCU\Software\Microsoft\Terminal Server Client\LocalDevices\<yourservername> = 68 (decimal)

    ***updated ****

    I decided to write the .vbs for you... enjoy


    **************************************
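    ' Suppress runtime errors so a missing registry value can be detected via err.number
    on error resume next

    dim objShell
    dim objArgs
    dim server

    set objShell = createObject("wscript.shell")
    set objArgs = wscript.arguments

    ' The server name is the first command-line argument
    if objArgs.Length <= 0 then
     wscript.echo "you must pass in a server name to connect to"
     wscript.quit
    end if

    server = objArgs(0)

    ' RegRead raises an error if no value exists yet for this server
    err.clear
    objShell.RegRead("HKCU\Software\Microsoft\Terminal Server Client\LocalDevices\" & server)

    ' Create the per-user value (68 decimal) only when it is missing
    if err.number <> 0 then
     objShell.RegWrite "HKCU\Software\Microsoft\Terminal Server Client\LocalDevices\" & server,68,"REG_DWORD"
    end if

    ' Launch mstsc against the server using the shared default.rdp settings
    objShell.Run "mstsc.exe /v:" & server & " c:\<yourfolderhere>\default.rdp",,false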

    **************************************

    This will allow you to have some default settings (launch the default.rdp file) without having that annoying prompt... enjoy

    • Edited by erayit Wednesday, April 22, 2009 1:25 PM added script
    • Proposed as answer by erayit Wednesday, April 22, 2009 1:31 PM
    Wednesday, April 22, 2009 1:12 PM
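  • For those who don't like the command line.. change the script to this and create a shortcut to the script.

    ' Suppress runtime errors so a missing registry value can be detected via err.number
    on error resume next

    dim objShell
    dim objArgs
    dim server

    set objShell = createObject("wscript.shell")

    ' Ask for the server name interactively instead of reading an argument
    server = InputBox("Enter server to connect to")

    if Len(server) <= 0 then
     wscript.echo "Error, no server name provided"
     wscript.quit
    end if

    ' RegRead raises an error if no value exists yet for this server
    err.clear
    objShell.RegRead("HKCU\Software\Microsoft\Terminal Server Client\LocalDevices\" & server)

    ' Create the per-user value (68 decimal) only when it is missing
    if err.number <> 0 then
     objShell.RegWrite "HKCU\Software\Microsoft\Terminal Server Client\LocalDevices\" & server,68,"REG_DWORD"
    end if

    ' Launch mstsc against the server using the shared default.rdp settings
    objShell.Run "mstsc.exe /v:" & server & " c:\<yourfolderhere>\default.rdp",,false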

    Wednesday, April 22, 2009 1:35 PM
  • on the Terminal Server that you are running the Web connection from open Server Manager
    Open Roles - Web Server (IIS)
    Click on Internet Information Services (IIS) Manager
    In the pane to the right click on the name of the server just below Start Page
    In the pane to the right of that click on Server Certificates
    In the actions pane click on "Create Self-Signed Certificate"
    for the friendly name use the Fully Qualified Domain Name (FQDN) of the terminal server
          (AN INCORRECT FRIENDLY NAME MAY CAUSE THE CERTIFICATE TO NOT WORK CORRECTLY)
    in the server certificates pane double click on the listed certificate.
    Click on the details tab and click on copy to file
    click next
    select No, do not export private key and click next
    select DER encoded binary and click next
    browse to a location you wish to save the file and type a file name. save as type DER (.cer)

    ( YOU WILL NEED TO DO THIS FOR ALL PC'S CONNECTING TO THE TERMINAL SERVER WEB PAGE )
    copy this file to the pc you are connecting from.
    right click on the file and select install
    click next
    select Place all certificates in the following store
    click on browse and select Trusted Root Certification Authorities
    import should show successful

    back on the terminal server
    using the Server Manager
    open Roles -  Terminal Services - and click on TS RemoteApp Manager
    in center pane click on Digital Signature Settings Change
    check Sign with a digital certificate
    click on Change
    click on the certificate
    click ok
    click ok again

    create your RemoteApp programs...
    you may need to recreate any that already exist for the certificate to work.


    from the pc you imported the certificate on
    connect to the Terminal Server Web page (\\servername\ts)
    Click on your published app.
    you will be prompted with the warning and a check box not to prompt again.
    check this box...


    NOTE: THIS CERTIFICATE WILL EXPIRE AND YOU WILL NEED TO CREATE A NEW ONE AND RE-INSTALL ON ALL PC'S

     

    Friday, June 26, 2009 1:59 AM
  • For me, our Windows 2008 TS server had recently had its cert renewed for the web interface. We had not gone into the TS RemoteApp Manager to add the new cert there. Once the old cert expired, users started to get this warning message. I had to go to Digital Signature Settings and then go to the Digital Signature Tab, and browse to the new Cert.
    Monday, July 26, 2010 2:22 PM
  • Import the server certificate into the Trusted Root Certification Authority using the certificates snap in on the RD Gateway server.  Problem solved after much headbanging.

    Wednesday, December 14, 2011 8:11 PM
  • For me, our Windows 2008 TS server had recently had its cert renewed for the web interface. We had not gone into the TS RemoteApp Manager to add the new cert there. Once the old cert expired, users started to get this warning message. I had to go to Digital Signature Settings and then go to the Digital Signature Tab, and browse to the new Cert.
    I am having the same issue and did as you did.  I am still getting the warning when trying to open a TS App.  Did you have to restart a service or anything?
    Wednesday, July 11, 2012 1:48 PM
  • Did you have to create and reinstall the apps?
    Wednesday, July 11, 2012 2:06 PM
  • At "open Roles -  Terminal Services - and click on TS RemoteApp Manager", I stopped. I can't find it.

    Wednesday, May 14, 2014 12:57 AM
  • With Windows 2008 R2, "68" doesn't work. When I connect and click the checkbox, this value changes to "76".

    Wednesday, May 14, 2014 5:46 PM
  • I confirm that "68" does not work on 2008 R2. If you check the checkbox manually it creates a value of 5, so it seems for 2008 R2 it is 5 and not 68 to put in the registry.
    Friday, April 10, 2015 11:44 AM