Do you trust the publisher of this RemoteApp Program? prompt even though the Publisher is trusted?

    Question

  • I have a 2008 R2 Farm and I've installed the same cert from our internal trusted CA on all the nodes. I've created a RemoteApp and signed the rdp file with the same cert I'm using for TLS.

    If I try to connect from Windows 7 or XP SP3 (mstsc 6.0.6001) I'm faced with a "Do you trust the publisher of this RemoteApp Program?" prompt. Listed next to Publisher is the FQDN of my farm, and if I click on it, I can confirm that the certificate chain is trusted.

    I'm only redirecting serial ports, clipboard and printers. I have also tried to configure the GP on the clients under the "Remote Desktop Connection client" with no success.

    Is there any way to ensure the users don't receive this security message?
    Thanks
    Ben
    Wednesday, November 11, 2009 3:10 PM

Answers

  • Hi Ben,

    This is by design.  The user is prompted the first time, and they can choose Don't ask me again for remote connections to this publisher.  This is a security feature.

    Most machines trust the major low-cost certificate providers.  What this means is that a malicious person could purchase a domain name plus a certificate for very low cost, and then publish a RemoteApp.  Without the prompt, it is more likely that the end user could be tricked into launching the published application, giving the attacker access to the user's data.

    Now, I can see an argument for the client behaving differently if the certificate was located in one of the stores that do not contain the major certificate authorities.  I would need to think it through more before endorsing this.

    Workaround

    What you can do is add the publisher's certificate thumbprint under the user's PublisherBypassList registry key.  You can use the Group Policy Preferences feature to automatically create the required registry entry.  In order to see exactly what needs to be created, launch the RemoteApp, select the Don't ask me again for remote connections to this publisher option, click Connect, then examine the following registry location:

    HKCU\Software\Microsoft\Terminal Server Client\PublisherBypassList

    Under the above key you will see a REG_DWORD value named according to the publisher's thumbprint.  The data corresponds to the redirection options set.  If in the future you enable additional redirections for your RemoteApps the users will receive the security prompt.  For example, if you create the registry entry based on your RemoteApps being set to redirect only Printers and Clipboard, and later add Drives to the redirect list, the end-users will receive the prompt because in effect they never agreed to Drive redirection.

    What this means is that if you add redirections in the future you will need to change the registry setting you are deploying via GP Preferences.  You could get around this by creating the registry entry based on all possible redirection entries if you wish.  Keep in mind that not all redirections are listed in the RemoteApp Manager deployment settings--some are only available using the Custom RDP Settings tab.

    Thanks.

    -TP

    Wednesday, November 11, 2009 4:08 PM
    Moderator

All replies

  • Ok, I guess that makes sense.

    I think a good work around is for there to be a GP setting that would tie in domain membership. So in other words if the rdp file was signed by a trusted certificate issued by an AD-integrated Enterprise CA, that was also used to secure the TLS session, then it would be trusted by default.

    Thanks
    Ben
    Wednesday, November 11, 2009 6:27 PM
  • Hi,

    Any changes on this behavior?

    We have the same issue and try to resolve this by adding the SHA1 thumbprint into "Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Specify SHA1 thumbprints of certificates representing trusted .rdp publishers".

    We removed any space and changed all letters from lower to uppercase. Still no go :-(

    By adding the regkey everything is working, but, hey, this can't be by design to add a regkey!

    THX

    Werner

    Wednesday, December 14, 2011 4:11 PM
  • Hi,

    Found such a workaround. With Group Policy, import the reg key to

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\PublisherBypassList

    This way it works for all users.


    • Proposed as answer by Karl Hanns Monday, May 4, 2015 8:20 AM
    Tuesday, January 17, 2012 11:22 AM
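    As an added example (not code from TP's or Karl's posts), a PowerShell script that inventories the per-user PublisherBypassList entries mstsc writes after "Don't ask me again", resolves each thumbprint to a certificate in the local stores, and writes a .reg fragment for the HKLM key named in the reply above so the same entries can be deployed machine-wide with Group Policy Preferences. The output path under $env:TEMP is an assumption, and the DWORD data is copied as observed rather than composed, since the thread does not document the bit layout.

```powershell
# Added example, not from the thread. Reads the per-user PublisherBypassList that
# mstsc populates when a user ticks "Don't ask me again...", resolves each
# thumbprint to a certificate, and emits a .reg fragment for the machine-wide key.
$UserKey    = 'HKCU:\Software\Microsoft\Terminal Server Client\PublisherBypassList'
$MachineKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\PublisherBypassList'
$OutFile    = Join-Path $env:TEMP 'PublisherBypassList.reg'   # assumed output path

function Get-PublisherBypassEntries {
    param([string]$Path = $UserKey)
    if (-not (Test-Path -Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        # Value name = SHA1 thumbprint of the .rdp signing certificate.
        # REG_DWORD data = the redirections the user accepted; copied verbatim,
        # because the bit layout is not documented in the thread.
        $data = [int]$key.GetValue($name)
        $cert = Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $name } |
                Select-Object -First 1
        $subject = if ($cert) { $cert.Subject } else { '<no matching certificate in local stores>' }
        [pscustomobject]@{
            Thumbprint = $name
            Data       = $data
            DataHex    = ('0x{0:x8}' -f $data)
            Subject    = $subject
        }
    }
}

function ConvertTo-BypassRegFragment {
    param([object[]]$Entries)
    # .reg syntax: quoted value names, DWORD data as exactly 8 hex digits.
    $lines = @('Windows Registry Editor Version 5.00', '', "[$MachineKey]")
    foreach ($e in $Entries) {
        $lines += ('"{0}"=dword:{1:x8}' -f $e.Thumbprint, $e.Data)
    }
    return ($lines -join "`r`n")
}

$entries = @(Get-PublisherBypassEntries)
if ($entries.Count -eq 0) {
    Write-Warning "No entries under $UserKey - launch the RemoteApp and tick 'Don't ask me again' first."
} else {
    $entries | Format-Table Thumbprint, DataHex, Subject -AutoSize
    # .reg files are UTF-16 LE; -Encoding Unicode writes that with a BOM.
    ConvertTo-BypassRegFragment -Entries $entries | Set-Content -Path $OutFile -Encoding Unicode
    Write-Host "Wrote $OutFile - import it, or mirror its values, via Group Policy Preferences."
}
```

    Because the data records the redirections the user agreed to, rerun the capture after changing the RemoteApp's redirection settings, otherwise the deployed entry no longer matches and the prompt returns.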
  • Hi, WernerFroebel!

    There is no need to convert the thumbprint to uppercase. It works fine through the GPO "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers".

    I would suggest that you copied and did not remove the first invisible character in the thumbprint, which pastes perfectly into the GPO setting field. It can be verified by pressing [Home] and then [->]: the cursor shouldn't move and stays before the first character. Despite the fact that this character is invisible, it can be deleted with [Delete] or [BS], or you could simply copy the thumbprint starting from the first non-space character.

    "By adding the regkey everything is working" could be explained by the fact that the method you use for pasting the thumbprint into the regkey ignores or does not support writing this invisible character.

    • Proposed as answer by Svante Gradén Monday, February 3, 2014 8:43 AM
    Thursday, March 1, 2012 12:47 AM
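    An added example (not the poster's code) that makes the invisible character visible: it reports the code point of every non-hex character in a pasted thumbprint, produces the cleaned form, and reads the currently deployed policy value back for the same check. The backing registry value, TrustedCertThumbprints under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, is the one the ADMX for that GPO writes and is not mentioned in the thread; the sample thumbprint is constructed.

```powershell
# Added example, not from the thread. Exposes the invisible character a copied
# thumbprint may carry and checks the policy value the GPO writes.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyName = 'TrustedCertThumbprints'   # REG_SZ, comma-separated (known value name, not from the thread)

function Test-RdpPublisherThumbprint {
    param([Parameter(Mandatory = $true)][string]$Raw)
    # Report the code point of every character that is not a hex digit: spaces
    # show as U+0020, and the left-to-right mark the certificate dialog is known
    # to copy along with the thumbprint shows as U+200E.
    $stray = @(foreach ($ch in $Raw.ToCharArray()) {
        if ($ch -notmatch '^[0-9A-Fa-f]$') { 'U+{0:X4}' -f [int]$ch }
    })
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        Clean      = $clean
        StrayChars = $stray
        Valid      = ($clean.Length -eq 40)   # SHA1 = 20 bytes = 40 hex digits
    }
}

function Get-TrustedRdpPublisherPolicy {
    # One check result per thumbprint the GPO currently deploys on this client.
    if (-not (Test-Path -Path $PolicyKey)) { return @() }
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    if ([string]::IsNullOrEmpty($value)) { return @() }
    foreach ($entry in ($value -split ',')) { Test-RdpPublisherThumbprint -Raw $entry }
}

# Constructed sample: a thumbprint pasted from the certificate dialog with its
# leading left-to-right mark and the spaces between byte pairs still present.
$pasted = [string][char]0x200E + 'aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 ab cd ef 01'
$check  = Test-RdpPublisherThumbprint -Raw $pasted
"Stray characters: $($check.StrayChars -join ' ')"
"Cleaned: $($check.Clean)  Valid: $($check.Valid)"

# Live check of what the policy currently holds on this client.
Get-TrustedRdpPublisherPolicy |
    Format-Table Clean, Valid, @{ n = 'StrayChars'; e = { $_.StrayChars -join ' ' } } -AutoSize
```

    A thumbprint that is Valid but still lists U+200E in StrayChars is exactly the case the reply describes: the GPO field accepted it, but the client compares the stored string, so the entry never matches.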
  • Hi all,

    For what it's worth, I found that the GPO ("SHA1 thumbprints of certificates representing trusted .rdp publishers") only worked after restarting the computer. gpupdate /force alone was not enough. I was using the no-spaces, all-caps version of the certificate thumbprint.

    Lukas

    Thursday, November 22, 2012 2:57 AM