Note: This article is based on RDS 2008 (R2) and might not apply to RDS 2012 (R2)
 

Introduction

After installing and publishing RemoteApp applications is normal to hear some complaints from users about the time of the remote connection. The same applies to virtual machines in Virtual Desktop Infrastructure (VDI). Two messages are displayed that hinder the use of software, the first showing a warning saying that the server certificate is not valid and the second asking for username and password. In the following procedure you will see how to create a connection free of warning messages and how to enable Single Sign On (SSO).

Procedure

The first step is the integration of the user logged in with the RemoteApp connection, eliminating the need for a username and password again once the login has been done on the machine. This integration with the logon application is also called SSO. You can view the page in Figure 1 of the Remote Desktop Web portal with the published applications and figure 2 the logon message, forcing the user to put the user, domain and password.




Figure 1 - RemoteApp Programs



Figure 2 - User and password to use the programs

To enable SSO, you must configure a group policy. Simply click on the Start menu and type gpedit.msc.

Click Computer Configuration, and then expand Administrative Templates> System> Credentials Delegation and click Allow Delegating Default policy Credentials. Click "Enabled" and then click Show. In the Show Contents screen put the value "TERMSRV/*", as Figure 3. Ensure that the concatenate OS defaults option is marked with "input above". After this procedure, restart your computer. When there are many machines, this policy can be made through a Group Policy (GPO) in Active Directory, providing centralized configuration and management.




Figure 3 - Policy that enables the Single Sign On

The next step is to ensure that the confirmation message from the server certificate does not appear too. This occurs because the default certificate is not a valid certificate by having the client do not rely on it to connect to the server. To resolve this problem you need to generate a computer certificate through a Certificate Authority. In Windows Server you can use Active Directory Certificate Services (ADCS) for the creation and management of certificates. For more information about installing the ADCS, visit the following link: http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

After installing the certificate on the server's RemoteApp, open RemoteApp Manager and click on Digital Signature Settings on the left side of the screen and check the Sign with digital certificate, as shown in Figure 4. Select the installed certificate and click OK.



Figure 4 - Configuring Server certificate

After this you must copy the hash code of the certificate to a local policy. Through Remote Desktop Web Portal, click on any software in the server that hosts the applications and then click in the warning message in Publisher, click the link with the server name, as shown in Figure 5.



Figure 5 - Message from untrusted certificate

This will display the server's certificate. Click the Details tab and then click Thumbprint. Copy the value somewhere to copy it in group policy. Be sure to not copy the space before the first line of code. In Figure 6 you can see the code and the space before him.



Figure 6 - Thumbprint of the certificate

Reopen the gpedit.msc and navigate to Computer Configuration> Administrative Templates> Windows Components> Remote Desktop Services> Remote Desktop Connection Client and open the the policy Specify SHA1 thumbprints of certificates representing trusted .rdp publishers. Click Enabled and then copy the text in the space below the policy, as Figure 7. If there is more than one server or RemoteApp with VDI, place their codes separated by commas. Then click OK and restart the client computer.



Figure 7 - Hash of certificate policy

As mentioned earlier you can do the above procedure through group policies through Active Directory as well.

After these two procedures the applications in RemoteApp and VDI virtual machines will run without any error or login message.

Leandro Carvalho

MCSA+S+M | MCSE+S | MCTS | MCITP | MCBMSS | MCT | MVP Virtual Machine

MSVirtualization | Wordpress | Winsec.org | LinhadeCodigo | MVP Profile

Twitter: LeandroEduardo | LinkedIn: Leandroesc