Editing: How to Remove the Access Messages and Enable the Single Sign On for RemoteApps

Title
<html> <body> Note: This article is based on RDS 2008 (R2) and might not apply to RDS 2012 (R2)   [toc] <h1><a name="Introduction"></a>Introduction</h1> After installing and publishing RemoteApp applications is normal to hear some complaints from users about the time of the remote connection. The same applies to virtual machines in Virtual Desktop Infrastructure (VDI). Two messages are displayed that hinder the use of software, the first showing a warning saying that the server certificate is not valid and the second asking for username and password. In the following procedure you will see how to create a connection free of warning messages and how to enable Single Sign On (SSO). <h1><a name="Procedure"></a>Procedure</h1> The first step is the integration of the user logged in with the RemoteApp connection, eliminating the need for a username and password again once the login has been done on the machine. This integration with the logon application is also called SSO. You can view the page in Figure 1 of the Remote Desktop Web portal with the published applications and figure 2 the logon message, forcing the user to put the user, domain and password. <img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/0654.SSO1.jpg" style="border:0px solid"> Figure 1 - RemoteApp Programs <img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/8306.SSO2.jpg" style="border:0px solid"> Figure 2 - User and password to use the programs To enable SSO, you must configure a group policy. Simply click on the Start menu and type gpedit.msc. Click Computer Configuration, and then expand Administrative Templates> System> Credentials Delegation and click Allow Delegating Default policy Credentials. Click "Enabled" and then click Show. In the Show Contents screen put the value "TERMSRV/*", as Figure 3. Ensure that the concatenate OS defaults option is marked with "input above". After this procedure, restart your computer. When there are many machines, this policy can be made through a Group Policy (GPO) in Active Directory, providing centralized configuration and management. <img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/3173.SSO3.jpg" style="border:0px solid"> Figure 3 - Policy that enables the Single Sign On The next step is to ensure that the confirmation message from the server certificate does not appear too. This occurs because the default certificate is not a valid certificate by having the client do not rely on it to connect to the server. To resolve this problem you need to generate a computer certificate through a Certificate Authority. In Windows Server you can use Active Directory Certificate Services (ADCS) for the creation and management of certificates. For more information about installing the ADCS, visit the following link: <a href="http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx"> http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx</a> After installing the certificate on the server's RemoteApp, open RemoteApp Manager and click on Digital Signature Settings on the left side of the screen and check the Sign with digital certificate, as shown in Figure 4. Select the installed certificate and click OK. <img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/1385.Certificate.jpg" style="border:0px solid"> Figure 4 - Configuring Server certificate After this you must copy the hash code of the certificate to a local policy. Through Remote Desktop Web Portal, click on any software in the server that hosts the applications and then click in the warning message in Publisher, click the link with the server name, as shown in Figure 5. <img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/3583.SSO4.jpg" style="border:0px solid"> Figure 5 - Message from untrusted certificate This will display the server's certificate. Click the Details tab and then click Thumbprint. Copy the value somewhere to copy it in group policy. Be sure to not copy the space before the first line of code. In Figure 6 you can see the code and the space before him. <img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/6327.SSO5.jpg" style="border:0px solid"> Figure 6 - Thumbprint of the certificate Reopen the gpedit.msc and navigate to Computer Configuration> Administrative Templates> Windows Components> Remote Desktop Services> Remote Desktop Connection Client and open the the policy Specify SHA1 thumbprints of certificates representing trusted .rdp publishers. Click Enabled and then copy the text in the space below the policy, as Figure 7. If there is more than one server or RemoteApp with VDI, place their codes separated by commas. Then click OK and restart the client computer. <img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/1680.SSO6.jpg" style="border:0px solid"> Figure 7 - Hash of certificate policy As mentioned earlier you can do the above procedure through group policies through Active Directory as well. After these two procedures the applications in RemoteApp and VDI virtual machines will run without any error or login message. Leandro Carvalho MCSA+S+M | MCSE+S | MCTS | MCITP | MCBMSS | MCT | MVP Virtual Machine <a href="http://msmvps.com/blogs/msvirtualization" target="_blank">MSVirtualization</a> | <a href="http://leandroesc.wordpress.com/" target="_blank">Wordpress</a> | <a href="http://www.winsec.org/" target="_blank">Winsec.org</a> | <a href="http://www.linhadecodigo.com.br/Colaborador.aspx?id=568" target="_blank">LinhadeCodigo</a> | <a href="https://mvp.support.microsoft.com/profile=ACB46F49-3183-486B-90E9-71DA8556786C" target="_blank">MVP Profile</a> Twitter: <a href="http://twitter.com/leandroeduardo" target="_blank">LeandroEduardo</a> | LinkedIn: <a href="http://au.linkedin.com/in/leandroesc" target="_blank">Leandroesc</a>   </body> </html>
Comment
Tags
Please add 1 and 4 and type the answer here:

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?