How to Remove the Access Messages and Enable the Single Sign On for RemoteApps
<html> <body> <strong style="color:#2a2a2a; font-family:'Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif; line-height:17.77px; background-color:#ffffff">Note: This article is based on RDS 2008 (R2) and might not apply to RDS 2012 (R2)</strong><br> <br>
[toc]<br> <br>
<h1><a name="Introduction"></a>Introduction</h1> <br>
After installing and publishing RemoteApp applications, it is normal to hear complaints from users at the time of the remote connection. The same applies to virtual machines in <strong>Virtual Desktop Infrastructure</strong> (VDI). Two messages are displayed that hinder the use of the software: the first is a warning saying that the server certificate is not valid, and the second asks for a username and password. The following procedure shows how to create a connection free of warning messages and how to enable <strong>Single Sign On</strong> (SSO). <br> <br>
<strong> <h1><a name="Procedure"></a>Procedure</h1> </strong><br>
The first step is to integrate the logged-on user with the RemoteApp connection, eliminating the need to enter a username and password again once the user has logged on to the machine. This integration with the logon is also called SSO. Figure 1 shows the Remote Desktop Web portal page with the published applications, and Figure 2 shows the logon message, which forces the user to enter the user name, domain and password. <br> <br> <br>
<img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/0654.SSO1.jpg" style="border:0px solid"> <br> <br>
Figure 1 - RemoteApp Programs <br> <br>
<img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/8306.SSO2.jpg" style="border:0px solid"> <br> <br>
Figure 2 - User and password to use the programs<br> <br>
To enable SSO, you must configure a group policy.
Click the <strong>Start</strong> menu and type <strong>gpedit.msc</strong>. <br> <br>
Click <strong>Computer Configuration</strong>, expand <strong>Administrative Templates > System > Credentials Delegation</strong>, and click the <strong>Allow Delegating Default Credentials</strong> policy. Click <strong>"Enabled"</strong> and then click <strong>Show</strong>. In the Show Contents window, enter the value <strong>"TERMSRV/*"</strong>, as shown in Figure 3. Ensure that the <strong>Concatenate OS defaults with input above</strong> option is selected. After this procedure, restart your computer. When there are many machines, this setting can be applied through a Group Policy Object (GPO) in Active Directory, providing centralized configuration and management. <br> <br> <br>
<img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/3173.SSO3.jpg" style="border:0px solid"> <br> <br>
Figure 3 - Policy that enables the Single Sign On <br> <br>
The next step is to ensure that the server certificate confirmation message does not appear either. The message appears because the default certificate is not one the client trusts, so the client does not rely on it when connecting to the server. To resolve this problem, you need to generate a computer certificate through a Certificate Authority. In Windows Server you can use Active Directory Certificate Services (ADCS) to create and manage certificates.
For more information about installing ADCS, visit the following link: <a href="http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx"> http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx</a> <br> <br>
After installing the certificate on the RemoteApp server, open <strong>RemoteApp Manager</strong>, click <strong>Digital Signature Settings</strong> on the left side of the screen and check <strong>Sign with digital certificate</strong>, as shown in Figure 4. Select the installed certificate and click <strong>OK</strong>. <br> <br>
<img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/1385.Certificate.jpg" style="border:0px solid"> <br> <br>
Figure 4 - Configuring Server certificate <br> <br>
After this, you must copy the hash (thumbprint) of the certificate into a local policy. In the <strong>Remote Desktop Web Portal</strong>, click any application hosted on the server and then, in the warning message, click the link with the server name next to <strong>Publisher</strong>, as shown in Figure 5. <br> <br>
<img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/3583.SSO4.jpg" style="border:0px solid"> <br> <br>
Figure 5 - Message from untrusted certificate <br> <br>
This displays the server's certificate. Click the <strong>Details</strong> tab and then click <strong>Thumbprint</strong>. Copy the value somewhere so that you can paste it into the group policy. Be sure not to copy the space before the first line of the value. Figure 6 shows the value and the space before it.
<br> <br>
<img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/6327.SSO5.jpg" style="border:0px solid"> <br> <br>
Figure 6 - Thumbprint of the certificate <br> <br>
Reopen <strong>gpedit.msc</strong>, navigate to <strong>Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client</strong> and open the policy <strong>Specify SHA1 thumbprints of certificates representing trusted .rdp publishers</strong>. Click <strong>Enabled</strong> and then paste the copied thumbprint into the field below the policy, as shown in Figure 7. If there is more than one server, or RemoteApp together with VDI, enter their thumbprints separated by commas. Then click OK and restart the client computer. <br> <br>
<img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/CommunityServer-Wikis-Components-Files/00-00-00-00-05/1680.SSO6.jpg" style="border:0px solid"> <br> <br>
Figure 7 - Hash of certificate policy <br> <br>
As mentioned earlier, you can also apply the above setting through group policies in Active Directory. <br> <br>
After these two procedures, the applications in RemoteApp and the VDI virtual machines will run without any error or login message.
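<br> <br>
One way to prepare the value for the trusted .rdp publishers policy and to confirm that each thumbprint belongs to an installed, unexpired certificate, as an added PowerShell example that is not part of the original article. The function names and the sample thumbprints are assumptions constructed for illustration.

```powershell
# Added example, not from the original article; also runs on PowerShell 2.0.
# All thumbprints below are constructed sample values.

function ConvertTo-PolicyThumbprint {
    param([Parameter(Mandatory = $true)][string]$Raw)
    # Keep hex digits only: this drops the spaces between byte pairs and any
    # leading space or invisible character picked up from the Details tab.
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA1 thumbprint, got $($hex.Length)."
    }
    return $hex
}

function Get-TrustedPublisherPolicyValue {
    param([Parameter(Mandatory = $true)][string[]]$Thumbprints)
    # Clean each entry, drop duplicates, join with commas as the policy expects.
    $clean = @($Thumbprints | ForEach-Object { ConvertTo-PolicyThumbprint $_ } | Select-Object -Unique)
    return ($clean -join ',')
}

function Test-PublisherCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Run on the RemoteApp server: check that the thumbprint to be trusted
    # belongs to a certificate that is installed and has not expired.
    $t = ConvertTo-PolicyThumbprint $Thumbprint
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $t } | Select-Object -First 1
    $result = New-Object PSObject -Property @{
        Thumbprint = $t
        Installed  = [bool]$cert
        Subject    = $null
        Expired    = $null
    }
    if ($cert) { $result.Subject = $cert.Subject; $result.Expired = ($cert.NotAfter -lt (Get-Date)) }
    return $result
}

# Constructed input: one value pasted with a leading U+200E mark and spaces,
# one already clean, and one duplicate of it in lower case.
$pasted = @(
    ([string][char]0x200E + '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01 23 45 67'),
    'FFEEDDCCBBAA99887766554433221100DEADBEEF',
    'ffeeddccbbaa99887766554433221100deadbeef'
)
Get-TrustedPublisherPolicyValue -Thumbprints $pasted
$pasted | Select-Object -First 2 | ForEach-Object { Test-PublisherCertificate $_ }
```

The first call returns the two distinct thumbprints in upper case, joined by a comma, ready to paste into the policy field; a value that does not reduce to 40 hex digits is rejected instead of being silently trusted.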
<br> <br> <br> <br> <span style="font-size:10pt; font-family:tahoma,sans-serif; color:#0682eb"> <p><strong><span style="font-family:'segoe ui'">Leandro Carvalho <br> <br> </span></strong><span style="font-size:10pt; color:#0682eb"><span style="font-family:'segoe ui'">MCSA+S+M | MCSE+S | MCTS | MCITP | MCBMSS | MCT | MVP Virtual Machine <br> <br> </span><a href="http://msmvps.com/blogs/msvirtualization" target="_blank"><span style="font-family:'segoe ui'; color:#0682eb">MSVirtualization</span></a><span style="font-family:'segoe ui'"> | </span><a href="http://leandroesc.wordpress.com/" target="_blank"><span style="font-family:'segoe ui'; color:#0682eb">Wordpress</span></a><span style="font-family:'segoe ui'"> | </span><a href="http://www.winsec.org/" target="_blank"><span style="font-family:'segoe ui'; color:#0682eb">Winsec.org</span></a><span style="font-family:'segoe ui'"> | </span><a href="http://www.linhadecodigo.com.br/Colaborador.aspx?id=568" target="_blank"><span style="font-family:'segoe ui'; color:#0682eb">LinhadeCodigo</span></a><span style="font-family:'segoe ui'"> | </span><a href="https://mvp.support.microsoft.com/profile=ACB46F49-3183-486B-90E9-71DA8556786C" target="_blank"><span style="font-family:'segoe ui'; color:#0682eb">MVP Profile</span></a><br> <br> <span style="font-family:'segoe ui'"><span style="color:#548dd4">Twitter</span>: </span> <a href="http://twitter.com/leandroeduardo" target="_blank"><span style="font-family:'segoe ui'; color:#0000ff">LeandroEduardo</span></a><span style="font-family:'segoe ui'"> | </span></span><span style="font-size:10pt"><span style="font-family:'segoe ui'"><span style="color:#548dd4">LinkedIn</span>: </span><a href="http://au.linkedin.com/in/leandroesc" target="_blank"><span style="font-family:'segoe ui'; color:#0000ff">Leandroesc</span></a></span></p> </span> <p> </p> </body> </html>