
How do you prevent the security warning "unknown publisher" for all users?


Saucer Man

Aug 5, 2008, 9:02:21 AM
When a user launches a RemoteAPP program, he gets an Open File - Security
Warning. It says "The publisher could not be verified. Are you sure you
want to run this software?" The dialog prompt refers to the drive letter
mapping and the .exe in question. How can I set up the terminal server so
these prompts do not happen to any user?

--
Thanks!


Vera Noest [MVP]

Aug 5, 2008, 9:06:14 AM
Check if this helps:

When users start a RemoteApp, they get a dialog box: "a Website wants
to start a remote connection. The publisher of this remote connection
cannot be identified."
http://ts.veranoest.net/ts_faq_user_issues.htm#RemoteApp_signing

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

Saucer Man

Aug 5, 2008, 10:35:10 AM
We are not getting "a Website wants to start a remote connection". I don't
know if the Cert applies here. I thought it was a Group Policy referring to
trusted intranet sites that needs to be set. Am I wrong?


Vera Noest [MVP]

Aug 5, 2008, 3:02:20 PM
Then I would expect this message:

When users start a program, they get a "file download" dialog box,
or an error message: "Windows cannot access the specified device,
path, or file. You may not have the appropriate permissions to
access the item."
http://ts.veranoest.net/ts_faq_user_issues.htm#IEESconfig

but you can give it a try.



Saucer Man

Aug 6, 2008, 8:09:59 AM
Here is the exact message...

Title Bar: Open File - Security Warning
Message: The publisher could not be verified. Are you sure you want to run
this software?
Name: u:\folder\program.exe
Publisher: Unknown Publisher
Type: Application
From: u:\folder\program.exe

Run button Cancel button

This file does not have a valid digital signature that verifies its
publisher. You should only run software from publishers you trust.
How can I decide what software to run?

...It doesn't mention website or file download.

Vera Noest [MVP]

Aug 6, 2008, 10:20:14 AM
But have you digitally signed your rdp files? Without that, you'll
not get rid of the warning.


Saucer Man

Aug 6, 2008, 11:37:02 AM
That's probably the issue. How do I digitally sign these .rdp files?


Vera Noest [MVP]

Aug 6, 2008, 7:14:15 PM
That's done in RemoteApp Manager. You'll have to get a certificate.

Terminal Services RemoteApp Step-By-Step Guide
http://technet2.microsoft.com/windowsserver2008/en/library/61d24255-dad1-4fd2-b4a3-a91a22973def1033.mspx?mfr=true

Saucer Man

Aug 7, 2008, 7:53:29 AM
Ok. I was asking about a Cert in another post. If I get a CERT from
GoDaddy for the TS Gateway, it should also work for digitally signing the
.rdp files correct?


Vera Noest [MVP]

Aug 7, 2008, 8:16:14 AM
Did you read the Step-by-Step guide? The answers to all of your
questions are there:

If you are already using an SSL certificate for terminal server or
TS Gateway connections, you can use the same certificate to sign
.rdp files. However, if users will connect to RemoteApp programs
from public or home computers, you must use either of the
following:

* A certificate from a public certification authority (CA) that
participates in the Microsoft Root Certificate Program Members
program (http://go.microsoft.com/fwlink/?LinkID=59547).

* If you are using an enterprise CA, your enterprise CA-issued
certificate must be co-signed by a public CA that participates in
the Microsoft Root Certification Program Members program.


Saucer Man

Aug 7, 2008, 8:26:49 AM
Yes, I did read it. And it is this paragraph that is a bit confusing...

> If you are already using an SSL certificate for terminal server or
> TS Gateway connections, you can use the same certificate to sign
> .rdp files. However, if users will connect to RemoteApp programs
> from public or home computers, you must use either of the
> following:
>
> * A certificate from a public certification authority (CA) that
> participates in the Microsoft Root Certificate Program Members
> program (http://go.microsoft.com/fwlink/?LinkID=59547).


We do have users that will connect from home computers and we are purchasing
a GoDaddy CERT for the TS Gateway. GoDaddy is on the list but it is not
clear to me if because I have home computers connecting, I will need a
different CERT from that list.


Vera Noest [MVP]

Aug 7, 2008, 3:12:31 PM
GoDaddy is on the list, so a certificate from them is OK for both
purposes.

Saucer Man

Aug 11, 2008, 8:04:46 AM
Thank you!

Rich

Saucer Man

Aug 28, 2008, 8:06:16 AM
Vera, I installed a cert and I am now digitally signing my .rdp files.
However, I am now getting an error and I can no longer connect to the
terminal server with them. I created a new thread called "Problem digitally
signing .rdp files" on 8/27. Could you offer some insight please?

Thanks.


Vera Noest [MVP]

Aug 28, 2008, 4:22:30 PM
OK, let's continue in the new thread; it has a more appropriate
subject line.


Saucer Man

Aug 29, 2008, 1:12:20 PM
OK. Now that the .rdp files are working again, we are still getting the
security warning. The .rdp file points to an .exe. This .exe is our
accounting software and it launches different .exes from within. Whenever
it launches the other .exes, these warnings prompt the user. Any ideas?


Vera Noest [MVP]

Aug 31, 2008, 9:06:08 AM
Have you used the GPO settings here:

Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client

About Digitally Signing RemoteApp Programs
http://technet.microsoft.com/en-us/library/cc754499.aspx


Saucer Man

Sep 2, 2008, 8:24:00 AM
I saw those settings, however, the users will be connecting from home so I
didn't think group policy would affect them. Am I correct?


Vera Noest [MVP]

Sep 2, 2008, 8:31:38 AM
No. And I don't feel that it would be the right way to solve the
problem either. But I'm out of ideas, sorry.
I'd call support again.


TP

Sep 2, 2008, 10:00:27 AM
Hi Vera,

If "Launching applications and unsafe files" is set to Disable
for the applicable security zone, then the user will receive the
message you expect. If, however, the setting is set to Prompt
then the user will receive the message that Saucer Man is
receiving.

The instructions in your FAQ are relevant. If Saucer Man
still has trouble after following them he should post back
and we can help him troubleshoot.

Thanks.

-TP

Vera Noest [MVP]

Sep 2, 2008, 3:01:02 PM
Aaaaah, I see! I was completely focused on the signed rdp files,
thought that the IEES problem was already solved.
Thanks, TP!


Saucer Man

Sep 2, 2008, 3:23:52 PM
Setting the GPO per the FAQ seems to solve the issue. However, I.E. warns
that this setting is not secure and not recommended. I would think that I
can somehow get it to recognize that these applications are safe without
having to use this setting. I have a call with Microsoft and they are still
trying to figure it out.

Vera Noest [MVP]

Sep 3, 2008, 9:05:03 AM
Yes, I agree with you, Saucer Man, one thinks that you shouldn't
need to use this setting when you have digitally signed your rdp
file.
I would appreciate it very much if you can report back here what MS
support finally suggests to solve the problem!


Saucer Man

Sep 5, 2008, 10:00:13 AM
OK. The issue has been solved by Microsoft. They think the app itself
isn't digitally signed which is why the problem is occurring. Here's what
they did...

They opened the Local Group Policy Editor on the 2008 Terminal Server (I only
have 2003 admin templates in our 2003 AD so we couldn't do it with group
policy in my current group policy management console). They went to User
Configuration\Administrative Templates\Windows Components\Attachment
Manager. There is a policy setting for "Inclusion list for moderate risk
file types". They enabled this and added .exe in the list. I didn't want
to add all exe's so we changed it and put the entire executable name in the
exclusion list.

Thanks all for hanging through this long process. I appreciate it!
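
To see what the fix above is compensating for, the following PowerShell check (an added example, not part of the original thread or of Microsoft's support steps) lists the Authenticode status of the executables the program launches, then reads the Attachment Manager policy values to show how broad the exemption is. The folder is the placeholder path from the dialog text earlier in the thread; the registry key and value names are an assumption about where these policy settings are stored and should be confirmed on the server.

```powershell
# Added example (not from the thread). Run in a user's session on the terminal server.
param(
    # Placeholder: folder taken from the dialog text (u:\folder\program.exe).
    [string]$AppFolder = 'U:\folder'
)

# 1. Authenticode status of each executable the accounting package can launch.
#    Status 'NotSigned' means Windows has no publisher to show in the dialog.
$report = foreach ($exe in Get-ChildItem -Path $AppFolder -Filter *.exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    $publisher = '(none)'
    if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        File = $exe.Name; Status = $sig.Status; Publisher = $publisher
    }
}
$report | Format-Table File, Status, Publisher -AutoSize

# 2. Attachment Manager policy as the user sees it. Assumption: the
#    "Inclusion list for ... risk file types" settings are stored as
#    semicolon-separated strings in the values named below.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($name in 'LowRiskFileTypes', 'ModRiskFileTypes', 'HighRiskFileTypes') {
    $value = $null
    if ($policy) { $value = $policy.$name }
    if (-not $value) { "{0}: not configured" -f $name; continue }
    "{0}: {1}" -f $name, $value
    # A bare extension reclassifies every file of that type, signed or not,
    # which is the broad setting the poster wanted to avoid.
    foreach ($entry in ($value -split ';')) {
        $entry = $entry.Trim()
        if ($name -ne 'HighRiskFileTypes' -and $entry -match '^\.(exe|com|bat|cmd|msi|scr)$') {
            Write-Warning "$name lowers the risk rating of every '$entry' file, signed or not"
        }
    }
}
```

Any file reported as `NotSigned` will keep showing "Unknown Publisher" wherever the policy exemption does not apply, so the durable fix is a vendor-signed build rather than a wider list.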

Vera Noest [MVP]

Sep 6, 2008, 8:38:53 AM
OK, that makes sense.
I'm glad that your problem is solved, and thanks for sharing the
solution with us, Saucer Man!
