RDS Published App question


Mike Leone

Sep 11, 2025, 1:13:12 PM
to NTSysAdmin
I'm drawing a blank on this. I set up an RDS environment, and am testing it, by trying to run notepad as a published app. I go to the web URL (https://<my-host>/rdweb). I get prompted to log in with AD creds. I do so. I see my published app. I click on it. And I get "cpub-notepad-PHA-TESTIG_Pu-CmsRdsh.rdp could harm your device. Do you want to keep it anyway?".

I say Keep, it says the publisher of this RemoteApp can't be identified. (possibly because I haven't issued it a cert from our local CA yet?)

I then get prompted a 2nd time for my AD credentials. Why?

I see the whole "Preparing Windows", then I get my RemoteApp (notepad).

So what steps have I missed?
- to not get prompted to keep that .rdp file
- to trust the publisher of the RemoteApp
- to not get prompted a 2nd time to run the actual Remote App?

Thanks for your help.
--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Philip Elder

Sep 11, 2025, 1:51:08 PM
to ntsys...@googlegroups.com

My guess is that the original environment was set up with RD Single Sign-On so all of the AD goodness and the person that set it up used a long-term self-issued certificate to sign the .RDP apps/files.

Otherwise, users would be prompted for the publishing certificate every 12 months which is a PITA, then the SHA would need to be updated in Group Policy.

There are two prompts because there’s a RD Gateway involved?

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Aakash Shah

Sep 11, 2025, 1:58:48 PM
to ntsys...@googlegroups.com

I would consider checking that all of the certificates have been assigned in Manage Certificates from the Connection Broker, specifically for “RD Connection Broker – Publishing”:

Server Manager | Remote Desktop Services | Overview | Tasks | Edit Deployment Properties | Certificates

-Aakash Shah

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Mike Leone
Sent: Thursday, September 11, 2025 10:13 AM
To: NTSysAdmin <ntsys...@googlegroups.com>
Subject: [ntsysadmin] RDS Published App question

Mike Leone

Sep 11, 2025, 2:28:28 PM
to ntsys...@googlegroups.com
On Thu, Sep 11, 2025 at 1:51 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

> My guess is that the original environment was set up with RD Single Sign-On so all of the AD goodness and the person that set it up used a long-term self-issued certificate to sign the .RDP apps/files.

I'm the guy who set up both. LOL I don't recall setting up RD Single Sign-On.

The original environment has a domain wildcard certificate (I know, I know, I won't do that again). CRAP, it expires on Oct 27, 2025 ... good thing I looked. Thanks for that!

> Otherwise, users would be prompted for the publishing certificate every 12 months which is a PITA, then the SHA would need to be updated in Group Policy.
>
> There are two prompts because there’s a RD Gateway involved?

Nope, no RD Gateway. Everything is internal, so no need for a Gateway ...
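Tying together Aakash's pointer to the certificate roles under the Connection Broker, Philip's note that the signing cert's SHA thumbprint has to be kept current in Group Policy, and Mike's discovery of a deployment cert about to expire: the following is an added PowerShell audit, my example and not code from anyone in this thread or from Microsoft. It assumes the RemoteDesktop module (the RDS management tools) is available, that it runs in an elevated session with rights on the broker, and it uses `rdcb.example.internal` as a placeholder broker name. It walks the four deployment roles, reports which are missing, untrusted or expiring, and prints the RD Publishing thumbprint in the form the client-side trusted .rdp publishers policy expects; a deployment without an RD Gateway (as here) simply shows that role as missing.

```powershell
<#
  Added example (not from the thread or from Microsoft): audit the certificates
  bound to the RDS deployment roles from the Connection Broker, flag anything
  missing, untrusted or close to expiry, and print the publishing certificate's
  thumbprint for the "trusted .rdp publishers" Group Policy setting.
  Assumptions: RemoteDesktop module installed, elevated session, and
  $BrokerFqdn is a placeholder you replace with your own broker's FQDN.
#>
param(
    [string]$BrokerFqdn = 'rdcb.example.internal',  # placeholder, not a real host
    [int]$WarnDays = 30                             # warn when this few days remain
)

Import-Module RemoteDesktop -ErrorAction Stop

# The four deployment roles that can carry a certificate. In a deployment with
# no RD Gateway, the RDGateway role is reported as not configured.
$roles = 'RDPublishing', 'RDRedirector', 'RDWebAccess', 'RDGateway'

function Get-RdsCertStatus {
    param([string]$Role, [string]$Broker, [int]$Warn)

    $cert = Get-RDCertificate -Role $Role -ConnectionBroker $Broker
    $now  = Get-Date

    # No certificate assigned: Level is NotConfigured and there is no thumbprint.
    if (-not $cert -or $cert.Level -eq 'NotConfigured' -or -not $cert.Thumbprint) {
        return [pscustomobject]@{
            Role = $Role; Status = 'MISSING'; Level = $cert.Level
            Subject = $null; ExpiresOn = $null; DaysLeft = $null; Thumbprint = $null
        }
    }

    $daysLeft = [int]($cert.ExpiresOn - $now).TotalDays
    $status = if ($daysLeft -le 0)                  { 'EXPIRED' }
              elseif ($daysLeft -le $Warn)          { 'EXPIRING' }
              elseif ($cert.Level -ne 'Trusted')    { 'UNTRUSTED' }
              else                                  { 'OK' }

    [pscustomobject]@{
        Role       = $Role
        Status     = $status
        Level      = $cert.Level
        Subject    = $cert.Subject
        ExpiresOn  = $cert.ExpiresOn
        DaysLeft   = $daysLeft
        Thumbprint = $cert.Thumbprint
    }
}

$report = foreach ($r in $roles) {
    Get-RdsCertStatus -Role $r -Broker $BrokerFqdn -Warn $WarnDays
}
$report | Format-Table Role, Status, Level, DaysLeft, ExpiresOn, Subject -AutoSize

# The RDPublishing certificate signs the .rdp files RD Web Access hands out.
# Its SHA1 thumbprint (no spaces, upper case) is the value the client policy
# "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers"
# takes. Renewing the certificate changes this value, so the policy must follow.
$pub = $report | Where-Object Role -eq 'RDPublishing'
if ($pub.Thumbprint) {
    $thumb = ($pub.Thumbprint -replace '\s', '').ToUpperInvariant()
    Write-Host "Trusted .rdp publisher thumbprint for Group Policy: $thumb"
} else {
    Write-Warning 'No RDPublishing certificate assigned: clients will report that the publisher cannot be identified.'
}

# Non-zero exit so a scheduled run can raise an alert before a cert lapses.
$bad = $report | Where-Object Status -ne 'OK'
if ($bad) {
    $bad | ForEach-Object { Write-Warning "$($_.Role): $($_.Status)" }
    exit 1
}
exit 0
```

Run it on a schedule against the broker and treat a non-zero exit as a ticket; the `EXPIRING` status with a 30-day window is what would have caught the wildcard certificate mentioned above well before October.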

Mike Leone

Sep 11, 2025, 2:33:31 PM
to ntsys...@googlegroups.com
On Thu, Sep 11, 2025 at 1:58 PM Aakash Shah <aakas...@uci.edu> wrote:

> I would consider checking that all of the certificates have been assigned in Manage Certificates from the Connection Broker, specifically for “RD Connection Broker – Publishing”:

Now, there's a good guess!

[attachment: image.png]

First step - issue a cert for the new environment. Thanks!

Mike Leone

Sep 11, 2025, 3:53:26 PM
to ntsys...@googlegroups.com
Closer! But I get an error on the new environment, when trying to configure the RD Gateway ..

[attachment: image.png]

All 3 of these roles are on the same machine, Connection Broker, Web Access, Licensing Server. Haven't activated the licensing yet, I don't have it yet ..

So I was able to load the cert that I issued for this machine into the Connection Broker parts, but not the Web Access. And I don't understand why it thinks it couldn't configure one or more servers. Does it mean the session hosts?

The Event Log very helpfully says:

Property page: Manage certificates update failed: due to Exception Object reference not set to an instance of an object.

The 3 session hosts are available on the network, if that's what this means.

I was able to request the cert using IIS, and complete the cert. It shows in IIS Manager.

