Why isn't my trusted cert thumbprint ... trusted?


Mike Leone

Oct 24, 2025, 3:51:09 PM
to NTSysAdmin
This is driving me crazy. We use RDS. I took the thumbprint from the cert the RDS Web server uses, and I added it to a GPO that enables "specify SHA1 thumbprints of certificates representing trusted .rdp publishers".

Yet whenever I click on a Published Remote App, I get the warning about "Do you trust the publisher of the RemoteApp program".

The setting from the GPO (thumbprints to be trusted)

47B92CC595B0856AA1067073C05BA81F0CD43D84,503A76608510C9468C8626FDF3DE72A3D602570

Since I want to trust 2 certs.

I do an RSOP on my machine:

47B92CC595B0856AA1067073C05BA81F0CD43D84,503A76608510C9468C8626FDF3DE72A3D602570

So they are the same.

I check the thumbprint of the cert (on the IIS server):

503A76608510C9468C8626FDF3DE72A3D602570C

And that lines up with what I am pushing out.

So why am I prompted to trust the publisher of this RemoteApp?? What am I missing here?




--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Philip Elder

Oct 24, 2025, 4:16:45 PM
to ntsys...@googlegroups.com

Is it self-issued?

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Mike Leone

Oct 24, 2025, 4:18:32 PM
to NTSysAdmin
It is self issued. We push out the root and intermediate CA certs. The Web site of the RDS Web server comes up as trusted, the browser shows the site as valid.


     

Philip Elder

Oct 24, 2025, 4:21:35 PM
to ntsys...@googlegroups.com

So, the root for the self-issued certificate is trusted in Server Manager -> RDS -> Deployment -> Certificates and on a client?

Mike Leone

Oct 24, 2025, 4:34:28 PM
to NTSysAdmin
On Fri, Oct 24, 2025, 4:21 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

So, the root for the self-issued certificate is trusted in Server Manager -> RDS -> Deployment -> Certificates and on a client?


Root and intermediate are pushed via GPO to all domain members as "Trusted Root" and Intermediate CAs. So yes, it is trusted everywhere in the domain. 

In RDS deployment, do you mean am I choosing the root cert as one of the 3 to be deployed? No. I am choosing the same cert that I am using on the IIS server. 



Philip Elder

Oct 24, 2025, 5:14:24 PM
to ntsys...@googlegroups.com

In Server Manager in the below indicated location for the RD published certificates you can click on the link for the certificate that is in use. Does the chain for each one show trusted all the way up to the root?

James Iversen

Oct 24, 2025, 9:23:17 PM
to ntsys...@googlegroups.com
Is the application signed by the certificate?
Sent from my iPhone

On Oct 24, 2025, at 5:14 PM, Philip Elder <Phili...@mpecsinc.ca> wrote:



Mike Leone

Oct 24, 2025, 9:43:35 PM
to ntsys...@googlegroups.com
On Fri, Oct 24, 2025 at 9:23 PM James Iversen <jeiv...@gmail.com> wrote:
Is the application signed by the certificate?

No, it's just an application for public housing.
 

Mike Leone

Oct 24, 2025, 10:38:26 PM
to ntsys...@googlegroups.com
I'm off until Tuesday, but I'll let you know. I'm sure that it is. My Connection Broker and RD Web Access host are the same, so there's just the 1 cert ...

James Iversen

Oct 25, 2025, 8:04:47 AM
to ntsys...@googlegroups.com
Might need to put the application (*.exe) signing cert into the trusted publishers store. If it’s a signed application, the .exe will have its own tab for the cert where you can inspect and extract for distribution. Depending on if the cert has “signers” which are also in your trusted root and intermediate stores. Check the path to root to determine. If cert is expired, contact app publisher for updated .exe that is signed correctly. Enable and check CAPI2 logs to investigate chain verification for validity. Good luck!
Sent from my iPhone

On Oct 24, 2025, at 10:38 PM, Mike Leone <tur...@mike-leone.com> wrote:



Mike Leone

Oct 25, 2025, 8:46:24 AM
to NTSysAdmin
The application is not doing the signing. The cert is issued by our internal CA. It is issued to a request generated by IIS on the RD Web Access server. It's the same sort of cert issued to any web site.

     

James Iversen

Oct 25, 2025, 9:03:53 AM
to ntsys...@googlegroups.com
Still sounds like the cert needs to be in trusted publishers and have code signing as part of its toolset.
Sent from my iPhone

On Oct 25, 2025, at 8:46 AM, Mike Leone <tur...@mike-leone.com> wrote:



Mike Leone

Oct 25, 2025, 9:35:49 AM
to NTSysAdmin


On Sat, Oct 25, 2025, 9:03 AM James Iversen <jeiv...@gmail.com> wrote:
Still sounds like the cert needs to be in trusted publishers and have code signing as part of its toolset.
Sent from my iPhone

The cert *is* in Trusted Publishers, pushed out to all domain members via GPO. It doesn't have code signing, I didn't think, because that's not what IIS usually requests in its very request, I believe.



Robert ECEO Townley

Oct 25, 2025, 9:46:46 AM
to ntsys...@googlegroups.com
I feel your pain. The Certificate Templates impose restrictions but not always where the problem is coming from or if one is looking at it the right way.

A.) If you were to sign a rdp file with the same cert, does that also complain? Wondering if the server side is fine but the client is saying no way. iirc, client signed rdp files are supposed to be generated from a separate template than the server side.

B.) You mention SHA1, but no browser trusts SHA1 and I know you know that. Meaning, they do not trust certificates that were generated using SHA1 or weaker algorithms. Whether browsers still trust sha1 signatures is a separate question. Further, what browsers trust evolves to be very short expiration dates. But even a brand new sha256 certificate that has a single sha1 ancestor is rejected. It could be Trusted by the OS and even the browser itself, but browsers have executable code that reject almost all SHA1 certificates anywhere in the chain except for a select few by the Certificate Authorities web Browser Forum, “CABForum”. Would they trust a SHA1 signature of a sha256 certificate? Would not be surprised if that has even changed to nope.

p.s. Up until December 2024, there were problems with non HMAC sha256 in that extra stuff could be added on at the end but still have the same sha256 sig as content without the extra stuff. Same with sha512, but sha384 was always safe.

James Iversen

Oct 25, 2025, 10:16:57 AM
to ntsys...@googlegroups.com
I’m sorry, thought you said it was in trusted root, and intermediate. Publishers is a different store. 
Sent from my iPhone

On Oct 25, 2025, at 9:46 AM, Robert ECEO Townley <rob...@eyeconsultantspc.com> wrote:



Michael Leone

Oct 25, 2025, 10:18:14 AM
to ntsysadmin


On Sat, Oct 25, 2025, 9:46 AM Robert ECEO Townley <rob...@eyeconsultantspc.com> wrote:
I feel your pain. The Certificate Templates impose restrictions but not always where the problem is coming from or if one is looking at it the right way.

A.) If you were to sign a rdp file with the same cert, does that also complain? Wondering if the server side is fine but the client is saying no way. iirc, client signed rdp files are supposed to be generated from a separate template than the server side.

I'm not doing any signing. I wouldn't know how to make an .RDP, or how to use that particular cert to do so LOL



B.) You mention SHA1, but no browser trusts SHA1 and I know you know that.

The GPO wants the SHA1 thumbprint of certificates that are to be treated as trusted. Or so says the GPO.

Meaning, they do not trust certificates that were generated using SHA1 or weaker algorithms.

The browser trusts the cert, it shows as valid, the chain is there and trusted. I've got a lot of certs in production this way, all trusted. It's only this RDP that's generated by this RDS Web page that says it is untrusted. The browser has no issues with the Web page itself.



Mike Leone

Oct 25, 2025, 10:20:13 AM
to NTSysAdmin


     

On Sat, Oct 25, 2025, 10:16 AM James Iversen <jeiv...@gmail.com> wrote:
I’m sorry, thought you said it was in trusted root, and intermediate. Publishers is a different store. 

No, I said my root and intermediate CA certs are in those stores. So that any cert issued by them is trusted. 

The cert for this RDS environment is in Trusted Publishers.


Robert ECEO Townley

Oct 25, 2025, 11:16:09 AM
to ntsys...@googlegroups.com
Mike, 

I had the same exact problem and never solved it. I hope it is as simple as the missing last character on the 503A7 thumbprint. The 503A7 one from the gpo has one less character than the one from your iis server. SHA1 signatures should be 40 hexadecimal representing 20 bytes or 160 bits. Please let us know whether this was a totally understandable fat finger or if the GPO accepted 39 Hexadecimal numbers instead of the FIPS required 40. Hopefully, the following solves my nightmare with this as well.

47B92CC595B0856AA1067073C05BA81F0CD43D84
503A76608510C9468C8626FDF3DE72A3D602570
503A76608510C9468C8626FDF3DE72A3D602570C



Robert ECEO Townley

Oct 25, 2025, 12:51:40 PM
to ntsys...@googlegroups.com
Would not be surprised if the COMMA character was used as input and that was used for the first byte of the second hash.

I don’t know offhand how it is supposed to be formatted - maybe one SHA1 per line? It was five+ years ago and not sure if the dialog box indicated how to format multiple SHA1 hashes.

I really hated that MS removed the builtin help files and switched to websites, especially since configuration of something like this probably means you are running as admin. Launching a web browser as admin is big NO for me.

Whether the form of the GPO is taking UTF-8 or UTF-16 would also determine the number of hex symbols and you could have an unprintable 1/2 byte nibble at the end.

Mike Leone

Oct 28, 2025, 11:00:08 AM
to ntsys...@googlegroups.com
On Sat, Oct 25, 2025 at 12:51 PM Robert ECEO Townley <rob...@eyeconsultantspc.com> wrote:
Would not be surprised if the COMMA character was used as input and that was used for the first byte of the second hash.

I don’t know offhand how it is supposed to be formatted - maybe one SHA1 per line? It was five+ years ago and not sure if the dialog box indicated how to format multiple SHA1 hashes.

I really hated that MS removed the builtin help files and switched to websites, especially since configuration of something like this probably means you are running as admin. Launching a web browser as admin is big NO for me.

Whether the form of the GPO is taking UTF-8 or UTF-16 would also determine the number of hex symbols and you could have an unprintable 1/2 byte nibble at the end.

The GPO settings are:

Allow .rdp files from valid publishers and user's default .rdp settings - ENABLED
Explanation: This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store.

Specify SHA1 thumbprints of certificates representing trusted .rdp publishers - ENABLED.
Values: 47B92CC595B0856AA1067073C05BA81F0CD43D84,503A76608510C9468C8626FDF3DE72A3D602570C (comma separated list of SHA1 trusted certificate thumbprints)
Explanation: 

If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file

Those values above are from the RSOP of my workstation.

I have verified that the SHA1 thumbprint of the website is  503A76608510C9468C8626FDF3DE72A3D602570C, which is the value above.

The cert of the web site shows in my browser as trusted. The extensions for Certificate Key Usage show as "Critical, Signing, Key Encipherment", with Extended Key Usage of TLS WWW Server and Client Authentication.
The browser doesn't show the SHA1 thumbprint, I got that using PowerShell on the web host itself.

And NOW it didn't prompt me to trust that .rdp file!!

Must have been a problem when I copied the value into the GPO, maybe I cut it off?
Translation: I was an idiot and didn't look close enough, probably ...

Well, so far, so good. I got that part resolved, anyway. And it's also trusting that 2nd thumbprint (which is the RDS environment that will be replacing this one, hopefully by the end of this week). So it's not prompting to trust that one, either - which  is what I want!

Now, if I can just figure out why it's always asking me what I want to do with the .rdp file when I click on a published RemoteApp .. I always say "Open". It says that the .rdp could harm my device, do I want to keep it anyway. I say Keep.

Then I get prompted to log in, as I expect.

Why is it not just opening that .rdp? I've missed setting something somewhere, but where?

 
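An added check, not from the thread, for exactly the defect found above: it validates each entry of the comma-separated value of "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" and flags an entry that is shorter than 40 hex characters or is a truncated prefix of a known thumbprint. The function and parameter names are mine; the sample values are the ones quoted in this thread; the registry key in the comment is from the TerminalServer ADMX as I recall it.

```powershell
# Added example, not from the thread: sanity-check the "trusted .rdp publishers"
# thumbprint list before blaming the certificate chain. Function name is my own.
function Test-TrustedRdpThumbprintList {
    param(
        [Parameter(Mandatory)][string]$PolicyValue,   # comma-separated list as shown by GPO/RSOP
        [string[]]$KnownThumbprints = @()             # thumbprints the list is expected to contain
    )
    foreach ($raw in ($PolicyValue -split ',')) {
        # Strip spaces and colons that come along when copying from a certificate viewer.
        $tp = ($raw -replace '[\s:]', '').ToUpperInvariant()
        if ($tp -match '^[0-9A-F]{40}$') {
            $status = 'OK (40 hex chars = 160-bit SHA1)'
        } elseif ($tp -match '^[0-9A-F]+$') {
            $status = "BAD LENGTH: $($tp.Length) hex chars, expected 40"
        } else {
            $status = 'NON-HEX CHARACTERS: check for hidden or mis-encoded characters'
        }
        # A truncated entry is a strict prefix of the real thumbprint; report which one.
        $partial = @($KnownThumbprints | Where-Object {
            $u = $_.ToUpperInvariant(); ($u -ne $tp) -and $u.StartsWith($tp) })
        if ($partial.Count -gt 0) { $status += "; looks like a truncated copy of $($partial[0])" }
        [pscustomobject]@{ Thumbprint = $tp; Length = $tp.Length; Status = $status }
    }
}

# Constructed input: the list exactly as the first post quoted it (second entry is 39 chars)
# and the thumbprint read from the IIS host later in the same thread.
$policyValue = '47B92CC595B0856AA1067073C05BA81F0CD43D84,503A76608510C9468C8626FDF3DE72A3D602570'
$knownThumbprints = @('503A76608510C9468C8626FDF3DE72A3D602570C')

# On a real client, read the applied value instead of pasting it. Key and value name are
# from the TerminalServer ADMX as I recall them; confirm against your own ADMX copy:
# $policyValue = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services').TrustedCertThumbprints
# On the RD Web Access host, take the expected values from the machine store instead:
# $knownThumbprints = (Get-ChildItem Cert:\LocalMachine\My).Thumbprint

Test-TrustedRdpThumbprintList -PolicyValue $policyValue -KnownThumbprints $knownThumbprints |
    Format-Table -AutoSize
```

With the values from this thread the first row reports OK and the second reports a 39-character entry that is a truncated copy of the IIS certificate's thumbprint, which is the RSOP check the original poster eventually did by eye.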

James Iversen

Oct 28, 2025, 11:04:50 AM
to ntsys...@googlegroups.com
Congratulations on a successful resolution!
Sent from my iPhone

On Oct 28, 2025, at 11:00 AM, Mike Leone <tur...@mike-leone.com> wrote:



Philip Elder

Oct 28, 2025, 12:10:24 PM
to ntsys...@googlegroups.com

Put the URI Remote.Domain.Com into “Trusted Sites” it should work.

 


Mike Leone

Oct 28, 2025, 12:31:55 PM
to ntsys...@googlegroups.com
On Tue, Oct 28, 2025 at 12:10 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

Put the URI Remote.Domain.Com into “Trusted Sites” it should work.


So that would be the URI generated by RDS?

Do I need the whole thing, or just the hostname?

You mean this trusted site:

Computer Configuration — Administrative Tools — Windows Components — Internet Explorer — Internet Control Panel — Security Page and then double click to the “Site to zone assignment list”

Edge still respects those settings?

I'll check for similar settings for Chrome and IE, I guess.

Philip Elder

Oct 28, 2025, 12:50:23 PM
to ntsys...@googlegroups.com

Yes the URI users use with the certificate common name to access RemoteApps.

Just the URI without the destination file.

And yes but on the local computer to start with. You start dropping stuff into Group Policy and things get wonky fast with the Internet security settings.

Mike Leone

Oct 28, 2025, 12:53:36 PM
to ntsys...@googlegroups.com
On Tue, Oct 28, 2025 at 12:50 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

Yes the URI users use with the certificate common name to access RemoteApps.

Just the URI without the destination file.

And yes but on the local computer to start with. You start dropping stuff into Group Policy and things get wonky fast with the Internet security settings.

OK. I have a GPO that applies only to certain test users in a specific OU. I'll set it there ....

Lemme poke at it this way ....
