Wednesday, June 17, 2015

Removing the: “A website is trying to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.” message prompt when launching RD Web Access RemoteApp

Problem

You’ve configured your RemoteApp resources on your Remote Desktop Services and attempt to launch an application but receive the following warning message:

A website is trying to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.

This RemoteApp program could harm your local or remote computer. Make sure that you trust the publisher before you connect to run this program.

Don’t ask me again for remote connections from this publisher

As the prompt shows, you have the option of checking the checkbox that reads:

Don’t ask me again for remote connections from this publisher

… to remove this prompt, but you do not want everyone in the organization to receive it.

Solution

One of the ways to remove this warning prompt is to implement a GPO and apply it to the user or computer account to trust the SHA1 thumbprint of the certificate presented. Begin by opening the properties of the certificate that is used for your Remote Desktop Services portal and navigating to the Details tab:

Scroll down to the bottom where the Thumbprint is listed:

Select the Thumbprint field:

Select the thumbprint and copy the text:

Before copying this into the GPO setting we’ll be using, it is important to first paste the thumbprint you have just copied into a command prompt.

Notice how there is a question mark (?) in front of the thumbprint. Note that pasting this into Notepad does not reveal this unwanted question mark.

Proceed and copy the thumbprint from the command prompt without the question mark.

Next, create a new GPO or open an existing GPO that you would like to use and navigate to:

Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Note that this policy can be applied to either a computer object or a user account so use whichever fits better for your environment.

Proceed and open the setting named Specify SHA1 thumbprints of certificates representing trusted .rdp publishers:

Paste the copied thumbprint into the Comma-separated list of SHA1 trusted certificate thumbprints field:

Apply the configuration:

The user should no longer see the warning prompt once the policy is applied to a computer object or user account.
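
The thumbprint clean-up described in the steps above can be scripted instead of being done by eye in a command prompt. The PowerShell below is an added example, not part of the original post; the function name `ConvertTo-CleanThumbprint`, the placeholder thumbprints, and the assumption that the hidden character is U+200E (left-to-right mark) are illustrative.

```powershell
# Added example: normalize SHA1 thumbprints copied from the certificate
# Details tab before they go into the "trusted .rdp publishers" policy field.

function ConvertTo-CleanThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Thumbprint
    )
    process {
        # Report every character that is neither a hex digit nor a plain
        # space, so the invisible character shows up as a code point.
        foreach ($ch in $Thumbprint.ToCharArray()) {
            if ($ch -notmatch '^[0-9A-Fa-f ]$') {
                Write-Warning ('Dropping non-hex character U+{0:X4}' -f [int]$ch)
            }
        }
        # Keep hex digits only and upper-case them.
        $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        # A SHA1 thumbprint is 20 bytes, i.e. exactly 40 hex characters.
        if ($clean.Length -ne 40) {
            throw "Expected 40 hex characters, got $($clean.Length): '$clean'"
        }
        $clean
    }
}

# Constructed sample (placeholder value, not a real certificate): a leading
# U+200E, assumed here to be the hidden character, plus the spaces shown
# in the Details tab.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"

# The policy field takes a comma-separated list, so clean every entry.
$list = ($pasted, 'FFEEDDCCBBAA99887766554433221100FFEEDDCC' |
    ConvertTo-CleanThumbprint) -join ','
$list

# Alternative that avoids the clipboard entirely: read the thumbprint from
# the certificate store on the server holding the certificate (the store
# location is an assumption about your deployment).
# Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint
```

The resulting string can be pasted directly into the policy field. The thumbprint changes whenever the certificate is renewed or replaced, so the list in the GPO has to be updated at that point.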

5 comments:

Unknown said...

How do I open the properties of the certificate? I do not see that option.

Douglas Gaigher said...

Thanks man, removing that ghost char did the trick! Amazing.

Unknown said...

Awesome

Thank you Terence.

MJ

Anonymous said...

What about for the outside computers, where you cannot apply a GPO?

Anonymous said...

One additional piece of setup which is assumed here is that you have already attached the certificate to the RD Web App website and within Remote Desktop Services. When following these steps after updating a certificate, this did not work for me until I had also changed the cert selection within the Remote Desktop Services deployment.

For adding or updating a Certificate to a Remote Desktop Services deployment, the certificate should be installed per usual within the MMC snap-in for managing certificates. Also, from the MMC snap-in, take an export of the Private Key (.pfx extension) for use later in importing into Remote Desktop Services. Then, in IIS, modify your website bindings for the Remote Desktop website, so that the new security certificate is assigned for use (on port 443). Finally, within Server Manager (Windows Server 2012 and newer) under Remote Desktop Services, under the Deployment Overview choose to Edit Deployment Properties. Under the certificates section, for each Role Service, choose Select existing certificate and then specify the location of the Private Key (.pfx) file that was just exported (move to the local drive of that server, in multiple server setups), input the previously specified password and finally click the OK button to update. Again, repeat this for each RD Connection Broker, RD Web Access and RD Gateway that are accessible within the listing.

This will ensure that all of the other required setup is completed, so that this Group Policy setting will work. When I updated my cert for my Remote App Website, it took me a little while to remember all of these other things that needed to be updated.