Microsoft CA and RDS Assistance
Hello everyone. Just to give a little background, I have three servers involved in all of this. One is running RDS with RemoteApp Manager, Remote Desktop Connection Manager, RD Session Host Configuration and Remote Desktop Services Manager. This server is also running IIS for RD Web. I am not currently hosting RemoteApps, but this is how users in our satellite offices obtain access to our VDI environment. The second server is running Hyper-V and is hosting the virtual servers. The third server is a Microsoft CA server.

Currently our VDI/RDS solution is something that simply works. It was put together dirty and quickly (not by me... I'm just the guy who is getting tossed into the middle of the project and was told to hit the ground running). What does that mean? It means that when the users visit https://vdi/rdweb they get a certificate error. Shortly after they get an error that states "A website wants to run a RemoteApp program. The publisher of this RemoteApp program cannot be identified." Once they allow all of these items to go through, they can get in and work. Now that the proof of concept for the bosses is done, we want to clean up the two issues I mentioned.

Now please bear in mind that my experience with certs is extremely limited. I have worked with it probably two times in my life and followed very detailed directions. So during my research, I read that both of these have to do with certs and digitally signing everything for the RDS. I also read that I can use the same cert for both items. So with that and some of my basic knowledge of everything, I went onto IIS and went through the request a cert wizard where I requested a cert with the common name VDI. I set it to 2048 and created my text file. I was unable to pull it into my CA server using their wizard but was able to use the certreq command and generate a cert. I then imported it into IIS and that looked good. I later tried making changes to RDS where I *thought* I needed to.

However, it always ended up with something breaking. Either the icons on the web portal disappeared or I would get errors from the XP boxes in our satellite offices ("The connection has been terminated because an unexpected server authentication certificate was received from the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator"). So I am at a loss and would love it if someone could help me out and tell me what I'm doing wrong or what steps I missed in being able to successfully complete my task. Or even if someone has a clear-cut document with detailed steps that would be awesome because I am having a hell of a time trying to figure out what is going on. Thank you in advance to anyone who reads/thinks about/answers anything on here.
April 29th, 2011 3:55pm

1) Can you provide the exact error message? This is because there might be several reasons: name mismatch, certificate is expired, is not trusted, etc. Depending on the particular reason you will have to take appropriate actions.

2) The signing certificate (the one that was used to sign the RemoteApp files) must be issued by a trusted issuer (CA) and placed in the Trusted Publishers store of the local computer.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 29th, 2011 5:42pm

1) I did supply the error message my XP users were getting. It is the one inside the parentheses. Other than that there really aren't any other error messages. There is an error when attempting to import the cert into my CA. I don't currently have that handy though. It does mention something about a template not being defined. However, it seems to work fine when I use certreq with the template set to Web Server.

2) I am pretty sure I placed it in the trusted area as well, but with some of the changes I made and then my boss attempting to help out, it may have been a step we skipped. I will have access to it again on Monday to try and remake the cert and try it again.
April 29th, 2011 7:30pm

So it looks like you are running just one RDP server, right? OK then, start with the simple things. If you start the MSTSC client on Windows XP (! not Vista+) and type the FQDN name (meaning something like rdp1.company.local) of the RDS server, do you receive any certificate error? If yes, we need to repair this problem first.

On the RDS server start MMC, add the Certificates console for Local Computer and check that the Trusted Root Certification Authorities list contains the certificate of your CA. Be careful, the certificate of the CA must have Issuer = Subject. Unless that is met, you are not handling the CA certificate itself. So make sure the CA cert with the same Issuer = Subject fields is present in the Trusted Root Certification Authorities list.

Then proceed to right-click on the Personal folder and Request New Certificate. What templates can you enroll for? Is there a "Computer" template? Then enroll for it. After you have the certificate, go to the RD Session Host Configuration and assign the certificate to the RDP protocol.

... and finally test the solution from your clients with the MSTSC client application. If the clients still do not trust the certificate, repeat the same procedure to ensure their local computer Trusted Root Certification Authorities container contains the CA certificate (the one with its name and Issuer = Subject).

After this is working, you can improve things in the web server. Start the IIS console, right-click on the Default Web Site (or the site that hosts your RDWeb) and select Bindings. In the bindings, find the 443 binding and ensure it uses the same certificate you have assigned to the RDP protocol.

ondrej.
April 30th, 2011 4:57am
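The two replies above describe a chain of checks: the CA root (Issuer = Subject) must sit in Trusted Root Certification Authorities, the server certificate must be issued to the name clients type, the RDP listener and the IIS 443 binding must both present that same certificate, and the RemoteApp signing certificate must be in the client's Trusted Publishers store. The following PowerShell audit is an added example and is not code from the thread or from either poster; it assumes it is run elevated on the RD Session Host / RD Web server, that the listener is the default `RDP-tcp`, and that `$Fqdn` (the placeholder `vdi.company.local` here) is the name users type into MSTSC and the browser. The store paths, the `Win32_TSGeneralSetting` WMI class and the `netsh http show sslcert` output format are standard Windows interfaces; everything else is constructed for the example.

```powershell
# Added example (not from the thread): audit the certificate wiring for RDS + RD Web.
# Assumes: elevated PowerShell 2.0+ on the RDS/RD Web server, default RDP-tcp listener.
param([string]$Fqdn = "vdi.company.local")   # constructed placeholder; use the name clients type

$problems = @()

# 1. Server certificate: issued to the FQDN, with private key, in Local Computer\Personal.
#    A cert issued only to the short name "vdi" causes a name mismatch when clients use the FQDN.
$pattern = "CN=" + [regex]::Escape($Fqdn) + "(,|$)"
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $serverCert) {
    $problems += "No certificate with CN=$Fqdn and a private key in LocalMachine\My."
} else {
    if ($serverCert.NotAfter -lt (Get-Date)) {
        $problems += "Certificate $($serverCert.Thumbprint) expired on $($serverCert.NotAfter)."
    }

    # 2. The chain must build and end in a true CA root (Issuer = Subject) that is present
    #    in Trusted Root Certification Authorities, exactly as the reply describes.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($serverCert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "Chain for $($serverCert.Thumbprint) does not build: $status"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -ne $root.Issuer) {
        $problems += "Top of chain is not a CA root (Issuer != Subject): $($root.Subject)"
    } elseif (-not (Get-ChildItem Cert:\LocalMachine\Root |
                    Where-Object { $_.Thumbprint -eq $root.Thumbprint })) {
        $problems += "CA root '$($root.Subject)' is missing from Trusted Root Certification Authorities."
    }

    # 3. The RDP listener (what RD Session Host Configuration sets) must present this certificate.
    $ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-tcp'"
    if (-not $ts) {
        $problems += "RDP-tcp listener not found; is this the RD Session Host?"
    } elseif ($ts.SSLCertificateSHA1Hash -ne $serverCert.Thumbprint) {
        $problems += "RDP-tcp presents $($ts.SSLCertificateSHA1Hash), not $($serverCert.Thumbprint); " +
                     "XP clients will report an unexpected server authentication certificate."
    }

    # 4. The HTTPS binding on 443 must use the same certificate as the RDP listener.
    $ssl = netsh http show sslcert ipport=0.0.0.0:443 | Out-String
    if ($ssl -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
        if ($Matches[1].ToUpper() -ne $serverCert.Thumbprint) {
            $problems += "IIS 443 binding uses $($Matches[1].ToUpper()) instead of $($serverCert.Thumbprint)."
        }
    } else {
        $problems += "No SSL certificate bound to 0.0.0.0:443."
    }
}

# 5. RemoteApp signing: the signing certificate must be in Trusted Publishers on the CLIENT.
#    Run this section on an XP/Win7 client; on the server it only shows what is trusted locally.
$publishers = Get-ChildItem Cert:\LocalMachine\TrustedPublisher
if (-not $publishers) {
    $problems += "Trusted Publishers is empty; signed .rdp files will still prompt 'publisher cannot be identified'."
} else {
    $publishers | ForEach-Object { "Trusted publisher: $($_.Subject) [$($_.Thumbprint)]" }
}

if ($problems.Count -eq 0) {
    "OK: $Fqdn certificate $($serverCert.Thumbprint) is trusted, bound to RDP-tcp and to HTTPS 443."
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it as `.\Audit-RdsCert.ps1 -Fqdn rdp1.company.local` (any file name works) after each change; every PROBLEM line maps to one of the steps in the reply above, so the order in which to fix them is the order they are printed. Fixing a mismatch in step 3 or 4 means reassigning the certificate in RD Session Host Configuration or the IIS binding, not creating yet another certificate.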
