Thursday, May 5, 2011

RD WebAccess and the "unknown publisher story"

Anyone who had worked with RD WebAccess will have seen the following error one time or another:
The question: can we configure RD WebAccess to sign the .RDP that is used so that this warning does not pop-up on our end-users computers?
The answer: The answer is, as with all IT-questions, it depends!

And here’s why: There are two ways to have users access your RD Session Host farm from RD WebAccess. The first one is by making use of RemoteApp. RemoteApp is the technique on the RD Session Host that is used to deliver seamless applications to your end-users that “blend in” with the users locally installed applications. You can use RD WebAccess to publish these RemoteApps via a webpage. In the example below I have published Calculator and WordPad to be available via RD Web Access.

 In the RemoteApp configuration on the RD Session Host we can actually configure the SSL certificate that is used to sign the “.rdp file” that is used to run the RemoteApp.
 That’s great! Now we have a publisher available and a user can check that he trusts the publisher. (Or we can use a GPO that automatically trusts all RDP connections that were signed using a specific SSL certificate, by making use of the hash of the SSL certificate).
 Now comes the catch, the second method is making use of the option Remote Desktop tab in RD Web Access. This way you can publish a full desktop instead of a RemoteApp.

Can we sign the .RDP that is used for this connection as well to get rid of the publisher warning?
No, we can’t.
The reason for this is that is that there’s a difference in how the .RDP file is built when using Remote App RD Web Access and when using Remote Desktop via RD Web Access.
When you connect to a RemoteApp, a .RDP file is created on the RD Session Host based on the settings that we configured in the Remote App Manager. Remember that we specified a SSL certificate there. So the .RDP file will be signed here before its being channeled to the client from where it is executed.
When you connect to a Remote Desktop, the .RDP file is actually created on the client itself based on parameters that it gets from the RD Web Access (which reside in the web.config and aspx pages) plus the settings that might have been done in the Remote Desktop page by the user. The client does not sign the .RDP file, and thus, you still get the warning about the unknown publisher!


  1. If you want to get rid of those Unknown Publisher messages, you need a code signing certificate.

    K Software sells Comodo code signing certificates at a significant discount -

    They'll walk anyone through the whole process, too.

  2. Hi Mitchell,

    Thanks for your comment, but I don't think a code signing certificate will work in this case. See the conclusion of my blogpost. The RDP file is generated on the fly by the client based upon information retreived the the RD WebAccess. There's no way you could intercept this with a code signing certificate.

  3. and over 5 years later it's still a problem!

  4. This is such a great resource that you are providing and you give it away for free. I love seeing blog that understand the value of providing a quality resource for free. Danilo