Hello, my name is Pankaj Pande and I would like to clarify a bit about the error message “A website wants to start a remote connection. The publisher of this remote connection cannot be identified.”
Often you receive this message when you try to run your remote applications, even though you have all the certificates in place and they are configured properly. You might ask, “I have already signed my application with the trusted certificate and my web single sign-on (SSO) is working fine, so why am I receiving this error message?”
The answer: Although you have signed the application by using the trusted certificate, the client computer also needs the Secure Hash Algorithm 1 (SHA1) certificate thumbprints that identify trusted Remote Desktop Protocol (RDP) file publishers. Until the thumbprint of your signing certificate is on that list, the client cannot tell a publisher it should trust from one it should not.
There are two ways that you can configure your computers so that you don’t see this error message again.
You can create a Group Policy object (GPO) by using the following settings from your domain controller and push that policy to all the client computers that are trying to access the remote application.
1. To find the SHA1 thumbprint, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Available snap-ins box, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, select Computer account, and then click Next.
5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the Console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.
8. Double-click the certificate that you want to use.
9. In the Certificate Properties dialog box, on the Details tab, click Thumbprint. The thumbprint number will appear in the box (example: 25 1a 22 02 b3 6d b6 f0 64 0b db 8d b5 4a bb 99 0f bc ed af).
10. Copy the thumbprint number, making sure that you don’t include the space in front of the number, and then click OK. (For example, if the number starts with <space>74…, start copying from the “74.”)
1. On the domain controller, open the Group Policy Management Console (GPMC). You can open the GPMC in one of two ways:
2. Go to the location of the Group Policy setting: Computer Configuration (or User Configuration)\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.
3. In the Settings pane, double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers.
4. Click Enabled, and then in the Comma-separated list of SHA1 trusted certificate thumbprints box, enter the SHA1 thumbprint of the certificate that you use for signing your remote applications or RemoteApp programs (i.e., paste the thumbprint number that you copied from the Certificates Properties page), and then click OK.
Note: Make sure that when you paste the number, there isn’t a space in front of it.
5. After enabling this policy setting on all the client computers, you should no longer receive the error message.
1. The second way is per user and per computer. When you log on to the RD Web Access web page, you have an option to choose whether you are on a public or a private computer.
2. Select This is a private computer, and then click Sign in.
3. You will still see the prompt, but this time when the security warning appears, select the Don’t ask me again for remote connections to this computer check box, and then click Connect.
4. The error message should disappear the next time you open the remote application or RemoteApp program.
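The GPO steps above hinge on getting the thumbprint exactly right, and the certificate dialog copies an invisible leading character along with it. The following PowerShell script is an added example (not part of the original post) that reads the signing certificate straight from the local machine store, normalizes the thumbprint, and writes it to the TrustedCertThumbprints value under the Terminal Services policy key, which is where the "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" setting is stored. It assumes an elevated session and that the certificate subject contains the placeholder name in $SubjectMatch.

```powershell
# Added example, not from the original post. Run elevated on the client.
# Assumption: the RemoteApp signing certificate is in Cert:\LocalMachine\My
# and its subject contains $SubjectMatch (placeholder, adjust to your cert).
param(
    [string]$SubjectMatch = 'rdweb.example.test'
)

# Registry location that backs the GPO setting (same path the post's comments name).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Normalise a thumbprint the way a careful admin would before pasting it:
# drop spaces and any non-hex character (the hidden leading character the
# certificate dialog emits shows up as "?" in cmd), then upper-case it.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters for a SHA1 thumbprint, got $($clean.Length) from '$Raw'"
    }
    return $clean
}

# Read the certificate from the store instead of copying from the dialog.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in Cert:\LocalMachine\My" }

$thumb = ConvertTo-CleanThumbprint $cert.Thumbprint

# The value is a comma-separated list; keep thumbprints that are already trusted.
$existing = (Get-ItemProperty -Path $policyKey -Name TrustedCertThumbprints `
             -ErrorAction SilentlyContinue).TrustedCertThumbprints
$list = @()
if ($existing) {
    $list = @($existing -split ',' | ForEach-Object { ConvertTo-CleanThumbprint $_ })
}
if ($list -notcontains $thumb) { $list += $thumb }

New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name TrustedCertThumbprints -Value ($list -join ',') -Type String
Write-Host "Trusted .rdp publisher thumbprints: $($list -join ',')"
```

Because the script writes the policy value directly, it also fits the non-domain-joined case raised in the comments, where a GPO cannot be pushed but a small script can be run on the client.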
IMHO this does not work:
In the Certificate Properties dialog box, on the Details tab, click Thumbprint. The thumbprint number will appear in the box (example: 25 1a 22 02 b3 6d b6 f0 64 0b db 8d b5 4a bb 99 0f bc ed af).
Copy the thumbprint number, and then click OK.
See the blog post here for the format that is needed: morgansimonsen.wordpress.com/.../sha1-thumbprints-for-trusted-rdp-publishers
Thanks for the information. Well, I don't see any change when we directly copy and paste from the certificate properties, because when I tested the functionality I hadn't made any changes to it. I just directly opened the certificate properties, copied the Thumbprint Algorithm, pasted it into the GPO, and it worked for me.
BTW, on which operating system did you try it?
The first comment on this blog is correct (at least sometimes). I have experienced this myself multiple times. When you copy the Thumbprint and paste it directly into the GPO setting you might copy it including a leading character (which you don't see in the GPO!!). Nor will you see it when you copy the Thumbprint into Notepad first. Copy the Thumbprint into a command line and you'll notice it is something like:
?2c 4d 3f 75 fa 28 01 03 fa 2c 70 23.....
Remove the special character (the "?") and then copy it into the GPO.
Ahh, I see what you mean. Well, to be very, very clear on this, you have to copy exactly the Thumbprint (NOT WITH THE WHITE SPACE IN THE FRONT),
so if your thumbprint looks like this in the certificate properties -: <space>74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb e5 3e 61 74 e
Then you have to be careful in copying. Start copying it from the "74", not as a whole. That's it.
Well, you see a "?" in the cmd because CMD doesn't recognize the <space> at the beginning.
Anyways, thanks for the information.
That's exactly what I meant! And you can go through a whole lot of troubleshooting because the GPO does not show the leading space when you paste the Thumbprint in there.
Just an update:
I have tried this functionality on the XP SP3 with RDC Client 7.0 and it also worked with it.
The catch is: since we don't have the GP setting "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" in XP, when we deploy a group policy using the DC on all client machines, the XP box will still enable this functionality.
What exactly happens?
The XP box will now have to follow the group policy, though it doesn't have that GP in place, but it will use a GP called "EXTRA REGISTRY SETTINGS". On expanding it you will see that a new entry has been made in the registry location "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" with "TrustedCertThumbprints", which will have your SHA1 thumbprint of the Certificate.
Let me know if you have any questions or confusions.
Here is how I got rid of it:
1. Click tools
2. Click Internet Options
3. Click Advanced tab
4. Uncheck enable third party.....
It worked like a charm for me in Windows 7, IE8
I have 2 applications which make use of the RDP ActiveX control, one written in C++ and the other in C#. Both use the same interface. In the C++ application I get this prompt. Why? I am definitely not using a browser.
This only works for computers on the domain (GPO permanent fix). Is there any way to get rid of the messages without user intervention on our end?
Our users will be on non-domain-joined computers (read: their personal PCs), and we will have no control over them. We may be able to have them download and "install" something (we already have to ask them to install the KB2524668 hotfix for WebSSO for a full remote desktop host session). Perhaps a script of some kind?
Since these are personal computers, we want as minimal an impact on their machines as possible.
We have the same issue. We have a secure (non-internet-connected) network that uses thin clients at each desk. The thin client opens a default intranet website that prompts for a name. The website looks up the assigned virtual PC in AD, generates an .RDP file with the user's computer name in it, and then opens an MSTSC session to the virtual PC. The users always get the stupid pop-up.
For this to work, I had to make all of the lower case letters upper case. Then this GPO would work!
Does this work as expected if the cert used is not SHA1 but SHA2?
@Miha -- Yes, certificates using SHA2 as the signature algorithm are also supported. The certificate may use any of the supported signature algorithms (SHA1, SHA2, SHA256, etc.)
The reference to "SHA1" in the name of this GP is about how the certificate thumbprint is computed. This is just a way to identify the certificate in the certificate store and does not have any impact on the strength of the signature algorithm used by the certificate. In Windows, the thumbprint is always computed using the SHA1 algorithm, regardless of the signature algorithm used by the certificate.
Hope this helps,
Samim, thank you.