Share via


RDS Troubleshooting: “A website wants to start a remote connection. The publisher of this remote connection cannot be identified.”

Issue

“A website wants to start a remote connection. The publisher of this remote connection cannot be identified.”

Often you receive this message when you try to run your remote applications, even though you have all the certificates in place and they are configured properly. You might ask “I have already signed my application with the trusted certificate and my web single sign-on (SSO) is working fine, so why I am receiving this error message?”

Solution

The answer: Although you have signed in the application by using the trusted certificate, the client computer needs the Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (RDP) file publishers.

There are two ways that you can configure your computers so that you don’t see this error message again.

Method 1: Create a GPO with RDP signing settings (permanent fix)

You can create a Group Policy object (GPO) by using the following settings from your domain controller and push that policy to all the client computers that are trying to access the remote application.

Locate the SHA1 thumbprint

  1. To find the SHA1 thumbprint, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Available snap-ins box, click Certificates, and then click Add.
  4. In the Certificates snap-in dialog box, select Computer account, and then click Next.
  5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
  6. In the Add or Remove Snap-ins dialog box, click OK.
  7. In the Console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.
  8. Double-click the certificate that you want to use.
  9. In the Certificate Properties dialog box, on the Details tab, click Thumbprint. The thumbprint number will appear in the box (example: 25 1a 22 02 b3 6d b6 f0 64 0b db 8d b5 4a bb 99 0f bc ed af).
  10. Copy the thumbprint number, making sure that you don’t include the space in front of the number, and then click OK. (For example, if the number starts with <space>74…, start copying from the “74.”)

http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-65-40-metablogapi/5460.clip_5F00_image001_5F00_thumb_5F00_6C31A4C9.png

Add the SHA1 thumbprint to the Group Policy setting

1. On the domain controller, open the Group Policy Management Console (GPMC). You can open the GPMC in one of two ways:

  • Click Start, point to Administrative Tools, and then click Group Policy Management Console.
  • Click Start, click Run, type gpmc.msc and then click OK or press ENTER.

2. Go to the location of the Group Policy setting: <computer> | < user>\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-65-40-metablogapi/6153.clip_5F00_image003_5F00_thumb_5F00_525D6E9A.jpg

3. In the Settings pane, double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers.

http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-65-40-metablogapi/5657.clip_5F00_image004_5F00_thumb_5F00_5910781D.png

4. Click Enabled, and then in the Comma-separated list of SHA1 trusted certificate thumbprints box, enter the SHA1 thumbprint of the certificate that you use for signing your remote applications or RemoteApp programs (i.e., paste the thumbprint number that you copied from the Certificates Properties page), and then click OK.

Note: Make sure that when you paste the number, there isn’t a space in front of it.

http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-65-40-metablogapi/8206.clip_5F00_image006_5F00_thumb_5F00_7133E278.jpg

5. After enabling this policy setting on all the client computers, you should no longer receive the error message.

Method 2: Change logon settings (temporary fix)

1. When you log on to the RD Web Access web page, you have an option to choose whether you are on a public or a private computer.

http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-65-40-metablogapi/2330.clip_5F00_image008_5F00_thumb_5F00_1AC7ADAC.jpg

2. Select This is a private computer, and then click Sign in.

3. You will still see the prompt, but this time when the security warning appears, select the Don’t ask me again for remote connections to this computer check box, and then click Connect.

4. The error message should disappear the next time you open the remote application or RemoteApp program.

http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-65-40-metablogapi/3823.clip_5F00_image009_5F00_thumb_5F00_4F6809E7.png

Applies to:

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows 7
  • Windows Vista

Reference

 http://blogs.msdn.com/b/rds/archive/2011/04/05/how-to-resolve-the-issue-a-website-wants-to-start-a-remote-connection-the-publisher-of-this-remote-connection-cannot-be-identified.aspx