Sunday, January 10, 2010

RDWEB Message: Internet Explorer cannot display the webpage

So, this is pretty simple, but it took me a few minutes to figure out what went wrong, so I thought I'd throw it up here.

I installed RDSH on a server that was already running RD Web Access (I needed an RDSH in redirection mode and this box was not doing much at the moment...).

After a reboot I tested the RDWeb Access page, and I got this:

Internet Explorer cannot display the webpage

I scratched my head and checked the certificate I had bound to 443, and presto chango, it was suddenly missing.

Re-applying it fixed my issue and the website came right up.

But it is something to watch out for if you ever install RDSH after RD Web Access.
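As an added check (this is example code, not part of the original post), the following PowerShell lists the HTTPS bindings that HTTP.sys currently holds and confirms that each bound certificate still exists in the local machine's Personal store. It parses the output of netsh http show sslcert; run it elevated on the RD Web Access server after any role change that touches the box.

```powershell
# Added example, not from the original post: list HTTP.sys SSL bindings and
# confirm the bound certificate is still present in cert:\LocalMachine\My.
function Get-HttpsBindingStatus {
    # netsh prints an "IP:port" line followed by a "Certificate Hash" line per binding
    $lines = netsh http show sslcert
    $bindings = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = New-Object PSObject -Property @{
                IpPort = $matches[1]; Hash = $null; CertInStore = $false; Subject = $null
            }
            $bindings += $current
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            # The hash netsh shows is the certificate thumbprint (SHA-1)
            $current.Hash = $matches[1].ToUpper()
            $cert = Get-ChildItem -Path cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $current.Hash } | Select-Object -First 1
            if ($cert) {
                $current.CertInStore = $true
                $current.Subject = $cert.Subject
            }
        }
    }
    return $bindings
}

# An empty list, or a binding whose certificate is gone from the store, means
# the RD Web Access site will not answer on 443 until the cert is re-applied.
$status = Get-HttpsBindingStatus
if (-not $status) { Write-Warning 'No SSL bindings found in HTTP.sys.' }
$status | Format-Table IpPort, Hash, CertInStore, Subject -AutoSize
```

A binding for 0.0.0.0:443 with CertInStore set to False is the state described above: HTTP.sys still references a thumbprint, but the certificate it points to is no longer in the store, so re-binding the certificate in IIS Manager is the fix.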

Wednesday, January 6, 2010

Certificates and Web SSO

This post is adapted from the forthcoming Windows Server 2008 R2 Remote Desktop Services Resource Kit

Regarding the setup of Web SSO for use with the RD Web Access website:

The Web SSO feature allows users to log in to the RD Web Access website, and then access RemoteApps published to the RD Web Access website with no need for the user to supply credentials again (hence the name "Web Single Sign On" ;)

Check out the RDS Team Blog for an intro to this topic.

Web SSO requires that a signing certificate (an SSL certificate) be applied to each RDSH server (in RemoteApp Manager). MAKE SURE THESE CERTS are the EXACT SAME CERT for all farm members! Otherwise Web SSO will not work.

This is because the certificate is used for credential sharing, not just to prove to the client, via a CA, that the server is legitimate. The certificate's hash (its thumbprint) is what gets compared, so it needs to be the same hash, and therefore the same certificate, on each server.

This is also true if you are publishing RemoteApps from multiple farms. If you want the user to log in to RD Web Access only once and be able to access RemoteApps from all farms without entering credentials again for each farm, then make the signing cert the same across all farms.
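A way to verify the "exact same cert" requirement before users hit it, as an added example that is not from the Resource Kit or the original post: read the signing certificate's thumbprint from RemoteApp Manager on one farm member, then check that the certificate with that thumbprint (and its private key) is present on every RDSH. The server names and the thumbprint value below are placeholders, and the script assumes PowerShell remoting is enabled on the farm members.

```powershell
# Added example, not from the Resource Kit or the original post: confirm that
# every RD Session Host holds the same RemoteApp signing certificate, identified
# by its thumbprint (the SHA-1 hash that Web SSO compares).
function Test-FarmSigningCert {
    param(
        [string[]]$Servers,             # RDSH farm members (placeholders in the call below)
        [string]$ExpectedThumbprint     # thumbprint shown in RemoteApp Manager on one member
    )
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    $results = @()
    foreach ($server in $Servers) {
        try {
            $results += Invoke-Command -ComputerName $server -ArgumentList $expected -ScriptBlock {
                param($thumb)
                # Look for the expected certificate in the machine's Personal store
                $cert = Get-ChildItem -Path cert:\LocalMachine\My |
                    Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
                $subject = $null; $notAfter = $null; $hasKey = $false
                if ($cert) {
                    $subject  = $cert.Subject
                    $notAfter = $cert.NotAfter
                    $hasKey   = $cert.HasPrivateKey   # signing needs the key, not just the public cert
                }
                New-Object PSObject -Property @{
                    Server = $env:COMPUTERNAME; Present = [bool]$cert
                    HasPrivKey = $hasKey; NotAfter = $notAfter; Subject = $subject
                }
            }
        }
        catch {
            # Unreachable server: report it rather than silently skipping it
            $results += New-Object PSObject -Property @{
                Server = $server; Present = $false; HasPrivKey = $false; NotAfter = $null
                Subject = "ERROR: $($_.Exception.Message)"
            }
        }
    }
    return $results
}

# Placeholder farm members and thumbprint; replace with your own
$report = Test-FarmSigningCert -Servers 'rdsh01', 'rdsh02' -ExpectedThumbprint 'PASTE-THUMBPRINT-HERE'
$report | Format-Table Server, Present, HasPrivKey, NotAfter, Subject -AutoSize
$bad = @($report | Where-Object { -not ($_.Present -and $_.HasPrivKey) })
if ($bad.Count -gt 0) {
    Write-Warning ("Web SSO will not work: {0} server(s) lack the expected signing certificate." -f $bad.Count)
}
```

Because the thumbprint is the hash of the whole certificate, two certificates issued to the same name by the same CA still have different thumbprints; only the same certificate (exported with its private key and imported on each member) passes this check, which is exactly what Web SSO needs.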

Monday, January 4, 2010

RemoteApp and Desktop Connections: How to distribute and install the URL Feed

This post is adapted from the forthcoming Windows Server 2008 R2 Remote Desktop Services Resource Kit

RemoteApp and Desktop Connections is new to Windows 7. It uses a feed from the RD Web Access server to populate Windows 7 clients with RemoteApps and Desktop Connections from designated RDSH servers or farms.

To configure RemoteApp and Desktop Connections on Windows 7 clients, you either enter the feed URL manually in the RemoteApp and Desktop Connections Control Panel applet on Windows 7, or you distribute a configuration file that you run on the Windows 7 client.

Creating this config file is easy. 

· Log on to the RD Connection Broker server
· Start the Remote Desktop Connection Manager
· Right click Remote Desktop Connection Manager and choose Create Configuration File
· Add the URL of the RAD feed in the form of:
    https://your-RD-Web-Access-Server/Feed/webfeed.aspx

But what if you want to distribute and execute this config file without any user intervention?

These articles tell you that you CAN do this and even show you how to create the config file:

But they don’t tell you HOW to do this. Here is the script that you can use to distribute the config file:

So now that you have the script you might be asking yourself “How the heck do I implement this??” Good question. One I asked myself. Let me make it easy for you.

Basically, you will want to sign the PowerShell script (unless you are willing to allow unsigned code to execute, which I doubt you want to do…), install the code signer’s certificate as a trusted publisher on every client machine that should run scripts signed by that signer, and then either use the PowerShell script directly as a logon script (2008 R2 schema) or create a VB logon script that will in turn call the PowerShell script.

Here are all the steps to do this:

1. Get a code signing cert from your CA for a user that will sign scripts. Talk to your CA admin person about this, or get one from a public CA.

2. Once you have the signing certificate, make sure it is installed in the Personal store of the user account that the code signer will log in with to sign code. To check this, or to add the code signer’s cert, have the user log in, then open an MMC (type MMC in the search box or Run box), click File > Add/Remove Snap-ins, click Certificates (My user account), click Add, click OK. Then open the user Certificates snap-in and navigate to Personal > Certificates. You should see the code signer’s cert here. If not, add it by right clicking the Personal > Certificates folder and choosing Import (or Request New Certificate), depending on whether you need to import an existing cert or request one.

3. Have the code signing user open PowerShell and sign the PowerShell script like this:

# Pick the code-signing certificate from the signing user's Personal store
$cert = Get-ChildItem -Path cert:\CurrentUser\My -CodeSigningCert
# Sign the script with it (PATH-TO-FILE-HERE is the folder holding the script)
Set-AuthenticodeSignature -FilePath PATH-TO-FILE-HERE\Install-RADCConnection.ps1 -Certificate $cert

4. Next you will need to get a copy of the code signer cert to place in the Trusted Publishers folder on each computer that will trust code signed by this user. You will do this via GPO in the next step.
If you don’t already have this certificate handy, on the PKI server open Certification Authority, and under the server find the certificate in question in the Issued Certificates folder, double click it, navigate to the Details tab and click Copy to File…

5. Next add the code signer cert to the Trusted Publishers folder in Cert Management on each PC that will run scripts signed by that user.
Do this by creating a Computer GPO and linking it to the computer OU. The Computer policy should be:

Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies | Trusted Publishers

Right click this folder, choose Import, and point to the certificate you saved in the prior step.

6. Configure the PowerShell Execution Policy for the computers in your domain that you want to be able to run signed scripts.

Computer Configuration | Policies | Administrative Templates | Windows Components | Windows PowerShell | Turn on Script Execution
Set this to “Enabled” and “Allow only signed scripts”.


7. For 2008 R2 DCs: Create a User GPO and add the PowerShell script as a logon script:
· User Configuration | Policies | Windows Settings | Scripts (Logon/Logoff)
· Double click Logon, then click Add… then click the Browse button
· Locate the PowerShell script
· In the Parameters box, add: \\servername\sharename\scripts\name-of-feed.wcx


8. Create a VB logon script to call the logon PowerShell script (the share path and file names are placeholders; use the script and feed file from the steps above):

Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell.exe -NoProfile -File \\servername\sharename\scripts\Install-RADCConnection.ps1 \\servername\sharename\scripts\name-of-feed.wcx", 0, True  ' hidden window, wait for the script to finish

a. Create a user logon GPO to launch the VB script that will in turn call the PowerShell script:
· User Configuration | Policies | Windows Settings | Scripts (Logon/Logoff)
· Double click Logon, then click Add… then click the Browse button
· Locate the VB script made in step 8.

9. Have a regular user log in to their Windows 7 machine and test.
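To check the result of steps 3, 5 and 6 without waiting for a user to report a logon problem, here is an added example (not from the Resource Kit or the original post) with two helpers: one signs the logon script the way step 3 does but adds a timestamp so the signature remains valid after the signing certificate expires, and the other, run on a client, confirms that the signature is valid, that the signer is in the machine's Trusted Publishers store, and that Group Policy has set the execution policy to AllSigned. The share path and the timestamp server URL are assumptions.

```powershell
# Added example, not from the Resource Kit or the original post.
function Set-ScriptSignature {
    param(
        [string]$ScriptPath,                                         # e.g. \\servername\sharename\scripts\Install-RADCConnection.ps1
        [string]$TimestampServer = 'http://timestamp.digicert.com'   # assumption: any Authenticode timestamp service
    )
    # The code signer's certificate lives in that user's Personal store (step 2)
    $cert = Get-ChildItem -Path cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate found in cert:\CurrentUser\My' }
    # Timestamping lets the signature stay valid after the cert's NotAfter date
    Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert -TimestampServer $TimestampServer
}

function Test-SignedScriptDeployment {
    param([string]$ScriptPath)
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    $signer = $null; $trusted = $false
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        # Step 5: the signer must be in the machine's Trusted Publishers store,
        # otherwise AllSigned prompts, which a logon script cannot answer
        $trusted = [bool](Get-ChildItem -Path cert:\LocalMachine\TrustedPublisher |
                          Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint })
    }
    # Step 6: the policy pushed by the computer GPO; 'Undefined' means no GPO applies
    $policy = Get-ExecutionPolicy -Scope MachinePolicy
    New-Object PSObject -Property @{
        SignatureStatus = $sig.Status        # 'Valid' is what AllSigned requires
        Signer          = $signer
        SignerTrusted   = $trusted
        MachinePolicy   = $policy
        ReadyToRun      = ($sig.Status -eq 'Valid') -and $trusted -and ("$policy" -eq 'AllSigned')
    }
}

# Usage: first on the signing workstation, then on a client (paths are placeholders)
# Set-ScriptSignature -ScriptPath '\\servername\sharename\scripts\Install-RADCConnection.ps1'
# Test-SignedScriptDeployment -ScriptPath '\\servername\sharename\scripts\Install-RADCConnection.ps1' | Format-List
```

A SignatureStatus other than Valid after you edited the script means it needs re-signing (any change to the file invalidates the signature), and SignerTrusted coming back False on a client usually means the computer GPO from step 5 has not applied yet; gpupdate /force and a reboot are the usual cure.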

Hope this helps you!