Thoughts from the EPS Windows Server Performance Team
Hello AskPerf readers! My name is Don Geddes, and I am a Support Escalation Engineer on the Performance team. Over the last couple of months, we’ve been getting quite a few calls on a new popup dialog box that occurs when connecting to a web site that hosts Terminal Services connections or Terminal Server RemoteApps. Today, we’re going to talk about what exactly this dialog box means – a quick overview, if you will, that is more user-focused. In my next post, I’ll go into more technical depth – a more administrator-focused piece. I know some of you are wondering why I’m not putting everything into one post – the simple answer is that there’s a lot of information and it might get confusing – especially for end-users who might read these posts. So without further ado …
Otherwise known as the “Unknown Publisher prompt” or the “Redirection Warning”, this dialog will start to appear after you have updated your Windows XP computer to Service Pack 3 or installed the RDC 6.1 client. There are 2 different prompts that you might see, depending on whether you are opening a Terminal Services connection or running a RemoteApp. Here are some screenshots:
Remote Desktop Connection:
Here is what the dialog looks like if you are starting a RemoteApp:
These new dialogs have caused confusion among users and IT staff alike, as they are new prompts that were not seen with the older version of the RDP client that was included with Windows XP. The first question that I am asked is usually “What is this prompt? It looks scary and makes me think I clicked on something I shouldn’t have!” Don’t worry, you didn’t do anything wrong. This new prompt is a security feature in the latest RDP clients, and once you understand what exactly is going on, it is not all that scary. To translate what this dialog is really trying to tell you, I could put it like this: “The Remote Desktop client cannot verify that the computer you are connecting to is really who it claims to be. Don’t connect unless you trust the website that you visited.” If you arrived at this web page because you were given the link by someone you trust (for example, your company web administrator), then it is normally safe to go ahead and click the Connect button. If you do not trust the website you visited and did not click on a link that generated this dialog, then don’t click the Connect button. See, I told you it wasn’t really that scary!
The second question that I am usually asked is something like this: “How do I get rid of this thing? It’s annoying and I don’t like it.” The short answer is that you can’t get rid of it, not without a little help from the web server administrator. The prompt will always show because the Remote Desktop Client always assumes the server that you are connecting to is unsafe unless it can verify its identity. That is where your IT or Web administrator comes in.
If your system administrator upgrades the server to Windows Server 2008 and uses certificates, you will see a different prompt that allows you to hide the dialog box on subsequent connections to the server. You will know your administrator has done this because the prompt no longer says “Unknown publisher” and has a check box titled “Don’t ask me again for remote connections from this publisher”. This basically means that the server has verified its identity and is now trusted, so if you don’t want to see this prompt anymore, check the box and it will not display again.
With that, we’ve reached the end of this post. I hope this clears up the confusion surrounding these new security prompts. IT Administrators, stay tuned for my next post about the technical details of signing RDP files and how to make sure users never see this dialog.
- Don Geddes
Are you seriously telling us that the only way to get the option to switch off these stupid prompts is to upgrade servers to 2008? I hope your next post gives us another way of achieving this. This has got to be one of the more stupid decisions MS has made. It doesn't improve security one jot and seriously pisses people off.
Good post. When you do the post for the IT Admins could you please CC it to the dev team responsible for SBS 2003 Remote Web Workplace so they can release a hotfix?
Since Windows Server 2003 does not send an RDP file to the client when making a connection, it is not possible to hide the prompt when using that operating system. With Windows Server 2008, the TS Web Access page will send an RDP file to the client, and you sign that RDP file with a digital certificate. This is what generates the last prompt in my post and allows the user to hide the dialog.
The only way to never see the dialog at all is to sign the RDP and also be running Vista SP1 as the client OS. You can then use a policy that recognizes the thumbprint in the certificate, causing the dialog to never appear. If you don't control the client connecting to the website, though, this is not practical.
The details of this are complex, so I'll be writing another blog soon to explain what you CAN do based on what operating system you are using, but there is currently no way to hide the dialog if the server is Windows Server 2003 and running the Remote Desktop Web Connection.
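The reply above explains that the prompt goes away only when the server hands the client a signed .rdp file. The following is an added example, not code from the post or from Microsoft: it parses an .rdp file (one `name:type:value` setting per line) and reports whether the file carries the two settings a publisher signature adds, `signscope` (the list of settings the signature covers) and `signature` (the signature blob), and which settings fall outside that scope. The sample files and the placeholder signature value are constructed for the example; matching a setting name to its `signscope` label is approximated by a case- and space-insensitive comparison (an assumption, since the exact labels are written by the signing tool); and the signature itself is not cryptographically verified here, because that is the client's job against the publisher's certificate.

```python
"""Inspect .rdp files for the publisher signature described in the post.

Added example, not Microsoft's code.  An .rdp file is a list of
`name:type:value` lines.  A signed file additionally carries
`signscope:s:<comma-separated setting labels>` and `signature:s:<blob>`.
Only settings named in signscope are protected by the signature; any
other setting could be altered without the client noticing.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The two settings that rdpsign-style signing adds to a file.
SIGN_FIELDS = {"signscope", "signature"}


@dataclass
class RdpFile:
    settings: Dict[str, str] = field(default_factory=dict)
    signed: bool = False
    signscope: List[str] = field(default_factory=list)


def parse_rdp(text: str) -> RdpFile:
    """Parse .rdp text into settings and detect the signature fields."""
    rdp = RdpFile()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # name:type:value -- split at most twice, the value may contain ':'
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {raw!r}")
        name, _type, value = parts
        rdp.settings[name.strip().lower()] = value
    scope = rdp.settings.get("signscope", "")
    signature = rdp.settings.get("signature", "")
    if scope and signature:
        rdp.signed = True
        rdp.signscope = [s.strip() for s in scope.split(",") if s.strip()]
    return rdp


def _norm(name: str) -> str:
    # Assumption: "full address" and "Full Address" name the same setting.
    return name.replace(" ", "").lower()


def unsigned_settings(rdp: RdpFile) -> List[str]:
    """Settings the signature does not cover (every setting, if unsigned)."""
    covered = {_norm(label) for label in rdp.signscope}
    return sorted(
        name for name in rdp.settings
        if name not in SIGN_FIELDS and _norm(name) not in covered
    )


def verdict(text: str) -> str:
    """One-line summary of what the client can and cannot vouch for."""
    rdp = parse_rdp(text)
    if not rdp.signed:
        return "unsigned: client will show the Unknown Publisher prompt"
    outside = unsigned_settings(rdp)
    if outside:
        return "signed, but not covering: " + ", ".join(outside)
    return "signed: every setting is covered by the signature"


# Constructed sample files (hostnames and signature blob are placeholders).
UNSIGNED_RDP = """screen mode id:i:2
full address:s:ts01.contoso.example
remoteapplicationmode:i:1
remoteapplicationprogram:s:||wordpad
"""

SIGNED_RDP = UNSIGNED_RDP + """signscope:s:Full Address,Screen Mode Id,RemoteApplicationMode
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

if __name__ == "__main__":
    for label, content in (("unsigned", UNSIGNED_RDP), ("signed", SIGNED_RDP)):
        print(f"{label}: {verdict(content)}")
```

Run against a file an administrator publishes, the "not covering" list is the set of settings a user could be handed with no integrity protection; the post's thumbprint policy only helps once the file is signed and the settings that matter are inside the signed scope.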
I generally think Microsoft keeps a good balance between IT and end user experiences and needs, and I have to say this is one of the worst things I have seen Microsoft do in a while.
Everything about the new version of TSC has been a bad experience and a poor improvement, especially for IT. Considering the high likelihood of IT involvement in any Terminal Server scenario, I find this very, very disappointing.
Try coming up with a reasonable explanation for why Microsoft is forcing an infrastructure upgrade on Enterprises just so the end user can have a good experience. Or try explaining to Alan Cooper the sense of a dialog box that will always be answered the same way.
"The short answer is that you can’t get rid of it, not without a little help from the web server administrator." - So how is it done?
Please see the second part of this discussion where I talk about signing your RDP files and hiding the dialog: