Certificate Requirements for Using RemoteApp and Desktop Connection on Windows 7

When a user sets up and accesses RemoteApp and Desktop Connection on a computer that is running Windows 7, the computer communicates with the Remote Desktop Web Access (RD Web Access) server. An RD Web Access server that is running Windows Server 2008 R2 is automatically configured to use Secure Sockets Layer (SSL). Therefore, the computer that is running Windows 7 must be configured to trust the certificate used by the RD Web Access server.


An RD Web Access server that is running Windows Server 2008 R2 is automatically configured to use a self-signed certificate. By default, the self-signed certificate is not trusted by Windows 7. Self-signed certificates are recommended only for testing and evaluation purposes.

To allow the Windows 7 computer to communicate with the RD Web Access server, we recommend that you configure the RD Web Access server to use a trusted certificate, such as a certificate issued by a trusted public certification authority (CA). For information about third-party commercial CAs that are trusted by Microsoft, see article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547). After you have obtained a trusted certificate for the RD Web Access server, you must import the certificate onto the RD Web Access server, and then use the Internet Information Services (IIS) Manager tool to associate the certificate with the RD Web Access Web site.

For more information about RD Web Access security, see http://go.microsoft.com/fwlink/?LinkId=142242.

Single sign-on for RemoteApp and Desktop Connection

You can configure single sign-on for RemoteApp programs when users access RemoteApp and Desktop Connection from the Start menu on a computer that is running Windows 7 or by using the Web site provided by RD Web Access. After the user has provided the appropriate credentials when prompted by Windows 7 or has logged on to the RD Web Access Web site, the user can run RemoteApp programs without having to provide credentials again within the same RemoteApp and Desktop Connection session.

The following are important considerations when configuring single sign-on for RemoteApp and Desktop Connection:

  • You must sign the .rdp files for the RemoteApp programs with a digital certificate by using the RemoteApp Manager tool. For more information, see the RemoteApp Manager Help in Windows Server 2008 R2.

  • Single sign-on can only be configured for RemoteApp programs. Single sign-on cannot be configured for users accessing remote desktops through RemoteApp and Desktop Connection.

  • To use single sign-on, you must use Remote Desktop Connection (RDC) 7.0, which supports Remote Desktop Protocol (RDP) 7.0. RDC 7.0 is available in Windows 7.

  • All Remote Desktop Session Host (RD Session Host) servers should sign their .rdp files for their RemoteApp programs with the same certificate.

  • The Remote Desktop Connection Broker (RD Connection Broker) server should be configured to use the same certificate that is used by the RD Session Host servers.

For more information about RemoteApp and Desktop Connection security, see http://go.microsoft.com/fwlink/?LinkId=143454

Additional references