According to your post, this issue occurs on the program of RemoteApp when you try to access. If I misunderstand it, please correct me.
As far as I know, when you access the program of RemoteApp, the process is the following:
RD web Access->RD session host->RemoteApp Manager
In this case, I think your certificate is misconfigure on the RD session host server. By default, the system will use the “Auto generated” certificate which is created by local server. I’d like to perform the following steps to check the certificate if is installed correctly.
You need to install and choose the same certificate on several places including RD session host server, RD Web Access, RD Gateway server, RemoteApp Manager.
1. Start by importing the SSL certificate into the Computer Account. MMC (Add/Remove Snapins - Certificates -Computer Account). I imported the cert into the Pesonal and Remote Desktop stores.
2. Import the SSL certificate into IIS. Run IIS Manager, select the ServerName (left side Connections), under the IIS section, open Server Certificates, import the SSL certificate here. Select the Web site (left side Connections), open Bindings (on the right side Actions) and associate/bind the wildcard cert with the appropriate https,host,port(443).
3. TS RemoteApp Manager, Overview Section, Digital Signature Settings, Change, Digital Signature, Sign with a digital certificate checked Change, select the SSL certificate.
4. TS Gateway Manager, select ServerName, Properties, SSL Certifcate tab, select an existing certificate for SSL encryption (recommended), Browse Certificates, select the SSL certificate.
5. Terminal Services Configuration, Connections area, select appropriate connection, Properties, General tab, Select, select the SSL certificate.
Meanwhile, the certificates for RD Gateway must meet these requirements:
· The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the RD Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. Multiple CNs are not supported. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.
· The certificate is a computer certificate.
· The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
· The certificate has a corresponding private key.
· The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
· A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an OID of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE,CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE.
· The certificate must be trusted on clients. That is, the public certificate of the CA that signed the RD Gateway server certificate must be located in the client's Trusted Root Certification Authorities store on the client computer.
Hope this helps.
