App-V 5 over https for non-domain clients

Hello, Is this scenario possible?

Hi,
here's how I have it set in my lab. Your mileage may vary, but hopefully this should give you all the different components of how I managed to get it to work, and allow you to try something similar.
Firstly, my publishing server is: HTTPS://CSC-APPV5.CSC.local:8016
I have an application published through the app-v console, with the package URL configured to be:
HTTPS://CSC-APPV5.CSC.local/APPVSHARE/Notepadplusplusx86/notepadplusplusx86.appv
This is published to the AD group CSC.local\notepadplusplus, of which the user CSC.local\appvuser is a member.
On my Windows 8 non-domain-joined computer, press Start, type "credential manager", and click on this option under Settings.
Click on "Windows Credentials", then click "Add a Windows credential".
It will ask you for the Internet or network address. Based on the information I stated earlier, I entered the address: CSC-APPV5.CSC.local
For User name, I entered: CSC.local\appvuser
Lastly, for password I entered the current valid credentials for this user.
To test this, I then browsed to the publishing server mentioned above, but found that it still prompted me for a password (but remembered the user ID I had specified), and that the app-v client would not sync through powershell.
I then added http://csc-appv5.csc.local into this device's local intranet zone (I'm sure you can avoid this step by adjusting a number of various settings; this was just the first quick test I performed).
Browsing to the publishing server address now no longer prompted for a username/pw - correctly showing the application published to this user. I then performed a restart (unlikely to be required, but I just wanted to have a clean run from a user perspective),
and straight away, there was my shortcut to the appv application, and running it resulted in the normal streaming you would expect.
The one thing I will add is that I was very particular about fully qualifying everything, to eliminate this as a potential issue, and it would be one of the first places I would start if you are attempting to troubleshoot why you were not able to get this to work.
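
The steps from the answer above, scripted as an added example (not part of the original post). Host, port and account are the lab values quoted in the post; the server name `CSC-APPV5` passed to the App-V client and the choice to map the `https` scheme are assumptions.

```powershell
# Added example. Host, port and account are the lab values quoted in the post above.
$ServerFqdn    = 'CSC-APPV5.CSC.local'
$PublishingUrl = "https://${ServerFqdn}:8016"
$DomainUser    = 'CSC.local\appvuser'

# 1. Store the domain credential for this one host (Credential Manager > Windows Credentials).
#    /pass without a value makes cmdkey prompt, so the password is not written to the
#    script, the console history or the process command line.
cmdkey /add:$ServerFqdn /user:$DomainUser /pass
cmdkey /list:$ServerFqdn          # confirm the entry exists; the password is never shown

# 2. Put only this FQDN into the Local intranet zone (zone 1) for the current user.
#    Assumption: the scheme mapped here is https, to match the publishing URL; the post
#    lists the zone entry with an http:// prefix. Mapping a single host keeps automatic
#    logon from handing the stored credential to any other server.
$hostLabel, $parentDomain = $ServerFqdn.ToLower() -split '\.', 2
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$parentDomain\$hostLabel"
if (-not (Test-Path $zoneKey)) {
    New-Item -Path $zoneKey -Force | Out-Null
}
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# 3. Register the publishing server if the client does not know it yet, then sync.
#    Add-AppvPublishingServer needs an elevated session; the sync itself runs for the
#    logged-on user. 'CSC-APPV5' is only a display name chosen for this example.
Import-Module AppvClient
$server = Get-AppvPublishingServer | Where-Object { $_.URL -eq $PublishingUrl }
if (-not $server) {
    $server = Add-AppvPublishingServer -Name 'CSC-APPV5' -URL $PublishingUrl
}
Sync-AppvPublishingServer -ServerId $server.Id

# 4. The package published to CSC.local\notepadplusplus should now be listed.
Get-AppvClientPackage -All | Select-Object Name, Version, PercentLoaded
```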

Similar Messages

  • Windows Domain Controller certificate for non domain clients

    Hi,
    Is it possible that we can export a Windows domain certificate and use it for non-domain computers without joining the domain, so that they can communicate with each other without joining the domain controller?
    Regards

    Hi,
    Not sure what you want to achieve here.
    However, yes, it is possible to export certificates (with private keys) from domain machines then import them to non-domain machines, and some certificates can even function well based on key usages. Please note that Domain Controller certificates are only
    meaningful to Domain Controllers. Possession of domain certificates doesn’t indicate machines are part of domain.
    Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
    Best Regards,
    Amy

  • RDP using Smartcard fails with NLA for non-domain members

    We have to administer Windows 2008 R2 servers which are in domains we are not members of - typically domains that support a particular application. We have DoD smartcards (CAC) and we admin from our Windows 7 desktops. If we disable NLA, we can CAC-authenticate
    over RDP just fine. With NLA enabled, though, we get "The remote computer you are trying to connect to requires NLA but your Windows domain controller cannot be contacted to perform NLA".
    My assumption would be that the Win7 desktops would never know where the particular ADCs are, since we're not domain members, but that they actually need to verify the DoD root cert that signed our CAC. Said root cert has been installed on our desktops and
    on the servers in the domains.
    What is necessary to get NLA with smart cards working for non-domain members?
    Edit: With NLA enabled I *can* connect over RDP from one of the domain members to another, so this really seems specific to the non-member desktop settings and how it performs NLA

    Hi,
    Thank you for posting in Windows Server Forum.
    If you use the credential SSP on Windows Vista or Windows 7 to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel
    cannot be established without the root certification of the domain controller.
    You can use following command for adding certificate.
    certutil -addstore -enterprise NTAUTH <CertFile>
    Where <CertFile> is the root certificate of the KDC certificate issuer.
    More information.
    Smart Card and Remote Desktop Services
    http://technet.microsoft.com/en-us/library/ff404286(WS.10).aspx
    Apart from that, there is one hotfix that might resolve your case; go through the link below once.
    RDS client computer cannot connect to the RDS server by using a remote desktop connection in Windows
    http://support.microsoft.com/kb/2752618
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Streaming APP-V Applications Over HTTPS

    Hello,
    Is there any documentation on streaming APP-V 5.0 over HTTPS? I've only found one article online and it's not that great. I set up my APP-V environment with https and none of the client machines will pull the packages, and in event
    view it tells me the package is corrupt. I re-packaged the same applications and published them and am still unable to stream to any clients.
    I reverted my servers back to http and reset, and the clients are able to stream the applications that are presented to them.
    All servers are on a domain.
    Any input or documentation on streaming over https would be much appreciated.
    Peter B Hardy

    See Thamim's post:
    http://virtualvibes.co.uk/ssl-and-https-with-app-v-5-0/
    Regards, Michael - http://blog.notmyfault.ch -

  • Exchange 2010 Autodiscover for non-domain computers.

    Hello. I have problems with autodiscover for non-domain computers. Can somebody explain to me in turn what I must do for configuration?

    Hi,
    For your Non-domain joined clients, the Outlook would connect to Exchange mailbox from the Internet. We need to enable Outlook Anywhere for your external users:
    Enable-OutlookAnywhere -Server:Exch10 -ExternalHostname:mail.contoso.com -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true
    For autodiscover service, when Outlook is started on a client that is not domain-connected, it first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Because the client is unable to contact Active
    Directory, it tries to locate the Autodiscover service by using Domain Name System (DNS). In this scenario, the client will determine the right side of the user’s email address, that is, contoso.com, and check DNS by using two predefined URLs. For example,
    if your email address is [email protected], Outlook will try the following two URLs to try to connect to the Autodiscover service:
    https://contoso.com/autodiscover/autodiscover.xml
    https://autodiscover.contoso.com/autodiscover/autodiscover.xml
    For more information about autodiscover service in Exchange 2010, please refer to:
    http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
    Therefore, you don’t need to change any configuration for Autodiscover. Just make sure the Exchange certificate that is assigned to the IIS service includes the autodiscover.contoso.com name and that the certificate is valid and trusted for external
    users. If not, please create a new SRV record for your autodiscover service and point it to
    mail.contoso.com. For more information about the SRV record for autodiscover, please click:
    http://support.microsoft.com/kb/940881
    Regards,
    Winnie Liang
    TechNet Community Support
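
The lookup order and certificate-name requirement described in the reply above, as an added example that is not part of the original post. The mailbox address and the certificate name list are constructed sample values; the function names are hypothetical.

```powershell
# Added example. Derives what a non-domain Outlook client will try for a given
# address and checks whether a certificate's names cover those hosts.
function Get-AutodiscoverCandidate {
    param([Parameter(Mandatory = $true)][string]$EmailAddress)
    # "The right side of the user's email address"
    $domain = ($EmailAddress -split '@')[-1].ToLower()
    [pscustomobject]@{
        Urls      = @("https://$domain/autodiscover/autodiscover.xml",
                      "https://autodiscover.$domain/autodiscover/autodiscover.xml")
        SrvRecord = "_autodiscover._tcp.$domain"   # fallback described in KB940881
    }
}

function Test-CertificateCoversHost {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }          # exact match (case-insensitive)
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label.
            $parent = ($HostName -split '\.', 2)[1]
            if ($parent -eq $name.Substring(2)) { return $true }
        }
    }
    return $false
}

# Constructed sample input: a certificate that only carries the Outlook Anywhere name.
$certNames = @('mail.contoso.com')
$candidate = Get-AutodiscoverCandidate -EmailAddress 'user@contoso.com'

$covered = $false
foreach ($url in $candidate.Urls) {
    $hostName = ([uri]$url).Host
    $ok = Test-CertificateCoversHost -CertNames $certNames -HostName $hostName
    if ($ok) { $covered = $true }
    '{0,-28} covered by certificate: {1}' -f $hostName, $ok
}
if (-not $covered) {
    "No candidate host is on the certificate; publish SRV $($candidate.SrvRecord) pointing to a name that is, e.g. $($certNames[0])"
}
```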

  • RDS 2012 Disable HTTP transport - Enable only RPC over HTTP for both pre 8 and 8 RDP clients

    Hi,
    Is it possible to enable only RPC over HTTP for both pre 8 and 8 RDP clients?
    Thank you

    I would like to know this as well.

  • Sharing Primary Site and Secondary Site's SUP WSUS for non-SCCM client use

    I was wondering if the WSUS deployed for the SCCM's SUP can also be (re)used for non-SCCM clients.
    Our SCCM infrastructure is mainly used to manage workstations, whereas our back-end servers are not deployed with SCCM agents due to overlapping SLAs and responsibilities. However, we would like to take advantage of WSUS's centralized update repository without
    each back-end server initiating a connection to the Internet to get its updates.
    Is this possible?

    No. WSUS servers that are used for SUPs are controlled by ConfigMgr and cannot be used outside ConfigMgr.
    Torsten Meringer | http://www.mssccmfaq.de

  • RemoteApp file associations for non-domain computers

    I have a customer with a simple AD domain, and some joined and some workgroup computers, all windows 8.1 pro. I want to connect them to my remote app service. We want to create a "default connection" for this remote app service, specifically for
    the file type associations. We tried using the default connection group policy, but credentials are a problem. The remote app service has its own domain. So the "default connection" created by the group policy is trying to use the local logon credentials.
    Is there a way to specify what default credentials are to be used for the remoteapp "default connection" using credential manager? Or is there a better way to accomplish remote app file type associations all together using non-domain joined Windows
    8.1 and 2012R2 remote app on a different domain?

    Hi,
    For your case, you can try the following way. You can create the RDP file as you want it and then publish that RDP file as a RemoteApp with default user credentials. When a non-domain-joined system gets access to RD Web, they will launch the RemoteApp as they
    do the other apps; the RDP file app will first connect to the RDS farm server name which is displayed and try to resolve that name through the gateway or any other method which is configured. Once resolved, it will use the default user credentials
    to connect to that user, and then the user can use that RDP file to connect to the respective server.
    Apart from that, for file type association you can go through the detailed article for more information.
    Windows Server 2012 RemoteApp and Desktop Connections: Default Connections and File Type Associations
    http://blogs.msdn.com/b/rds/archive/2013/05/21/windows-server-2012-remoteapp-and-desktop-connections-default-connections-and-file-type-associations.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Direct Access for Non Domain Machines

    Hi,
    In my IT infrastructure, there are multiple machines that are outside my office network and domain.
    Can we join these machines to the domain via a DirectAccess implementation? Or, for implementing DirectAccess, are we required to join those non-domain, out-of-office-network machines to the domain first?
    Secondly, can we implement DirectAccess without purchasing any public certificate, and without configuring any IPv6 in the internal network, machines and servers? Currently I am using IPv4 on all machines and servers.
    I have gone through the DirectAccess TechNet guide but I find it a very complex document. Can you please brief me about DirectAccess implementation in a simple way? I want to implement DirectAccess to join the internet-based client machines to
    the domain and manage them via/for SCCM ...
    Shailendra Dev

    Correct, DirectAccess clients must be domain joined. Also, only Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise clients are able to be DirectAccess connected, so that may also make a difference to your situation. I see many customers deploy
    DirectAccess for those Win7/Win8 domain-joined systems, and then make use of the traditional (RRAS) VPN on the same DirectAccess server for connecting any other operating systems or non-domain-joined machines. Those would just have to launch a manual VPN connection,
    where the DirectAccess connections are of course automatically connected.
    You don't "have" to use an SSL certificate that you purchased from a public CA, but you really should. It is definitely a best practice to use a trusted public certificate on your DirectAccess server. Further, if you have Windows 8 client computers,
    you don't even need to distribute the machine certificates inside your network, but it is also a best practice that you do this anyway, to strengthen the authentication process.
    No, you do not need IPv6 inside your network at all for DirectAccess to work.
    Sounds like you might be interested in some additional reading on DA, here are the two books available on the subject:
    https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting
    https://www.packtpub.com/networking-and-servers/windows-server-2012-unified-remote-access-planning-and-deployment

  • DNS working intermittently for non-domain joined machines

    I have a small single Server 2012 based network, with about 90% windows clients.  DNS is running on the Windows Server 2008 machine, but DHCP is provided via a unix based firewall machine.  Within the DNS configuration I have all of my windows
    clients (mostly Windows 8.x clients, but there are a few Windows 7 ones as well) and a few *nix ones as well.  All of the Windows clients are domain joined, except for one machine which is currently running Windows 10 preview, though it was a Windows
    7 machine originally.  In the DNS configuration I have a number of statically entered A records, used to give my *nix machines a name on the local network.
    When trying to access systems by name (via ping or by other services), there is a very consistent behavior - my domain joined machines are able to resolve all names 100% of the time without any issues.  However, the non-domain joined machines, both
    Windows and not, are consistently inconsistent.  To be more precise, when I try to resolve a name it will randomly work and randomly not.  IP setup and configuration looks correct, meaning they have  valid IP, DNS is set to my Windows Server,
    default gateway, etc. are all correct.  Pinging external machines (ie google.com, etc.) works 100% of the time, but trying to ping any internal machine is a total crap shoot.  The only exception to this is the Windows Server 2012 machine itself,
    which always works.
    From past experience I know that the moment I join a machine to the domain all of the DNS issues go away, which is fine for the Windows boxes but not so much for the rest.  I also have visitors occasionally come by, who I cannot expect to join my
    domain just to make things work normally.
    This network originally started life out as Windows Server 2003 domain, but was upgraded to 2012 about two months ago.  I have been seeing this problem for years, but have always assumed it to be a Server 2003 issue and figured it would go away when
    I upgraded.  Nope...
    Any ideas as to the cause of this and what I can do about it?
    Thanks,
    peter

    It's really weird - I can ping an address and not have it work, then do an NSLookup of the same address against my DNS server and it resolves just fine.  Take a look at this screen copy below:
    C:\Users\Peter>ping apollo.bakonet.local
    Ping request could not find host apollo.bakonet.local. Please check the name and try again.
    C:\Users\Peter>nslookup apollo.bakonet.local 192.168.124.9
    Server:  orac.bakonet.local
    Address:  192.168.124.9
    Name:    apollo.bakonet.local
    Address:  192.168.124.27
    C:\Users\Peter>ping apollo.bakonet.local
    Ping request could not find host apollo.bakonet.local. Please check the name and try again.
    C:\Users\Peter>ipconfig /all |more
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : Win10
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : bakonet.local
    Ethernet adapter Ethernet:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-21-CC-65-1B-8F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Local Area Connection* 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : A0-88-B4-A2-41-81
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . : bakonet.local
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
       Physical Address. . . . . . . . . : A0-88-B4-A2-41-80
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::fc47:8a91:6b25:bd0e%2(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.124.64(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, January 5, 2015 7:34:47 PM
       Lease Expires . . . . . . . . . . : Tuesday, February 3, 2015 7:15:20 PM
       Default Gateway . . . . . . . . . : 192.168.124.1
       DHCP Server . . . . . . . . . . . : 192.168.124.1
       DHCPv6 IAID . . . . . . . . . . . : 60852404
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-C6-18-82-00-21-CC-65-1B-8F
       DNS Servers . . . . . . . . . . . : 192.168.124.9
                                           24.229.54.212
                                           216.144.187.199
       Primary WINS Server . . . . . . . : 192.168.124.9
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : EC-55-F9-F5-14-76
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Does this actually make sense?  Obviously the DNS server is online, it works and when a lookup is requested directly it works, and the DNS server is listed as first in the IP configuration.  So why would it not work?!

  • Content Search Web Part over HTTPS for a Host Named Site Collection

    Hello
    I have a host named site collection http://media.contoso.com which is a media portal that stores videos and pictures. On my parent site collection http://site.contoso.com homepage I have a Content Search Web Part that displays videos from the media portal.
    Both sites work over https.
    When I edit the content search web part and enter the URL http://media.contoso.com in the 'Change Query' box, search returns the results as expected but when I enter the URL as
    https://media.contoso.com no results are returned.
    I have removed the binding in IIS to point to http://media.contoso.com.
    I need it to be https so that I don't see "HTTPS security is compromised by http://media.contoso.com" on my site collection homepage.
    Any idea why this is happening?
    Thanks
    Yoshi

    http://technet.microsoft.com/en-us/library/ee792873%28v=office.15%29.aspx
    In the Search SSL Settings dialog box, do one of the following:
    If you do not want the crawler to crawl a site when there is an SSL certificate warning, make sure that the
    Ignore SSL certificate name warnings check box is cleared. For security reasons, the check box is cleared by default.
    If you want the crawler to crawl a site even if there is an SSL certificate warning, make sure that the
    Ignore SSL certificate name warnings check box is selected.
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://freeit-support.com/

  • WMI filtering / GPO for non domain members

    Hi all,
    Our customer makes use of a Windows Server 2008 R2 RDS. We use some thin clients and Win7 workstations to connect with it inside our domain.
    We had a policy for automatic screen lock and secure with password, but they don't want to use it anymore for the users who are working internally. So I disabled this policy.
    What they want is a policy for all homeworkers or users connecting from an internet cafe or something. So if they are not connecting from a specific subnet or domain, the screens have to lock automatically after a few minutes.
    Does anyone know how I can do this? Do I have to create a WMI filter for computers which are not domain members or do I have to do this for a specific subnet?
    Thanks!
    Kind regards, Raymond

    I thought I should clarify this based on your question:
    You say you want filtering based on "non-domain users".  Are you saying you have users connecting in that are not using AD accounts?  How are you doing this?  Are they using local accounts on the server?
    How are you allowing non-domain accounts to connect? Where are the accounts defined?
    Maybe you really are asking about domain users connecting from the WAN and not from the LAN.  Is that what you are trying to ask?
    ¯\_(ツ)_/¯

  • Create a certificate for non domain-joined PCs

    We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined
    PCs look to the CA to get their trusted certificate from.
    This is the issue I am encountering:
    Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
    However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
    "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
    "DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!

    It sounds like the question you are really asking is :
    How do I designate the internal root CA as a trusted root CA
    Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt)
    This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
    Run Certutil -addstore CA IssuingCA.crt 
    Brian
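
The two imports from the reply above with a fingerprint check added before the root is trusted, as an added example that is not part of the original post. The file names are the ones used in the reply; the expected thumbprint is a placeholder to be filled from an out-of-band source such as the CA console.

```powershell
# Added example. Run from an elevated session on the non-domain PC.
$RootFile      = '.\RootCert.crt'
$IssuingFile   = '.\IssuingCA.crt'
$ExpectedThumb = '<ROOT-CA-SHA1-THUMBPRINT>'   # placeholder, obtain out of band

$rootPath    = (Resolve-Path $RootFile).Path
$issuingPath = (Resolve-Path $IssuingFile).Path
$certType    = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$root        = New-Object $certType -ArgumentList $rootPath
$issuing     = New-Object $certType -ArgumentList $issuingPath

# Anything placed in the Root store is trusted for every purpose, so refuse a file
# that is not self-signed or whose fingerprint differs from the one verified separately.
if ($root.Subject -ne $root.Issuer) {
    throw "$RootFile is not a self-signed root certificate"
}
$wanted = ($ExpectedThumb -replace '[\s:]', '').ToUpper()
if ($root.Thumbprint -ne $wanted) {
    throw "Root thumbprint mismatch: file has $($root.Thumbprint)"
}

# Same effect as 'certutil -addstore root' and 'certutil -addstore CA' in the reply.
Import-Certificate -FilePath $rootPath    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $issuingPath -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# Confirm the client can now build Issuing CA -> Root CA. Revocation is checked online
# by default, so an unreachable CRL shows up here as RevocationStatusUnknown.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($issuing)
"Chain trusted: $trusted"
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
```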

  • Apps not working over 3G for iphone 5 (iOS 7)

    I have an i5 and recently updated to iOS 7. Very frequently, my apps don't work over the 3G network; however, they do so over Wi-Fi. Fb, emails, WhatsApp and many more apps don't work over 3G. Safari works. Have tried resetting network settings and a hard reset, but no solution. The trend for apps not working is very random: sometimes they do work, sometimes they don't. It's very irritating. Anybody with a solution?

    I don't know whether this is going to resolve the problem, but it's worth a try
    under settings>cellular
    when you scroll down
    you can choose which apps can use cellular data
    maybe you can recycle the switch for the suspect apps

  • Licensing for non domain joined machines

    Good Day
    Would additional licensing be required to manage non-domain-joined machines, or would this be covered by the current EA? Can someone explain how licensing for the management of non-domain machines would work?
    thanks
    daniel

    Hi,
    There is no difference if you don't want to license them differently and if that is possible in your agreement, so you should contact your MS License reseller.
    You could buy a System Center Configuration Manager CAL if you want to manage it; that will only cover ConfigMgr and not Endpoint Protection, for instance. So you should really contact your reseller and see what is the most optimal solution for your company/organisation.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec
