App-V 5 over https for non-domain clients
Hello, Is this scenario possible?
Hi,
here's how I have it set in my lab. Your mileage may vary, but hopefully this should give you all the different components of how I managed to get it to work, and allow you to try something similar.
Firstly, my publishing server is: HTTPS://CSC-APPV5.CSC.local:8016
I have an application published through the app-v console, with the package URL configured to be:
HTTPS://CSC-APPV5.CSC.local/APPVSHARE/Notepadplusplusx86/notepadplusplusx86.appv
This is published to the AD group CSC.local\notepadplusplus, of which the user CSC.local\appvuser is a member.
On my Windows 8 non domain joined computer, Press Start, type "credential manager", and click on this option under settings.
Click on "Windows Credentials", then click "Add a Windows credential".
It will ask you for the Internet or network address. Based on the information I stated earlier, I entered the address: CSC-APPV5.CSC.local
For User name, I entered: CSC.local\appvuser
and lastly, for password, I entered the current valid credentials for this user.
To test this, I then browsed to the publishing server mentioned above, but found that it still prompted me for a password (but remembered the user ID I had specified), and that the app-v client would not sync through PowerShell.
I then added http://csc-appv5.csc.local into this device's local intranet zone (I'm sure you can avoid this step by adjusting a number of settings; this was just the first quick test I performed).
Browsing to the publishing server address now no longer prompted for a username/pw - correctly showing the application published to this user. I then performed a restart (unlikely to be required, but I just wanted to have a clean run from a user perspective),
and straight away, there was my shortcut to the appv application, and running it resulted in the normal streaming you would expect.
The one thing I will add is I was very particular around fully qualifying everything, to eliminate this as a potential issue, and it would be one of the first places I would start if you are attempting to troubleshoot why you were not able to get this to work.
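The client-side steps from the answer above, scripted in PowerShell as an added example (not part of the original post). Server name, port and account are the poster's lab values; the `https` zone mapping, the display name `CSC-APPV5` and the use of the App-V client cmdlets are assumptions about how to script the same procedure.

```powershell
# Added example. Run in an elevated PowerShell session started as the user who
# will launch the apps: cmdkey and HKCU are per-user, and adding a publishing
# server needs administrative rights.

# Lab values taken from the post; replace with your own, always fully qualified.
$ServerFqdn    = 'CSC-APPV5.CSC.local'
$PublishingUrl = "https://${ServerFqdn}:8016"
$UserName      = 'CSC.local\appvuser'

# 1. Store the domain credential against the server FQDN in Credential Manager.
#    A bare /pass makes cmdkey prompt, so the password never lands in the
#    script, the transcript or the command history.
cmdkey "/add:$ServerFqdn" "/user:$UserName" /pass
if ($LASTEXITCODE -ne 0) { throw "cmdkey failed with exit code $LASTEXITCODE" }

# 2. Map the server into the Local intranet zone (zone 1) for this user so the
#    stored credential is offered without a prompt.
#    Assumption: only the https scheme is mapped, because the publishing server
#    and package URLs are HTTPS; the post typed the http:// form in the dialog.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' +
           '\ZoneMap\Domains\csc.local\csc-appv5'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 `
                 -PropertyType DWord -Force | Out-Null

# 3. Register the publishing server (if it is not there yet) and sync.
Import-Module AppvClient
$server = Get-AppvPublishingServer | Where-Object { $_.URL -eq $PublishingUrl }
if (-not $server) {
    # 'CSC-APPV5' is only a display name chosen for this example.
    $server = Add-AppvPublishingServer -Name 'CSC-APPV5' -URL $PublishingUrl
}
Sync-AppvPublishingServer -ServerId $server.Id

# 4. Confirm that the sync actually delivered packages to this user.
$packages = @(Get-AppvClientPackage)
if ($packages.Count -eq 0) {
    Write-Warning ('No packages published. Check that every name is fully ' +
                   'qualified and that the stored credential is still valid.')
} else {
    $packages | Select-Object Name, Version, PercentLoaded
}
```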
Similar Messages
-
Windows Domain Controller certificate for non domain clients
Hi,
Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
Regards
Hi,
Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
Not sure what you want to achieve here.
However, yes, it is possible to export certificates (with private keys) from domain machines then import them to non-domain machines, and some certificates can even function well based on key usages. Please note that Domain Controller certificates are only meaningful to Domain Controllers. Possession of domain certificates doesn’t indicate machines are part of domain.
Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
Best Regards,
Amy
-
RDP using Smartcard fails with NLA for non-domain members
We have to administer Windows 2008 R2 servers which are in domains we are not members of - typically domains that support a particular application. We have DoD smartcards (CAC) and we admin from our Windows 7 desktops. If we disable NLA, we can CAC-authenticate
over RDP just fine. With NLA enabled, though, we get "The remote computer you are trying to connect to requires NLA but your Windows domain controller cannot be contacted to perform NLA".
My assumption would be that the Win7 desktops would never know where the particular ADCs are, since we're not domain members, but that they actually need to verify the DoD root cert that signed our CAC. Said root cert has been installed on our desktops and
on the servers in the domains.
What is necessary to get NLA with smart cards working for non-domain members?
Edit: With NLA enabled I *can* connect over RDP from one of the domain members to another, so this really seems specific to the non-member desktop settings and how it performs NLA
Hi,
Thank you for posting in Windows Server Forum.
If you use the credential SSP on Windows Vista or Windows 7 to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel
cannot be established without the root certification of the domain controller.
You can use following command for adding certificate.
certutil -addstore -enterprise NTAUTH <CertFile>
Where <CertFile> is the root certificate of the KDC certificate issuer.
More information.
Smart Card and Remote Desktop Services
http://technet.microsoft.com/en-us/library/ff404286(WS.10).aspx
Apart from that, there is one hotfix that might resolve your case; go through the link below once.
RDS client computer cannot connect to the RDS server by using a remote desktop connection in Windows
http://support.microsoft.com/kb/2752618
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
-
Streaming APP-V Applications Over HTTPS
Hello,
Is there any documentation on streaming APP-V 5.0 over HTTPS? I've only found one article online and it's not that great. I set up my APP-V environment with https and none of the client machines will pull the packages and in event view it tells me the package is corrupt. I re-packaged the same application and published them and still unable to stream to any clients.
I reverted my servers back to http and reset the clients are able to stream the application that are presented to them.
All servers are on a domain.
Any input or documentation on streaming over https would be much appreciated.
Peter B Hardy
See Thamim's post:
http://virtualvibes.co.uk/ssl-and-https-with-app-v-5-0/
Regards, Michael - http://blog.notmyfault.ch - -
Exchange 2010 Autodiscover for non-domain computers.
Hello. I have problems with autodiscover for non-domain computers. Somebody can explain me in turn what I must do for configuration.
Hi,
For your Non-domain joined clients, the Outlook would connect to Exchange mailbox from the Internet. We need to enable Outlook Anywhere for your external users:
Enable-OutlookAnywhere -Server:Exch10 -ExternalHostname:mail.contoso.com -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true
For autodiscover service, when Outlook is started on a client that is not domain-connected, it first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Because the client is unable to contact Active
Directory, it tries to locate the Autodiscover service by using Domain Name System (DNS). In this scenario, the client will determine the right side of the user’s email address, that is, contoso.com, and check DNS by using two predefined URLs. For example,
if your email address is [email protected], Outlook will try the following two URLs to try to connect to the Autodiscover service:
https://contoso.com/autodiscover/autodiscover.xml
https://autodiscover.contoso.com/autodiscover/autodiscover.xml
For more information about autodiscover service in Exchange 2010, please refer to:
http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
Therefore, you don’t need to change any configuration for Autodiscover. Just make sure your Exchange certificate which is assigned with IIS service has included autodiscover.contoso.com name and the certificate is valid and trusted for external user using. If not, please create a new SRV record for your autodiscover service and point it to mail.contoso.com. For more information about SRV record of autodiscover, please click:
http://support.microsoft.com/kb/940881
Regards,
Winnie Liang
TechNet Community Support -
RDS 2012 Disable HTTP transport - Enable only RPC over HTTP for both pre 8 and 8 RDP clients
Hi,
Is it possible to enable only RPC over HTTP for both pre 8 and 8 RDP clients?
Thank you
I would like to know this as well.
-
Sharing Primary Site and Secondary Site's SUP WSUS for non-SCCM client use
I was wondering if the WSUS deployed for the SCCM's SUP can also be (re)used for non-SCCM clients.
Our SCCM infrastructure are mainly used to manage Workstations whereas our back-end servers are not deployed with SCCM agents due to overlapping SLAs and responsibilities. However, we would like to take advantage of WSUS's centralized update repository without
each back-end servers initiating connection to the Internet to get their updates.
Is this possible?
No. WSUS servers that are used for SUPs are controlled by ConfigMgr and cannot be used outside ConfigMgr.
Torsten Meringer | http://www.mssccmfaq.de -
RemoteApp file associations for non-domain computers
I have a customer with a simple AD domain, and some joined and some workgroup computers, all windows 8.1 pro. I want to connect them to my remote app service. We want to create a "default connection" for this remote app service, specifically for
the file type associations. We tried using the default connection group policy, but credentials are a problem. The remote app service has its own domain. So the "default connection" created by the group policy is trying to use the local logon credentials.
Is there a way to specify what default credentials are to be used for the remoteapp "default connection" using credential manager? Or is there a better way to accomplish remote app file type associations all together using non-domain joined Windows
8.1 and 2012R2 remote app on a different domain?
Hi,
For your case, you can try the following way. You can create the RDP file as what you want and then publish that RDP file as RemoteApp with default user credentials. When non-domain joined system will get access to RD Web they will launch the RemoteApp as they
are using the other apps, the RDP file App will first get connect to the RDS Farm server name which is displayed and try to resolve that name through gateway or any other method which is configured. Once got resolve it will use the default user credentials
to connect to that user and then the user can use that RDP file to connect to the respective Server.
Apart for file type association you can go through the detailed article for more information.
Windows Server 2012 RemoteApp and Desktop Connections: Default Connections and File Type Associations
http://blogs.msdn.com/b/rds/archive/2013/05/21/windows-server-2012-remoteapp-and-desktop-connections-default-connections-and-file-type-associations.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
-
Direct Access for Non Domain Machines
Hi,
In my IT infra, there are multiple machines that are outside my office network & domain.
Can we join these machines to the domain via Direct Access implementation? Or, for implementing Direct Access, are we required to join those non-domain & out-of-office-network machines to the domain first?
Secondly, can we implement Direct Access without any public certificate purchase, and without any IPv6 configuring in the internal network, machines and servers? Currently I am using IPv4 IPs on all machines & servers.
I have gone through the Direct Access TechNet guide but I feel it is a very complex document. Can you please brief me about Direct Access implementation in a simple way? I want to implement Direct Access to join the internet-based client machines to the domain and manage via/for SCCM ...
Shailendra Dev
Correct, DirectAccess clients must be domain joined. Also, only Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise clients are able to be DirectAccess connected, so that may also make a difference to your situation. I see many customers deploy
DirectAccess for those Win7/Win8 domain-joined systems, and then make use of the traditional (RRAS) VPN on the same DirectAccess server for connecting any other operating systems or non-domain-joined machines. Those would just have to launch a manual VPN connection,
where the DirectAccess connections are of course automatically connected.
You don't "have" to use an SSL certificate that you purchased from a public CA, but you really should. It is definitely a best practice to use a trusted public certificate on your DirectAccess server. Further, if you have Windows 8 client computers,
you don't even need to distribute the machine certificates inside your network, but it is also a best practice that you do this anyway, to strengthen the authentication process.
No, you do not need IPv6 inside your network at all for DirectAccess to work.
Sounds like you might be interested in some additional reading on DA, here are the two books available on the subject:
https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting
https://www.packtpub.com/networking-and-servers/windows-server-2012-unified-remote-access-planning-and-deployment -
DNS working intermittently for non-domain joined machines
I have a small single Server 2012 based network, with about 90% windows clients. DNS is running on the Windows Server 2008 machine, but DHCP is provided via a unix based firewall machine. Within the DNS configuration I have all of my windows
clients (mostly Windows 8.x clients, but there are a few Windows 7 ones as well) and a few *nix ones as well. All of the Windows clients are domain joined, except for one machine which is currently running Windows 10 preview, though it was a Windows
7 machine originally. In the DNS configuration I have a number of statically entered A records, used to give my *nix machines a name on the local network.
When trying to access systems by name (via ping or by other services), there is a very consistent behavior - my domain joined machines are able to resolve all names 100% of the time without any issues. However, the non-domain joined machines, both
Windows and not, are consistently inconsistent. To be more precise, when I try to resolve a name it will randomly work and randomly not. IP setup and configuration looks correct, meaning they have valid IP, DNS is set to my Windows Server,
default gateway, etc. are all correct. Pinging external machines (ie google.com, etc.) works 100% of the time, but trying to ping any internal machine is a total crap shoot. The only exception to this is the Windows Server 2012 machine itself,
which always works.
From past experience I know that the moment I join a machine to the domain all of the DNS issues goes away, which is fine for the Windows boxes but not so much for the rest. I also have visitors occasionally come by, who I cannot expect to join my
domain just to make things work normally.
This network originally started life out as Windows Server 2003 domain, but was upgraded to 2012 about two months ago. I have been seeing this problem for years, but have always assumed it to be a Server 2003 issue and figured it would go away when
I upgraded. Nope...
Any ideas as to the cause of this and what I can do about it?
Thanks,
peter
It's really weird - I can ping an address and not have it work, then do a NSLookup of the same address against my DNS server and it resolves just fine. Take a look at this screen copy below:
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>nslookup apollo.bakonet.local 192.168.124.9
Server: orac.bakonet.local
Address: 192.168.124.9
Name: apollo.bakonet.local
Address: 192.168.124.27
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>ipconfig /all |more
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win10
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bakonet.local
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-21-CC-65-1B-8F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : A0-88-B4-A2-41-81
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : bakonet.local
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . : A0-88-B4-A2-41-80
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fc47:8a91:6b25:bd0e%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.124.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, January 5, 2015 7:34:47 PM
Lease Expires . . . . . . . . . . : Tuesday, February 3, 2015 7:15:20 PM
Default Gateway . . . . . . . . . : 192.168.124.1
DHCP Server . . . . . . . . . . . : 192.168.124.1
DHCPv6 IAID . . . . . . . . . . . : 60852404
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-C6-18-82-00-21-CC-65-1B-8F
DNS Servers . . . . . . . . . . . : 192.168.124.9
24.229.54.212
216.144.187.199
Primary WINS Server . . . . . . . : 192.168.124.9
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : EC-55-F9-F5-14-76
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Does this actually make sense? Obviously the DNS server is online, it works and when a lookup is requested directly it works, and the DNS server is listed as first in the IP configuration. So why would it not work?! -
Content Search Web Part over HTTPS for a Host Named Site Collection
Hello
I have a host named site collection http://media.contoso.com which is a media portal that stores videos and pictures. On my parent site collection http://site.contoso.com homepage I have a Content Search Web Part that displays videos from the media portal.
Both sites work over https.
When I edit the content search web part and enter the URL http://media.contoso.com in the 'Change Query' box, search returns the results as expected but when I enter the URL as
https://media.contoso.com no results are returned.
I have removed the binding in IIS to point to http://media.contoso.com.
I need it to be https so that I don't see "HTTPS security is compromised by http://media.contoso.com" on my site collection homepage.
Any idea why this is happening?
Thanks
Yoshi
http://technet.microsoft.com/en-us/library/ee792873%28v=office.15%29.aspx
In the Search SSL Settings dialog box, do one of the following:
If you do not want the crawler to crawl a site when there is an SSL certificate warning, make sure that the Ignore SSL certificate name warnings check box is cleared. For security reasons, the check box is cleared by default.
If you want the crawler to crawl a site even if there is an SSL certificate warning, make sure that the Ignore SSL certificate name warnings check box is selected.
If this helped you resolve your issue, please mark it Answered. You can reach me through http://freeit-support.com/ -
WMI filtering / GPO for non domain members
Hi all,
Our customer make use of a Windows Server 2008 R2 RDS. We use some thin clients and win7 workstations to connect with it inside our domain.
We had a policy for automatic screen lock and secure with password, but they don't want to use it anymore for the users who are working internally. So I disabled this policy.
What they want is a policy for all homeworkers or users connecting from an internet cafe or something. So if they are not connecting from a specific subnet or domain, the screens have to lock automatically after a few minutes.
Does anyone know how I can do this? Do I have to create a WMI filter for computers which are not domain members, or do I have to do this for a specific subnet?
Thanks!
Kind regards, Raymond
I thought I should clarify this based on your question:
You say you want filtering based on "non-domain users". Are you saying you have users connecting in that are not using AD accounts? How are you doing this? Are they using local accounts on the server?
How are you allowing non-domain accounts to connect? Where are the accounts defined?
Maybe you really are asking about domain users connecting from the WAN and not from the LAN. Is that what you are trying to ask?
¯\_(ツ)_/¯ -
Create a certificate for non domain-joined PCs
We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined
PCs look to the CA to get their trusted certificate from.
This is the issue I am encountering:
Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
"DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
"DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!
It sounds like the question you are really asking is :
How do I designate the internal root CA as a trusted root CA
Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt)
This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
Run Certutil -addstore CA IssuingCA.crt
Brian -
Apps not working over 3G for iphone 5 (iOS 7)
I have i5 & recently updated to iOS7. Very frequently, my apps don't work over the 3G network, however, they do so over Wi-fi. Fb, emails, whatsapp and many more apps don't work over 3G. Safari works. Have tried resetting network settings and hard reset, but no solution. The trend for apps not working is very random, sometimes they do work, sometimes they don't. It's very irritating. Anybody with a solution?
I don't know whether this is going to resolve the problem, but worth a try
under settings>cellular
when you scroll down
you can choose which apps can use cellular data
may be you can recycle the switch for the suspect apps -
Licensing for non domain joined machines
Good Day
would additional licensing be required to manage non domain joined machines or would this be covered by the current EA. can someone explain how licensing for the management of non domain machines would work?
thanks
daniel
Hi,
There is no difference if you don't want to license them differently and if that is possible in your agreement, so you should contact your MS License reseller.
You could buy a System Center Configuration Manager CAL if you want to manage it, that will only cover ConfigMgr and not Endpoint protection for instance. So you should really contact your reseller and see what is the most optimal solution for your company/organisation.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec