Without a unique, publicly-resolvable Active Directory domain (i.e. using foo.local vs. corp.foo.com), is it possible to achieve RDP certificate/SSO Nirvana? i.e. end-to-end, zero nag, RDP sessions (RemoteApp + Remote Desktop) without requiring client-side certificate installation.
I want to keep this high-level: I can work through the planning/configuration process (and ask additional questions as required), but before I go down this road (vs. looking at alternatives like Citrix), I want to know if this is possible.
Without installing certificates on your clients? Then the answer is simply no. No. No.
However, it's possible iff you distribute the root certificate used for the RDP sessions to every client who will be making those RDP connections.
If I have a domain called INamedMyDomainPoorly.local, no globally-trusted certificate authority such as GoDaddy or Cybertrust is going to issue a certificate for that. But I can easily stand up my own internal certificate authority, ca.INamedMyDomainPoorly.local, have it issue a certificate for rdsessionhost.INamedMyDomainPoorly.local, and then add the root CA's cert (and chain, if applicable) to the Trusted Root CA store on all my clients.
I could distribute this certificate with Group Policy if all my clients are joined to an Active Directory domain.
The certificate would need to accurately reflect the hostname of the RD session your clients are connecting to, your clients would need DNS resolution for INamedMyDomainPoorly.local, and it would need to include one or more CDPs (CRL Distribution Points) that are accessible by your clients.
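As an added worked example (not part of the question or the answer above), the following PowerShell checks, from a client's point of view, the four conditions the answer lists for the internal-CA approach: the client resolves the internal name, the certificate presented on the RDP listener matches that name, it chains to a root that is present in the client's Trusted Root store (with revocation checked), and its CRL Distribution Point is reachable. It assumes Windows PowerShell 5.1 on a client, an RD Session Host listening on TCP 3389 under the hostname used in the answer (rdsessionhost.INamedMyDomainPoorly.local), and that the server accepts TLS or CredSSP security; the negotiation bytes are the X.224 Connection Request with an RDP_NEG_REQ as defined in MS-RDPBCGR, because an RDP listener only starts TLS after that exchange.

```powershell
# Added example: client-side pre-flight check of an RD Session Host certificate.
# Not from the original Q&A. Assumes Windows PowerShell 5.1 and an RDP listener
# on TCP 3389 that offers TLS (PROTOCOL_SSL) or CredSSP (PROTOCOL_HYBRID).

function Get-RdpServerCertificate {
    param([string]$HostName, [int]$Port = 3389)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $net = $client.GetStream()
    # TPKT header (total length 0x13 = 19) + X.224 Connection Request +
    # RDP_NEG_REQ: type 0x01, flags 0, length 8, requestedProtocols = SSL|HYBRID (0x03)
    $req = [byte[]](0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                    0x01,0x00,0x08,0x00, 0x03,0x00,0x00,0x00)
    $net.Write($req, 0, $req.Length)
    $rsp = New-Object byte[] 19
    $read = 0
    while ($read -lt 19) {
        $n = $net.Read($rsp, $read, 19 - $read)
        if ($n -le 0) { break }
        $read += $n
    }
    # Byte 11 is the RDP_NEG type: 0x02 = RDP_NEG_RSP (TLS follows), 0x03 = RDP_NEG_FAILURE
    if ($read -lt 19 -or $rsp[11] -ne 0x02) {
        $client.Close()
        throw "Server did not agree to a TLS-based security protocol"
    }
    # Record the policy errors a normal client would raise, but accept the
    # handshake so the certificate can be inspected afterwards.
    $state = @{ Errors = $null }
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure()
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
    # Final $true asks .NET to perform revocation checking while building the chain
    $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $client.Close()
    [pscustomobject]@{ Certificate = $cert; PolicyErrors = $state.Errors }
}

function Test-RdpCertificateTrust {
    param([string]$HostName = 'rdsessionhost.INamedMyDomainPoorly.local')  # hostname from the answer
    $results = [ordered]@{}

    # 1. Client-side DNS resolution of the internal (.local) name
    $results.DnsResolves = [bool](Resolve-DnsName $HostName -ErrorAction SilentlyContinue)
    if (-not $results.DnsResolves) { return [pscustomobject]$results }

    $r = Get-RdpServerCertificate -HostName $HostName
    $cert = $r.Certificate
    $results.Subject = $cert.Subject
    $results.Issuer  = $cert.Issuer

    # 2. Name match: the flag a stock client raises when CN/SAN does not match the name typed in
    $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $results.NameMatches = -not ($r.PolicyErrors -band $mismatch)

    # 3. Chain to a root in this machine's Trusted Root store, with online revocation checking
    $chainErr = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $results.ChainTrusted = -not ($r.PolicyErrors -band $chainErr)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($cert)
    $results.ChainStatus = ($chain.ChainStatus | ForEach-Object Status) -join ','
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $results.RootInTrustedStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $root.Thumbprint)

    # 4. CDP reachability: every URL in the CRL Distribution Points extension (OID 2.5.29.31);
    #    only HTTP(S) URLs are probed here, LDAP CDPs are listed but not tested.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdp) { $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value } }
    $results.CdpUrls = $urls -join ' '
    $results.CdpReachable = $false
    foreach ($u in ($urls | Where-Object { $_ -like 'http*' })) {
        try { $null = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10; $results.CdpReachable = $true } catch {}
    }
    [pscustomobject]$results
}

# Usage: run on a domain-joined client after the root CA has been pushed by Group Policy
Test-RdpCertificateTrust
```

Run it on a client after the root CA has been pushed. RootInTrustedStore being $false means the Group Policy distribution has not landed yet; NameMatches being $false means the certificate's subject or SAN does not carry the exact name users type into the RDP client; CdpReachable being $false while ChainStatus reports RevocationStatusUnknown or OfflineRevocation is the CDP problem the answer warns about. Each of those produces the certificate warning the question wants to eliminate.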