How can I reissue the Remote Desktop self-signed certificate for a standard Windows 7 client machine?

  • Question

  • We have a strange issue going on with a couple of freshly imaged Windows 7 workstations over here.

    At first we were unable to remote in to them because of a message that the remote computer does not support NLA. Setting the option to Allow connections from computers running any version of Remote Desktop (less secure) works, but then RDP goes directly to the remote machine and authentication happens there, which would be the case with an XP (or other non-NLA-capable) machine.

    I tried troubleshooting the issue by opening the Certificates snap-in in mmc and deleting the Remote Desktop self-signed certificate but I seem to be unable to reissue/recreate it again...

    I have read that I need to restart the Remote Desktop Configuration service in order for the certificate to recreate itself, but whenever I try to do this, Event Viewer logs the following error:

    Log Name: System

    Source: TerminalServices-RemoteConnectionManager

    Event ID: 1057

    The Terminal Server has failed to create a new self signed certificate to be used for Terminal Server authentication on SSL connections. The relevant status code was An internal error occurred.

    Any help or ideas on that would be greatly appreciated!


    MCTS ConfigMgr 2012 | Twitter: @SergeiBiliarski | LinkedIn: Sergei Biliarski

    Tuesday, June 11, 2013 9:04 PM

All replies

  • Hi,

    Please check if this post can help:

    http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/8df42746-465f-4902-95a6-121ef1f0fd68

    Meanwhile, you can try the following:

    Check the MachineKeys directory.

    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\XXX

    Copy the keys to a different directory by taking a backup and go into the file system and also delete the files in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\.

    After deletion log off and log in to see how it works.

    If this cannot help, I recommend posting in the Server Forum to get more insights.

    http://social.technet.microsoft.com/Forums/en-US/winserverTS/threads


    Tracy Cai
    TechNet Community Support

    • Marked as answer by tracycai Tuesday, June 18, 2013 9:08 AM
    Wednesday, June 12, 2013 8:21 AM
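The procedure above, written out as an added PowerShell example that is not part of the original thread: it records the current Remote Desktop certificate, moves (rather than deletes) the MachineKeys contents to a timestamped backup folder, restarts the Remote Desktop Configuration service (SessionEnv), and then reads the System log for the two events quoted in this thread (1057 on failure, 1056 on success). The backup path is a placeholder of my choosing; run it from an elevated prompt on the affected machine.

```powershell
# Added example (not from the thread). Run elevated on the affected machine.
# MachineKeys also holds private keys for other services (IIS, EFS, etc.),
# so the files are moved to a backup folder, never deleted outright.
$machineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$backup      = "C:\MachineKeys-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"  # placeholder path

# 1. Record what the Remote Desktop store holds before touching anything.
Write-Host 'Remote Desktop store before:'
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 2. Move the key container files aside. Files whose ACL blocks the move
#    (the situation a later poster describes) are reported, not fatal.
New-Item -ItemType Directory -Path $backup | Out-Null
Get-ChildItem -Path $machineKeys -Force -File |
    Move-Item -Destination $backup -Force -ErrorAction Continue

# 3. Restart the service that generates the self-signed RDP certificate.
Restart-Service -Name SessionEnv -Force
Start-Sleep -Seconds 5

# 4. Read the outcome: 1056 = new certificate generated, 1057 = generation failed.
Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1056, 1057
        StartTime = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*TerminalServices-RemoteConnectionManager' } |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Show the certificate that now sits in the Remote Desktop store.
Write-Host 'Remote Desktop store after:'
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
```

If the log still shows 1057 after the service restart, the posters in this thread had success with a full log off and log on instead of (or in addition to) the restart; the event query in step 4 can simply be re-run afterwards. Keep the backup folder until every service that stores a key in MachineKeys has been confirmed working.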
  • Hey Sergei,

    I'm running into this same issue. Did Tracy's proposed fix of deleting keys from the Crypto directory fix things? I'm hoping to fix a user's machine and didn't want to break it more. Since I don't have a strong understanding of the Windows certificate system I figured I'd ask first.

    Anyone else have any tips on how to re-create the self-signed cert that Remote Desktop is looking for?

    -Henry

    Thursday, June 13, 2013 8:07 PM
  • Hi Sergei,

    Any update?


    Tracy Cai
    TechNet Community Support

    Monday, June 17, 2013 1:37 AM
  • Hey, Tracy!

    Sorry for the late reply on this, only now I got the chance to try out the fix you proposed on the client machine.

    I moved the whole contents of the MachineKeys folder to a different location, logged off and on and VOILA, the Remote Desktop certificate got reissued and mstsc is now giving me the normal certificate prompt when I try to access the machine remotely!

    The System log now shows the desired thing:

    Source: TerminalServices-RemoteConnectionManager

    Event ID: 1056

    A new self signed certificate to be used for Terminal Server authentication on SSL connections was generated. The name on this certificate is %computername%.%domain%.com. The SHA1 hash of the certificate is in the event data.

    Many thanks!


    MCTS ConfigMgr 2012 | Twitter: @SergeiBiliarski | LinkedIn: Sergei Biliarski

    Wednesday, June 19, 2013 6:26 PM
  • Hi Sergei,

    Self-signed certificates are OK for testing, but maybe you would want to consider CA-issued certificates in the future to avoid this. After all, the whole thing behind certificates relies on trust, and if you just trust a certificate without any way of verifying its authenticity, security may be at stake. It's actually possible to configure a certificate template for Remote Desktop Authentication of the computer with autoenrollment and then use Group Policy to tell the Remote Desktop service to automatically pick the certificate and use it for authentication. Unfortunately, to really get the "padlock" on the title bar stating that identity was verified using a certificate, you must enter the address of the computer as name.domain.com. Otherwise, you get the standard prompt that the identity of the remote computer cannot be verified.

    But anyway, this is another story, I'm glad you solved your problem. :)

    Monday, July 29, 2013 10:20 PM
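To check whether a machine ends up in the state this reply describes (a CA-issued certificate that the RDP listener actually presents, chaining to a trusted root, with a name that matches what users type into mstsc), here is an added PowerShell example that is not part of the original thread. It reads the thumbprint the RDP-Tcp listener is configured with from the Win32_TSGeneralSetting WMI class, locates that certificate in the machine stores, and reports whether it is self-signed, whether its chain validates, and whether the connection name matches. It assumes PowerShell 3 or later; the connection name defaults to the host's own FQDN and can be replaced with whatever name clients use.

```powershell
# Added example (not from the thread). Run elevated; PowerShell 3+ assumed.
# Name users type into mstsc; replace if clients connect by a different FQDN.
$clientName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# The listener stores the SHA1 thumbprint of the certificate it presents.
$setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                         -Class Win32_TSGeneralSetting `
                         -Filter "TerminalName='RDP-Tcp'"
$thumb = $setting.SSLCertificateSHA1Hash

# Look the certificate up in the two stores where RDP certificates live.
$cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $thumb found in the machine stores." }

$selfSigned = ($cert.Subject -eq $cert.Issuer)
$chainOk    = $cert.Verify()      # builds the chain against the machine's trusted roots

# Names the certificate is valid for: Subject CN plus any SAN DNS entries.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { $names += ($san.Format($false) -split ', ') -replace '^DNS Name=', '' }
$nameMatch = $names -contains $clientName

# A padlock in mstsc needs all three: CA-issued, trusted chain, matching name.
[pscustomobject]@{
    Listener        = $setting.TerminalName
    Thumbprint      = $thumb
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    Expires         = $cert.NotAfter
    SelfSigned      = $selfSigned
    ChainTrusted    = $chainOk
    NameMatches     = $nameMatch
    PadlockExpected = (-not $selfSigned) -and $chainOk -and $nameMatch
}
```

On a machine still using the self-signed certificate, SelfSigned comes back True and ChainTrusted False, which is exactly why clients see the "identity cannot be verified" prompt; after a template with autoenrollment and the Group Policy setting are in place, the thumbprint reported here should change to the CA-issued certificate and all three checks should pass when connecting by the full name.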
    I needed to rename the MachineKeys directory, as I did not have permissions to do anything with the keys in the folder itself. And that was the issue. Once I had renamed the directory, logged off and back on, and connected from a remote machine, the key that was created had read permission for Administrators.

    Now it works.

    Note that as soon as I renamed the MachineKeys directory Windows Explorer proceeded to rapidly create new windows which only stopped when I hit Ctrl-Alt-Delete and chose to sign off.


    Regards, Rob Goodridge

    Tuesday, April 15, 2014 2:19 AM
  • Tracy Cai's fix was a good one. I had the same problem and was able to resolve it remotely.
    Thursday, January 11, 2018 3:00 PM
  • Just wanted to say, this helped me also.

    I could log into the server using the old version of Remote Desktop for Mac (with NLA disabled on the server) but couldn't get in using the new version, NLA on or off. Renamed the folder as easier than deleting, turned on NLA and rebooted, new cert created and RDP working fine.

    Thanks a lot!

    Saturday, July 21, 2018 12:16 PM