Unable to Remote Desktop to Windows Server 2012 due to failure to create self-signed certificate

  • Question

  • My Windows server 2012 standard has been enabled with Remote Desktop.

    It has been working until recent but now my remote desktop client always gives me this error: 'This computer can't connect to the remote computer'.

    When I check the Event Viewer on my 2012 server after trying to Remote Desktop to it, I see this:

    event id: 1057

    Severity: Error

    Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager

    Log: System

    Message detail:

    The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was Object already exists.

    I've tried to follow the instructions from another TechNet post: removing the existing self-signed certificate (using MMC), then restarting the Remote Desktop Configuration service to regenerate the certificate, then configuring it in RD Session Host Configuration (tsconfig.msc):

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df42746-465f-4902-95a6-121ef1f0fd68/the-terminal-server-has-failed-to-create-a-new-self-signed-certificate-to-be-used-for-terminal

    It did not work for me. No new self-signed certificate was regenerated. I also could not find RD Session Host Configuration on my server.

    Thursday, December 19, 2013 12:16 AM

Answers

All replies

  • Hi Richard,

    The error you are facing might be caused by not having enough available memory. To resolve it, you can try to increase the available memory. You can check the article below for more information on Event ID 1057.

    Event ID 1057 — Terminal Services Authentication and Encryption (As there is no official document for server 2012, you can take for your reference.)
    http://technet.microsoft.com/en-us/library/cc775192(v=ws.10).aspx

    In addition, you can try the following method. 

    Check the MachineKeys directory.
    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\XXX
    Copy the keys to a different directory as a backup, then go into the file system and also delete the files in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\.

    After deletion log off and log in to see how it works.

    Refer below threads for additional details.
    1.  How can I reissue the Remote Desktop self-signed certificate for a standard Windows 7 client machine?
    2.  Remote Desktop management not working

    Hope it helps!
    Thanks.

    Thursday, December 19, 2013 9:14 AM
  • Hi Richard,

    How is everything going? Could you please tell us the present situation? If you need any further assistance, please let us know.

    Thanks.
    Sunday, December 22, 2013 5:02 AM
  • Finding this blog in my research, I made a directory and moved all keys to it from the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys directory. After rebooting the server, I was successfully able to RDP to my Windows Server 2012 R2 machine. This server hosts MS System Center Configuration Manager and WSUS. However, I have also tested this with a Windows Server 2012 R2 File Server and it worked flawlessly...thank you Richard.

    Rick Ankrom

    Friday, August 29, 2014 6:31 PM
  • This worked for me to resolve the same issue! 

    Thank you very much!

    Thursday, May 7, 2015 3:59 PM
  • Same problem encountered with my 2012 R2 Lync Edge server.

    Followed this fix and it worked like a charm.

    All I did was rename the folder and restart the "Remote Desktop Configuration" service and the new cert was generated.

    Thanks very much.

    Jason.

    Monday, October 31, 2016 2:27 PM
  • Caution/Warning:

    "also delete the files in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\."

    Do not do this, it will cause whatever applications to stop working.

    Once you give the "System account the correct permissions", it will replace/regenerate the key as needed.

    Also, this is also incorrect:

    "After deletion log off and log in to see how it works."

    It's a machine level key, thus you need to reboot.

    Thx.


    Yong Rhee [MSFT]

    Thursday, March 2, 2017 1:14 AM
  • I'm experiencing same issues and have removed the files in the MachineKeys folder to another folder, restarted the desktopservices services only to continue to receive the following error when trying to RDP to my windows 2012 r2 server:

    • Proposed as answer by nerd01 Friday, March 31, 2017 7:20 PM
    • Unproposed as answer by nerd01 Friday, March 31, 2017 7:20 PM
    Saturday, March 4, 2017 2:17 PM
  • I also had this issue and was unable to Remote into my server.

    The issue is that one of the machine keys had invalid permissions on it which was preventing RDP from renewing or creating a new RDP cert.

    This solution does not require rebooting and only deletes the key that RDP uses. To resolve this I did the following...

    Step 1. Remove the expired RDP cert
    Open Certificates (Local Computer)
    Expand Remote Desktop --> Certificates
    Delete the expired certificate
    If there is no cert listed, that is fine.

    Step 2. Fix the owner on the corrupt file.
    Browse to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
    Locate the file starting with f686aace
    Right click and select properties --> Security --> Advanced
    Change the owner to "Administrators"  or "SYSTEM"
    Click OK
    Backup the file (optional)
    Delete the file starting with f686aace

    Step 3: Fix the permissions on the MachineKeys folder
    In my case someone added "NETWORKSERVICE"
    Browse to C:\ProgramData\Microsoft\Crypto\RSA
    Right click and select properties --> Security --> Advanced
    Make sure only "Everyone" and "Administrators" are listed and remove everything else
       NOTE, DO NOT REPLACE ALL CHILD PERMISSION ENTRIES!
    Click OK

    Step 4: Restart the RDP services

    Open services
    Restart "Remote Desktop Service"
      Select yes to restart "Remote Desktop Services UserMode Port Redirector"
    This should automatically create a new RDP cert
    I also restarted "Remote Desktop Configuration", but I am not sure if that is necessary.

    At this point you should be able to log in using RD.

    Good luck!


    • Edited by nerd01 Friday, March 31, 2017 7:51 PM Fix spelling
    • Proposed as answer by Eponymous1 Saturday, May 19, 2018 1:39 PM
    Friday, March 31, 2017 7:49 PM
  • I solved this by adding the SYSTEM account with Full permissions to the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and then restarting the Remote Desktop Configuration service. I then noticed one of the Machinekeys got a last modification equal to the time of the service restart.

    After that RDP worked again.

    • Proposed as answer by Eponymous1 Saturday, May 19, 2018 1:39 PM
    Wednesday, July 5, 2017 7:22 AM
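The permission repair that nerd01 and Michel describe above can be audited and applied from PowerShell. The script below is an added example, not code from the thread or from Microsoft: it records the current MachineKeys ACL, grants SYSTEM Full Control on the folder (Michel's fix) without removing existing entries, reports the owner of the key file whose name starts with the prefix nerd01 quotes (f686aace), restarts the Remote Desktop Configuration service (service name SessionEnv) and then checks that a certificate exists in the Remote Desktop store and that a key file was written at restart time. Deleting the key file is behind the `$removeRdpKey` switch, which is this example's own convention and defaults to off so that the script only reports unless you opt in. The folder path and the file prefix are taken from the thread; everything else is assumed standard Windows Server 2012 R2 behaviour.

```powershell
# Added example (not from the thread): audit and repair the MachineKeys ACL that
# prevents RD Session Host from regenerating its self-signed certificate.
# Run in an elevated PowerShell session on the affected server.
#Requires -RunAsAdministrator

$machineKeys  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'   # path from the thread
$rdpKeyPrefix = 'f686aace'                                           # prefix quoted in nerd01's post
$removeRdpKey = $false   # hypothetical switch for this example: set $true to back up and delete the key file
$backupDir    = Join-Path $env:TEMP ('MachineKeys-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Confirm the symptom: recent Event ID 1057 entries from the RD connection manager.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
    Id           = 1057
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. Record the folder's owner and ACL before changing anything, so it can be reviewed later.
$folderAcl = Get-Acl -Path $machineKeys
$folderAcl | Format-List Owner, AccessToString |
    Out-File -FilePath (Join-Path $backupDir 'MachineKeys-acl-before.txt')

# 3. Michel's fix: make sure SYSTEM (S-1-5-18) has Full Control, inherited by the key files.
#    AddAccessRule keeps the existing entries; nothing is replaced on child objects.
$systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $systemSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$folderAcl.AddAccessRule($rule)
Set-Acl -Path $machineKeys -AclObject $folderAcl

# 4. nerd01's check: report the owner of the key file RDP uses. Only delete it on request.
$rdpKeyFiles = Get-ChildItem -Path $machineKeys -Filter "$rdpKeyPrefix*" -Force -ErrorAction SilentlyContinue
foreach ($f in $rdpKeyFiles) {
    $fileAcl = Get-Acl -Path $f.FullName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        File      = $f.Name
        Owner     = if ($fileAcl) { $fileAcl.Owner } else { '<not readable: owner/ACL broken>' }
        LastWrite = $f.LastWriteTime
    } | Format-List
    if ($removeRdpKey) {
        # Take ownership for Administrators, grant them access, back the file up, then remove it.
        takeown.exe /F $f.FullName /A | Out-Null
        icacls.exe $f.FullName /grant 'Administrators:F' | Out-Null
        Copy-Item -Path $f.FullName -Destination $backupDir -Force
        Remove-Item -Path $f.FullName -Force
    }
}

# 5. Restart Remote Desktop Configuration; it regenerates the self-signed certificate
#    once it can write to MachineKeys. Dependent services are restarted as well.
Restart-Service -Name SessionEnv -Force
Start-Sleep -Seconds 5

# 6. Verify: a certificate should be present in the Remote Desktop store, and the newest
#    key file's timestamp should match the restart (the observation Michel reports).
Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint
Get-ChildItem -Path $machineKeys -Force |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 Name, LastWriteTime
```

Step 3 adds an entry rather than rewriting the ACL, which is the safer reading of nerd01's warning not to replace child permission entries: other services keep whatever access they already have to their own key containers. If step 6 shows no certificate and no freshly written file, check the per-file owner reported in step 4 before re-running with `$removeRdpKey = $true`.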
  • I'm going to chime in first to say thank you and secondly to acknowledge that your post as well as that of nerd01 solved this issue for me. Moreover, I am writing in the hope that the search engines will find this as a solution to both the "An internal error has occurred" problem with RDP as well as various Windows Store problems and the particularly vexing "INET_E_RESOURCE_NOT_FOUND" problem with Microsoft Edge.  I had tried just about everything for the latter problem and when I applied the RDP fix, Windows Store and Edge began to behave again.  During an update, it seems that Windows can lose some of these important permissions and I am very glad to know this information now.
    Saturday, May 19, 2018 1:44 PM
  • That's the trick that did it for me.
    Saturday, September 8, 2018 12:45 PM
  • It worked...

    thank you so much..

    Saturday, November 30, 2019 9:20 AM
  • Thanks Michel. This solution worked for me!
    Wednesday, July 15, 2020 6:14 AM