Win2008R2 RDP Connection Issues

  • Question

  • We have a server running the connection broker service and following a restart will no longer accept RDP connections.

    We also experienced the same issue on another connection broker and domain controller in the same domain. After a restart we saw the following event in the system logs: Schannel Event 36870 (A fatal error occurred when attempting to access the SSL server credential private key)

    We were able to resolve this with the following fix detailed here:

    https://blogs.technet.microsoft.com/askperf/2014/10/22/rdp-fails-with-event-id-1058-event-36870-with-remote-desktop-session-host-certificate-ssl-communication/

    We saw that the network service no longer had access to keys in the MachineKeys folder or on the certificate in the personal store. The read access was reapplied as suggested and worked.

    However on our secondary connection broker the same symptoms presented and the same fix was applied. However RDP will still not work and now records the following event:

    Schannel: The internal error state is 10 (Event ID: 36888)

    We have a snapshot of the server which works with RDP up till the moment we restart the server.

    Friday, December 23, 2016 9:57 AM

All replies

  • Hi,

    However on our secondary connection broker the same symptoms presented and the same fix was applied. However RDP will still not work and now records the following event:

    Schannel: The internal error state is 10 (Event ID: 36888)

    We have a snapshot of the server which works with RDP up till the moment we restart the server. 

    >>>Is the event “The following fatal alert was generated: 10. The internal error state is 1203” or “The following fatal alert was generated: 10. The internal error state is 10”?

    Here are some articles below that may be helpful to you.

    Schannel error, Event ID 36888? - Is there a way to identify what causes Schannel to log error?

    https://social.technet.microsoft.com/Forums/office/en-US/4c5430f5-43f6-41b4-97d3-03cfb3efa70b/schannel-error-event-id-36888-is-there-a-way-to-identify-what-causes-schannel-to-log-error?forum=winserverDS

    Event 36888, source: Schannel

    http://www.eventid.net/display-eventid-36888-source-Schannel-eventno-10545-phase-1.htm

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 26, 2016 4:57 AM
    Moderator
  • Hi,

    Thanks for the reply. The exact event log details are as follows:

    "The following fatal alert was generated:10 The internal error state is 1203"

    If I attempt an RDP connection using Remote Desktop Connection Manager I see a log created in the TerminalServices-RemoteConnectionManager Operational log - "Listener RDP-Tcp received a connection"

    A corresponding schannel error is also created in the System event logs.

    My Remote Desktop Connection Manager eventually displays the following message "The server denied the connection"

    We have enrolled a new certificate in the Local Computer Personal Store and also recreated the certificate in the Remote Desktop certificates store. We did this by deleting the certificate and restarting the Remote Desktop Services service.

    The server is also configured in Remote Settings>Remote Desktop as follows:

    Allow connections only from computers running remote desktop with Network Level Authentication (more secure)

    Any further assistance appreciated 

    Wednesday, January 4, 2017 11:30 AM
  • Just to add I also tried making a connection after enabling the "Allow connections from computers running any version of Remote desktop (less secure)" and the same schannel error occurred. 
    Wednesday, January 4, 2017 11:56 AM
  • We made a little more progress today after moving the server into an OU which has no group policies applied. Following a GP update we were able to establish an RDP connection again. After moving the server back into its original OU and reapplying the policies again the problem returned.

    At least this helps narrow down the search, although we are still unsure why this appears to have happened out of the blue and is only affecting certain servers.


    Wednesday, January 4, 2017 4:31 PM
  • We found today that if we change the RDP-Tcp security layer setting to 'RDP Security Layer' or 'Negotiate' instead of 'SSL (TLS 1.0)' the ability to make an RDP connection is restored. This is useful to know. 

    However on our other connection broker (which first experienced the problem and was fixed by the advice given in the blog of my original comment) the security layer setting is still set to SSL TLS 1.0 and RDP works.

    Thursday, January 5, 2017 11:38 AM
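The two things this thread ends up checking by hand, the NETWORK SERVICE read ACE on the listener certificate's private key file in MachineKeys (the Event 36870 fix from the original post) and the RDP-Tcp security layer / NLA setting (the last reply), can be read off in one pass. The script below is an added example, not from this thread or from Microsoft; it assumes it is run elevated on the affected host, that the listener is named RDP-Tcp, and that the certificate uses a CAPI (RSA) key stored under MachineKeys, as a 2008 R2 RDP certificate normally does.

```powershell
# Added diagnostic (example, not from the thread). Assumes: elevated session,
# listener 'RDP-Tcp', CAPI RSA key under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# 1. Listener settings: certificate thumbprint, security layer, NLA requirement.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
"SecurityLayer  : {0} ({1})" -f $ts.SecurityLayer, $layerNames[[int]$ts.SecurityLayer]
"NLA required   : {0}" -f $ts.UserAuthenticationRequired
"Cert thumbprint: {0}" -f $ts.SSLCertificateSHA1Hash

# 2. Find the certificate the listener points at (Personal or Remote Desktop store).
$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop')
$cert = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } | Select-Object -First 1
if (-not $cert) { Write-Warning 'Listener certificate not found in My or Remote Desktop store'; return }
"Subject        : {0} (expires {1})" -f $cert.Subject, $cert.NotAfter
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key'; return }

# 3. Locate the key container file. Opening .PrivateKey throws for CNG keys or when the
#    current account itself lacks access, so treat failure as a finding rather than a crash.
try {
    $keyFile = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} catch {
    Write-Warning "Cannot open private key (CNG key or permission problem): $($_.Exception.Message)"
    return
}
$keyPath = Join-Path $machineKeys $keyFile
if (-not (Test-Path $keyPath)) { Write-Warning "Key file not found at $keyPath"; return }

# 4. Does NETWORK SERVICE (the account Remote Desktop Services runs as) have an Allow ACE
#    that includes Read? FullControl and ReadAndExecute both contain the Read bits.
$readBits = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyPath
$nsRead = $acl.Access | Where-Object {
    $_.IdentityReference -like '*NETWORK SERVICE' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readBits) -eq $readBits)
}
if ($nsRead) {
    "NETWORK SERVICE read access on $keyFile : OK"
} else {
    Write-Warning "No NETWORK SERVICE Read ACE on $keyPath (matches the Event 36870 symptom)"
    'Current ACEs:'
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Run it on the working snapshot and again after the restart (or after the GPO is reapplied) and diff the output; a changed ACE list or a changed SecurityLayer value points at the policy that is altering the host.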