Cannot connect to RDP

We have run into the strangest thing on our production machines, which are Windows Server 2012. The symptom is that you try to connect to the remote desktop, and immediately get a generic error, without asking for credentials.

rdperror

Fortunately, we still could connect to the remote computer’s Event Log and registry. We found that the Terminal Service fails with the following error in the System events log:

TerminalServices-RemoteConnectionManager, Event ID 1057

The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was Object already exists.

People on the Internet suggested that cleaning Machine Certificates directory (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) would resolve the issue, but it did not.

We had to turn off RDP security by remotely setting this registry value to 0: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer. I believe this prevents RDP traffic from being encrypted, but I may be wrong.

We suspect that this was a result of some Windows update, or some other similar action, since the problems started happening on all machines at the same time. The investigation is ongoing.

8 Comments


  1. You can conveniently examine the cert repository and remove the certs in PowerShell, i.e. “dir cert:\”. It’s a combination of the private keys in the filesystem and public keys and metadata in the registry.

    Reply

    1. Thanks! This is good to know. To be honest, I am not sure if it’s really a certs problem, despite the error message, since it started simultaneously on so many machines. But the certs repository is indeed worth exploring. I hope our admins will tell us what the problem was once they fix it.

      Reply

  2. having the same issue and only securitylayer -> 0 will work but i don’t think it’s really solving the problem…

    Reply

  3. hi,
    do you have an update on this issue?
    thanks.

    Reply

    1. Not really. I guess we set security to 0 and left it at that. I don’t work at that place anymore, so I can’t even check the status.

      Reply


  4. Thanks. Above article helped to resolve issue quickly. RDP is working fine.

    Reply

  5. Wow, finally… One of my internal servers had a similar issue ( I noticed this error only today after restarting terminal services), and I was using VMWare console for more than a year. It is okay for me to remove the encryption since it an internal server for me.

    Thanks a lot.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *