How to fix RDP on windows server 2012?

Question

Here is a snapshot of the RDP status. Looks good:

When I go to connect from a remote machine I get an error:

"This computer can't connect to the remote computer. 
Try connecting again. If the problem continues..."

I've tested the port 3389 remotely, it is open. I've tested it with netstat.

TCP    0.0.0.0:3389           hostname:0                LISTENING

• No Windows firewall
• No Network Firewall
• Brand-new self-signed certificate
• Machine was recently rebooted, worked before that
• Terminal Services is running
• When I inspect the SSL cert, it shows all the details, looks good, expires in 2014
• hklm:\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections is 0
• C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys administrator has all privleges

Update:

Now I'm finding this in the event log under Administrative Events:

"A fatal error occurred when attempting to access the SSL server credential 
private key. The error code returned from the cryptographic module is 0x8009030D. 
The internal error state is 10001." 

I'm not sure how to resolve the above error. I'm not certain it's my imported RD cert, either, though I do know it happens when I try to RDP from my machine.

Update II:

I've tried using powershell to generate certs with private keys. No luck. Used techniques here and here with no luck. Each time I have added the cert to trusted roots and personal for the system user in MMC Certificate snap-in.

Update III:

So Annoying

This Forum indicates that windows may have updated during the reboot, causing an unrecoverable error in installing the Remote Desktop Connection Broker role (needed, apparently, to generate a private key pfx file to import into MMC). The bug is with hotfix June 2013 KB2821895. This might be remidied with this? http://support.microsoft.com/kb/2871777

So I ran the latest windows update and tried to install the Remote Desktop Connection Broker so that I can generate the pfx file. No luck. It says one or more parent features are not installed-- even though Hyper-V etc. Are. And it does not say what other roles to add...

Update Summary Question!

So, all said and done, theoretically, would getting the RD Connection Broker to install (in order to generate a private key) likely solve my encryption error?

Answer 1

You may encounter this error when connecting after importing an SSL certificate (and associated private key) into Windows Server 2012:

This computer can't connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator. 

In addition, in the Windows event logs, you see:

"A fatal error occurred when attempting to access the SSL server credential 
private key. The error code returned from the cryptographic module is 0x8009030D. 
The internal error state is 10001." 

Solution:

Quote from Microsoft KB2001849:

"The Remote Desktop Host Services service runs under the NETWORK SERVICE account. Therefore, it is necessary to set the ACL of the key file used by RDS (referenced by the certificate named in the SSLCertificateSHA1Hash registry value) to include NETWORK SERVICE with "Read" permissions. To modify the permissions follow the steps below:

Open the Certificates snap-in for the local computer:

1. Click Start, click Run, type mmc, and click OK.

2. On the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.

4. In the Certificates snap-in dialog box, click Computer account, and click Next.

5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and click Finish.

6. In the Add or Remove Snap-ins dialog box, click OK.

7. In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.

8. Right-click the certificate, select All Tasks, and select Manage Private Keys.

9. In the Permissions dialog box, click Add, type NETWORK SERVICE, click OK, select Read under the Allow checkbox, then click OK."

Source: https://support.microsoft.com/en-us/kb/2001849

Answer 2

I disabled the gateway services. I ended up running MMC and deleting the RD certificate altogether. Then I disabled and re-enabled allow remote connections. This generated a new, good certificate and I was able to login on the machine domain!

Answer 3

Am I right assuming you imported the Self-Signed certificate? If this is the case you most likely marked the certificate non-exportable which then would explain the error... Have a look at http://blogs.msdn.com/b/kaushal/archive/2012/10/07/error-hresult-0x80070520-when-adding-ssl-binding-in-iis.aspx for further details. If I'm right you need to delete and reimport the certificate with the "Allow export" flag set.

Answer 4

Have a solution for you:

Download makecert.exe and generate new cert for RDP

makecert -r -pe -n "CN=server FQDN" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr LocalMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12"

Change server FQDN with real value.

Go to computer certificates and under remote desktop delete current certificate. Then from personal store move the newly created cert to Remote Desktop. Open the cert and copy Thumbprint.

Open regedit and go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations

Update SelfSignedCertificate key with new cert tumbprint.

Restart Remote Desktop Services service

Answer 5

I had the same issue, with error appearing as soon as I clicked connect.

To resolve for me I changed the Remote Desktop Services service so it was running as Local System Account instead of NETWORK SERVICE. Restarted the service and everything worked as normal.

EDIT: I've just found out that this will cause Access is denied message and must be set as NETWORK SERVICE. But changing this to Local System Account and back to NETWORK SERVICE did resolve my issue completely.

Answer 6

This is finally what fixed this same issue for me (big props to this TechNet post about how to track down which private key is the offender)

1. Download and run Procmon (from the Sysinternals Suite)
2. Monitor the MachineKeys folder for activity (most likely: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) by listening to any activity in that path
3. Attempt to RDP to the offending machine and you should then see Procmon note the access denied error, along with the file that was denying access
4. Delete the offending file (you may have to make yourself an owner of it first, then give yourself full control)
5. Restart the computer and it should regenerate your missing key with the correct permissions applied

Answer 7

I'm late to the party, but this is what helped me.

• Generate a new PFX certificate. Self-signed will work:

    Install-Module SharePointPnPPowerShellOnline
    $password = ConvertTo-SecureString  "P@ssword" -Force -AsPlainText
    New-PnPAzureCertificate -CommonName RDS_CertName -ValidYears 30 -OutPfx "RDS_CertName .pfx"  -CertificatePassword $password

• Capture a thumbprint in the output window

• Install generated PFX certificate to the My computer > Personal store

• Run the following command using the thumbprint that you've captured in the steps above:

  wmic /namespace:\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMB_PRINT"