Solved

can't log into remote desktop. SSL error.

Posted on 2016-09-07
1
46 Views
Last Modified: 2016-09-07
We did a windows update over the weekend and one of our servers now won't allow us to rdp into it.  It's the domain controller in a Win 2012 environment.  We run a number of servers and a RD connection broker to allow remote clients to use our software.  That part of the infrastructure works fine.   I've checked the 3rd party created certificate for the farm (issued in the last couple of months) and it appears to be fine.
What we can't do is get onto the domain controller remotely for admin purposes.

The server logs show an error.
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.


This is most likely the problem.  A look on the internet says that the problem is with the private key for the certificate. However what I don't know is where the certificate for RDP resides for a single server and how to repair the problem.  The certificate we use for the farm does not name this server explicitly since it doesn't directly participate in the farm login process.  So it must have an internally generated certificate.  I'm just not sure where and how to go about creating and storing a new one.
0
Comment
Question by:geekdad1
1 Comment
 
LVL 1

Accepted Solution

by:
geekdad1 earned 0 total points
ID: 41788839
Solved the issue.  Here are the steps:

Log onto the server using the vm console.
Run the mmc console.
Go to file/ add remove snap-in
Select certificates
Select computer account
Select local computer
Click on finish
Click on OK
Expand Certificates / Personal / Certificates
Look for the intended purpose being Client Authentication
Copy that certificate
Expand Remote Desktop / Certificates
Paste the certificate into here.
Open that certificate and copy the thumbprint.
Paste it into notepad and remove all of the spaces
Copy the new thumbprint

Open powershell as administrator
Cd \certificates

(at this point I've created a ps1 script that looks like:
$hash = read-host "Enter Certificate thumbprint: "
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$hash"
)

.\tscert.ps1
Paste the copied thumbprint here

That should resolve the problem.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Like many organizations, your foray into cloud computing may have started with an ancillary or security service, like email spam and virus protection. For some, the first or second step into the cloud was moving email off-premise. For others, a clou…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now