[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 602
  • Last Modified:

can't log into remote desktop. SSL error.

We did a windows update over the weekend and one of our servers now won't allow us to rdp into it.  It's the domain controller in a Win 2012 environment.  We run a number of servers and a RD connection broker to allow remote clients to use our software.  That part of the infrastructure works fine.   I've checked the 3rd party created certificate for the farm (issued in the last couple of months) and it appears to be fine.
What we can't do is get onto the domain controller remotely for admin purposes.

The server logs show an error.
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.


This is most likely the problem.  A look on the internet says that the problem is with the private key for the certificate. However what I don't know is where the certificate for RDP resides for a single server and how to repair the problem.  The certificate we use for the farm does not name this server explicitly since it doesn't directly participate in the farm login process.  So it must have an internally generated certificate.  I'm just not sure where and how to go about creating and storing a new one.
0
geekdad1
Asked:
geekdad1
1 Solution
 
geekdad1Author Commented:
Solved the issue.  Here are the steps:

Log onto the server using the vm console.
Run the mmc console.
Go to file/ add remove snap-in
Select certificates
Select computer account
Select local computer
Click on finish
Click on OK
Expand Certificates / Personal / Certificates
Look for the intended purpose being Client Authentication
Copy that certificate
Expand Remote Desktop / Certificates
Paste the certificate into here.
Open that certificate and copy the thumbprint.
Paste it into notepad and remove all of the spaces
Copy the new thumbprint

Open powershell as administrator
Cd \certificates

(at this point I've created a ps1 script that looks like:
$hash = read-host "Enter Certificate thumbprint: "
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$hash"
)

.\tscert.ps1
Paste the copied thumbprint here

That should resolve the problem.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now