Solved

can't log into remote desktop. SSL error.

Posted on 2016-09-07
1
31 Views
Last Modified: 2016-09-07
We did a windows update over the weekend and one of our servers now won't allow us to rdp into it.  It's the domain controller in a Win 2012 environment.  We run a number of servers and a RD connection broker to allow remote clients to use our software.  That part of the infrastructure works fine.   I've checked the 3rd party created certificate for the farm (issued in the last couple of months) and it appears to be fine.
What we can't do is get onto the domain controller remotely for admin purposes.

The server logs show an error.
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.


This is most likely the problem.  A look on the internet says that the problem is with the private key for the certificate. However what I don't know is where the certificate for RDP resides for a single server and how to repair the problem.  The certificate we use for the farm does not name this server explicitly since it doesn't directly participate in the farm login process.  So it must have an internally generated certificate.  I'm just not sure where and how to go about creating and storing a new one.
0
Comment
Question by:geekdad1
1 Comment
 
LVL 1

Accepted Solution

by:
geekdad1 earned 0 total points
Comment Utility
Solved the issue.  Here are the steps:

Log onto the server using the vm console.
Run the mmc console.
Go to file/ add remove snap-in
Select certificates
Select computer account
Select local computer
Click on finish
Click on OK
Expand Certificates / Personal / Certificates
Look for the intended purpose being Client Authentication
Copy that certificate
Expand Remote Desktop / Certificates
Paste the certificate into here.
Open that certificate and copy the thumbprint.
Paste it into notepad and remove all of the spaces
Copy the new thumbprint

Open powershell as administrator
Cd \certificates

(at this point I've created a ps1 script that looks like:
$hash = read-host "Enter Certificate thumbprint: "
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$hash"
)

.\tscert.ps1
Paste the copied thumbprint here

That should resolve the problem.
0

Featured Post

ScreenConnect 6.0 Free Trial

Explore all the enhancements in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

Join & Write a Comment

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now