OS -: Windows 2012 R2 Standard
Recently came across a server that was throwing this error, "An internal error has occurred" ,when an RDP session was attempted.
I could get in to the server
1) First thing I did was to restart"Remote Desktop Services" service. Service was restarted, but no luck with RDP sessions yet.
2) Checked was event logs for any errors during RDM restart
Bingo! there's one
"The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was Access is denied."
3) Lets check Certs
Start -> Run -> type MMC and Enter
in MMC
File -> Add/Remote Snap-ins
Select Certificates and
Select Computer account and next
Leave selection as Local Computer and Finish
Press OK to complete.
Expand Certificates and under Remote Desktop there was self-signed cert and it was expired.
4) So I decided to issue a new cert and decided to go with Enterprise CA.
5) Submitted a new cert by going to
First Folder "Personal"
Right click -> All Tasks -> "Request a new certificate"
Complete this using your organization's cert template.
You can also generate a new self-signed cert and export it to Personal store. Please note it needs to be there for the next command to work,
6) Once you have the new cert (CA or Self-Signed) sitting in personal store, we need to copy it's Thumbprint.
For this double click and open the cert inside MMC
Go to details tab
Scroll all the way down and last item will be Thumbprint.
Click that and you can see the Thumbprint listed below. Select and copy the whole value to a notepad file.
After that remove the blank spaces between characters. Mine looks like below
3c7a7a78ac6699b79182dff11329834117a183b3
7) open a command prompt as administrator and run below command, by replacing the Thumbprint with your
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="3c7a7a78ac6699b79182dff11329834117a183b3"
once successfully completed, it will look like this
Should be all good once you restart "Remote Desktop" service once again.
=========================================================================
If that was not applicable (Cert is still valid) , then try below
Enable TLS 1.2 at the system (SCHANNEL) level:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
No comments:
Post a Comment