Remote desktop 'internal error' attepting connect after 'NSA' patches installed
Solution 1
The solution is basically here
https://blogs.technet.microsoft.com/askpfeplat/2017/02/01/removing-self-signed-rdp-certificates/
This helped too:
Assuming you have already verified that the certificate listed under Certificates > Remote Desktop > Certificates isn't valid ...
Note: I took this screenshot after I fixed everything - so this expiration date is the newly created cert that it did all by itself.
You basically then need to rename or delete this file - and then it will recreate it:
"C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a54b3870-f13c-44bb-98c7-d0511f3e1757"
This is a well-known filename beginning in f686aace
. Then restart the Remote Desktop Configuration
service and it should recreate it. (Note: it may actually not be necessary to restart the service - just wait to see if it is recreated with the same filename for a minute).
It may take some messing around with permissions and you may need to take ownership of the file and then in addition apply permissions. Note: Ownership doesn't imply permissions. You must add permissions after taking ownership.
As I said I don't have physical access to the server - if you do then the above should suffice.
I was fortunate to be able to connect remotely via another machine on the same local networkand change the registry.
I wanted to DISABLE authentication so I could connect and gain access remotely. The registry entries to do this are HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Set the existing keys SecurityLayer
and UserAuthentication
to 0
Create an RDP file (open mstsc and click Save after entering the servername) and in notepad add the line enablecredsspsupport:i:0
somewhere. This disables the expectation of security.
When you then run the RDP file it should allow you to UNSECURELY connect and gain access to your server.
As soon as you connect change these two registry entries back and then go ahead and delete the f686...
file...
Solution 2
These settings fixed my issue:
1.In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
2.In Local Security Settings, expand Local Policies, and then click Security Options.
3.Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled. In my case it was disabled. So I just enabled it and issued the under listed command.
- Run gpupdate /force
Another option which will solve this problem:
The protocols were not enabled on the server. I used IIScrypto and enabled TLS1.2 and everything started working
Related videos on Youtube
Jerad Rose
Updated on September 18, 2022Comments
-
Jerad Rose over 1 year
I just installed the latest Windows update (NSA vulnerability patch tuesday) and now I cannot connect to remote desktop.
- The server is remotely hosted. I don't have physical access. Server 2012 R1.
- Fortunately all web sites are running ok after reboot.
- I have not yet tried a second reboot because I'm a little scared to.
- When I try to connect I immediately get this message:
- "Remote Desktop Connection : An internal error has occured"
- Have tried from multiple clients. They all fail - including an iOS app which in addition gives me a 0x00000904 error.
- If I run
telnet servername 3389
then it does initiate a connection, so I know the port is open. - I can connect just fine to other servers from my Win 10 (unpatched) machine.
- I cannot connect from my second laptop either, which is Win 10 Creators edition.
- Cannot find anything useful in Event Viewer.
- I've even tried wireshark which didn't show me anything useful.
- The best I have to diagnose is the ability to upload an ASPX page and run it.
I understand that the recent 'NSA edition' patch roundup had some RDP fixes - but I can't find anyone else who suddenly had issues hit week.
I want to have an idea what the problem is before I contact the hosting company, which is why I'm posting here.
Update:
While I still don't have physical server access I remembered I have a Windows 7 VM hosted on the server itself. I was able to get into this and open the server certificates snap-in by connecting to the 10.0.0.1 local IP.
This is showing that the RDP certificate is indeed expired - although I get no errors when connecting that suggest as such. I certainly have been connecting daily and since it expired 2 months ago my guess is that some kind of security update removed whatever other certificate was in the Remote Desktop store and it did not renew itself.
So trying to figure out a way to install a different cert here now.
Update 2
Finally found this in the event log under 'Administrative Events' (by connecting remotely via the VM) :
"The Terminal Server has failed to create a new self signed certificate to be used for Terminal Server authentication on SSL connections. The relevant status code was Object already exists."
This seems helpful, albeit a slightly different error. Can't reboot tonight though so will have to check again tomorrow.
-
Admin about 7 yearsIt would be good if you told us exactly which update or updates you installed instead of referring to it as the
NSA vulnerability patch tuesday
. Not everyone cares to play "Mystery Update Theater 3000". -
Admin about 7 yearsI would love to tell you - but I just ran windows update and then it rebooted - and now I can't get in. 'Latest updates' that win 2k wanted to update is unfortunately all I can reveal of the mystery. I've been playing Theater 3000 all day trying to think of a strategy. Chances are if I get the hosting company to reboot it will be fine, but that feels like I locked myself out of my home and I'm sending a locksmith while I won't even be there. Thank God I have remote access for SQL server / FTP and all websites are running ok. If there's a command to run to see the updates I can try that
-
Admin about 7 yearsYou might try looking at the Windows Update History and uninstalling updates one at a time (if they support uninstallation) until the problem resolves itself. Make note of which updates you're uninstalling so that you'll be able to identify which update is the suspect update.
-
Admin about 7 yearsbut I don't have access to the desktop to do that. that's the problem. I only have access to the command line via running a command through an ASPNET webpage. I'm trying to run systeminfo.exe to get the output now
-
Admin about 7 yearsRight. Forgot about that. My bad. Apologies.
-
Admin about 7 years@joeqwerty no worries ;-) I'm just trying to be overly cautious and make sure there isn't some known issue. I'd much rather be able to tell the hosting company 'hey this is the problem' rather than whining to them that 'I can' connect'. My instinct tells me I've got about a 25% chance of a reboot just fixing it but not counting on it!
-
Jerad Rose about 7 yearsI am using the self-signed cert and never actually explicitly created an RDP cert. If you find this same issue then the solution may be slightly different if you created a cert youself.
-
Jerad Rose about 7 yearsAppears to be coincidental to the latest patches - and I had a few months worth anyway!
-
Jerad Rose about 7 yearsPS. excuse my disorganized answer - this just wasted a whole weekend. OK I'm done
-
Jerad Rose over 5 yearsWeird suddenly getting upvotes on this. Is a new update causing this again?
-
Tobi o' Bobi over 3 yearsThe first link does not seem to exist anymore. I get redirected to techcommunity.microsoft.com/t5/core-infrastructure-and-security/…