Remote desktop 'internal error' attepting connect after 'NSA' patches installed

rdp windows-terminal-services

The solution is basically here

https://blogs.technet.microsoft.com/askpfeplat/2017/02/01/removing-self-signed-rdp-certificates/

This helped too:

https://social.technet.microsoft.com/Forums/ie/en-US/a9c734c1-4e68-4f45-be46-8cae44c95257/unable-to-remote-desktop-to-windows-server-2012-due-to-failed-to-create-self-signed-certificate?forum=winserverTS

Assuming you have already verified that the certificate listed under Certificates > Remote Desktop > Certificates isn't valid ...

enter image description here

Note: I took this screenshot after I fixed everything - so this expiration date is the newly created cert that it did all by itself.

You basically then need to rename or delete this file - and then it will recreate it:

"C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a54b3870-f13c-44bb-98c7-d0511f3e1757"

This is a well-known filename beginning in f686aace. Then restart the Remote Desktop Configuration service and it should recreate it. (Note: it may actually not be necessary to restart the service - just wait to see if it is recreated with the same filename for a minute).

It may take some messing around with permissions and you may need to take ownership of the file and then in addition apply permissions. Note: Ownership doesn't imply permissions. You must add permissions after taking ownership.

As I said I don't have physical access to the server - if you do then the above should suffice.

I was fortunate to be able to connect remotely via another machine on the same local networkand change the registry.

I wanted to DISABLE authentication so I could connect and gain access remotely. The registry entries to do this are HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Set the existing keys SecurityLayer and UserAuthentication to 0

Create an RDP file (open mstsc and click Save after entering the servername) and in notepad add the line enablecredsspsupport:i:0 somewhere. This disables the expectation of security.

When you then run the RDP file it should allow you to UNSECURELY connect and gain access to your server.

As soon as you connect change these two registry entries back and then go ahead and delete the f686... file...


These settings fixed my issue:

1.In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

2.In Local Security Settings, expand Local Policies, and then click Security Options.

3.Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled. In my case it was disabled. So I just enabled it and issued the under listed command.

  1. Run gpupdate /force

Another option which will solve this problem:

The protocols were not enabled on the server. I used IIScrypto and enabled TLS1.2 and everything started working

Related

HP Proliant DL380 Gen9 Got Wet during Hurricane Irma, Hard Drive still good, can I just plug to a new identical server
NGINX vs. GCE Kubernetes ingress classes
Single server, nginx as a reverse proxy, multiple domains/websites
Why bash alias doesn't work in scripts? [duplicate]
Why data and stack segments are executable?
className only changing every other class
Creating multiple variables [duplicate]
Excel Formula for Inventory
Find n primes after a given prime number, without using any function that checks for primality
Java ball object doesn't bounce off of drawn rectangles like it's supposed to.
Get-ChildItem.Length is Wrong
Powershell color formatting with format operator