Event ID 1057 - The Terminal Server has failed to create a new self signed certificate

If you receive Event ID 1057 - "The Terminal Server has failed to create a new self signed certificate to be used for Terminal Server authentication on SSL connections. The relevant status code was Key not valid for use in specified state" from source TerminalServices-RemoteConnectionManager in the System event log, you will find a lot of strange advice on how to fix it. For me, none of it worked. I finally figured out the problem.

The condition you'll probably also notice is that you can't remote desktop into the server until you clear the "Allow connections only from computers running Remote Desktop with Network Level Authentication" checkbox, either on the General tab of the RDP-Tcp properties in Remote Desktop Session Host Configuration, or on the Remote tab of the System settings by changing the radio button back to "Allow connections from computers running any version of Remote Desktop (less secure)".

In my case I had already tried a lot of the advice, like deleting the self-signed certificate and rebooting (MMC/Certificates/Local Computer/Remote Desktop), and deleting these registry values and restarting:

  • "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM" > Certificate
  • "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM" > CertificateOld
  • "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" > SelfSignedCertificate

I also deleted the Session Host Configuration's RDP-Tcp connection object altogether and restarted the Remote Desktop Services service.

What finally worked: I noticed that we had a bunch of crypto key containers that looked like this:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_XXXXXXXX

I moved them all to a subfolder so there were none left in the MachineKeys folder itself. I then opened the properties of MachineKeys and re-applied the full-control permission to the local server Administrators group, with "Replace all child object permissions" selected (Security/Advanced/Change Permissions/Replace all child object permissions), and applied it.

I then restarted the Remote Desktop Services service and this time I didn't get the error about the certificate. I changed the security setting for RDP back to secure and was able to log on through Remote Desktop.
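The fix described above as one script (an added example, not from the original post). It assumes an elevated PowerShell session on the affected server, the default MachineKeys path, and that the Remote Desktop Services service is named TermService. It moves the key containers into a timestamped backup subfolder rather than deleting them, since the folder also holds machine keys used by other services.

```powershell
# Added example: automate the MachineKeys fix for Event ID 1057. Run elevated.
$machineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$backup      = Join-Path $machineKeys ('Backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))

# 1. Confirm the symptom: recent Event ID 1057 from TerminalServices-RemoteConnectionManager.
$before = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1057 } `
              -MaxEvents 5 -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -like '*TerminalServices-RemoteConnectionManager' }
if (-not $before) { Write-Host 'No recent Event ID 1057 found; nothing to fix.'; return }
Write-Host "Last 1057 event: $($before[0].TimeCreated) - $($before[0].Message.Split("`n")[0])"

# 2. Move (never delete) every existing key container into the backup subfolder.
#    Files that are in use or owned by another account will fail to move; the
#    warning tells you which ones, so you can fall back to renaming the folder.
New-Item -ItemType Directory -Path $backup | Out-Null
Get-ChildItem -Path $machineKeys -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    try   { Move-Item -Path $file.FullName -Destination $backup -ErrorAction Stop }
    catch { Write-Warning "Could not move $($file.Name): $($_.Exception.Message)" }
}

# 3. Re-apply Full Control for the local Administrators group to the folder and,
#    via /T, to everything beneath it (the GUI's "Replace all child object permissions").
#    /C keeps going past individual files that still refuse the change.
icacls $machineKeys /grant 'BUILTIN\Administrators:(OI)(CI)F' /T /C | Out-Null

# 4. Restart Remote Desktop Services so it creates a fresh self-signed certificate.
$restartTime = Get-Date
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 10

# 5. Verify: no new 1057 event since the restart, and a certificate now exists in
#    the Local Computer "Remote Desktop" store that the event was complaining about.
$after = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1057; StartTime = $restartTime } `
             -ErrorAction SilentlyContinue
$rdpCert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue
if ($after)        { Write-Warning 'Event ID 1057 was logged again after the restart; fix did not take.' }
elseif (-not $rdpCert) { Write-Warning 'No certificate in the Remote Desktop store yet; check the System log.' }
else {
    Write-Host "OK: new RDP certificate $($rdpCert[0].Thumbprint), expires $($rdpCert[0].NotAfter)"
    # Put the RDP-Tcp listener back to requiring Network Level Authentication.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                     -Name 'UserAuthentication' -Value 1
}
```

Keep the Backup_* subfolder until every service that had a key container in MachineKeys has been checked; a container that belonged to something other than RDP can be moved back from there.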

Comments

  • Anonymous
    January 01, 2003
    Glad it worked out!
  • Anonymous
    March 10, 2014
    Did the RSA MachineKeys as you said and was able to have the certificate working.
    In my case it failed after the rename of the server, still having the old name in the certificate.
    Thanks :)
  • Anonymous
    May 25, 2014
    I had the same problem and tried your method and it fixed the problem. Question, the permissions of the Administrators group was all blank before I followed your fix, and now of course it is all full control. Do I need to change it back? Thanks.
  • Anonymous
    July 07, 2014
    Your solution works! I couldn't move the files, they looked in use, I just renamed the folder, that worked. Windows creates a new folder. This was the first time I was experiencing this. It actually happened on a VM that was duplicated and renamed. Maybe that was the reason.
  • Anonymous
    July 09, 2014
    The above folder change is what did it for me. I couldn't move the files as a local account had ownership of them and I couldn't take ownership of them.

  • Anonymous
    August 26, 2014
    Renaming the folder did the trick for me as well. In my case, the event log relevant status code was Access is denied. Gracias!
  • Anonymous
    September 29, 2014
    Thanks a lot, saved me a lot of time
  • Anonymous
    November 11, 2014
    Thanks.
  • Anonymous
    January 15, 2015
    Worked for me !
  • Anonymous
    February 26, 2015
    superb workaround!
  • Anonymous
    June 03, 2015
    superb, it worked!! thanks dude
  • Anonymous
    July 09, 2015
    Great!! it worked like a charm!!
  • Anonymous
    July 13, 2015
    Thanks Chris. It's a great article, it worked for me.
  • Anonymous
    July 30, 2015
    Great Article - Same solution worked for me. Good thing too. It was our PDC haha!
  • Anonymous
    August 18, 2015
    WOW! This is great info! Been pulling my hair out. You are a star!!!

    Although in my case I had to migrate the server to new HDD array and new memory after a power hit.
  • Anonymous
    September 08, 2015
    Thank you :-) Thank you :-) Thank you :-) Thank you :-) Thank you :-) Thank you :-)

    Renaming the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder and restarting the "Remote Desktop Services" service did the trick :-D

    I spent 2 days reading articles that did not fix it :-) This did :-) Happy happy happy :-D
  • Anonymous
    September 30, 2015
    Nice post! Saved my day! You're the man.
  • Anonymous
    October 06, 2015
    Worked like a charm, very helpful! Thanks!
  • Anonymous
    October 15, 2015
    Thanks mucho much..... This worked. Thanks for sharing!!!!
  • Anonymous
    January 18, 2016
    Awesome buddy, it worked
  • Anonymous
    February 16, 2016
    Worked perfectly, schannel 36888 (The following fatal alert was generated: 51. The internal error state is 602.)
    alerts are gone, RDP is fully functional, Thanks! :)
  • Anonymous
    March 06, 2016
    Working Bro... Thanks
  • Anonymous
    March 16, 2016
    Wow!! It worked for me. Thanks a lot