Monday, January 8, 2024

Use a custom certificate for Remote Desktop.

Issue: Unable to connect to a server via Remote Desktop.

Error: Internal error has occurred.

Investigation:

Event ID 1057 was logged in the System log.

Opened the Certificates snap-in on a computer in the same network and connected remotely to the problem server. The certificate being used for Remote Desktop had expired, and it seems the server had not been able to renew it.

Connected remotely to the C: drive of the problem server to check whether NETWORK SERVICE had permissions on the folder \\SERVERNAME\c$\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Someone had changed the permissions on the folder and NETWORK SERVICE was missing. Added it back on the folder, but it failed to apply the permissions to some of the keys.

Resolution:

Use a custom certificate for Remote Desktop.

Used the Certificates snap-in to connect remotely to the problem server.

Exported the server certificate found in the Personal store in .cer format (I used Base-64 encoded).

Imported it into the Remote Desktop store.

Right-click the certificate and click Open to view the thumbprint.

Copy the thumbprint. It is a string of hexadecimal characters.

Run this PowerShell command to add the certificate to the registry after connecting with Enter-PSSession:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v 'SSLCertificateSHA1Hash' /t REG_BINARY /d '60935f20cc9a20d463a93158cb4df217a368e1afd'

The process is outlined at the link below, but it does not give you the exact command shown above.

https://learn.microsoft.com/en-US/troubleshoot/windows-server/remote/custom-server-authentication-certificate-for-tls

Restart Remote Desktop Services (TermService).
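The same binding done end to end in PowerShell, as an added example that is not part of the original post. It assumes the certificate has already been imported into the Remote Desktop store as described above, that the thumbprint is passed as a parameter (the default shown is a placeholder), and that it runs inside Enter-PSSession on the affected server as an administrator; it validates the thumbprint and the certificate before writing the registry value, and Set-ItemProperty -Force overwrites an existing value without the prompt that reg add gives without /f.

```powershell
# Added example (not from the original post): bind an already-imported
# certificate to RDP-Tcp by thumbprint. Assumes the cert is present in
# Cert:\LocalMachine\Remote Desktop and that this runs inside
# Enter-PSSession on the affected server, as an administrator.
param(
    # Placeholder; replace with the thumbprint copied from the snap-in
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Normalise the thumbprint copied from the certificate dialog: drop spaces and
# invisible characters, upper-case. A SHA-1 thumbprint is exactly 40 hex digits;
# REG_BINARY also needs an even digit count, so anything else is a copy error.
$hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hex.Length -ne 40) {
    throw "Thumbprint has $($hex.Length) hex digits; a SHA-1 thumbprint has 40."
}

# Confirm the certificate is really in the Remote Desktop store and usable.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -eq $hex }
if (-not $cert) { throw "No certificate with thumbprint $hex in the Remote Desktop store." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; RDP cannot use it.' }

# Convert the hex string into the byte array that REG_BINARY expects.
$bytes = [byte[]]::new(20)
for ($i = 0; $i -lt 20; $i++) {
    $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
}

# Write the binding (-Force overwrites an existing value) and read it back.
Set-ItemProperty -Path $regPath -Name 'SSLCertificateSHA1Hash' -Value $bytes -Type Binary -Force
$applied = (Get-ItemProperty -Path $regPath -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$appliedHex = ($applied | ForEach-Object { $_.ToString('X2') }) -join ''
if ($appliedHex -ne $hex) { throw "Registry readback mismatch: $appliedHex" }

# Check the root cause described in the post: NETWORK SERVICE needs access to MachineKeys.
$acl = Get-Acl -Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
if (-not ($acl.Access | Where-Object { $_.IdentityReference -like '*NETWORK SERVICE' })) {
    Write-Warning 'NETWORK SERVICE is missing from the MachineKeys ACL; certificate auto-renewal will keep failing.'
}

Restart-Service -Name TermService -Force
Write-Output "RDP-Tcp now bound to $($cert.Subject) ($hex)"
```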