Showing posts with label rdp. Show all posts

Monday, January 8, 2024

Use a custom certificate for Remote Desktop.

 

Issue: Not able to remote desktop into a server.

Error: An internal error has occurred.

Investigation:

Event ID 1057 was seen in the System log.

Opened the certificate snap-in on a computer on the same network and connected remotely to the problem server. Saw that the certificate being used for Remote Desktop had expired, and it seemed the server was not able to renew it.

Connected remotely to the C drive of the problem server to check whether NETWORK SERVICE had permissions on the folder \\SERVERNAME\c$\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Someone had changed the permissions on the folder and NETWORK SERVICE was missing. Added it back on the folder, but it failed to apply the permissions to some keys.

 

Resolution:

Using a custom certificate for Remote Desktop.

Used the certificate snap-in to connect remotely to the problem server.

Exported the server certificate found in the Personal store in .cer format. I used Base-64 encoded.

Imported it into the Remote Desktop store.

Right-click the certificate and click Open to look at the thumbprint.

Copy the thumbprint. It is a string of hexadecimal characters (paste it without the spaces shown in the dialog).

Run this PowerShell command, after connecting with Enter-PSSession, to write the thumbprint to the registry as the RDP listener's certificate hash (/f overwrites the existing value without prompting):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v 'SSLCertificateSHA1Hash' /t REG_BINARY /d '60935f20cc9a20d463a93158cb4df217a368e1afd' /f

 

The process is outlined at the link below, but it does not give you the exact command shown above.

https://learn.microsoft.com/en-US/troubleshoot/windows-server/remote/custom-server-authentication-certificate-for-tls

Restart the Remote Desktop Services service (TermService).
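The same procedure done end to end in PowerShell, as an added example that is not part of the original post: it validates the thumbprint and the certificate (not expired, has a private key, Server Authentication EKU) before writing the REG_BINARY value, then verifies what was written and restarts the service. It assumes an elevated session on the target server (for example via Enter-PSSession) and that the certificate has already been imported into the Remote Desktop store.

```powershell
# Added example (not the original post's code). Binds a certificate in the
# 'Remote Desktop' machine store to the RDP-Tcp listener by thumbprint.
param(
    [Parameter(Mandatory)] [string] $Thumbprint
)

# Normalise: drop spaces/colons pasted from the certificate dialog, upper-case.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($tp.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters (SHA-1); got $($tp.Length)."
}

# The listener reads its certificate from the 'Remote Desktop' machine store.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) { throw "No certificate $tp in Cert:\LocalMachine\Remote Desktop." }

# Checks that cover the failure modes in the post (expired certificate,
# private key the service cannot use) before touching the registry.
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
$serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
if ($cert.Extensions['2.5.29.37'] -and -not $serverAuth) {
    throw 'Certificate has an EKU extension without Server Authentication.'
}

# SSLCertificateSHA1Hash is REG_BINARY: convert the hex string to bytes
# instead of handing the text to reg add.
$bytes = [byte[]] (0..19 | ForEach-Object { [Convert]::ToByte($tp.Substring(2 * $_, 2), 16) })

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $key -Name 'SSLCertificateSHA1Hash' -Value $bytes -Type Binary

# Read the value back and compare before restarting the listener service.
$written = (Get-ItemProperty -Path $key -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$writtenHex = ($written | ForEach-Object { $_.ToString('X2') }) -join ''
if ($writtenHex -ne $tp) { throw "Registry value mismatch: $writtenHex" }

Restart-Service -Name TermService -Force
Write-Host "RDP-Tcp now uses $($cert.Subject) ($tp)"
```

Run it with the thumbprint copied from the certificate dialog, e.g. `.\Set-RdpCert.ps1 -Thumbprint '<thumbprint>'`; the WinRM session survives the TermService restart.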

 

 

Tuesday, July 25, 2023

Not able to RDP to Azure VM

The Azure VM may get a 169.254.x.x (APIPA) address on startup, which causes the VM to lose any RDP connections it may have.

The VMs also do not respond to ping or get DNS addresses assigned.

The solution is to add this registry value.

Find this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Click Edit > New, and click DWORD (32-bit) Value. Enter ArpRetryCount.
Right-click the ArpRetryCount registry entry and click Modify. In the Value box, type 0 and click OK.

Since you won't have network access to the server, you will have to use Azure Bastion to log in.

Alternatively, use the Azure serial console to connect and add the registry value from the command prompt:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v ArpRetryCount /t REG_DWORD /d 0 /f




Thursday, May 5, 2022

Useful Remote Desktop setting registry keys

A collection of registry settings to apply if you are having RDP issues. Use them at your own discretion after looking up the documentation for each. Note that SecurityLayer 0 and MinEncryptionLevel 1 put the listener on legacy RDP security with low encryption; they are troubleshooting values, so revert to SecurityLayer 2 and MinEncryptionLevel 3 once the issue is resolved.

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SecurityLayer" /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MinEncryptionLevel" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "fQueryUserConfigFromLocalMachine" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "KeepAliveTimeout" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "KeepAliveEnable" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "KeepAliveInterval" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "fInheritReconnectSame" /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "fReconnectSame" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "fDisableAutoReconnect" /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "fInheritMaxSessionTime" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "fInheritMaxDisconnectionTime" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "fInheritMaxIdleTime" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxInstanceCount" /t REG_DWORD /d 4294967295 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0 /f