ssl - How to fix RDP on Windows Server 2012

Tags: rdp, remote-desktop, ssl, windows-server-2012

Here is a snapshot of the RDP status. Looks good:

When I go to connect from a remote machine I get an error:

"This computer can't connect to the remote computer. 
Try connecting again. If the problem continues..."

I've tested port 3389 remotely; it is open. I've also tested it with netstat:

TCP    0.0.0.0:3389           hostname:0                LISTENING
  • No Windows firewall
  • No Network Firewall
  • Brand-new self-signed certificate
  • Machine was recently rebooted, worked before that
  • Terminal Services is running
  • When I inspect the SSL cert, it shows all the details, looks good, expires in 2014
  • hklm:\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections is 0
  • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys: administrator has all privileges

Update:

Now I'm finding this in the event log under Administrative Events:

"A fatal error occurred when attempting to access the SSL server credential 
private key. The error code returned from the cryptographic module is 0x8009030D. 
The internal error state is 10001." 

I'm not sure how to resolve the above error. I'm not certain it's my imported RD cert, either, though I do know it happens when I try to RDP from my machine.

Update II:

I've tried using powershell to generate certs with private keys. No luck.
Used techniques here and here with no luck. Each time I have added the cert to trusted roots and personal for the system user in MMC Certificate snap-in.

Update III:

So Annoying

This Forum indicates that Windows may have updated during the reboot, causing an unrecoverable error in installing the Remote Desktop Connection Broker role (needed, apparently, to generate a private key pfx file to import into MMC). The bug is with hotfix June 2013 KB2821895. This might be remedied with this? http://support.microsoft.com/kb/2871777

So I ran the latest Windows update and tried to install the Remote Desktop Connection Broker so that I can generate the pfx file. No luck. It says one or more parent features are not installed, even though Hyper-V etc. are. And it does not say what other roles to add…

Update Summary Question!

So, all said and done, theoretically, would getting the RD Connection Broker to install (in order to generate a private key) likely solve my encryption error?

Best Answer

You may encounter this error when connecting after importing an SSL certificate (and associated private key) into Windows Server 2012:

This computer can't connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator. 

In addition, in the Windows event logs, you see:

"A fatal error occurred when attempting to access the SSL server credential 
private key. The error code returned from the cryptographic module is 0x8009030D. 
The internal error state is 10001." 

Solution:

Quote from Microsoft KB2001849:

"The Remote Desktop Host Services service runs under the NETWORK SERVICE account. Therefore, it is necessary to set the ACL of the key file used by RDS (referenced by the certificate named in the SSLCertificateSHA1Hash registry value) to include NETWORK SERVICE with "Read" permissions. To modify the permissions follow the steps below:

Open the Certificates snap-in for the local computer:

  1. Click Start, click Run, type mmc, and click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.

  4. In the Certificates snap-in dialog box, click Computer account, and click Next.

  5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and click Finish.

  6. In the Add or Remove Snap-ins dialog box, click OK.

  7. In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.

  8. Right-click the certificate, select All Tasks, and select Manage Private Keys.

  9. In the Permissions dialog box, click Add, type NETWORK SERVICE, click OK, select Read under the Allow checkbox, then click OK."

Source: https://support.microsoft.com/en-us/kb/2001849
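As an added example (not code from the question, the answer, or the KB article), the following PowerShell performs the KB's ACL step programmatically: it reads the thumbprint that RDS references in SSLCertificateSHA1Hash, finds the matching certificate in the computer Personal store, locates its private key container file on disk, and grants NETWORK SERVICE Read only if that ACE is missing. It assumes the value lives under the RDP-Tcp WinStation registry key, that the key file sits in the MachineKeys folder named in the question (or the CNG Keys folder), and a .NET Framework 4.6 or later host for the CNG fallback; run it from an elevated PowerShell.

```powershell
# Added example: grant NETWORK SERVICE Read on the RDS certificate's private key file.
# Assumption: SSLCertificateSHA1Hash is stored under the RDP-Tcp WinStation key.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$hashBytes = (Get-ItemProperty -Path $rdpTcp -Name SSLCertificateSHA1Hash -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
if (-not $hashBytes) { throw 'SSLCertificateSHA1Hash is not set; RDS is using its default self-signed certificate.' }
$thumbprint = ($hashBytes | ForEach-Object { $_.ToString('X2') }) -join ''

# The certificate must be in the computer Personal store and carry its private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in the computer Personal store." }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key; import the PFX with its key." }

# Resolve the on-disk key container name. Legacy CSP keys expose it via CspKeyContainerInfo;
# CNG keys (assumed .NET 4.6+) via the RSACng key's UniqueName.
$keyName = $null
try { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
if (-not $keyName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
}
if (-not $keyName) { throw 'Could not determine the private key container name.' }

# CSP keys live under RSA\MachineKeys (the folder from the question); CNG keys under Crypto\Keys.
$candidateDirs = @((Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
                   (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'))
$keyFile = $candidateDirs | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container $keyName was not found on disk." }

# Inspect the current ACL and add a Read ACE for NETWORK SERVICE only if none exists.
$acl = Get-Acl -Path $keyFile
$sid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)
$account = $sid.Translate([System.Security.Principal.NTAccount])
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if ($hasRead) {
    Write-Host "NETWORK SERVICE already has Read on $keyFile"
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted NETWORK SERVICE Read on $keyFile"
}
```

If the script reports that the ACE is already present, the 0x8009030D error has a cause other than the key file permissions the KB addresses.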
