Windows Server 2012 – Remote desktop can't connect

Tags: rdp, remote desktop, windows-server-2012

I'm having a few problems with a Hyper-V Host that I'm unable to remote desktop to a few days after a reboot.

I get the following error when trying to RDP.

Remote Desktop cannot verify the identity of the remote computer
because there is a time or date difference between your computer and
the remote computer. Make sure your computer's clock is set to the
correct time, then try connecting again. If the problem occurs again,
contact your network administrator or the owner of the remote
computer.

I've checked the following.

  • I can RDP to the host's VMs without issue
  • Checked the system time & time zone against my laptop, and against the domain controller
  • It's using the correct DNS servers
  • I can't connect using the hostname or the fully qualified domain name [FQDN], but I can connect directly via its IP address
  • The automated backups on the server are showing RPC call failures to the host's VMs when trying to back up specific directories
  • I cannot connect from the host through Hyper-V directly to the VMs running on the server
  • I've reset the computer account through Active Directory Users and Computers. No change.

When attempting to run the PowerShell command "Test-ComputerSecureChannel -Repair":

Test-ComputerSecureChannel : Cannot reset the secure channel password for the computer account in the domain.
Operation failed with the following exception: The server is not operational.

The server responds for a few days following a reboot, but after that it fails to connect with the same symptoms. It's a production server, so rebooting it every day is not an option.

Does anyone have any ideas as to what might be causing such an issue?

Best Answer

So after a bit of fighting with this, the error being shown by the RDP window is nothing to do with time & date being wrong on either the target or host.

Digging a little deeper, it appears that a domain's Certificate Authority (CA) had an expired certificate, and as such needed to be renewed. This resulted in the trust relationship between this server (and only this server for some reason) failing.

As a result of this, all I needed to do was to "Reset" the computer account in Active Directory Users and Computers on the primary domain controller. Then renew the trust relationship (following a reboot) between the server and the DC.

Warning: Anyone trying this for themselves, verify you have a local administrator login for the machine you are resetting this on. When you renew the relationship you'll get this error when trying to log back in using AD credentials.

The trust relationship between this workstation and the primary domain failed

Logging on locally as an administrator, I ran up PowerShell and used the following command:

Reset-ComputerMachinePassword -Server <Name of Domain Controller> -Credential <Domain Admin Account>

This then prompted me for the domain admin username / password. I then rebooted the server and all is working well again.

I'm now able to remote to the VMs on the host machine, and I'm able to RDP to the FQDN of the server.

Thanks to all those who tried to help with this one.
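
The checks and the repair described in the answer above, collected into one PowerShell sequence. This is an added example, not part of the original post; `$DomainController` and its value are placeholders to replace with your own domain controller name, and the session is assumed to be elevated and logged on as a local administrator.

```powershell
# Added example: run elevated, logged on with a LOCAL administrator account,
# because domain logons fail while the trust relationship is broken.
# Placeholder (assumption): replace with the name of your own domain controller.
$DomainController = 'dc01.example.local'

# 1. Measure the clock offset against the DC rather than comparing clocks by eye.
#    Kerberos tolerates 5 minutes of skew by default; a small offset here means
#    the "time or date difference" wording in the RDP error is misleading.
w32tm /stripchart /computer:$DomainController /samples:3 /dataonly

# 2. List expired certificates in the machine's root and intermediate CA stores.
#    Some expired built-in roots are normal on Windows; look for your domain's CA.
$now = Get-Date
$expired = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.NotAfter -lt $now } |
    Select-Object Subject, NotAfter, Thumbprint
if ($expired) {
    Write-Warning 'Expired CA certificates in the local machine store:'
    $expired | Format-Table -AutoSize
}

# 3. Test the computer account's secure channel to the domain.
#    The cmdlet returns $false, or throws, when the channel is broken.
try {
    $channelOk = Test-ComputerSecureChannel -Server $DomainController
} catch {
    Write-Warning "Secure channel test failed: $($_.Exception.Message)"
    $channelOk = $false
}

# 4. Repair only if the test failed: reset the machine account password
#    against the DC using domain admin credentials, as in the answer.
if (-not $channelOk) {
    $cred = Get-Credential -Message 'Domain admin account'
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred
    Write-Output 'Machine password reset. Reboot, then re-run step 3 to confirm.'
} else {
    Write-Output 'Secure channel is healthy; no reset needed.'
}
```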