Compilenix's Blog - RDP: An internal error has occured

RSS Feed | Find Stuff

RDP Stops working after you re-join a windows computer to a domain

- During a windows rdp client connect you get the error message: "An internal error has occured."
- During a xfreerdp client connect you get something like this:

[12:03:22:170] [9681:9682] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:03:22:170] [9681:9682] [ERROR][com.freerdp.core.nego] - Protocol Security Negotiation Failure
[12:03:22:170] [9681:9682] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED [0x0002000C]
[12:03:22:170] [9681:9682] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure

- On the remote you find an error in the windows event log:
Log Name:      System
Source:        Schannel
Date:          22.03.2018 10:28:28
Event ID:      36870
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      x.example.com
Description:
A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36870</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-03-22T09:28:28.200269700Z" />
    <EventRecordID>5650</EventRecordID>
    <Correlation ActivityID="{83D525D6-C14E-0002-D725-D5834EC1D301}" />
    <Execution ProcessID="920" ThreadID="3772" />
    <Channel>System</Channel>
    <Computer>x.example.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Type">server</Data>
    <Data Name="ErrorCode">0x8009030d</Data>
    <Data Name="ErrorStatus">10001</Data>
  </EventData>
</Event>

Here is what worked for me.
- Look for an existing valid computer account certificate and / or create a new valid certificate using a PKI, which is trusted by the domain controller/s.
- Set the thumbprint of that valid certificate to be used by the terminal server service

Get info about the current certificates installed:

Get-ChildItem -Path cert:/LocalMachine/My
And the current certificates dedicated for Terminal Services:
Get-ChildItem -Path "cert:/LocalMachine/Remote Desktop"

Set a new certificate to be used by the Terminal Server Service:

$TSpath = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path Set-WmiInstance -Path $TSpath -Argument @{SSLCertificateSHA1Hash="2B27D3B9C14AF0FBBADFACC271AFE0DDE21B7B74"}