Remote Desktop expired certificate

Answered by:

Self-Signed Certificate for Remote Desktop Expired

Archived Forums

Remote Desktop Services (Terminal Services)

• Question

• 0

  Sign in to vote

  One of our Helpdesk personnel got the following error when making an RDP connection from Windows XP SP3 to a Windows Server 2008 R2 server, "Remote Desktop cannot connect to the remote computer because the authentication certificate received from the remote computer is expired or invalid. In some cases, this error might also be caused by a large time discrepency between the client and server computers." It's purley for administration purposes. We aren't using TS Gateway or anything like that. I have double checked & the date, time, & time zone on both the server & client & they are all correct.

  On the server if I open the certificate store in an MMC & browse to Remote Desktop\Certificates I see that the self-signed certificate expired on 5/3/2011. If I look at the same store in other 2008 R2 & 2008 SP2 servers they all have a self-signed certificate as well but the date it still valid. IT appears as though this certificate should be renewing itself automatically every 6 months but for some reason on the one server it is not. Has onyone else seen this issue before? What is the mechanism that is supposed to renew this certificate?

  Thank you in advanced for any advise.

  ---

  Patrick Hoban
  http://patrickhoban.wordpress.com
  

  Friday, May 13, 2011 6:16 PM

Answers

• 5

  Sign in to vote

  Turns out restarting the Remote Desktop Configuration service will renew the certificate if it is expired. I did not have to delete it first however I did test on another server by deleting it then restarting the service.It still properly created the certificate. Doing so generates an event log message:

  Log Name: System
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 5/26/2011 12:14:31 PM
  Event ID: 1056
  Task Category: None
  Level: Information
  Keywords: Classic
  User: N/A
  Computer: servername.domain.com
  Description:
  A new self signed certificate to be used for Terminal Server authentication on SSL connections was generated. The name on this certificate is servername.domain.com
  . The SHA1 hash of the certificate is in the event data.

  Thank you to all of youwho chimed in & got me going down the right path.

  ---

  Patrick Hoban
  http://patrickhoban.wordpress.com
  • Marked as answer by Patrick Hoban Thursday, May 26, 2011 5:33 PM

  Thursday, May 26, 2011 5:33 PM

All replies

• 1

  Sign in to vote

  Hi,

  Have you configured the Certificate on the RDS host server?

  Please check: RD session host configuration -> RDP-Tcp -> please make sure you have not selected the “Certificate” for logon.

  In case, on the server computer, please change the follwong RDP settings:

  1. Click start, type sysdm.cpl in start search, and press Enter.

  2. Under Remote tab, choose "Allow connections from computers running any versions of Remote Desktop"

  3. Click OK.

  4. Then, please try again.

  Meanwhile, can you connect to other computers via RDP?

  Thanks.

  ===========================================

  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

  Monday, May 16, 2011 8:34 AM

• 0

  Sign in to vote

  Yes, I have it set to "Allow connections from computers running any versions of Remote Desktop".

  No, I have not configured RDP to use any other certificate. Looking at the RDP-tcp properties Certificate is still set to Auto generated. Clicking on Auto generated gives me a message that says, "This certificate is managed by the Remote Desktop Session Host server and you cannot view the certificate details. It is recommended that you procure a certificate from a Certificate Authority."

  Again, it appears that the self-signed certificate in Remote Desktop\Certificates is supposed to auto-renew but is not.

  ---

  Patrick Hoban
  http://patrickhoban.wordpress.com

  Monday, May 16, 2011 6:18 PM

• 0

  Sign in to vote

  Hi,

  If you do not configure the certificate on the RDS host server, the client should be able to connect to the RDS server even though they do not trust the server’s certificate. (you will get the warning message “the certificate is not from a trusted certifying authority” when do connect to the RDS server)

  Can you manually renew this self-signed certificate via mmc-computer account?

  Also, have you got any event log when this issue on both server and client sides?

  Thanks.

  Tuesday, May 17, 2011 2:38 AM

• 0

  Sign in to vote

  I believe the error they get is due to the certificate being expired not becuase it is not issued by a trusted source. The certificate epired on 5/3/2011 & that's when they started getting the error.

  I am not aware of a way to renew the certificate in the certificates MMC.

  I do not see any errors in the Event Log around the time of the certificate expiring.

  I still can't figure out why the certificate is not renewing itself since that's what appears to be happening on every other server I have.

  ---

  Patrick Hoban
  http://patrickhoban.wordpress.com

  Tuesday, May 17, 2011 4:30 AM

• 0

  Sign in to vote

  Hi,

  I made some searches, the self-signed certificate can not renew by itself when it is expired.

  Thanks.

  • Marked as answer by Alan Zhu Tuesday, May 24, 2011 2:41 AM
  • Unmarked as answer by Patrick Hoban Tuesday, May 24, 2011 2:44 AM

  Friday, May 20, 2011 1:15 AM

• 0

  Sign in to vote

  Anyone elseseen this behavior before?

  ---

  Patrick Hoban
  http://patrickhoban.wordpress.com

  Tuesday, May 24, 2011 2:51 AM

• 0

  Sign in to vote

  Hi,

  I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

  Thank you for your understanding and support.

  Tuesday, May 24, 2011 3:22 AM

• 1

  Sign in to vote

  Please confirm that this server does not have any RDS roles installed and is just using Remote Desktop for Administration.

  Go to Start -> Administrative Tools -> remote Desktop Services -> Remote Desktop session host Configuration

  Check the "Remote Desktop Licensing mode"

  Since you indicated this server uses RDP just for Administration and does not have RDS role installed, this should show "Remote Desktop for Administration", if its not let us know.

  Now go to the properties of RDP-TCP and check the Certificate option, it sshould show:

  Certificate: Autogenerated

  If its not whats it set to?

  You can select Default here to use Autogenerated Certificate, then test the connection again.

  You can also delete the expired certificate from the certificate store.

  ---

  Sumesh P - Microsoft Online Community Support
  • Proposed as answer by Sumesh P Thursday, May 26, 2011 4:20 AM
  • Marked as answer by Patrick Hoban Thursday, May 26, 2011 5:34 PM
  • Unmarked as answer by Patrick Hoban Thursday, May 26, 2011 5:43 PM
  • Unproposed as answer by Sumesh P Friday, May 27, 2011 7:26 AM

  Tuesday, May 24, 2011 6:10 AM

• 1

  Sign in to vote

  Hi Patrick,

  If you delete the certificate a new one should be auto-generated the next time you attempt to connect.

  I do not use self-signed certificates, however, I checked a couple of different servers and noticed that the self-signed cert in the Remote Desktop store has renewed itself. Not sure when this renewal occurs since again, I do not have the self-signed cert assigned to the RDP-Tcp listener, unlike in your case.

  Keep in mind that unless you import each server's self-signed cert into the local client PC's trusted root store you are still subject to MITM attack, which defeats the purpose of using SSL for your Security Layer.

  -TP

  • Marked as answer by Patrick Hoban Thursday, May 26, 2011 5:34 PM
  • Unmarked as answer by Patrick Hoban Thursday, May 26, 2011 5:43 PM

  Tuesday, May 24, 2011 6:41 AM

• 5

  Sign in to vote

  Turns out restarting the Remote Desktop Configuration service will renew the certificate if it is expired. I did not have to delete it first however I did test on another server by deleting it then restarting the service.It still properly created the certificate. Doing so generates an event log message:

  Log Name: System
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 5/26/2011 12:14:31 PM
  Event ID: 1056
  Task Category: None
  Level: Information
  Keywords: Classic
  User: N/A
  Computer: servername.domain.com
  Description:
  A new self signed certificate to be used for Terminal Server authentication on SSL connections was generated. The name on this certificate is servername.domain.com
  . The SHA1 hash of the certificate is in the event data.

  Thank you to all of youwho chimed in & got me going down the right path.

  ---

  Patrick Hoban
  http://patrickhoban.wordpress.com
  • Marked as answer by Patrick Hoban Thursday, May 26, 2011 5:33 PM

  Thursday, May 26, 2011 5:33 PM

• 1

  Sign in to vote

  hi

  I am Also Facing the Same Problem while Connecting the Remote Server 2008

  pls use the following step :

  >Open the Server Manager

  >Open the RDP TCP Properties

  >Goto Secuirty Option >change In RDP-Security Layer>

  Encryption Layer: Client Comptible

  then Ok

  Now Try to Connect ,

  I Think Its Working........

  • Proposed as answer by Peter Feige Tuesday, September 2, 2014 8:38 AM

  Monday, October 22, 2012 12:20 PM

• 1

  Sign in to vote

  I had the same problem. The solution for me was straight forward.

  My Remote Desktop Configuration service was disabled.

  I enabled it, rebooted and the cert was renewed.

  Thursday, October 3, 2013 5:17 PM

• 0

  Sign in to vote

  Thank you very much SChalice, your solution works like a charm!

  Thursday, March 27, 2014 12:01 PM

• 0

  Sign in to vote

  THANK YOU! This fixed it for me and my company!
  

  Wednesday, October 8, 2014 12:10 AM