This error is received when a certification authority (CA) has issued a certificate for the terminal server based on a certificate template that is specified in Group Policy, and one of the following conditions has occurred:
The correct certificate template name is not specified in Group Policy.
The permissions on the certificate template do not allow the terminal server to enroll for this type of certificate.
The certificate is not valid for the requested usage.
The certificate template does not exist.
The certificates that are based on the certificate template are not being issued to computers.
The Server Authentication Certificate Template Group Policy setting allows you to enter the name of the certificate template that is used to determine which certificate is used to authenticate the terminal server when using SSL or TLS 1.0 encryption. Entering the name of a certificate template allows automatic certificate selection to occur. After a certificate template name has been entered, certificates that were created by using that template are considered, and one of the eligible certificates is automatically selected for use.
For information about certificate templates, see "Implementing and Administering Certificate Templates in Windows Server 2008" ( http://go.microsoft.com/fwlink/?LinkID=92522).
The correct certificate template name is not specified in Group Policy
To check whether the correct certificate template name is specified in Group Policy, use the Group Policy Management Console (GPMC).
To perform this procedure, you must have membership in the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate authority.
Note: To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.
To check whether the correct certificate template name is specified in Group Policy:
Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
In the left pane, locate the organizational unit (OU) that you want to edit.
To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
In the right pane, click the Settings tab.
In the left pane, under Computer Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, expand Terminal Server, and then click Security.
In the right pane, in the settings list, right-click Server Authentication Certificate Template, and then click Properties.
On the Settings tab, check whether Enabled is selected and whether the name specified in Certificate Template Name is correct, and then click OK.
If Enabled is not selected or the correct name is not specified for the certificate template, see the section below titled "Specify the correct certificate template in Group Policy."
The permissions on the certificate template do not allow the terminal server to enroll for this type of certificate
A terminal server computer account must have Enroll permissions to read the appropriate certificate template.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check the permissions that are granted to the terminal server on the certificate template:
On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
In the console tree, click Certificate Templates.
In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
On the Security tab, under Group or user names, check whether the terminal server (or a security group that contains the terminal server) appears in the list, and then click it. With the terminal server (or the security group that contains the terminal server) selected, under Permissions, check whether the check box to allow Enroll permissions is selected, and then click OK.
If the check box to allow Enroll permissions is not selected, see the section below titled "Grant Enroll permissions for the certificate template to the terminal server."
The certificate is not valid for the requested usage
The certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers must have an Enhanced Key Usage (EKU) of Server Authentication.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check whether the Server Authentication Key Usage extension is specified in the certificate template:
On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
In the console tree, click Certificate Templates.
In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
On the Extensions tab, under Extensions included in this template, click Key Usage, and then click Edit.
Check whether the Server Authentication key usage extension is selected, and then click OK to close the Properties dialog box for the certificate template.
If the Server Authentication Key Usage extension is not selected, see the section below titled "Add the Server Authentication EKU to the certificate template."
The certificate template does not exist
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check whether the certificate template exists:
On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
In the console tree, click Certificate Templates.
In the results pane, in the list of certificate templates, locate the certificate template that is used as the basis for the certificates that are enrolled to terminal servers.
If the certificate template does not appear, see the section below titled "Create a new certificate template."
The certificates that are based on the certificate template are not being issued to computers
For a CA to issue certificates based on the certificate template, the certificate template must be added to the Certificate Templates container in the Certification Authority snap-in.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check whether the certificate template has been added to the Certificate Templates container in the Certification Authority snap-in:
On a computer where AD CS is installed, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certification Authority, click Add, and then click OK.
Select the CA that you want to manage, and then click Finish.
Expand Certificate Templates, and then check whether the appropriate certificate template appears in the list. The name of the certificate should match the name that is specified in the Server Authentication Certificate Template Group Policy setting. For more information, see "To check whether the correct certificate is specified in Group Policy" earlier in this topic.
If the appropriate certificate template does not appear in the list, see the section below titled "Add the certificate template to the Certificate Templates container."
Specify the correct certificate template in Group Policy
To resolve this issue, specify the correct certificate template in Group Policy.
To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.
Note: To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.
To specify the certificate template name in Group Policy:
Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
In the left pane, locate the OU that you want to edit.
To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
In the right pane, click the Settings tab.
In the left pane, under Computer Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, expand Terminal Server, and then click Security.
In the right pane, in the settings list, right-click Server Authentication Certificate Template, and then click Properties.
On the Settings tab, click Enabled (if this Group Policy setting is not already enabled), and in Certificate Template Name, type the name of the correct certificate template.
Click OK.
For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help ( http://go.microsoft.com/fwlink/?LinkId=101633) or the GPMC Help ( http://go.microsoft.com/fwlink/?LinkId=101634) in the Windows Server 2008 Technical Library.
Grant Enroll permissions for the certificate template to the terminal server
To resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers. The certificate template must be modified to grant Enroll permissions to the terminal server computer account.
For information about certificate templates, see "Implementing and Administering Certificate Templates in Windows Server 2008" ( http://go.microsoft.com/fwlink/?LinkID=92522).
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To grant Enroll permissions for the certificate template to the terminal server:
On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
In the console tree, click Certificate Templates.
In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
On the Security tab, under Group or user names, ensure that the terminal server (or a security group that contains the terminal server) appears in the list, and then click it. If it does not appear, add it.
With the terminal server (or security group that contains the terminal server) selected, under Permissions, select the check box to allow Enroll permissions.
Click OK to close the Properties dialog box for the certificate template.
Add the Server Authentication EKU to the certificate templateTo resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers. The certificate template must be modified to have an Enhanced Key Usage (EKU) of Server Authentication.
For information about certificate templates, see "Implementing and Administering Certificate Templates in Windows Server 2008" ( http://go.microsoft.com/fwlink/?LinkID=92522).
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To add the Server Authentication Key Usage extension to the certificate template:
On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
In the console tree, click Certificate Templates.
In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
On the Extensions tab, under Extensions included in this template, click Key Usage, and then click Edit.
Add the Server Authentication EKU, and then close the dialog box.
Click OK to close the Properties dialog box for the certificate template.
Create a new certificate template
To resolve this issue, do the following:
Create a new certificate template. Active Directory Certificate Services (AD CS) will use this template as the basis for server certificates enrolled to terminal servers.
Add the certificate template to the Certificate Templates container in the Certification Authority (CA) snap-in. Doing this enables the server certificate to be issued to terminal servers.
Create a new certificate template
You can create a certificate template by duplicating an existing template and using the existing template's properties as the default for the new template. Different applications and types of CAs support different certificate templates. For example, some certificate templates can only be issued and managed by enterprise CAs running Windows Server 2003, and some may require that the CA be running Windows Server 2008. Review the list of default certificate templates, and examine their properties to identify the existing certificate template that most closely meets your needs. This will minimize the amount of configuration work that you need to do.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To create a certificate template:
On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
In the console tree, click Certificate Templates.
In the list of templates, right-click the template to copy from, and then click Duplicate Template.
Choose the minimum version of the CA that you want to support.
Type a new name for this certificate template.
Configure additional settings as needed, and then click OK.
Add the certificate template to the Certificate Templates container in the Certification Authority snap-in
For a CA to issue certificates based on the certificate template, you need to add the certificate template to the Certificate Templates container in the Certification Authority snap-in. To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To add the certificate template to the Certificate Templates container:
On a computer where AD CS is installed, open the Certification Authority snap-in. To open the Certification Authority snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certification Authority, click Add, and then click OK.
Select the CA that you want to manage, and then click Finish.
Right-click the Certificate Templates container, click New, and then click Certificate Template to Issue.
Select the certificate template that you want, and then click OK.
Add the certificate template to the Certificate Templates container
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To add the certificate template to the Certificate Templates container in the Certification Authority snap-in:
On a computer where AD CS is installed, open the Certification Authority snap-in. To open the Certification Authority snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certification Authority, click Add, and then click OK.
Select the CA that you want to manage, and then click Finish.
Right-click the Certificate Templates container, click New, and then click Certificate Template to Issue.
Select the certificate template that you want, and then click OK.
| Target | Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TerminalServer | ||
| Category | EventCollection | ||
| Enabled | True | ||
| Event_ID | 1064 | ||
| Event Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | System |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| Alert | WriteAction | System.Health.GenerateAlert | Default |
Home
ENU <Rule ID="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TerminalServer.EventCollection.1064" Enabled="onStandardMonitoring" Target="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TerminalServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1064</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-TerminalServices-RemoteConnectionManager</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TerminalServer.EventCollection.1064.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>