This object monitors Remote Desktop Services authentication and encryption.
Transport Layer Security (TLS) 1.0 enhances the security of sessions by providing server authentication and by encrypting RD Session Host server communications. The RD Session Host and the client computer must be correctly configured for clients to make successful remote connections and for TLS to provide enhanced security. For example, a certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during Remote Desktop Protocol (RDP) connections.
To resolve this issue, check the event ID, and then view the troubleshooting information for that event in the sections below.
Resolution steps for the following event ID:1054
To resolve this issue, do the following:
Confirm that the certificate that the RD Session Host server is configured to use for TLS 1.0 (SSL) does not have the correct Enhanced Key Usage (EKU) value. The certificate must have an EKU of Server Authentication (1.3.6.1.5.5.7.3.1) or no EKU.
If the certificate does not meet these requirements, install an alternate certificate on the RD Session Host server that does meet these requirements, and then configure the RD Session Host server to use this certificate for TLS 1.0 (SSL).
For information about certificate requirements, see the section "Certificate requirements" later in this topic.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Confirm that the certificate that the RD Session Host server is configured to use for TLS 1.0 (SSL) does not have the correct EKU value
To confirm that the certificate does not have the correct EKU value:
1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. In the details pane, under Connections, right-click the connection (for example, RDP-tcp), and then click Properties.
3. On the General tab, click Select.
4. In the Select Certificate dialog box, note the certificate that is selected, and then click View Certificate.
5. In the Certificate dialog box, click Details, and then check the EKU value. The certificate must have an EKU of Server Authentication (1.3.6.1.5.5.7.3.1) or no EKU. If the certificate does not have one of these values, you must specify an alternate certificate for the RD Session Host server, as described in "To import a valid certificate onto the RD Session Host server" and "Configure the RD Session Host server to use a certificate for TLS 1.0 (SSL)."
6. Click OK to close the Certificate dialog box.
7. Click OK to close the Select Certificate dialog box.
8. Click OK to close the Properties dialog box for the connection.
Install a certificate on the RD Session Host server
Important: You should only install certificates obtained from trusted sources. Installing an altered or unreliable certificate could compromise the security of any system component that uses the installed certificate.
To install a certificate on the RD Session Host server:
1. Locate and then double-click the certificate that you want to install. The certificate might exist on the RD Session Host server or be located on a share.
2. If prompted to confirm whether you want to open the certificate file, click Open.
3. In the Certificate Properties dialog box, on the General tab, click Install Certificate.
4. In the Certificate Import Wizard, on the Welcome page, click Next.
5. On the Certificate Store page, do one of the following:
6. If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
7. If you want to specify where the certificate is stored, select Place all certificates in the following store, and then click Browse. In Select Certificate Store, click the certificate store to use, and then click OK.
8. On the Certificate Store page, click Next.
9. On the Completing the Certificate Import Wizard page, click Finish.
After you install a certificate, you must specify that it be used by the RD Session Host server, as described in the following procedure.
Configure the RD Session Host server to use a certificate for TLS 1.0 (SSL)
We recommend that you use the Remote Desktop Session Host Configuration snap-in to specify the certificate that is used by the RD Session Host server for server authentication and encryption. If you use Remote Desktop Session Host Configuration to attempt to install a certificate that does not meet the requirements specified in "Certificate requirements" later in this topic, the certificate will not be installed.
To configure the RD Session Host server to use a certificate for TLS 1.0 (SSL):
1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. In the details pane, under Connections, right-click the connection (for example, RDP-tcp), and then click Properties.
3. On the General tab, click Select.
4. In the Select Certificate dialog box, click the certificate that you want to use, and then click OK.
Certificate requirements
A certificate that is used by the RD Session Host server for server authentication and encryption must meet the following requirements:
The certificate must be a computer certificate.
The certificate must have a corresponding private key. The container for the key must be accessible by the NT AUTHORITY\Network Service account.
The certificate must have an Enhanced Key Usage (EKU) of Server Authentication (1.3.6.1.5.5.7.3.1) or no EKU.
The following key usage value must be set for the certificate: CERT_KEY_ENCIPHERMENT_KEY_USAGE.
The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
Resolution steps for the following event IDs: 1055, 1051
To resolve this issue, do the following:
Install a certificate onto the RD Session Host server that meets the requirements for an RD Session Host server certificate. For information about certificate requirements, see the section "Certificate requirements" later in this topic.
Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL).
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Install a certificate on the RD Session Host server
Important: You should only install certificates obtained from trusted sources. Installing an altered or unreliable certificate could compromise the security of any system component that uses the installed certificate.
To install a certificate on the RD Session Host server:
1. On the RD Session Host server, locate and then double-click the certificate that you want to install. The certificate might exist on the RD Session Host server, or be located on a share.
2. If prompted to confirm whether you want to open the certificate file, click Open.
3. In the Certificate properties dialog box, on the General tab, click Install Certificate.
4. In the Certificate Import Wizard, on the Welcome page, click Next.
5. On the Certificate Store page, do one of the following:
6. If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
7. If you want to specify where the certificate is stored, select Place all certificates in the following store, and then click Browse. In Select Certificate Store, click the certificate store to use, and then click OK.
8. On the Certificate Store page, click Next.
9. On the Completing the Certificate Import Wizard page, click Finish.
After you install a certificate, you must specify that it be used by the RD Session Host server, as described in the following procedure.
Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL)
We recommend that you use the Remote Desktop Session Host Configuration snap-in to specify the certificate that is used by the RD Session Host server for server authentication and encryption. If you use Remote Desktop Session Host Configuration to attempt to install a certificate that does not meet the certificate requirements, the certificate will not be installed.
To configure the RD Session Host server to use the certificate for TLS 1.0 (SSL):
1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. In the details pane, under Connections, right-click the connection (for example RDP-tcp), and then click Properties.
3. On the General tab, click Select.
4. In Select Certificate, click the certificate that you want to use, and then click OK.
Certificate requirements
A certificate that is used by the RD Session Host server for server authentication and encryption must meet the following requirements:
The certificate must be a computer certificate.
The certificate must have a corresponding private key. The container for the key must be accessible by the NT AUTHORITY\Network Service account.
The certificate must have an Enhanced Key Usage (EKU) of Server Authentication (1.3.6.1.5.5.7.3.1) or no EKU.
The following key usage value must be set for the certificate: CERT_KEY_ENCIPHERMENT_KEY_USAGE.
The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
Resolution steps for the following event ID: 1133
To resolve this issue, you should delete the certificate from the RD Session Host server and then restart the Remote Desktop Services service.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Remove a certificate on the RD Session Host server
To remove a certificate on the RD Session Host server:
1. On the RD Session Host server, open the Certificates snap-in. To open the Certificates snap-in, click Start, click Run, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. Select the Computer account option, and then click Next.
5. Click Finish, and then click OK.
6. Expand Certificates, and then expand the certificate store that contains the certificate to be removed.
7. Right-click the certificate, and then click Delete.
8. Click Yes to confirm that you want to delete the certificate.
After you remove the certificate, you must restart the Remote Desktop Services service on the RD Session Host server, as described in the following procedure.
Restart the Remote Desktop Services service
To restart the Remote Desktop Services service:
1. On the RD Session Host server, open the Services snap-in. To open the Services snap-in, click Start, point to Administrative Tools, and then click Services.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the Services pane, right-click Remote Desktop Services, and then click Restart.
4. If you are prompted about restarting other services, click Yes.
5. Confirm that the Status column for the Remote Desktop Services service displays Started.
Resolution steps for the following event IDs: 1058, 1057
To resolve this issue, increase available memory. If this condition persists, contact Microsoft Customer Service and Support. For information about how to contact CSS, see Support Options from Microsoft Services ( http://go.microsoft.com/fwlink/?LinkId=52267).
One way to increase the amount of available memory is to determine if there are any programs or processes running on the RD Session Host server that can be closed. Use Task Manager to determine which processes are using the most memory, and to end those processes.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To free up memory on the RD Session Host server by using Task Manager:
1. On the RD Session Host server, right-click an empty area of the taskbar, and then click Start Task Manager.
2. Click the Processes tab.
3. Make sure that the User Name and Memory (Private Working Set) columns appear. If they do not appear, on the View menu, click Select Columns, select the User Name and the Memory (Private Working Set) check boxes, and then click OK.
4. At the bottom of the tab, select the Show processes from all users check box.
5. To sort the processes by memory usage, click the Memory (Private Working Set) column header.
6. Determine if you can end any of the memory-intensive processes.
7. To end a process, click the process name, and then click End Process.
8. Click End Process to confirm that you want to end the process.
If you cannot free up memory by using Task Manager, or if this issue still occurs after you try to free up memory, restart the RD Session Host server.
Resolution steps for the following event ID: 1062
To resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to RD Session Host servers. The certificate template must be modified so that the alternate subject name for the certificate matches the DNS name of the RD Session Host server.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To configure the alternate subject name of the certificate to match the DNS name of the RD Session Host server:
1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
4. In the console tree, click Certificate Templates.
5. In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to RD Session Host servers, and then click Properties.
6. On the Subject Name tab, ensure that Build from this Active Directory information is selected.
7. Under Subject name format, click Fully distinguished name.
8. Under Include this information in alternate subject name, select the DNS name check box.
9. Click OK to close the Properties dialog box for the certificate template.
10. Restart the Remote Desktop Configuration service on the RD Session Host server. To restart the Remote Desktop Configuration service, click Start, click Run, type services.msc, and then press ENTER. In the Name column of the Services snap-in, right-click Remote Desktop Configuration, and then click Restart.
11. If the attempt to restart only the service fails, restart the computer. This forces all related and dependent services to restart.
Resolution steps for the following event ID: 1064
This error is received when a certification authority (CA) has issued a certificate for the RD Session Host server based on a certificate template that is specified in Group Policy, and one of the following conditions has occurred:
The correct certificate template name is not specified in Group Policy.
The permissions on the certificate template do not allow the RD Session Host server to enroll for this type of certificate.
The certificate is not valid for the requested usage.
The certificate template does not exist.
The certificates that are based on the certificate template are not being issued to computers.
The Server Authentication Certificate Template Group Policy setting allows you to enter the name of the certificate template that is used to determine which certificate is used to authenticate the RD Session Host server when using SSL or TLS 1.0 encryption. Entering the name of a certificate template allows automatic certificate selection to occur. After a certificate template name has been entered, certificates that were created by using that template are considered, and one of the eligible certificates is automatically selected for use.
The correct certificate template name is not specified in Group Policy
To check whether the correct certificate template name is specified in Group Policy, use the Group Policy Management Console (GPMC).
To perform this procedure, you must have membership in the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate authority.
Note: To manage Group Policy on a Windows Server-based domain controller, you must first add the Group Policy Management Console (GPMC) feature.
To check whether the correct certificate template name is specified in Group Policy:
1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the left pane, locate the organizational unit (OU) that you want to edit.
3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
4. In the right pane, click the Settings tab.
5. In the left pane, under Computer Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, expand Remote Desktop Session Host, and then click Security.
6. In the right pane, in the settings list, right-click Server Authentication Certificate Template, and then click Properties.
7. On the Settings tab, check whether Enabled is selected and whether the name specified in Certificate Template Name is correct, and then click OK.
8. If the Enabled option is not selected, see the section titled "Specify the correct certificate template in Group Policy."
The permissions on the certificate template do not allow the RD Session Host server to enroll for this type of certificate
An RD Session Host server computer account must have Enroll permissions to read the appropriate certificate template.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check the permissions that are granted to the RD Session Host server on the certificate template:
1. On a computer where Active Directory Certificate Services (AD CS) is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
4. In the console tree, click Certificate Templates.
5. In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to RD Session Host servers, and then click Properties.
6. On the Security tab, under Group or user names, check whether the RD Session Host server (or a security group that contains the RD Session Host server) appears in the list, and then click it. With the RD Session Host server (or the security group that contains the RD Session Host server) selected, under Permissions, check whether the check box to allow Enroll permissions is selected, and then click OK.
7. If the check box to allow Enroll permissions is not selected, see the section titled "Grant Enroll permissions for the certificate template to the RD Session Host server".
The certificate is not valid for the requested usage
The certificate template that AD CS uses as the basis for server certificates enrolled to RD Session Host servers must have an Enhanced Key Usage (EKU) of Server Authentication.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check whether the Server Authentication Key Usage extension is specified in the certificate template:
1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
4. In the console tree, click Certificate Templates.
5. In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to RD Session Host servers, and then click Properties.
6. On the Extensions tab, under Extensions included in this template, click Key Usage, and then click Edit.
7. Check whether the Server Authentication Key Usage extension is selected, and then click OK to close the Properties dialog box for the certificate template.
8. If the Server Authentication Key Usage extension is not selected, see the section titled "Add the Server Authentication EKU to the certificate template."
The certificate template does not exist
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check whether the certificate template exists:
1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
4. In the console tree, click Certificate Templates.
5. In the results pane, in the list of certificate templates, locate the certificate template that is used as the basis for the certificates that are enrolled to RD Session Host servers.
6. If the certificate template does not appear, see the section titled "Create a new certificate template."
The certificates that are based on the certificate template are not being issued to computers
For a CA to issue certificates based on the certificate template, the certificate template must be added to the Certificate Templates container in the Certification Authority snap-in.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check whether the certificate template has been added to the Certificate Templates container in the Certification Authority snap-in:
1. On a computer where AD CS is installed, click Start, click Run, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certification Authority, click Add, and then click OK.
4. Select the CA that you want to manage, and then click Finish.
5. Expand Certificate Templates, and then check whether the appropriate certificate template appears in the list. The name of the certificate should match the name that is specified in the Server Authentication Certificate Template Group Policy setting. For more information, see "To check whether the correct certificate is specified in Group Policy" earlier in this topic.
6. If the appropriate certificate template does not appear in the list, see the section titled "Add the certificate template to the Certificate Templates container."
Resolution steps for the following event ID: 1059
To resolve this issue, do the following:
Check the certificate store for the certificate that the RD Session Host server is configured to use for TLS 1.0 (SSL).
Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL).
For information about certificate requirements, see the section "Certificate requirements" later in this topic.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Check the certificate store for the certificate that the RD Session Host server is configured to use for TLS 1.0 (SSL)
To check the certificate store:
1. On the RD Session Host server, open the Certificates snap-in for a computer. If you have not already added the Certificates snap-in console, you can do so by doing the following:
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, click Computer account, and then click Next.
6. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
7. In the Add or Remove snap-ins dialog box, click OK.
8. Confirm that the certificates are displayed by logical certificate stores. To do this, on the View menu, click Options, and in the View Options dialog box, confirm that Logical certificate stores is selected.
9. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), select Personal, and click Certificates.
10. In the details pane, check that the certificate that is being used by the RD Session Host server for server authentication and encryption appears in the list of certificates.
11. Do one of the following:
If the certificate appears in the list, complete the steps in "Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL)" later in this topic.
If the certificate does not appear in the list, complete the steps in "Install a certificate on the RD Session Host server."
Install a certificate on the RD Session Host server
Important: You should only install certificates obtained from trusted sources. Installing an altered or unreliable certificate could compromise the security of any system component that uses the installed certificate.
To install a certificate on the RD Session Host server:
1. On the RD Session Host server, locate and then double-click the certificate that you want to install. The certificate might exist on the RD Session Host server or be located on a share.
2. If prompted to confirm whether you want to open the certificate file, click Open.
3. In the Certificate Properties dialog box, on the General tab, click Install Certificate.
4. In the Certificate Import Wizard, on the Welcome page, click Next.
5. On the Certificate Store page, do one of the following:
6. If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
7. If you want to specify where the certificate is stored, select Place all certificates in the following store, and then click Browse. In Select Certificate Store, click the certificate store to use, and then click OK.
8. On the Certificate Store page, click Next.
9. On the Completing the Certificate Import Wizard page, click Finish.
After you install a certificate, you must specify that it be used by the RD Session Host server, as described in the following procedure.
Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL)
We recommend that you use the Remote Desktop Session Host Configuration snap-in to specify the certificate that is used by the RD Session Host server for server authentication and encryption. If you use Remote Desktop Session Host Configuration to attempt to install a certificate that does not meet the certificate requirements, the certificate will not be installed.
To configure the RD Session Host server:
1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. In the details pane, under Connections, right-click the connection (for example, RDP-tcp) and then click Properties.
3. On the General tab, click Select.
4. In the Select Certificate dialog box, click the certificate that you want to use, and then click OK.
Certificate requirements
A certificate that is used by the RD Session Host server for server authentication and encryption must meet the following requirements:
The certificate must be a computer certificate.
The certificate must have a corresponding private key. The container for the key must be accessible by the NT AUTHORITY\Network Service account.
The certificate must have an Enhanced Key Usage (EKU) of Server Authentication (1.3.6.1.5.5.7.3.1) or no EKU.
The following key usage value must be set for the certificate: CERT_KEY_ENCIPHERMENT_KEY_USAGE.
The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
Resolution steps for the following event ID: 1050
To resolve this issue, check the encryption and authentication settings on the RD Session Host server to ensure that they are compatible, and that they are appropriate for your security requirements and the level of security that your client computers can support.
Note: Remote Desktop Connection 5.2 supports 128 bits of encryption.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Configure server authentication and encryption settings for a connection by using Remote Desktop Session Host Configuration
Keep in mind that certain authentication and encryption settings are not compatible. For example, if you select SSL (TLS 1.0) for the security layer and an encryption level of Low, you will receive an error message if you attempt to apply these settings. The error message will state that the encryption level is set too low for the security layer used.
To configure server authentication and encryption settings for a connection by using Remote Desktop Session Host Configuration:
1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. Under Connections, right-click the connection (for example, RDP-tcp), and then click Properties.
3. In the Properties dialog box for the connection, click the General tab.
4. Select the server authentication and encryption settings that are appropriate for your environment, based on your security requirements and the level of security that your client computers can support.
5. If you select SSL (TLS 1.0), either select a certificate that is installed on the RD Session Host server or click Default to generate a self-signed certificate. To select a certificate that is installed on the RD Session Host server, click Select, and in the Select Certificate dialog box, select the certificate that you want to use, and then click OK.
6. If you are using a self-signed certificate, the name of the certificate will display as Auto generated.
7. Click OK.
Configure server authentication and encryption settings for a connection by using Group Policy
You can also configure server authentication and encryption settings by applying the following Group Policy settings:
Set client connection encryption level
Require use of specific security layer for remote (RDP) connections
Server Authentication Certificate Template
Require user authentication for remote connections by using Network Level Authentication
These Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that these Group Policy settings will take precedence over the settings configured in Remote Desktop Session Host Configuration, with the exception of the Server Authentication Certificate Template Group Policy setting.
You can configure the RD Session Host server to use the FIPS-compliant encryption level by applying the System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing Group Policy setting. This Group Policy setting is located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting will take precedence over the setting configured in Remote Desktop Session Host Configuration and takes precedence over the Set client connection encryption level Group Policy setting.
For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help ( http://go.microsoft.com/fwlink/?LinkId=143317) or the GPMC Help ( http://go.microsoft.com/fwlink/?LinkId=143867) in the Windows Server Technical Library.
Resolution steps for the following event IDs: 1052, 1065, 1053
To resolve this issue, do the following:
Use Remote Desktop Session Host Configuration to determine which certificate needs to be renewed.
Renew the certificate being used by the RD Session Host server by doing one of the following:
Renew a certificate with the same key. Doing this allows you maximum compatibility with past uses of the accompanying key pair, but does nothing to enhance the security of the certificate and key pair. After the certificate is renewed, the old certificate will be archived.
Renew a certificate with a new key. Doing this allows you to continue using an existing certificate and its associated data, while enhancing the strength of the key associated with the certificate. After the certificate is renewed, the old certificate and key pair will be archived.
Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL).
If you are using a self-signed certificate that was automatically generated by the RD Session Host server, note that the RD Session Host server automatically renews the certificate 30 days before the certificate is set to expire.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Determine which certificate needs to be renewed
To determine which certificate needs to be renewed:
1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. In the details pane, under Connections, right-click the connection (for example, RDP-tcp), and then click Properties.
3. On the General tab, click Select.
4. In the Select Certificate dialog box, note the certificate that is selected, and then click View Certificate.
5. In the Certificate dialog box, click General, and then check the expiration date. If the certificate is set to expire within a few days, follow the steps in "Renew a certificate with the same key" or "Renew a certificate with a new key."
6. Click OK to close the Certificate dialog box.
7. Click OK to close the Select Certificate dialog box.
8. Click OK to close the Properties dialog box for the connection.
Renew a certificate with the same key
You can use this procedure to request certificates from an enterprise certification authority (CA) only.
To renew a certificate with the same key:
1. On the RD Session Host server, open the Certificates snap-in for a computer. If you have not already added the Certificates snap-in console, you can do so by doing the following:
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, click Computer account, and then click Next.
6. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
7. In the Add or Remove snap-ins dialog box, click OK.
8. Confirm that the certificates are displayed by logical certificate stores. To do this, on the View menu, click Options, and in the View Options dialog box, confirm that Logical certificate stores is selected.
9. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), select Personal, and click Certificates.
10. In the details pane, click the certificate that you are renewing.
11. On the Action menu, point to All Tasks, select Advanced Operations, and then click Renew this certificate with the same key to start the Certificate Renewal Wizard.
12. If more than one certificate is listed in the Request Certificates window, select the certificate that you want to renew, and then do one of the following:
13. Use the default values to renew the certificate.
14. Click Details, and then click Properties to provide your own certificate renewal settings. You need to know the CA issuing the certificate.
15. Click Enroll.
16. After the Certificate Renewal Wizard has successfully finished, click Finish.
Renew a certificate with a new key
You can use this procedure to request certificates from an enterprise CA only.
To renew a certificate with a new key:
1. On the RD Session Host server, open the Certificates snap-in for a computer. If you have not already added the Certificates snap-in console, you can do so by doing the following:
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, click Computer account, and then click Next.
6. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
7. In the Add or Remove snap-ins dialog box, click OK.
8. Confirm that the certificates are displayed by logical certificate stores. To do this, on the View menu, click Options, and in the View Options dialog box, confirm that Logical certificate stores is selected.
9. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), select Personal, and then click Certificates.
10. In the details pane, click the certificate that you are renewing.
11. On the Action menu, point to All Tasks, and then click Renew Certificate with New Key to start the Certificate Renewal Wizard.
12. In the Certificate Renewal Wizard, do one of the following:
13. Use the default values to renew the certificate.
14. To provide your own certificate renewal settings, click Details, and then click Properties. You will need to know the cryptographic service provider (CSP) and the CA that is issuing the certificate.
15. Select the key length (measured in bits) of the public key associated with the certificate.
16. You can also choose to enable strong private key protection. Enabling strong private key protection ensures that you are prompted for a password every time the private key is used. This is useful if you want to make sure that the private key is not used without your knowledge.
17. When you are ready to request a certificate, click Enroll.
18. After the Certificate Renewal Wizard has successfully finished, click Close.
Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL)
To configure the RD Session Host server to use the certificate for TLS 1.0 (SSL):
1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. In the details pane, under Connections, right-click RDP-tcp, and then click Properties.
3. On the General tab, click Select.
4. In the Select Certificate dialog box, click the certificate that you want to use, and then click OK.
| Target | Microsoft.Windows.Server.2012.R2.RemoteDesktopServicesRole.Service.RDSessionHost | ||
| Parent Monitor | System.Health.ConfigurationState | ||
| Category | Custom | ||
| Enabled | True | ||
| Alert Generate | True | ||
| Alert Severity | MatchMonitorHealth | ||
| Alert Priority | High | ||
| Alert Auto Resolve | True | ||
| Monitor Type | Microsoft.Windows.2SingleEventLogManualReset3StateMonitorType | ||
| Remotable | True | ||
| Accessibility | Public | ||
| Alert Message |
| ||
| RunAs | Default |
Home<UnitMonitor ID="Microsoft.Windows.Server.RemoteDesktopServices.2012.R2.NewUnitMonitor_24" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.Server.2012.R2.RemoteDesktopServicesRole.Service.RDSessionHost" ParentMonitorID="SystemHealth!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLogManualReset3StateMonitorType" ConfirmDelivery="true">
<Category>Custom</Category>
<AlertSettings AlertMessage="Microsoft.Windows.Server.RemoteDesktopServices.2012.R2.NewUnitMonitor_24_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>High</AlertPriority>
<AlertSeverity>MatchMonitorHealth</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/EventDisplayNumber$</AlertParameter1>
<AlertParameter2>$Data/Context/EventDescription$</AlertParameter2>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="UIGeneratedOpStateIdd0c61a4142e642039446fc7c84c549dd" MonitorTypeStateID="ManualResetEventRaised" HealthState="Success"/>
<OperationalState ID="UIGeneratedOpStateIdeeb0840ccaf44fcd9fa2dbf8e989cf8a" MonitorTypeStateID="SecondEventRaised" HealthState="Warning"/>
<OperationalState ID="UIGeneratedOpStateIdb3cc355873304e3e986746a779bdb7ff" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>
</OperationalStates>
<Configuration>
<FirstComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
<FirstLogName>System</FirstLogName>
<FirstExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-TerminalServices-RemoteConnectionManager</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1133</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1053</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1051</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1055</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1054</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1059</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1057</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1058</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>
</FirstExpression>
<SecondComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
<SecondLogName>System</SecondLogName>
<SecondExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-TerminalServices-RemoteConnectionManager</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1052</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1050</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1064</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1065</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1062</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>
</SecondExpression>
</Configuration>
</UnitMonitor>