
Wednesday, January 25, 2017

Process to Fix RDP issue due to Expired Certificate



Process to Fix Remote Desktop issue due to Expired Certificate.

To check whether the certificate has expired, follow the steps below.
Open the Run prompt and type MMC, which opens the Microsoft Management Console.
 
In MMC, add the Certificates snap-in (for the Local Computer account) so that the local system certificate stores can be inspected.
The screenshot below shows the certificate currently present on the server, with its expiry details, under the Remote Desktop certificate store.
Because it has expired, we need to generate a new self-signed certificate.

To create a new certificate we use IIS Manager.

Open IIS Manager and select the server root.


With the server root selected, the available features are listed; select the Server Certificates feature and open it.

The Server Certificates feature lists any certificates already present in the store; if there are none, an empty store is shown, as below.

To create a new certificate, click Create Self-Signed Certificate.
As shown below, provide a friendly name for the certificate and select the Personal store in the option below it.
Clicking OK should generate a new self-signed certificate, but sometimes an Access Denied error appears instead. This is caused by a permission problem on the MachineKeys folder.

To fix the Access Denied error, go to the folder containing “MachineKeys”, which is “C:\ProgramData\Microsoft\Crypto\RSA”.
Select the MachineKeys folder, open Properties > Security tab, select the Administrators group and grant it Full Control.

Apply the changed permissions.
Then go back to Server Certificates and create the self-signed certificate again.
Provide the details and click OK as shown below; the certificate should now be created.
Once the certificate is generated, it appears in the Server Certificates store as shown below.
Now export it from the store and save it locally.
As shown below, provide the location where the certificate should be saved, and set a password that protects the exported file.
In this case we saved the certificate on the desktop.
Double-click the exported RDP certificate file, which opens the Certificate Import Wizard.
Select Local Machine, click Next, and then Next again.
Enter the same password that was given when exporting the certificate.
In the next step, select the Remote Desktop store as the store this certificate should be imported into.
Click Finish, which imports the certificate.

Cross-check that the new certificate is now visible in the Certificates MMC snap-in, and open its properties; they should look as shown below.

Go to the Details tab as shown below.
Select the Thumbprint field and copy its value, then paste it into the command prompt rather than straight into a command: the value copied from the MMC contains hidden non-printing characters that must be removed.


With the thumbprint pasted in the command prompt, remove all the spaces and the question marks (the hidden characters show up as “?”), as below.

After removing the spaces, copy the cleaned hash value and keep it.
Now we replace the old certificate hash in the WMI namespace with this new hash using the command below. The namespace still holds the old certificate's hash, so the server keeps using the old value for authentication and will not use the new certificate even though it is present in the store. Replacing the hash makes the server start using the new certificate. The command is:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="NEW-CERT-Hash-Value"
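The same procedure can be scripted so that the thumbprint never passes through the clipboard. The script below is an added example, not part of the original post; it assumes an elevated PowerShell session on the server, an RDP listener named RDP-Tcp, and that the new certificate is issued for the computer name.

```powershell
# Added example (not from the original post): fix the RDP certificate end to end in PowerShell.
# Assumptions: run elevated; the listener is 'RDP-Tcp'; the cert subject is the computer name.
$ns  = 'root\cimv2\TerminalServices'
$rdp = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# 1. Check whether the certificate RDP currently points at has expired.
$oldHash = $rdp.SSLCertificateSHA1Hash
$oldCert = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $oldHash } | Select-Object -First 1
if ($oldCert -and $oldCert.NotAfter -gt (Get-Date)) {
    "Current RDP certificate $oldHash is valid until $($oldCert.NotAfter); nothing to do."
    return
}

# 2. Create a new self-signed certificate in the Personal (My) store (replaces the IIS wizard step).
$newCert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
    -CertStoreLocation Cert:\LocalMachine\My -FriendlyName 'RDP'
# If RDP later fails to load the key, NETWORK SERVICE needs Read access on the certificate's private key.

# 3. Add it to the Remote Desktop store as well, as the import wizard step in the post does.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Remote Desktop', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($newCert); $store.Close()

# 4. Take the thumbprint from the object and keep only hex digits. This is the scripted form of
#    "remove the spaces and question marks": it drops the invisible characters the MMC copy carries.
$hash = ($newCert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hash.Length -ne 40) { throw "Unexpected thumbprint '$hash'" }

# 5. Point the RDP listener at the new hash (equivalent of the wmic command above).
$rdp | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $hash }

# 6. Verify that the listener now reports the new hash before closing the session.
$check = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $hash) { throw 'RDP listener still reports the old hash' }
"RDP listener now uses $hash (valid until $($newCert.NotAfter))"
```

Existing RDP sessions are not affected; new connections will present the new certificate.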



Following the steps above fixes the certificate issue. If you have any queries or doubts, let me know.
