RDP Connection Failures: Expired Self-Signed Certificate
Issue
Remote Desktop (RDP) connections begin to fail with no apparent cause.
Symptoms
- Cannot RDP to the server. A return code of 50331673 "The Remote Desktop Gateway server administrator has ended the connection" is received
- Event ID 36870 is found in the System Logs each time an RDP connection is attempted
Cause
- RDP self-signed certificate is expired or missing (Windows usually recreates the self-signed certificate upon expiration)
- Permissions issues on the path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_" and the parent folder did not allow the OS to delete the existing key. The key must be deleted before the self-signed certificate can be recreated.
Resolution
- Delete the expired certificate from the Centralized Certificate Store (CCS) on the server using the Certificates snap-in within Microsoft Management Console (MMC). The path to the certificate is Certificates > Remote Desktop > Certificates.
- Stop the RDP (Remote Desktop Services) service
- At the path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys", take ownership of the f686 key file referenced above and give the owner user account Full Control permissions to this file. You may also need to change the Administrators group permissions for the MachineKeys folder to apply to "This folder, subfolders and files", as it defaults to "This folder only".
- Delete file f686aace6942fb7f7ceb231212eef4a4_
- Start the Remote Desktop Services service
- Verify that a new certificate has been generated via Certificates snap-in in MMC
- Verify RDP access to the server
This article describes a possible Microsoft® Remote Desktop Protocol (RDP)
connection issue and the resolution.
Issue: Connection failures
RDP connections begin to fail with no apparent cause.
Symptoms
This issue might have the following symptoms:
- The client can't connect to the server by using RDP. Connection attempts return
code 50331673: The Remote Desktop Gateway server administrator has ended the connection.
- The system logs register Event ID 36870 for every RDP connection attempt.
Cause
The following events could cause this issue:
- The RDP self-signed certificate has expired or is missing (Windows® usually
recreates the self-signed certificate upon expiration).
- Permissions issues on the following path:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4.
The parent folder did not allow the OS to delete the existing key, which needs to happen
before self-signed certificate recreation.
Resolution
Use the following steps to resolve this issue:
- Delete the expired certificate from the Centralized Certificate Store (CCS) on
the server by using the Certificates snap-in in the Microsoft Management Console (MMC).
Select Certificates > Remote Desktop > Certificates.
- Stop the RDP service.
- Go to path C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, take ownership of the
f686 key file, referenced previously, and give the owner of the file Full Control
permission.
- Change the Administrators group permission for the MachineKeys folder to
apply to "This folder, subfolders and files".
- Delete file: f686aace6942fb7f7ceb231212eef4a4.
- Start the Remote Desktop Services service.
- Verify that the system generated a new certificate by using the Certificates
snap-in in MMC.
- Verify RDP access to the server.
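The diagnosis and resolution steps above as PowerShell, added here as an example and not part of the original article. It assumes the Remote Desktop Services service name is TermService, that the MMC "Remote Desktop" store is reachable as Cert:\LocalMachine\Remote Desktop, and that S-1-5-32-544 is the built-in Administrators group; both function names are hypothetical.

```powershell
# Added example. Run elevated from the console or another out-of-band channel:
# stopping TermService ends any RDP sessions that still work.
$KeyDir  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$KeyGlob = 'f686aace6942fb7f7ceb231212eef4a4_*'  # prefix from the article; wildcard for the rest
$Store   = 'Cert:\LocalMachine\Remote Desktop'   # assumed provider path of the MMC store

function Get-RdpCertStatus {   # hypothetical helper: read-only diagnosis
    $certs = Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
    # Event ID 36870 in the System log is the symptom the article names.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36870 } -MaxEvents 5 -ErrorAction SilentlyContinue
    # Owner of each matching key file, to confirm the permissions cause.
    $keys = Get-ChildItem -Path $KeyDir -Filter $KeyGlob -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner }
        }
    [pscustomobject]@{ Certificates = $certs; Events36870 = $events; KeyFiles = $keys }
}

function Repair-RdpSelfSignedCert {   # hypothetical helper: the article's steps
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $status  = Get-RdpCertStatus
    $expired = @($status.Certificates | Where-Object { $_.Expired })
    if ($status.Certificates -and -not $expired) {
        Write-Warning 'Remote Desktop certificate is present and not expired; nothing changed.'
        return
    }
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reset RDP self-signed certificate')) { return }
    foreach ($c in $expired) { Remove-Item -Path "$Store\$($c.Thumbprint)" }
    Stop-Service -Name TermService -Force
    foreach ($k in $status.KeyFiles) {
        takeown.exe /F $k.Path /A | Out-Null                     # owner becomes Administrators
        icacls.exe $k.Path /grant '*S-1-5-32-544:F' | Out-Null   # Full Control, by well-known SID
        Remove-Item -LiteralPath $k.Path -Force
    }
    Start-Service -Name TermService
    Start-Sleep -Seconds 5        # arbitrary pause before re-checking
    Get-RdpCertStatus             # expect one certificate with Expired = False
}
```

Run Get-RdpCertStatus first to confirm the cause; Repair-RdpSelfSignedCert -WhatIf reports the intended action without changing anything.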