RDP Connection Failures: Expired Self-Signed Certificate
Last updated on: 2021-05-04
Authored by: Steven Mondragon-DeVoss
Remote Desktop (RDP) connections begin to fail with no apparent cause.
- Cannot RDP to the server - A return code of 50331673 “The Remote Desktop Gateway server administrator has ended the connection” is received
- Event ID 36870 is found in the System Logs each time an RDP connection is attempted
- RDP self-signed certificate is expired or missing (Windows usually recreates the self-signed certificate upon expiration)
- Permissions issues to the following path “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_” and the parent folder did not allow for the OS to delete the existing key. This needs to be done prior to recreating the self-signed certificate.
- Delete the expired certificate from the Centralized Certificate Store (CCS) on the server using the Certificates snap-in within Microsoft Management Console (MMC). The path to the certificate is Certificates > Remote Desktop > Certificates.
- Stop the RDP (Remote Desktop Services) service
- At the path “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”, take ownership of the f686 key file referenced above and give owner user account Full Control permissions to this file. You may also need to change the Administrators group permissions for the MachineKeys folder to apply to “This folder, subfolders and files” as it is defaulted to “This folder onaly”.
- Delete file f686aace6942fb7f7ceb231212eef4a4_
- Start the Remote Desktop Services service
- Verify that a new certificate has been generated via Certificates snap-in in MMC
- Verify RDP access to the server
This article describes a possible Microsoft® Remote Desktop Protocol (RDP) connection issue and the resolution.
Issue: Connection failures
RDP connections begin to fail with no apparent cause.
This issue might have the following symptoms:
- The client can’t connect to the server by using RDP. Connection attempts return code 50331673: The Remote Desktop Gateway server administrator has ended the connection.
- The system logs register Event ID 36870 for every RPD connection attempt.
The following events could cause this issue:
- The RDP self-signed certificate has expired or is missing (Windows® usually recreates the self-signed certificate upon expiration.
- Permissions issues on the following path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4. The parent folder did not allow the OS to delete the existing key, which needs to happen before self-signed certificate recreation.
Use the following steps to resolve this issue:
Delete the expired certificate from the Centralized Certificate Store (CCS) on the server by using the Certificates snap-in in the Microsoft Management Console (MMC). Select Certificates > Remote Desktop > Certificates.
Stop the RDP service.
Go to path C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, take ownership of the f686 key file, referenced previously, and give the owner of the file
Change the Administrators group permission for the MachineKeys folder to
apply to "This folder, subfolders and files.
Delete file: f686aace6942fb7f7ceb231212eef4a4.
Start the Remote Desktop Services service.
Verify that the system generated a new certificate by using the Certificates snap-in in MMC.
Verify RDP access to the server.
Use the Feedback tab to make any comments or ask questions. You can also start a conversation with us.