| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
| Event ID | 1057 (0xC0000421) |
| Event log | System |
| Event type | |
| Event text (English) | The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was %1. |
| Event text (German) | Error creating a new self-signed certificate to be used for Remote Desktop session host server authentication for SSL connections. Associated status code: %1. |
Author: Uwe Gradenegger
Details of the event with ID 1056 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager
| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
| Event ID | 1056 (0xC0000420) |
| Event log | System |
| Event type | Information |
| Event text (English) | A new self signed certificate to be used for RD Session Host Server authentication on SSL connections was generated. The name on this certificate is %1. The SHA1 hash of the certificate is in the event data. |
| Event text (German) | A new self-signed certificate has been generated for Remote Desktop session host server authentication for SSL connections. The name on this certificate is "%1". The SHA1 hash of the certificate can be found in the event data. |
Details of the event with ID 1055 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager
| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
| Event ID | 1055 (0xC000041F) |
| Event log | System |
| Event type | |
| Event text (English) | The RD Session Host Server is configured to use a certificate but is unable to access the private key associated with this certificate. %1 The SHA1 hash of the certificate is in the event data. The default certificate will be used for RD Session Host Server authentication from now on. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
| Event text (German) | The Remote Desktop session host server is configured to use a certificate, but it cannot access the private key associated with that certificate. %1 The SHA1 hash of the certificate can be found in the event data. From now on, Remote Desktop session host server authentication uses the default certificate. Verify the security settings by using the Remote Desktop Session Host Configuration utility in the Administrative Tools folder. |
Details of the event with ID 1054 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager
| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
| Event ID | 1054 (0xC000041E) |
| Event log | System |
| Event type | |
| Event text (English) | The RD Session Host Server is configured to use a certificate that does not contain an Extended Key Usage attribute of Server Authentication. %1 The SHA1 hash of the certificate is in the event data. The default certificate will be used for RD Session Host Server authentication from now on. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
| Event text (German) | The Remote Desktop session host server is configured to use a certificate that does not contain an Extended Key Usage attribute of Server Authentication. %1 The SHA1 hash of the certificate can be found in the event data. From now on, Remote Desktop session host server authentication uses the default certificate. Verify the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
Details of the event with ID 1053 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager
| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
| Event ID | 1053 (0xC000041D) |
| Event log | System |
| Event type | |
| Event text (English) | The RD Session Host Server is configured to use a certificate that is expired. %1 The SHA1 hash of the certificate is in the event data. The default certificate will be used for RD Session Host Server authentication from now on. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
| Event text (German) | The Remote Desktop session host server is configured to use a certificate that has expired. %1 The SHA1 hash of the certificate can be found in the event data. From now on, Remote Desktop session host server authentication uses the default certificate. Verify the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
Details of the event with ID 1052 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager
| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
| Event ID | 1052 (0xC000041C) |
| Event log | System |
| Event type | |
| Event text (English) | The RD Session Host Server is configured to use a certificate that will expire in %2 days. %1 The SHA1 hash of the certificate is in the event data. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
| Event text (German) | The Remote Desktop session host server is configured to use a certificate that expires in %2 days. %1 The SHA1 hash of the certificate can be found in the event data. Verify the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
Details of the event with ID 1051 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager
| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
| Event ID | 1051 (0xC000041B) |
| Event log | System |
| Event type | Error |
| Event text (English) | The RD Session Host Server is configured to use SSL with user selected certificate, however, no usable certificate was found on the server. The default certificate will be used for RD Session Host Server authentication from now on. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
| Event text (German) | The Remote Desktop session host server is configured to use SSL with a user-selected certificate, but no usable certificate was found on the server. From now on, the default certificate is used for Remote Desktop session host server authentication. Verify the security settings using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder. |
Basics: Replacing (Superseding) Certificate Templates
With the introduction of version 2 certificate templates in Windows XP and Windows Server 2003, the option was added for a certificate template to supersede one or more other templates.
This makes it possible to replace issued certificates with certificates from another template, or to consolidate several certificate templates into a single one.
Basics: Cryptographic Service Provider (CSP) and Key Storage Provider (KSP)
Since Windows NT 4.0, the Cryptographic Service Provider (CSP) has been part of the CryptoAPI.
The purpose is that an application does not have to deal with the concrete implementation of key management, but can leave it to generic operating system interfaces. It is also intended to prevent cryptographic keys from being loaded into memory in the security context of the calling user or application (Heartbleed was a severe security incident based on precisely this problem).
For example, it makes no technical difference to the certification authority software how its private key is protected, whether in software or with a hardware security module (HSM). From the certification authority's point of view, the call to the private key is always identical.
With Windows Vista and the introduction of Cryptography Next Generation (CNG) as a replacement for CryptoAPI, Key Storage Providers (KSP) were introduced.
Remote desktop certificate request fails with error message "The permissions on the certificate template do not allow the current user to enroll for this type of certificate."
Assume the following scenario:
- Machines are configured by group policy to request certificates for the Remote Desktop Session Host.
- However, the certificates are not requested.
- In the event log of the affected system, the event with ID 1064 from the source Terminalservices-RemoteConnectionManager is logged:
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Remote desktop certificate request fails with error message "The requested certificate template is not supported by this CA."
Assume the following scenario:
- Machines are configured by group policy to request certificates for the Remote Desktop Session Host.
- However, the certificates are not requested, or existing certificates expire without being renewed.
- In the event log of the affected system, the event with ID 1064 from the source Terminalservices-RemoteConnectionManager is logged:
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.
The local certificate store for trusted root certificate authorities is not synchronized from Active Directory
Assume the following scenario:
- A certification authority hierarchy exists in the network, and the root certification authority is published in the configuration partition of the Active Directory forest.
- Domain members are configured to run the autoenrollment process, which updates the trusted root certification authorities from the configuration partition.
- However, this process does not work for some clients. The root CA certificates are not automatically downloaded and placed in the local trust store.
- As a consequence, certificate requests can fail because, for example, the certification authority hierarchy is not trusted.
Certificate requests for the online responder (OCSP) fail sporadically with error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)"
Assume the following scenario:
- An online responder (OCSP) is set up in the network.
- The certification authorities report at irregular intervals that certificate requests for the OCSP response signing certificates fail with the following error message:
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).
Programmatically trigger the autoenrollment process for the logged-in user
Assume the following scenario:
- You write a script or an application that should trigger the autoenrollment process for the currently logged-in user.
- You find that the scheduled task cannot be run.
- The error message reads:
The user account does not have permissions to run this task.
Enable logging for automatic certificate request (autoenrollment)
The following is an overview of the Windows Event Viewer events generated for Windows certificate clients, how to enable them, and how to identify them.