Remote Desktop with CA cert giving "an internal error"

  • Question

  • Having set up Remote Desktop services (installed roles) on Server 2016 VM in Azure, needed to swap out the certificate for a trusted one from a CA. On selecting that via Server Manager > configure deployment, remote desktop returns an error messagebox "an internal error has occurred" and I have to use the ResetRDPCert script on the Azure Portal to be able to get back onto the system.

    I've tried removing Remote Desktop roles and reinstalling, then adding the CA cert - same result.

    CA certificate is for "Server Authentication", wildcard domain name, ECC, P521.

    Issue with the certificate, or with how it's being deployed?

    Many thanks, Craig

    Monday, June 11, 2018 7:50 PM

Answers

  • Hi Micah, Elias

    We did work with a Microsoft support engineer, but they didn't seem to be able to resolve the issue. In the end our certificate supplier provided an RSA certificate to try (vs the original ECC one) and that appeared to do the trick. I'm still waiting for confirmation from Microsoft on this, but as far as we can tell:

    RSA certificate works ok for Remote Desktop services (+RDWeb) on Server 2016, ECC (Elliptical Curve) does not.

    There may be more to it (ECC key length, etc), but until I get any further detail from Microsoft I couldn't say.

    Many thanks for your input!

    Craig

    • Marked as answer by Craig_Burton Tuesday, June 19, 2018 8:28 AM
    Tuesday, June 19, 2018 8:28 AM
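
A check that can be run before selecting a certificate in Server Manager, given the RSA-versus-ECC finding in the answer above. This is an added example, not part of the original thread and not from Microsoft; the `-Thumbprint` parameter and the output property names are illustrative assumptions.

```powershell
# Added example: inspect a certificate in LocalMachine\My before using it for RDS.
param([Parameter(Mandatory)][string]$Thumbprint)   # thumbprint of the candidate certificate

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'               # EKU: Server Authentication
$KeyOids = @{
    '1.2.840.113549.1.1.1' = 'RSA'                 # rsaEncryption
    '1.2.840.10045.2.1'    = 'ECC'                 # id-ecPublicKey
}

# Thumbprints pasted from the certificate UI often carry spaces or hidden characters.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert  = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop

$keyType = $KeyOids[$cert.PublicKey.Oid.Value]
if (-not $keyType) { $keyType = "Other ($($cert.PublicKey.Oid.Value))" }

# PublicKey.Key throws for ECC certificates, so use the typed accessors (.NET 4.6.1+).
$keySize = switch ($keyType) {
    'RSA' { [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize }
    'ECC' { [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert).KeySize }
    default { $null }
}

# An absent EKU extension means the certificate is valid for all purposes.
$ekuOids = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
$serverAuth = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $ServerAuthOid)

# Certificate currently bound to the RDP-Tcp listener on this session host.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

[pscustomobject]@{
    Subject       = $cert.Subject
    KeyType       = $keyType
    KeySize       = $keySize
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEku = $serverAuth
    NotAfter      = $cert.NotAfter
    BoundToRdpTcp = ($listener.SSLCertificateSHA1Hash -eq $clean)
}

if ($keyType -ne 'RSA') {
    Write-Warning "Key type is $keyType. This thread reports an ECC certificate failing for RDS on Server 2016 where an RSA one worked; test a connection before rebooting."
}
```

Run it from an elevated Windows PowerShell session on the session host, so a non-RSA certificate is caught before the listener is switched over and the machine rebooted.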

All replies

  • I believe the process of replacing a certificate has not changed.

    https://kx.cloudingenium.com/microsoft/servers/windows-servers/replacing-self-signed-remote-desktop-services-certificate-windows/

    What version of Windows are you running?

    Monday, June 11, 2018 10:11 PM
  • Hi Micah

    It's Server 2016, so have added the CA certificate via the Server Manager > Remote Desktop > configure deployment (so pretty much as per that article). All RD services are running on the one machine (which is also a domain controller - not ideal, but this is a v small deployment), so updated the certificate for all. That seems to work OK - everything marked as 'Success'ful. However, after a reboot I just get the "an internal error has occurred" when trying to connect via Remote Desktop - either in an admin or non-admin session.

    Any further input very gratefully received!

    Thanks, Craig

    Tuesday, June 12, 2018 8:22 AM
  • Thanks Craig. Not 100% sure what would be missing here.

    Try checking out the following links to see if they help:

    http://www.azure365pro.com/install-and-configure-certificate-authority-in-windows-server-2016/
    http://blog.itsysintegration.net/installation-certificate-authority-windows-server-2016-dc-guide/

    If not, let me know and we can get you in touch with a support engineer who can work over a screen share with you to get it sorted out :)

    Tuesday, June 12, 2018 6:59 PM
  • Hello, my opinion is the internal server error has nothing to do with the certificate you just updated.

    Please change this setting via group policy and try to RDP again:

    Local computer policy -> Administrative templates -> Windows components -> Remote desktop services -> Remote desktop session host -> Security -> Require use of specific layer of security for remote desktop connections.

    Click on enable and select SSL.

    • Proposed as answer by IDrosos Monday, June 18, 2018 9:02 PM
    Tuesday, June 12, 2018 10:09 PM
  • Thanks for the update Craig! If you find out any more information please let us know. We could always use it to create better documentation so others who experience this issue will have something to reference :)
    Tuesday, June 19, 2018 6:15 PM