Event ID 1062 — Terminal Services Authentication and Encryption
Applies To: Windows Server 2008
Transport Layer Security (TLS) 1.0 enhances the security of Terminal Services sessions by providing server authentication and by encrypting terminal server communications. The terminal server and the client computer must be correctly configured for clients to make successful remote connections and for TLS to provide enhanced security. For example, a certificate is needed to authenticate a terminal server when SSL (TLS 1.0) is used to secure communication between a client and a terminal server during Remote Desktop Protocol (RDP) connections.
Event Details
Product: | Windows Operating System |
ID: | 1062 |
Source: | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
Version: | 6.0 |
Symbolic Name: | EVENT_TS_SSL_WRONG_SUBJECT_NAME |
Message: | The terminal server is configured to use a template-based certificate for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption, but the subject name on the certificate is invalid. %1 The SHA1 hash of the certificate is in the event data. Therefore, the default certificate will be used by the terminal server for authentication. To resolve this issue, make sure that template used to create this certificate is configured to use DNS name as subject name. |
Resolve
Configure the certificate template Subject name to match the DNS name of the terminal server
To resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers. The certificate template must be modified so that the alternate subject name for the certificate matches the DNS name of the terminal server.
For information about certificate templates, see "Implementing and Administering Certificate Templates in Windows Server 2008" (https://go.microsoft.com/fwlink/?LinkID=92522).
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To configure the alternate subject name of the certificate to match the DNS name of the terminal server:
- On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
- On the File menu, click Add/Remove snap-in.
- In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
- In the console tree, click Certificate Templates.
- In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
- On the Subject Name tab, ensure that Build from this Active Directory information is selected.
- Under Subject name format, click Fully distinguished name.
- Under Include this information in alternate subject name, select the DNS name check box.
- Click OK to close the Properties dialog box for the certificate template.
- Restart the Terminal Services Configuration service on the terminal server. To restart the Terminal Services Configuration service, click Start, click Run, type services.msc, and then press ENTER. In the Name column of the Services snap-in, right click Terminal Services Configuration, and then click Restart.
- If the attempt to restart only the service fails, restart the computer. This forces all related and dependent services to restart.
Verify
When Transport Layer Security (TLS) 1.0 is functioning as expected for server authentication and encryption of terminal server communications, clients can make connections to terminal servers by using TLS 1.0 (SSL).
To verify that the TLS 1.0 (SSL) settings are correctly configured and working properly on the terminal server to provide server authentication and encryption for connections, use Remote Desktop Connection from a client computer to connect to the terminal server. If you can connect to the terminal server and there is a lock symbol in the upper-left corner of the connection bar at the top of the window, TLS 1.0 (SSL) is being used for the connection.
Note: To ensure that the connection bar is displayed when you use Remote Desktop Connection to connect from a client computer, select full-screen mode when configuring Remote Desktop Connection settings.
To select full-screen mode in Remote Desktop Connection:
- Open Remote Desktop Connection. To open Remote Desktop Connection, click Start, click Accessories, and then click Remote Desktop Connection.
- Click Options to display the Remote Desktop Connection settings, and then click Display.
- Under Remote desktop size, drag the slider all the way to the right to ensure that the remote desktop that you plan to connect to is displayed in full-screen mode.