Event ID 1065 — Terminal Services Authentication and Encryption
Applies To: Windows Server 2008
Transport Layer Security (TLS) 1.0 enhances the security of Terminal Services sessions by providing server authentication and by encrypting terminal server communications. The terminal server and the client computer must be correctly configured for clients to make successful remote connections and for TLS to provide enhanced security. For example, a certificate is needed to authenticate a terminal server when SSL (TLS 1.0) is used to secure communication between a client and a terminal server during Remote Desktop Protocol (RDP) connections.
Event Details
Product: Windows Operating System
ID: 1065
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Version: 6.0
Symbolic Name: EVENT_TS_SSL_TEMPLATE_CERT_REPLACE_FAILED
Message: The template-based certificate that is being used by the terminal server for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption has expired and cannot be replaced by the terminal server. The following error occurred: %1.
Resolve
Renew the certificate and then configure the terminal server to use the certificate for TLS 1.0 (SSL)
To resolve this issue, do the following:
- Use Terminal Services Configuration to determine which certificate needs to be renewed.
- Renew the certificate being used by the terminal server by doing one of the following:
- Renew a certificate with the same key. Doing this allows you maximum compatibility with past uses of the accompanying key pair, but does nothing to enhance the security of the certificate and key pair. Once renewed, the old certificate will be archived.
- Renew a certificate with a new key. Doing this allows you to continue using an existing certificate and its associated data, while enhancing the strength of the key associated with the certificate. Once renewed, the old certificate and key pair will be archived.
- Configure the terminal server to use the certificate for TLS 1.0 (SSL).
For information about keys, see "Key Archival and Recovery: Active Directory Certificate Services in Windows Server 2008" (https://go.microsoft.com/fwlink/?LinkId=102277).
If you are using a self-signed certificate that was automatically generated by the terminal server, note that the terminal server automatically renews the certificate 30 days before the certificate is set to expire.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Determine which certificate needs to be renewed
To determine which certificate needs to be renewed:
- Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
- In the details pane, under Connections, right-click the connection (for example, RDP-tcp), and then click Properties.
- On the General tab, click Select.
- In the Select Certificate dialog box, note the certificate that is selected, and then click View Certificate.
- In the Certificate dialog box, click General, and then check the expiration date (the Valid to date). If the certificate has already expired or is set to expire within a few days, follow the steps in "Renew a certificate with the same key" or "Renew a certificate with a new key."
- Click OK to close the Certificate dialog box.
- Click OK to close the Select Certificate dialog box.
- Click OK to close the Properties dialog box for the connection.
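The same check, run on the terminal server from PowerShell instead of through Terminal Services Configuration. This is an added example and not part of the original page; it assumes the Win32_TSGeneralSetting class in the root\cimv2\TerminalServices WMI namespace, the default listener name RDP-Tcp, and that the bound certificate is either in the computer's Personal store or, for the auto-generated self-signed certificate, in the Remote Desktop store.

```powershell
# Added example (not from the original page): report which certificate the
# RDP-Tcp listener is bound to and whether it has expired.
# Assumes: Win32_TSGeneralSetting in root\cimv2\TerminalServices (Windows
# Server 2008), listener name RDP-Tcp, stores LocalMachine\My and
# LocalMachine\Remote Desktop.
function Get-TsListenerCertificate {
    param([string]$TerminalName = 'RDP-Tcp')

    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='$TerminalName'"
    if (-not $ts) { throw "No listener named $TerminalName" }

    # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = SSL (TLS 1.0).
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    $layer = $layerNames[[int]$ts.SecurityLayer]

    # The listener records the SHA-1 thumbprint of the certificate it uses.
    # An explicitly selected certificate lives in the Personal (My) store; the
    # self-signed one the terminal server generates lives in "Remote Desktop".
    $hash = $ts.SSLCertificateSHA1Hash
    $cert = $null
    foreach ($store in 'My', 'Remote Desktop') {
        $path = "Cert:\LocalMachine\$store"
        if (Test-Path $path) {
            $cert = Get-ChildItem $path |
                Where-Object { $_.Thumbprint -eq $hash } |
                Select-Object -First 1
        }
        if ($cert) { break }
    }
    if (-not $cert) {
        throw "No certificate with thumbprint '$hash' in LocalMachine\My or LocalMachine\Remote Desktop"
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Listener      = $ts.TerminalName
        SecurityLayer = $layer
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        DaysLeft      = [int]($cert.NotAfter - $now).TotalDays
        Expired       = ($cert.NotAfter -lt $now)
        HasPrivateKey = $cert.HasPrivateKey   # required for the listener to use it
        ChainValid    = $cert.Verify()        # chain builds to a trusted root
    }
}

Get-TsListenerCertificate | Format-List
```

Run this in an elevated PowerShell session on the terminal server. Expired is the condition that produces Event ID 1065; a false HasPrivateKey or ChainValid points at a different problem (a certificate installed without its key, or an issuing CA that is not trusted on the server) that renewing alone will not fix.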
Renew a certificate with the same key
You can use this procedure to request certificates from an enterprise certification authority (CA) only.
To renew a certificate with the same key:
- On the terminal server, open the Certificates snap-in for a computer. If you have not already added the Certificates snap-in console, you can do so by doing the following:
- Click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
- In the Certificates snap-in dialog box, click Computer account, and then click Next.
- In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
- In the Add or Remove snap-ins dialog box, click OK.
- Confirm that the certificates are displayed by logical certificate stores. To do this, on the View menu, click Options, and in the View Options dialog box, confirm that Logical certificate stores is selected.
- In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), select Personal, and click Certificates.
- In the details pane, click the certificate that you are renewing.
- On the Action menu, point to All Tasks, select Advanced Operations, and then click Renew this certificate with the same key to start the Certificate Renewal Wizard.
- If more than one certificate is listed in the Request Certificates window, select the certificate that you want to renew, and then do one of the following:
- Use the default values to renew the certificate.
- Click Details, and then click Properties to provide your own certificate renewal settings. You need to know the CA issuing the certificate.
- Click Enroll.
- After the Certificate Renewal Wizard has successfully finished, click Finish.
Renew a certificate with a new key
You can use this procedure to request certificates from an enterprise CA only.
To renew a certificate with a new key:
- On the terminal server, open the Certificates snap-in for a computer. If you have not already added the Certificates snap-in console, you can do so by doing the following:
- Click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
- In the Certificates snap-in dialog box, click Computer account, and then click Next.
- In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
- In the Add or Remove snap-ins dialog box, click OK.
- Confirm that the certificates are displayed by logical certificate stores. To do this, on the View menu, click Options, and in the View Options dialog box, confirm that Logical certificate stores is selected.
- In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), select Personal, and then click Certificates.
- In the details pane, click the certificate that you are renewing.
- On the Action menu, point to All Tasks, and then click Renew Certificate with New Key to start the Certificate Renewal Wizard.
- In the Certificate Renewal Wizard, do one of the following:
- Use the default values to renew the certificate.
- To provide your own certificate renewal settings, click Details, and then click Properties. You will need to know the cryptographic service provider (CSP) and the CA that is issuing the certificate.
- Select the key length (measured in bits) of the public key associated with the certificate. Choose at least 2048 bits for an RSA key; shorter keys are no longer considered adequate.
- You can also choose to enable strong private key protection. Enabling strong private key protection ensures that you are prompted for a password every time the private key is used. This is useful if you want to make sure that the private key is not used without your knowledge. Do not enable it for a certificate the terminal server will use: the listener runs as a service with no interactive desktop on which to answer the prompt, so it would be unable to use the key.
- When you are ready to request a certificate, click Enroll.
- After the Certificate Renewal Wizard has successfully finished, click Close.
Configure the terminal server to use the certificate for TLS 1.0 (SSL)
To configure the terminal server to use the certificate for TLS 1.0 (SSL):
- Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
- In the details pane, under Connections, right-click RDP-tcp, and then click Properties.
- On the General tab, click Select.
- In the Select Certificate dialog box, click the certificate that you want to use, and then click OK.
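The two renewal procedures and the binding step above, done from the command line. This is an added example and not part of the original page. It assumes the -Enroll verb of certreq.exe (present on Windows Server 2008 R2 and later; on Windows Server 2008 use the Certificates snap-in procedure above), an enterprise CA that permits renewal from the template, the Win32_TSGeneralSetting WMI class, and a placeholder thumbprint for the expired certificate.

```powershell
# Added example (not from the original page). Renews the listener's
# certificate with certreq.exe and binds the renewed certificate to the
# RDP-Tcp listener, with the checks the snap-in does not make for you.
# Assumes: certreq.exe -Enroll (Windows Server 2008 R2 or later),
# Win32_TSGeneralSetting in root\cimv2\TerminalServices, enterprise CA.

function Renew-TsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [switch]$ReuseKeys   # same key pair ("Renew a certificate with the same key")
    )
    # Capture the subject before renewing: the old certificate is archived
    # afterwards and drops out of normal store enumeration.
    $old = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $subject = $old.Subject

    $certreqArgs = @('-Enroll', '-machine', '-q', '-cert', $Thumbprint, 'Renew')
    if ($ReuseKeys) { $certreqArgs += 'ReuseKeys' }   # omit for a new key pair
    & certreq.exe @certreqArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }

    # Renewal produces a new certificate (new thumbprint, same subject).
    # Return the newest certificate for that subject so it can be bound.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject -and $_.Thumbprint -ne $Thumbprint } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function Set-TsListenerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$TerminalName = 'RDP-Tcp'
    )
    # Refuse certificates the listener cannot use: no private key, already
    # expired, or an EKU extension that does not allow Server Authentication.
    if (-not $Certificate.HasPrivateKey) { throw 'Certificate has no private key' }
    if ($Certificate.NotAfter -lt (Get-Date)) { throw 'Certificate has expired' }
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        throw 'Certificate EKU does not include Server Authentication (1.3.6.1.5.5.7.3.1)'
    }

    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='$TerminalName'"
    if (-not $ts) { throw "No listener named $TerminalName" }

    # Binding is a single property write; the listener picks it up for new
    # connections without a service restart.
    $ts.SSLCertificateSHA1Hash = $Certificate.Thumbprint
    $ts.Put() | Out-Null

    # SecurityLayer 0 (RDP security layer) never uses the certificate; warn
    # rather than change a policy-driven setting silently.
    if ([int]$ts.SecurityLayer -eq 0) {
        Write-Warning "$TerminalName security layer is 'RDP Security Layer'; set it to Negotiate or SSL for TLS to be used"
    }
    return $Certificate.Thumbprint
}

# Usage (placeholder thumbprint of the expired template-based certificate):
$renewed = Renew-TsCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -ReuseKeys
Set-TsListenerCertificate -Certificate $renewed
```

Leave out -ReuseKeys to get the "new key" variant. After binding, confirm that the account the Terminal Services service runs under (NETWORK SERVICE by default) has read access to the new private key; a template-based certificate enrolled for the computer normally grants this, but a certificate imported by hand may not, and the listener then silently falls back to the self-signed certificate or fails to start TLS.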
Verify
When Transport Layer Security (TLS) 1.0 is functioning as expected for server authentication and encryption of terminal server communications, clients can make connections to terminal servers by using TLS 1.0 (SSL).
To verify that the TLS 1.0 (SSL) settings are correctly configured and working properly on the terminal server to provide server authentication and encryption for connections, use Remote Desktop Connection from a client computer to connect to the terminal server. If you can connect to the terminal server and there is a lock symbol in the upper-left corner of the connection bar at the top of the window, TLS 1.0 (SSL) is being used for the connection. Clicking the lock symbol shows how the server's identity was verified and lets you view the certificate it presented, so you can confirm that it is the renewed certificate and not the automatically generated self-signed one.
Note: To ensure that the connection bar is displayed when you use Remote Desktop Connection to connect from a client computer, select full-screen mode when configuring Remote Desktop Connection settings.
To select full-screen mode in Remote Desktop Connection:
- Open Remote Desktop Connection. To open Remote Desktop Connection, click Start, click Accessories, and then click Remote Desktop Connection.
- Click Options to display the Remote Desktop Connection settings, and then click Display.
- Under Remote desktop size, drag the slider all the way to the right to ensure that the remote desktop that you plan to connect to is displayed in full-screen mode.
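A scripted version of the client-side check, for cases where a lock icon is not enough (for example, to confirm which certificate the server presents, or to check many servers). This is an added example and not part of the original page. It opens a TCP connection to the listener, performs the RDP protocol negotiation that precedes TLS (the X.224 Connection Request carrying an RDP_NEG_REQ, as specified in MS-RDPBCGR), then completes a TLS handshake and reports the server certificate. The host name is a placeholder.

```powershell
# Added example (not from the original page): negotiate TLS with an RDP
# listener and report the certificate it presents. Assumes the X.224 /
# RDP_NEG_REQ layout from MS-RDPBCGR and a placeholder host name.

function Read-Exact([System.IO.Stream]$Stream, [int]$Count) {
    # Read exactly $Count bytes; Stream.Read may return fewer per call.
    $buf = New-Object byte[] $Count
    $off = 0
    while ($off -lt $Count) {
        $n = $Stream.Read($buf, $off, $Count - $off)
        if ($n -le 0) { throw "Connection closed after $off bytes" }
        $off += $n
    }
    return ,$buf
}

function Test-RdpTls {
    param([string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 5000)

    # X.224 Connection Request with RDP_NEG_REQ. requestedProtocols = 0x03
    # (PROTOCOL_SSL | PROTOCOL_HYBRID): both run over TLS, so the server
    # certificate is visible whether or not the listener requires NLA.
    $connReq = [byte[]](
        0x03, 0x00, 0x00, 0x13,                      # TPKT: version 3, length 19
        0x0e, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00,    # X.224 CR TPDU
        0x01, 0x00, 0x08, 0x00,                      # RDP_NEG_REQ: type 1, flags 0, length 8
        0x03, 0x00, 0x00, 0x00                       # requestedProtocols (little-endian)
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout = $TimeoutMs
    $client.Connect($ComputerName, $Port)
    $stream = $client.GetStream()
    try {
        $stream.Write($connReq, 0, $connReq.Length)

        # X.224 Connection Confirm: 19 bytes with RDP_NEG_RSP or RDP_NEG_FAILURE,
        # 11 bytes from a server that does not implement the negotiation extension.
        $hdr = Read-Exact $stream 4
        if ($hdr[0] -ne 0x03) { throw 'Not a TPKT header; not an RDP listener?' }
        $len = ([int]$hdr[2] -shl 8) -bor [int]$hdr[3]
        $body = Read-Exact $stream ($len - 4)
        if ($body[1] -ne 0xd0) { throw 'Expected an X.224 Connection Confirm' }
        if ($body.Length -lt 15) { throw 'Server selected standard RDP security; no TLS negotiated' }

        switch ($body[7]) {
            0x02    { $selected = [BitConverter]::ToUInt32($body, 11) }
            0x03    { throw ('RDP_NEG_FAILURE, failureCode 0x{0:x}' -f [BitConverter]::ToUInt32($body, 11)) }
            default { throw ('Unknown negotiation response type 0x{0:x}' -f $body[7]) }
        }
        if ($selected -eq 0) { throw 'Server selected standard RDP security; no TLS negotiated' }

        # TLS handshake. The callback accepts any certificate so the script can
        # report what was presented; the policy errors are captured and shown,
        # not ignored. Do not reuse this callback in anything that carries data.
        $script:rdpCertErrors = $null
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:rdpCertErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        New-Object PSObject -Property @{
            SelectedProtocol = $(if ($selected -eq 1) { 'SSL (TLS)' } else { 'HYBRID (CredSSP over TLS)' })
            TlsVersion       = $ssl.SslProtocol
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            Expired          = ($cert.NotAfter -lt (Get-Date))
            PolicyErrors     = $script:rdpCertErrors   # None when the client trusts the chain
        }
    } finally {
        $client.Close()
    }
}

# Usage (placeholder host name):
Test-RdpTls -ComputerName 'ts01.corp.example' | Format-List
```

PolicyErrors is the part worth reading: RemoteCertificateNameMismatch or RemoteCertificateChainErrors means clients will see a warning (or, under a strict client policy, be refused) even though TLS is in use, and the Thumbprint tells you whether the listener is serving the renewed template-based certificate or has fallen back to the self-signed one. On a current client, .NET may no longer offer TLS 1.0 by default, in which case pass an explicit protocol list to AuthenticateAsClient when testing a Windows Server 2008 listener.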