Event ID 1057 – The Terminal Server has failed to create a new self signed certificate


If you receive Event ID 1057 – "The Terminal Server has failed to create a new self signed certificate to be used for Terminal Server authentication on SSL connections. The relevant status code was Key not valid for use in specified state" from source TerminalServices-RemoteConnectionManager in the System event log, you will find a lot of strange advice out there. For me, none of it worked. I finally figured out the problem.

The condition you'll probably also notice is that you can't Remote Desktop into the server until you clear the "Allow connections only from computers running Remote Desktop with Network Level Authentication" checkbox in the Remote Desktop Session Host Configuration's RDP-Tcp properties, General tab, or, from the System settings under the Remote tab, change the radio button back to "Allow connections from computers running any version of Remote Desktop (less secure)".

In my case I had already tried a lot of the advice, like deleting the self-signed certificate and rebooting (MMC / Certificates / Local Computer / Remote Desktop), and deleting these registry values and restarting:

- HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM > Certificate
- HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM > CertificateOld
- HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations > SelfSignedCertificate

I also deleted the Session Host Configuration's RDP-Tcp connection object altogether and restarted the Remote Desktop Services service.

What finally did work: I noticed that we had a bunch of crypto key files that looked like this:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_XXXXXXXX

I moved them all to a subfolder so there were none left in the MachineKeys folder. I then opened the properties of MachineKeys and re-applied the full-control permission for the local server Administrators group (Security / Advanced / Change Permissions / Replace all child object permissions) and applied this.

I then restarted the Remote Desktop Services service and this time I didn't get the error about the certificate. I changed the security setting for RDP back to secure and was able to log on through Remote Desktop.
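As an added example, not code from the original post, here are the diagnosis and the fix above as a single PowerShell script for an elevated prompt. The full event provider name, the backup folder name and the registry export path are assumptions. The script moves the key files aside rather than deleting them: MachineKeys holds the private keys for every certificate in the computer store, not only the RDP one, so other services on the box (IIS bindings, agents, anything with a machine certificate) may depend on files in there, and the moved copies are what you restore from if one of them breaks.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original post or from Microsoft documentation).
  Without -Remediate it only reports: recent 1057 events, the three registry
  values mentioned in the post, the MachineKeys ACL and the key files present.
  With -Remediate it performs the post's fix: move the key files to a backup
  folder, re-apply Administrators full control to the tree, restart TermService
  and check whether 1057 comes back.  $BackupRoot and the .reg path are assumed.
#>
param(
    [switch]$Remediate,
    [string]$BackupRoot = (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys_moved_$(Get-Date -Format 'yyyyMMdd_HHmmss')")
)

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$rcmKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM'
$wsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

function Get-Rdp1057Events {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Assumed full provider name behind the short source shown in Event Viewer.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
        Id           = 1057
        StartTime    = $Since
    } -ErrorAction SilentlyContinue
}

Write-Host '== Event ID 1057 entries in the last 7 days =='
Get-Rdp1057Events | Select-Object TimeCreated, Message | Format-List

Write-Host '== RDP certificate registry values (0 bytes = not present) =='
foreach ($v in @(
    @{ Key = $rcmKey; Name = 'Certificate' },
    @{ Key = $rcmKey; Name = 'CertificateOld' },
    @{ Key = $wsKey;  Name = 'SelfSignedCertificate' })) {
    $data = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    '{0}\{1}: {2} bytes' -f $v.Key, $v.Name, ($data | Measure-Object).Count
}

Write-Host '== MachineKeys ACL =='
(Get-Acl -Path $machineKeys).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

$keyFiles = @(Get-ChildItem -Path $machineKeys -File -Force -ErrorAction SilentlyContinue)
Write-Host "== $($keyFiles.Count) key container file(s) in $machineKeys =="

if (-not $Remediate) { Write-Host 'Re-run with -Remediate to apply the fix from the post.'; return }

# --- Remediation: mirrors the post's steps; nothing is deleted, only moved. ---
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
# Keep a copy of the Terminal Server registry tree before anything is touched.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' (Join-Path $BackupRoot 'TerminalServer.reg') /y | Out-Null

$stuck = @()
foreach ($f in $keyFiles) {
    try   { Move-Item -LiteralPath $f.FullName -Destination $BackupRoot -Force -ErrorAction Stop }
    catch { $stuck += $f.Name }
}
if ($stuck.Count -gt 0) {
    Write-Warning ('{0} file(s) could not be moved (in use or owned by another account): {1}' -f $stuck.Count, ($stuck -join ', '))
    Write-Warning 'The comments on the post report that renaming the whole MachineKeys folder worked in that case.'
}

# Re-apply full control for BUILTIN\Administrators (well-known SID, locale independent)
# to the folder and every child object: the "Replace all child object permissions" step.
& icacls.exe $machineKeys /grant '*S-1-5-32-544:(OI)(CI)F' /T /C | Out-Null

$restartedAt = Get-Date
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 10   # give RCM time to attempt the certificate creation

$again = Get-Rdp1057Events -Since $restartedAt
if ($again) {
    Write-Warning 'Event ID 1057 was logged again after the restart:'
    $again | Format-List TimeCreated, Message
} else {
    Write-Host 'No new Event ID 1057 after the restart. Self-signed RDP certificate now in the store:'
    Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
        Select-Object Subject, NotAfter, Thumbprint
    Write-Host "Once an RDP logon works, switch NLA back on: Set-ItemProperty -Path '$wsKey\RDP-Tcp' -Name UserAuthentication -Value 1"
}
```

Run it once without `-Remediate` first: the ACL table and the byte counts of the three registry values tell you whether you are actually in the state the post describes (a MachineKeys folder the Administrators group cannot fully control, with the old certificate blobs still present) before you move anything. Re-enabling NLA is left as a printed command rather than done automatically so that you only lock the weaker setting back out after you have confirmed a Remote Desktop logon succeeds.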


Comments (24)

  1. BigDaddy9z says:

    Glad it worked out!

  2. Juan says:

    Did the RSAMachineKeys as you said and was able to have the certificate working.
    In my case it failed after the rename of the sever. having still the old name in the certificate.
    Thanks 🙂

  3. I had the same problem and tried your method and it fixed the problem. Question, the permissions of the Administrators group was all blank before I followed your fix, and now of course it is all full control. Do I need to change it back? Thanks.

  4. FlupkeDev says:

    Your solution works! I couldn’t move the files, they looked in use; I just renamed the folder, that worked. Windows creates a new folder. This was the first time I was experiencing this. It actually happened on a VM that was duplicated and renamed. Maybe that was the reason.

  5. Mike V. says:

    The above folder change is what did it for me. I couldn’t move the files as a local account had ownership of them and I couldn’t take ownership of them.

  6. Anthony says:

    Renaming the folder did the trick for me as well. In my case, the event log relevant status code was Access is denied. Gracias!

  7. UD says:

    Thanks a lot, saved me a lot of time

  8. Vitaliy Kalashnikov says:

    Thanks.

  9. Pierrot Robert says:

    Worked for me !

  10. rajesh says:

    superb workaround!

  11. kmoreta says:

    superb, it worked!! thanks dude

  12. aritra says:

    Great!! it worked like a charm!!

  13. John Britto M says:

    Thanks Chris. It’s a great article, it worked for me.

  14. Andy Blooman says:

    Great Article – Same solution worked for me. Good thing too. It was our PDC haha!

  15. jforhan says:

    WOW! This is great info! Been pulling my hair out. You are a star!!!

    Although in my case I had to migrate the server to new HDD array and new memory after a power hit.

  16. Jens Kirk says:

    Thank you 🙂 Thank you 🙂 Thank you 🙂 Thank you 🙂 Thank you 🙂 Thank you 🙂

    Renaming the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder and restarting the "Remote Desktop Services" service did the trick 😀

    I spent 2 days reading articles that did not fix it 🙂 This did 🙂 Happy happy happy 😀

  17. Jose Ramalho says:

    Nice post! Saved my day! You’re the man.

  18. Jose Ramalho says:

    Nice post! Saved my day! You’re the man.

  19. Troy Street says:

    Worked like a charm, very helpful! Thanks!

  20. Mark F says:

    Thanks mucho much….. This worked. Thanks for sharing!!!!

  21. pradeep says:

    Awesome buddy, it worked

  22. Andras says:

    Worked perfectly, schannel 36888 (The following fatal alert was generated: 51. The internal error state is 602.)

    alerts are gone, RDP is fully functional, Thanks! 🙂

  23. Ganesh Shetty says:

    Working Bro… Thanks

  24. Ajaya says:

    Wow!! It worked for me. Thanks a lot
