Event ID 1055 — Remote Desktop Services Authentication and Encryption

Published: January 8, 2010

Applies To: Windows Server 2008 R2

Transport Layer Security (TLS) 1.0 enhances the security of Remote Desktop sessions by authenticating the RD Session Host server to the client and by encrypting the traffic between them. Both the RD Session Host server and the client computer must be configured correctly for clients to connect successfully and for TLS to provide this protection. In particular, the RD Session Host server needs a certificate, with a private key it can read, to authenticate itself when SSL (TLS 1.0) secures a Remote Desktop Protocol (RDP) connection. When the server cannot use the configured certificate, which is what this event reports, it falls back to its self-signed default certificate, so clients no longer get the server authentication that the installed certificate was meant to provide.

Event Details

Product: Windows Operating System
ID: 1055
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Version: 6.1
Symbolic Name: EVENT_TS_SSL_INACCESSIBLE_CERT_KEYSET
Message: The Terminal Server is configured to use a certificate but is unable to access the private key associated with this certificate. %1 The SHA1 hash of the certificate is in the event data. The default certificate will be used for Terminal Server authentication from now on. Please check the security settings by using the Terminal Services Configuration tool in the Administrative Tools folder.

Resolve
Install a certificate on the RD Session Host server and configure the RD Session Host server to use the certificate for TLS 1.0 (SSL)

To resolve this issue, do the following:

  • Install a certificate onto the RD Session Host server that meets the requirements for an RD Session Host server certificate. For information about certificate requirements, see the section “Certificate requirements” later in this topic.
  • Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL).

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Install a certificate on the RD Session Host server

Important: You should only install certificates obtained from trusted sources. Installing an altered or unreliable certificate could compromise the security of any system component that uses the installed certificate.

To install a certificate on the RD Session Host server:

  1. On the RD Session Host server, locate and then double-click the certificate that you want to install. The certificate might exist on the RD Session Host server, or be located on a share.
  2. If prompted to confirm whether you want to open the certificate file, click Open.
  3. In the Certificate properties dialog box, on the General tab, click Install Certificate.
  4. In the Certificate Import Wizard, on the Welcome page, click Next.
  5. On the Certificate Store page, do one of the following:
    • If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
    • If you want to specify where the certificate is stored, select Place all certificates in the following store, and then click Browse. In Select Certificate Store, click the certificate store to use, and then click OK.
  6. On the Certificate Store page, click Next.
  7. On the Completing the Certificate Import Wizard page, click Finish.

After you install a certificate, you must specify that it be used by the RD Session Host server, as described in the following procedure.

Configure the RD Session Host server to use the certificate for TLS 1.0 (SSL)

We recommend that you use the Remote Desktop Session Host Configuration snap-in to specify the certificate that is used by the RD Session Host server for server authentication and encryption. If you use Remote Desktop Session Host Configuration to attempt to install a certificate that does not meet the certificate requirements, the certificate will not be installed.

To configure the RD Session Host server to use the certificate for TLS 1.0 (SSL):

  1. Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. In the details pane, under Connections, right-click the connection (for example RDP-tcp), and then click Properties.
  3. On the General tab, click Select.
  4. In Select Certificate, click the certificate that you want to use, and then click OK.

Certificate requirements

A certificate that is used by the RD Session Host server for server authentication and encryption must meet the following requirements:

  • The certificate must be a computer certificate (installed in the local computer's Personal store, not in a user's store).
  • The certificate must have a corresponding private key, and the key container must be readable by the NT AUTHORITY\Network Service account, which is the account the Remote Desktop Services service runs under. Event ID 1055 is logged when the certificate is present but this access is missing; granting Network Service Read access to the key container resolves it.
  • The certificate must have an Enhanced Key Usage (EKU) of Server Authentication (1.3.6.1.5.5.7.3.1) or no EKU extension at all.
  • The key usage extension must include Key Encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
  • The certificate must not have expired. We recommend that it remain valid for at least one year from the date of installation.
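The following PowerShell script is an added example and is not part of the original topic or of the Remote Desktop Services product; it covers the "Configure the RD Session Host server to use the certificate" procedure above and the certificate requirements just listed, and it repairs the specific condition that Event ID 1055 reports (a certificate whose private key Network Service cannot read). It assumes that $Thumbprint is the SHA1 hash shown in the event's binary data, that the listener is named RDP-Tcp, and that the key is a CAPI (CSP) RSA key stored under MachineKeys; the Win32_TSGeneralSetting WMI class it uses is the same object the snap-in edits. Run it from an elevated PowerShell prompt on the RD Session Host server.

```powershell
# Added example, not from the original topic. Checks a certificate against the RD Session Host
# requirements, grants NT AUTHORITY\NETWORK SERVICE read access to its private key file (the
# condition Event ID 1055 reports), and binds it to the listener, which is what the General tab
# of the listener's Properties does in the RD Session Host Configuration snap-in.
# Assumptions: $Thumbprint is the SHA1 hash from the event's binary data (40 hex characters);
# the listener is RDP-Tcp; the private key is a CAPI (CSP) RSA key under MachineKeys.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$ListenerName = 'RDP-Tcp',
    [int]$SecurityLayer = 2    # 2 = SSL (TLS 1.0); 1 = Negotiate (snap-in default, permits RDP Security Layer fallback)
)

$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Computer certificate: look only in the local machine's Personal store.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; import a PFX that includes the key."
}

# EKU: Server Authentication (1.3.6.1.5.5.7.3.1), or no EKU extension at all.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate has an EKU extension that omits Server Authentication.'
}

# Key usage: must include keyEncipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$keyEncipherment = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
if (-not $ku -or (([int]$ku.KeyUsages) -band $keyEncipherment) -eq 0) {
    throw 'Certificate key usage does not include Key Encipherment.'
}

if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Private key access: the Remote Desktop Services service runs as NETWORK SERVICE, so that
# account needs Read on the key file. Opening the key can itself fail if the admin lacks access.
try { $rsa = $cert.PrivateKey } catch { $rsa = $null }
if (-not $rsa -or -not $rsa.CspKeyContainerInfo) {
    throw 'Private key is not an accessible CAPI RSA key; find the key file with "certutil -v -store My <thumbprint>" (Unique container name) and fix its ACL by hand.'
}
$keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted NETWORK SERVICE Read on $keyFile"

# Bind the certificate to the listener through the Terminal Services WMI provider.
$tsNs = 'root\cimv2\TerminalServices'
$listener = Get-WmiObject -Namespace $tsNs -Class Win32_TSGeneralSetting -Filter "TerminalName='$ListenerName'"
if (-not $listener) { throw "Listener '$ListenerName' not found." }
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint; SecurityLayer = $SecurityLayer } | Out-Null

# Read the binding back rather than trusting the write.
$bound = (Get-WmiObject -Namespace $tsNs -Class Win32_TSGeneralSetting -Filter "TerminalName='$ListenerName'").SSLCertificateSHA1Hash
if ($bound -ne $Thumbprint) { throw "Listener is bound to '$bound', not '$Thumbprint'." }
$changedAt = Get-Date
Write-Host "Listener '$ListenerName' now uses $Thumbprint with SecurityLayer=$SecurityLayer."

# After a test Remote Desktop connection from a client, confirm that no new Event ID 1055 was
# logged since the change; if one was, the key is still not readable by NETWORK SERVICE.
function Test-NoNewEvent1055([datetime]$Since) {
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1055; StartTime = $Since;
        ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager' } -ErrorAction SilentlyContinue
    return (-not $hits)
}
```

Make the test connection described under Verify, then run Test-NoNewEvent1055 -Since $changedAt; it returns $true when no further 1055 events have been logged. The script deliberately refuses to proceed when it cannot locate the key file itself rather than guessing, because a wrong ACL change under MachineKeys is harder to diagnose than the original event.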

Verify

When Transport Layer Security (TLS) 1.0 is functioning as expected for server authentication and encryption of RD Session Host server communications, clients can make connections to RD Session Host servers by using TLS 1.0 (SSL).

To verify that the TLS 1.0 (SSL) settings are correctly configured and working properly on the RD Session Host server to provide server authentication and encryption for connections, use Remote Desktop Connection from a client computer to connect to the RD Session Host server. If you can connect to the RD Session Host server and there is a lock symbol in the upper-left corner of the connection bar at the top of the window, TLS 1.0 (SSL) is being used for the connection.

Note: To ensure that the connection bar is displayed when you use Remote Desktop Connection to connect from a client computer, select full-screen mode when configuring Remote Desktop Connection settings.

To select full-screen mode in Remote Desktop Connection:

  1. Open Remote Desktop Connection. To open Remote Desktop Connection, click Start, click Accessories, and then click Remote Desktop Connection.
  2. Click Options to display the Remote Desktop Connection settings, and then click Display.
  3. Under Remote desktop size, drag the slider all the way to the right to ensure that the remote desktop that you plan to connect to is displayed in full-screen mode.

Related Management Information

Remote Desktop Services Authentication and Encryption

Remote Desktop Services

Event ID 1055 — Group Policy Preprocessing (Security)

Updated: September 21, 2007

Applies To: Windows Server 2008

Group Policy preprocessing uses security to act on behalf of the computer or user. Incorrect permissions or security failures can prevent Group Policy from applying to the computer or user.

Event Details

Product: Windows Operating System
ID: 1055
Source: Microsoft-Windows-GroupPolicy
Version: 6.0
Symbolic Name: gpEvent_FAILED_MACHINENAME
Message: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one or more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Resolve
Determine computer name

The Group Policy service records the name of the domain controller it contacted and the error code in the event. This information appears on the Details tab of the event in Event Viewer. The error code (displayed as a decimal) and the error description identify the reason for the failure. Look up the error code in the following list:

  • Error code 14
  • Error code 525
  • Error code 1355
  • Error code 1727

Error code 14 (Not enough storage is available to complete this operation)

This error code might indicate that Windows does not have enough memory to complete the task. Investigate the system event log for any other memory specific issues.

Error code 525 (The specified user does not exist)

This error code might indicate incorrect permissions on the organizational unit. The user requires read access to the organizational unit that contains the user object. Similarly, computers require read access to the organizational unit that contains the computer object.

Error code 1355 (The specified domain either does not exist or could not be contacted)

This error code might indicate a fault or improper configuration with name resolution (DNS). Use nslookup to confirm you can resolve addresses of the domain controllers in the user domain. Use Networking troubleshooting procedures to further diagnose the problem (http://go.microsoft.com/fwlink/?LinkId=92706).

Error code 1727 (The remote procedure call failed and did not execute)

This error code might indicate firewall rules are preventing communication with a domain controller. If you have third-party firewall software installed, check the configuration of the firewall or try temporarily disabling it and verifying Group Policy processes successfully. Use Networking troubleshooting procedures or procedures from your third-party firewall software to further diagnose the problem (http://go.microsoft.com/fwlink/?LinkId=92706).

Verify

Group Policy applies during computer startup and user logon. Afterward, Group Policy applies every 90 to 120 minutes. Events appearing in the event log may not reflect the most current state of Group Policy. Therefore, you should always refresh Group Policy to determine if Group Policy is working correctly.

To refresh Group Policy on a specific computer:

  1. Open the Start menu. Click All Programs and then click Accessories.
  2. Click Command Prompt.
  3. In the command prompt window, type gpupdate and then press ENTER.
  4. When the gpupdate command completes, open the Event Viewer.

Group Policy is working correctly if the last Group Policy event to appear in the System event log has one of the following event IDs:

  • 1500
  • 1501
  • 1502
  • 1503

Related Management Information

Group Policy Preprocessing (Security)

Group Policy Infrastructure

The service database is locked.

Details
Product: Windows Operating System
Event ID: 1055
Source: Kernel
Version: 5.0
Component: System Resources
Symbolic Name: ERROR_SERVICE_DATABASE_LOCKED
Message: The service database is locked.
   
Explanation

An application might have tried to lock a service database that was already locked. Or an application might have tried to start a service when the service database was locked.

   
User Action

Wait a few minutes, and then try the operation again.
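An added example, not part of the original topic, of the "wait and retry" the User Action describes: a wrapper around Start-Service that retries only when the Service Control Manager reports ERROR_SERVICE_DATABASE_LOCKED (Win32 error 1055) and rethrows anything else. The service name 'MyService' is a placeholder, and the walk through the nested exceptions assumes Start-Service wraps the native Win32Exception somewhere in the chain, which it does in PowerShell on Windows.

```powershell
# Added example, not from the original topic: retry a service start while the SCM database is locked.
# Assumption: 'MyService' is a placeholder; Start-Service wraps the Win32Exception in its inner exceptions.
function Start-ServiceWithRetry {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [int]$Attempts = 5,
        [int]$DelaySeconds = 30
    )
    $ERROR_SERVICE_DATABASE_LOCKED = 1055

    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            Start-Service -Name $Name -ErrorAction Stop
            return ((Get-Service -Name $Name).Status -eq 'Running')
        } catch {
            # Walk the wrapped exceptions looking for the native SCM error code.
            $ex = $_.Exception
            $code = $null
            while ($ex) {
                if ($ex -is [System.ComponentModel.Win32Exception]) { $code = $ex.NativeErrorCode; break }
                $ex = $ex.InnerException
            }
            if ($code -ne $ERROR_SERVICE_DATABASE_LOCKED) { throw }   # any other failure is a real error
            Write-Warning "Service database locked (attempt $i of $Attempts); retrying in $DelaySeconds s"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    return $false
}

Start-ServiceWithRetry -Name 'MyService'
```

The function returns $true only when the service is actually running afterwards, $false when every attempt found the database locked, and surfaces any other error unchanged so that, for example, an access-denied failure is not mistaken for a transient lock.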

No Personal Address Book entries were migrated for user ‘{user name}’.

Details
Product: Exchange
Event ID: 1055
Source: MSExchangeMig
Version: 6.0
Component: Migration Wizard
Symbolic Name: CCMAIL_EXPORT_BADPARAMS_PAB_WARN
Message: No Personal Address Book entries were migrated for user ‘{user name}’.
   
Explanation
Personal Address Books (PABs) were available for cc:Mail users in version 8.3 and later. Either the user does not have a PAB, or the address book could not be migrated.
   
User Action
If the user does have a PAB, verify that the installed version of the Export.exe utility supports the /PAB command-line switch. If the user does not have a PAB, this message can be ignored.

Windows cannot determine the computer name. (%1). Group Policy processing aborted.

Details
Product: Windows Operating System
Event ID: 1055
Source: Userenv
Version: 5.2
Symbolic Name: EVENT_FAILED_MACHINENAME
Message: Windows cannot determine the computer name. (%1). Group Policy processing aborted.
   
Explanation

A network connectivity or network configuration problem is preventing Group Policy settings from being applied. Group Policy processing for the computer or user fails and will continue to fail until this error is resolved.

   
User Action

To troubleshoot this problem, try one or all of the following:

  • Review the event description to obtain additional details regarding why the machine has an account problem.
  • In Event Viewer, click System, and then look for any networking-related messages, such as Netlogon messages, that indicate a network connectivity issue.
  • At the command prompt, type netdiag, and look for any errors. Typically, these errors have to be resolved before Group Policy processing can continue. For more information about using NetDiag, see article Q265706, “DCDiag and NetDiag Facilitate Join and DC Creation,” in the Microsoft Knowledge Base.
  • At the command prompt, type gpupdate, and then check the Event Viewer to see if the Userenv events are logged again.
  • To verify that the domain controller can be contacted through Domain Name System (DNS), try to access \\mydomain.com\sysvol\mydomain.com, where mydomain.com represents the fully qualified DNS name of your domain.
  • Verify that you can access the domain controller by using tools such as Active Directory Users and Computers.
  • Check whether other computers on your network are having the same problem.
  • If this is a forest trust scenario, ensure that the forest for the user account is currently available and can be contacted from the computer where policy processing failed.
  • Use verbose logging to debug this error. The log file explains the specific error. For more information about enabling userenv logging, see article 221833, “How to Enable User Environment Debug Logging in Retail Builds of Windows,” in the Microsoft Knowledge Base.

If none of the previous user actions identified the problem, follow the steps in “Troubleshooting Group Policy in Windows Server 2003” at the Microsoft Web site.
