Event Id | 1064 |
Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
Description | The terminal server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occured: %1. |
Event Information | According to Microsoft :
Diagnose :
This error is received when a certification authority (CA) has issued a certificate for the terminal server based on a certificate template that is specified in Group Policy, and one of the following conditions has occurred:
The correct certificate template name is not specified in Group Policy
To check whether the correct certificate template name is specified in Group Policy, use the Group Policy Management Console (GPMC). To perform this procedure, you must have membership in the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate authority.
Note : To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.
The permissions on the certificate template do not allow the terminal server to enroll for this type of certificate
A terminal server computer account must have Enroll permissions to read the appropriate certificate template. To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or must have been delegated the appropriate authority.
The certificate is not valid for the requested usage
The certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers must have an Enhanced Key Usage (EKU) of Server Authentication. To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or must have been delegated the appropriate authority.
The certificate template does not exist
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or must have been delegated the appropriate authority.
The certificates that are based on the certificate template are not being issued to computers
For a CA to issue certificates based on the certificate template, the certificate template must be added to the Certificate Templates container in the Certification Authority snap-in. To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or must have been delegated the appropriate authority.
To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.
Cause : The correct certificate template name is not specified in Group Policy
Resolution : Specify the correct certificate template in Group Policy
To resolve this issue, specify the correct certificate template in Group Policy. To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.
Note : To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.
Cause : The permissions on the certificate template do not allow the user to enroll for this type of certificate
Resolution : Grant Enroll permissions for the certificate template to the terminal server
To resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers. The certificate template must be modified to grant Enroll permissions to the terminal server computer account. To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or must have been delegated the appropriate authority.
Cause : The certificate is not valid for the requested usage
Resolution : Add the Server Authentication EKU to the certificate template
To resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers. The certificate template must be modified to have an Enhanced Key Usage (EKU) of Server Authentication. To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or must have been delegated the appropriate authority.
Cause : The certificate template does not exist
Resolution : Create a new certificate template
Create a certificate template by duplicating an existing template and using the existing template's properties as the default for the new template. Different applications and types of CAs support different certificate templates. Review the list of default certificate templates, and examine their properties to identify the existing certificate template that most closely meets your needs. This will minimize the amount of configuration work that you need to do.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or must have been delegated the appropriate authority. To resolve this issue, do the following:
Cause : The certificates that are based on the certificate template are not being issued to computers
Resolution : Add the certificate template to the Certificate Templates container
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or must have been delegated the appropriate authority. |
Reference Links | Event ID 1064 from Source Microsoft-Windows-TerminalServices-RemoteConnectionManager |
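A command-line triage for the causes listed above, as an added example that is not part of the original page or Microsoft's procedure: it pulls recent 1064 events and reports, for each certificate in the computer store, the template it was issued from and whether it carries the Server Authentication EKU. It assumes an elevated PowerShell 3.0 or later session on the terminal server; the output property names are illustrative.

```powershell
# Added example: triage Event ID 1064 on the terminal server (run elevated).
$provider      = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'          # Server Authentication EKU
# Certificate template extensions: v2 template information, v1 template name
$templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

# 1. Recent 1064 events. The message text contains the error that replaces %1.
Get-WinEvent -FilterHashtable @{ ProviderName = $provider; Id = 1064 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# 2. Computer certificates: issuing template and Server Authentication EKU.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $eku  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $tmpl = @($cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value })

    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        Template         = if ($tmpl.Count) { $tmpl[0].Format($false) } else { '(no template extension)' }
        HasEkuExtension  = [bool]$eku
        HasServerAuthEku = ($ekuOids -contains $serverAuthOid)
    }
} | Format-List

# 3. On the CA itself, list the templates it is configured to issue
#    (the "Certificate Templates container" cause):
#    certutil -CATemplates
```

A certificate whose Template value does not match the name set in Group Policy, or whose HasServerAuthEku is False, points to the first or third cause respectively.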