| Event Information | According to Microsoft :
Cause :
This event is logged when the Terminal Server is configured to use a certificate that is expired.
Resolution :
Renew the certificate and then configure the terminal server to use the certificate for TLS 1.0 (SSL)
To resolve this issue, do the following:- Use Terminal Services Configuration to determine which certificate needs to be renewed.
- Renew the certificate being used by the terminal server by doing one of the following:
- Renew a certificate with the same key. Doing this allows you maximum compatibility with past uses of the accompanying key pair, but does nothing to enhance the security of the certificate and key pair. Once renewed, the old certificate will be archived.
- Renew a certificate with a new key. Doing this allows you to continue using an existing certificate and its associated data, while enhancing the strength of the key associated with the certificate. Once renewed, the old certificate and key pair will be archived.
- Configure the terminal server to use the certificate for TLS 1.0 (SSL).
If you are using a self-signed certificate that was automatically generated by the terminal server, note that the terminal server automatically renews the certificate 30 days before the certificate is set to expire.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Determine which certificate needs to be renewed
To determine which certificate needs to be renewed:- Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
- In the details pane, under Connections, right-click the connection, and then click Properties.
- On the General tab, click Select.
- In the Select Certificate dialog box, note the certificate that is selected, and then click View Certificate.
- In the Certificate dialog box, click General, and then check the expiration date. If the certificate is set to expire within a few days, follow the steps in "Renew a certificate with the same key" or "Renew a certificate with a new key."
- Click OK to close the Certificate dialog box.
- Click OK to close the Select Certificate dialog box.
- Click OK to close the Properties dialog box for the connection.
Renew a certificate with the same key
You can use this procedure to request certificates from an enterprise certification authority (CA) only.
To renew a certificate with the same key:- On the terminal server, open the Certificates snap-in for a computer. If you have not already added the Certificates snap-in console, you can do so by doing the following:
a.Click Start, click Run, type mmc, and then click OK.
b.On the File menu, click Add/Remove Snap-in.
c.In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
d.In the Certificates snap-in dialog box, click Computer account, and then click Next.
e.In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
f.In the Add or Remove snap-ins dialog box, click OK. - Confirm that the certificates are displayed by logical certificate stores. To do this, on the View menu, click Options, and in the View Options dialog box, confirm that Logical certificate stores is selected.
- In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), select Personal, and click Certificates.
- In the details pane, click the certificate that you are renewing.
- On the Action menu, point to All Tasks, select Advanced Operations, and then click Renew this certificate with the same key to start the Certificate Renewal Wizard.
- If more than one certificate is listed in the Request Certificates window, select the certificate that you want to renew, and then do one of the following:
- Use the default values to renew the certificate.
- Click Details, and then click Properties to provide your own certificate renewal settings. You need to know the CA issuing the certificate.
- Click Enroll.
- After the Certificate Renewal Wizard has successfully finished, click Finish.
Renew a certificate with a new key
You can use this procedure to request certificates from an enterprise CA only.
To renew a certificate with a new key:- On the terminal server, open the Certificates snap-in for a computer. If you have not already added the Certificates snap-in console, you can do so by doing the following:
a.Click Start, click Run, type mmc, and then click OK.
b.On the File menu, click Add/Remove Snap-in.
c.In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
d.In the Certificates snap-in dialog box, click Computer account, and then click Next.
e.In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
f.In the Add or Remove snap-ins dialog box, click OK. - Confirm that the certificates are displayed by logical certificate stores. To do this, on the View menu, click Options, and in the View Options dialog box, confirm that Logical certificate stores is selected.
- In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), select Personal, and click Certificates.
- In the details pane, click the certificate that you are renewing.
- On the Action menu, point to All Tasks, select Advanced Operations, and then click Renew this certificate with the same key to start the Certificate Renewal Wizard.
- In the Certificate Renewal Wizard, do one of the following:
- Use the default values to renew the certificate.
- To provide your own certificate renewal settings, click Details, and then click Properties. You will need to know the cryptographic service provider (CSP) and the CA that is issuing the certificate.
- Select the key length (measured in bits) of the public key associated with the certificate.
- You can also choose to enable strong private key protection. Enabling strong private key protection ensures that you are prompted for a password every time the private key is used. This is useful if you want to make sure that the private key is not used without your knowledge.
- When you are ready to request a certificate, click Enroll.
- After the Certificate Renewal Wizard has successfully finished, click Close.
Configure the terminal server to use the certificate for TLS 1.0 (SSL)
To configure the terminal server to use the certificate for TLS 1.0 (SSL):- Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
- In the details pane, under Connections, right-click RDP-tcp, and then click Properties.
- On the General tab, click Select.
- In the Select Certificate dialog box, click the certificate that you want to use, and then click OK.
|