Event ID 1064 — Terminal Services Authentication and Encryption

Applies To: Windows Server 2008

Transport Layer Security (TLS) 1.0 enhances the security of Terminal Services sessions by providing server authentication and by encrypting terminal server communications. The terminal server and the client computer must be correctly configured for clients to make successful remote connections and for TLS to provide enhanced security. For example, a certificate is needed to authenticate a terminal server when SSL (TLS 1.0) is used to secure communication between a client and a terminal server during Remote Desktop Protocol (RDP) connections.

Event Details

Product: Windows Operating System
ID: 1064
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Version: 6.0
Symbolic Name: EVENT_TS_SSL_TEMPLATE_CERT_CREATE_FAILED
Message: The terminal server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occured: %1.

Diagnose

This error is received when a certification authority (CA) has issued a certificate for the terminal server based on a certificate template that is specified in Group Policy, and one of the following conditions has occurred:

  • The correct certificate template name is not specified in Group Policy.
  • The permissions on the certificate template do not allow the terminal server to enroll for this type of certificate.
  • The certificate is not valid for the requested usage.
  • The certificate template does not exist.
  • The certificates that are based on the certificate template are not being issued to computers.

The Server Authentication Certificate Template Group Policy setting allows you to enter the name of the certificate template that is used to determine which certificate is used to authenticate the terminal server when using SSL or TLS 1.0 encryption. Entering the name of a certificate template allows automatic certificate selection to occur. After a certificate template name has been entered, certificates that were created by using that template are considered, and one of the eligible certificates is automatically selected for use.

Important: You must set the certificate template’s attributes Template display name and Template name to the same value.

For information about certificate templates, see "Implementing and Administering Certificate Templates in Windows Server 2008" (https://go.microsoft.com/fwlink/?LinkID=92522).

The correct certificate template name is not specified in Group Policy

To check whether the correct certificate template name is specified in Group Policy, use the Group Policy Management Console (GPMC).

To perform this procedure, you must have membership in the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate authority.

Note: To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To check whether the correct certificate template name is specified in Group Policy:

  1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the organizational unit (OU) that you want to edit.
  3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
  4. In the right pane, click the Settings tab.
  5. In the left pane, under Computer Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, expand Terminal Server, and then click Security.
  6. In the right pane, in the settings list, right-click Server Authentication Certificate Template, and then click Properties.
  7. On the Settings tab, check whether Enabled is selected and whether the name specified in Certificate Template Name is correct, and then click OK.
  8. If Enabled is not selected or the correct name is not specified for the certificate template, see the section titled "Specify the correct certificate template in Group Policy."

The permissions on the certificate template do not allow the terminal server to enroll for this type of certificate

A terminal server computer account must have Enroll permissions to read the appropriate certificate template.

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To check the permissions that are granted to the terminal server on the certificate template:

  1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
  4. In the console tree, click Certificate Templates.
  5. In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
  6. On the Security tab, under Group or user names, check whether the terminal server (or a security group that contains the terminal server) appears in the list, and then click it. With the terminal server (or the security group that contains the terminal server) selected, under Permissions, check whether the check box to allow Enroll permissions is selected, and then click OK.
  7. If the check box to allow Enroll permissions is not selected, see the section titled "Grant Enroll permissions for the certificate template to the terminal server."

The certificate is not valid for the requested usage

The certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers must have an Enhanced Key Usage (EKU) of Server Authentication.

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To check whether the Server Authentication Key Usage extension is specified in the certificate template:

  1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
  4. In the console tree, click Certificate Templates.
  5. In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
  6. On the Extensions tab, under Extensions included in this template, click Key Usage, and then click Edit.
  7. Check whether the Server Authentication key usage extension is selected, and then click OK to close the Properties dialog box for the certificate template.
  8. If the Server Authentication Key Usage extension is not selected, see the section titled "Add the Server Authentication EKU to the certificate template."

The certificate template does not exist

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To check whether the certificate template exists:

  1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
  4. In the console tree, click Certificate Templates.
  5. In the results pane, in the list of certificate templates, locate the certificate template that is used as the basis for the certificates that are enrolled to terminal servers.
  6. If the certificate template does not appear, see the section titled "Create a new certificate template."

The certificates that are based on the certificate template are not being issued to computers

For a CA to issue certificates based on the certificate template, the certificate template must be added to the Certificate Templates container in the Certification Authority snap-in.

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To check whether the certificate template has been added to the Certificate Templates container in the Certification Authority snap-in:

  1. On a computer where AD CS is installed, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certification Authority, click Add, and then click OK.
  4. Select the CA that you want to manage, and then click Finish.
  5. Expand Certificate Templates, and then check whether the appropriate certificate template appears in the list. The name of the certificate should match the name that is specified in the Server Authentication Certificate Template Group Policy setting. For more information, see "To check whether the correct certificate is specified in Group Policy" earlier in this topic.
  6. If the appropriate certificate template does not appear in the list, see the section titled "Add the certificate template to the Certificate Templates container."

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly

Cause

Resolution

The correct certificate template name is not specified in Group Policy

Specify the correct certificate template in Group Policy

The permissions on the certificate template do not allow the user to enroll for this type of certificate

Grant Enroll permissions for the certificate template to the terminal server

The certificate is not valid for the requested usage

Add the Server Authentication EKU to the certificate template

The certificate template does not exist

Create a new certificate template

The certificates that are based on the certificate template are not being issued to computers

Add the certificate template to the Certificate Templates container

Specify the correct certificate template in Group Policy

To resolve this issue, specify the correct certificate template in Group Policy. 

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.

Note: To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console (GPMC) feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To specify the certificate template name in Group Policy:

  1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the OU that you want to edit.
  3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
  4. In the right pane, click the Settings tab.
  5. In the left pane, under Computer Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, expand Terminal Server, and then click Security.
  6. In the right pane, in the settings list, right-click Server Authentication Certificate Template, and then click Properties.
  7. On the Settings tab, click Enabled (if this Group Policy setting is not already enabled), and in Certificate Template Name, type the name of the correct certificate template.
  8. Click OK.

For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help (https://go.microsoft.com/fwlink/?LinkId=101633) or the GPMC Help (https://go.microsoft.com/fwlink/?LinkId=101634) in the Windows Server 2008 Technical Library.

Grant Enroll permissions for the certificate template to the terminal server

To resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers. The certificate template must be modified to grant Enroll permissions to the terminal server computer account.

For information about certificate templates, see "Implementing and Administering Certificate Templates in Windows Server 2008" (https://go.microsoft.com/fwlink/?LinkID=92522).

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To grant Enroll permissions for the certificate template to the terminal server:

  1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
  4. In the console tree, click Certificate Templates.
  5. In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
  6. On the Security tab, under Group or user names, ensure that the terminal server (or a security group that contains the terminal server) appears in the list, and then click it. If it does not appear, add it.
  7. With the terminal server (or security group that contains the terminal server) selected, under Permissions, select the check box to allow Enroll permissions.
  8. Click OK to close the Properties dialog box for the certificate template.

 

Add the Server Authentication EKU to the certificate template

To resolve this issue, you must modify the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for server certificates enrolled to terminal servers. The certificate template must be modified to have an Enhanced Key Usage (EKU) of Server Authentication.

For information about certificate templates, see "Implementing and Administering Certificate Templates in Windows Server 2008" (https://go.microsoft.com/fwlink/?LinkID=92522).

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To add the Server Authentication Key Usage extension to the certificate template:

  1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
  4. In the console tree, click Certificate Templates.
  5. In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
  6. On the Extensions tab, under Extensions included in this template, click Key Usage, and then click Edit.
  7. Add the Server Authentication EKU, and then close the dialog box.
  8. Click OK to close the Properties dialog box for the certificate template.

Create a new certificate template

To resolve this issue, do the following:

  • Create a new certificate template. Active Directory Certificate Services (AD CS) will use this template as the basis for server certificates enrolled to terminal servers.
  • Add the certificate template to the Certificate Templates container in the Certification Authority (CA) snap-in. Doing this enables the server certificate to be issued to terminal servers.

Create a new certificate template

You can create a certificate template by duplicating an existing template and using the existing template's properties as the default for the new template. Different applications and types of CAs support different certificate templates. For example, some certificate templates can only be issued and managed by enterprise CAs running Windows Server 2003, and some may require that the CA be running Windows Server 2008. Review the list of default certificate templates, and examine their properties to identify the existing certificate template that most closely meets your needs. This will minimize the amount of configuration work that you need to do.

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To create a certificate template:

  1. On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
  4. In the console tree, click Certificate Templates.
  5. In the list of templates, right-click the template to copy from, and then click Duplicate Template.
  6. Choose the minimum version of the CA that you want to support.
  7. Type a new name for this certificate template.
  8. Configure additional settings as needed, and then click OK.

Add the certificate template to the Certificate Templates container in the Certification Authority snap-in

For a CA to issue certificates based on the certificate template, you need to add the certificate template to the Certificate Templates container in the Certification Authority snap-in. To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To add the certificate template to the Certificate Templates container:

  1. On a computer where AD CS is installed, open the Certification Authority snap-in. To open the Certification Authority snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certification Authority, click Add, and then click OK.
  4. Select the CA that you want to manage, and then click Finish.
  5. Right-click the Certificate Templates container, click New, and then click Certificate Template to Issue.
  6. Select the certificate template that you want, and then click OK.

Add the certificate template to the Certificate Templates container

To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.

To add the certificate template to the Certificate Templates container in the Certification Authority snap-in:

  1. On a computer where AD CS is installed, open the Certification Authority snap-in. To open the Certification Authority snap-in, click Start, click Run, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certification Authority, click Add, and then click OK.
  4. Select the CA that you want to manage, and then click Finish.
  5. Right-click the Certificate Templates container, click New, and then click Certificate Template to Issue.
  6. Select the certificate template that you want, and then click OK.

Verify

When Transport Layer Security (TLS) 1.0 is functioning as expected for server authentication and encryption of terminal server communications, clients can make connections to terminal servers by using TLS 1.0 (SSL).

To verify that the TLS 1.0 (SSL) settings are correctly configured and working properly on the terminal server to provide server authentication and encryption for connections, use Remote Desktop Connection from a client computer to connect to the terminal server. If you can connect to the terminal server and there is a lock symbol in the upper-left corner of the connection bar at the top of the window, TLS 1.0 (SSL) is being used for the connection.

Note: To ensure that the connection bar is displayed when you use Remote Desktop Connection to connect from a client computer, select full-screen mode when configuring Remote Desktop Connection settings.

To select full-screen mode in Remote Desktop Connection:

  1. Open Remote Desktop Connection. To open Remote Desktop Connection, click Start, click Accessories, and then click Remote Desktop Connection.
  2. Click Options to display the Remote Desktop Connection settings, and then click Display.
  3. Under Remote desktop size, drag the slider all the way to the right to ensure that the remote desktop that you plan to connect to is displayed in full-screen mode.

Terminal Services Authentication and Encryption

Terminal Services