How to Fix “SSL Server Credential Private Key Error 0x8009030D” in Windows Server 2012 RDP



After a recent reboot of my Windows Server 2012 machine, Remote Desktop Protocol (RDP) connections started failing with the error:

"This computer can't connect to the remote computer. Try connecting again..."

Digging deeper, I found this critical error in the Event Log:

"A fatal error occurred when attempting to access the SSL server credential private key. 
The error code returned from the cryptographic module is 0x8009030D. 
The internal error state is 10001."

Before identifying the root cause, I verified several configuration aspects:

  • Port 3389 is open and listening (confirmed via netstat)
  • Windows Firewall is disabled
  • Network firewall rules allow RDP traffic
  • Terminal Services service is running
  • Registry key fDenyTSConnections is properly set to 0

The core problem appears to be with the SSL certificate's private key permissions. Even after:

  1. Generating new self-signed certificates
  2. Adding them to Trusted Roots and Personal stores
  3. Ensuring proper permissions on MachineKeys folder

the error persisted, which pointed to a deeper, system-level issue.

Research indicated this might relate to Windows Update KB2821895 (June 2013) which caused issues with the Remote Desktop Connection Broker role installation. Attempting to install this role failed with:

"One or more parent features are not installed"

even though Hyper-V and the other dependencies were present.

Here's the complete solution that worked:

Step 1: Repair Certificate Store Permissions

Run this PowerShell script to reset cryptographic permissions:

# Reset Crypto key permissions
$cryptoKeys = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
icacls $cryptoKeys /reset
icacls $cryptoKeys /grant "NT AUTHORITY\SYSTEM:(F)"
icacls $cryptoKeys /grant "BUILTIN\Administrators:(F)"

Step 2: Recreate RDP Certificate

Generate a new self-signed certificate with proper key usage:

# Create new self-signed certificate
# NOTE: -KeySpec, -KeyUsage and -KeyExportPolicy are only accepted by the Windows 10 / Server 2016
# and later version of New-SelfSignedCertificate; the Server 2012 cmdlet takes just -DnsName and
# -CertStoreLocation. The trailing backtick is required to continue the command on the next line.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeySpec KeyExchange -KeyUsage DigitalSignature,KeyEncipherment -KeyExportPolicy Exportable

# Export with private key (the target folder must exist; $pfxPassword avoids shadowing the automatic $PWD variable)
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
$pfxPassword = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "C:\temp\RDPCert.pfx" -Password $pfxPassword

# Import to proper stores
# Importing the PFX copies the private key into the Root store as well; Trusted Roots only needs the
# public certificate, so an Export-Certificate/Import-Certificate of a .cer file is sufficient there.
# Placing the certificate in the "Remote Desktop" store does not by itself bind it to the listener;
# the SSLCertificateSHA1Hash setting (wmic step below) does.
Import-PfxCertificate -FilePath "C:\temp\RDPCert.pfx" -CertStoreLocation "Cert:\LocalMachine\Root" -Password $pfxPassword
Import-PfxCertificate -FilePath "C:\temp\RDPCert.pfx" -CertStoreLocation "Cert:\LocalMachine\Remote Desktop" -Password $pfxPassword

Step 3: Apply Latest Windows Updates

Install these critical updates:

  • KB2871777 - Fixes Connection Broker installation issues
  • KB2821895 - Addresses cryptographic module problems

Step 4: Verify RDP Configuration

Final verification commands:

# Check RDP listening state
netstat -ano | findstr 3389

# Verify registry settings
reg query "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

# Check certificate binding
Get-ChildItem -Path "Cert:\LocalMachine\Remote Desktop" | Select-Object Thumbprint,Subject

For domain-joined servers, you can enforce RDP certificate settings via GPO:

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
- Set "Server Authentication Certificate Template" to your certificate thumbprint
- Enable "Always prompt for password upon connection"

After implementing these changes:

  1. Reboot the server
  2. Attempt RDP connection from client machine
  3. Check Event Viewer for any remaining cryptographic errors
  4. Verify the new certificate is being used in RDP session

This comprehensive approach addresses both the immediate cryptographic error and underlying system configuration issues that may have contributed to the problem.


When your Windows Server 2012 RDP service shows all green indicators but still fails with the cryptic error "This computer can't connect to the remote computer," it's time to dig deeper. The smoking gun appears in Event Viewer:

Event ID 36874:
"A fatal error occurred when attempting to access the SSL server credential private key. 
The error code returned from the cryptographic module is 0x8009030D. 
The internal error state is 10001."

First, verify the private key permissions for your RDP certificate:

# PowerShell command to check certificate thumbprint
# (the listener's auto-generated certificate lives in Cert:\LocalMachine\Remote Desktop, not My;
#  search that store as well if nothing is returned here)
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.FriendlyName -like "*Remote Desktop*"} | Select-Object Thumbprint,FriendlyName

# Then locate the corresponding private key file
$certThumbprint = "YOUR_THUMBPRINT"
$cert = Get-ChildItem -Path Cert:\LocalMachine\My\$certThumbprint
# .PrivateKey is populated only for legacy CSP keys; for CNG keys it is $null and the
# container file lives under ...\Microsoft\Crypto\Keys instead of ...\RSA\MachineKeys
$keyPath = Join-Path $env:ProgramData ("Microsoft\Crypto\RSA\MachineKeys\" + $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)
icacls $keyPath

The output should show SYSTEM and Administrators with FULL CONTROL permissions. If not, fix with:

icacls $keyPath /grant "NT AUTHORITY\SYSTEM:(F)"
icacls $keyPath /grant "BUILTIN\Administrators:(F)"
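The permission check above (and the MachineKeys reset in Step 1) taken one step further, as an added example that is my own code and not from the original post: it resolves the key container file for whatever certificate is currently bound to RDP-Tcp, handles both legacy CSP keys (where `.PrivateKey` works) and CNG keys (where it is `$null`, so the container name is read from `certutil`), and checks the ACL. It also checks that NETWORK SERVICE, the account TermService runs as, can read the key, since SYSTEM and Administrators having Full Control is not enough if that account cannot open the file. It assumes an elevated PowerShell 3.0+ session on Windows Server 2012; the function names are mine.

```powershell
# Added example, not from the original post. Resolves the on-disk key container behind the
# certificate bound to RDP-Tcp and checks the ACL that error 0x8009030D depends on.
# Assumes an elevated PowerShell 3.0+ session on Windows Server 2012; function names are mine.

function Get-RdpBoundThumbprint {
    # Same setting the wmic/WMI calls in the post write; returned as a hex string
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"
    return $ts.SSLCertificateSHA1Hash
}

function Get-PrivateKeyFile {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine' -Recurse |
            Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in any LocalMachine store" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    $cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
    # Legacy CSP keys expose the container name through .PrivateKey (what the post's snippet relies on)
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        return Join-Path $cryptoRoot "RSA\MachineKeys\$name"
    }
    # CNG keys: .PrivateKey is $null, so read the unique container name from certutil instead
    $store = $cert.PSParentPath.Split('\')[-1]
    $out = certutil -store $store $Thumbprint 2>&1 | Out-String
    if ($out -match 'Unique container name:\s*(\S+)') {
        return Join-Path $cryptoRoot "Keys\$($Matches[1])"
    }
    throw "Could not resolve the key container for $Thumbprint"
}

function Test-RdpKeyAcl {
    param([string]$Thumbprint = (Get-RdpBoundThumbprint), [switch]$Repair)
    $keyFile = Get-PrivateKeyFile -Thumbprint $Thumbprint
    if (-not (Test-Path -Path $keyFile)) { throw "Key container file is missing: $keyFile" }
    # TermService runs as NETWORK SERVICE, so that account needs Read in addition to the
    # SYSTEM/Administrators Full Control the post grants
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $required = @{
        'NT AUTHORITY\SYSTEM'          = $full
        'BUILTIN\Administrators'       = $full
        'NT AUTHORITY\NETWORK SERVICE' = $read
    }
    $acl = Get-Acl -Path $keyFile
    $missing = foreach ($id in $required.Keys) {
        $want = $required[$id]
        $ok = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $id -and
            (($_.FileSystemRights -band $want) -eq $want)
        }
        if (-not $ok) { $id }
    }
    if (-not $missing) { Write-Host "ACL OK on $keyFile"; return $true }
    Write-Warning ("Missing rights on $keyFile for: " + ($missing -join ', '))
    if ($Repair) {
        # Same icacls grants the post uses, scoped to the one key file rather than the whole folder
        icacls $keyFile /grant 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
        icacls $keyFile /grant 'BUILTIN\Administrators:(F)' | Out-Null
        icacls $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
        Restart-Service TermService -Force
        return (Test-RdpKeyAcl -Thumbprint $Thumbprint)
    }
    return $false
}

Test-RdpKeyAcl -Repair
```

Run it without `-Repair` first to see which identity is missing; granting on the single container file rather than the whole MachineKeys folder keeps the change scoped to the key that Schannel is actually failing to open.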

Ensure the certificate is properly bound to Terminal Services:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="YOUR_THUMBPRINT"

If you suspect the June 2013 update interference (KB2821895), here's how to verify and remediate:

# Check installed updates
Get-HotFix -Id KB2821895

# If present, apply the fix from KB2871777
# Download from: https://www.catalog.update.microsoft.com/Search.aspx?q=KB2871777

When standard certificate methods fail, try this PowerShell sequence to regenerate credentials:

# Remove existing RDP certificate binding (it is a registry value, so Remove-ItemProperty, not Remove-Item)
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SSLCertificateSHA1Hash"

# Force new certificate generation
$tsgs = Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-Tcp'"
$tsgs.SetSSLCertificateSHA1Hash($null)

# Restart services so the listener picks up (or regenerates) its certificate
Restart-Service TermService -Force

For environments without an Enterprise CA, use this PowerShell script to create a valid self-signed certificate:

# Trailing backticks are required to continue the command across lines. -KeyUsage, -KeySpec,
# -HashAlgorithm and -Provider are only accepted by the Windows 10 / Server 2016 and later cmdlet.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyUsage DigitalSignature, KeyEncipherment -KeySpec KeyExchange `
    -HashAlgorithm SHA256 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

$thumbprint = $cert.Thumbprint
# Only the public certificate goes into Trusted Roots; the export folder must exist
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
Export-Certificate -Cert "Cert:\LocalMachine\My\$thumbprint" -FilePath "C:\temp\RDPCert.cer"
Import-Certificate -FilePath "C:\temp\RDPCert.cer" -CertStoreLocation "Cert:\LocalMachine\Root"

$tsgs = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-Tcp'"
$tsgs.SetSSLCertificateSHA1Hash($thumbprint)
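The binding step, which appears above as a wmic one-liner and twice as a WMI method call, wrapped in a function that validates the certificate before binding it and confirms what the listener will actually read. This is an added example of my own, not code from the original post. It assumes an elevated PowerShell 3.0+ session and that the certificate is in `Cert:\LocalMachine\My`; the function name and the `-RestartListener` switch are mine.

```powershell
# Added example, not from the original post. Binds a certificate to the RDP-Tcp listener the same
# way the wmic/WMI snippets above do, but validates the certificate first and confirms the
# registry value the listener reads. Assumes an elevated PowerShell 3.0+ session; names are mine.

function Set-RdpCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [switch]$RestartListener
    )
    # Thumbprints copied from the certificate MMC often carry spaces or an invisible leading
    # character; strip everything that is not a hex digit before using the value
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($Thumbprint.Length -ne 40) { throw "'$Thumbprint' is not a 40-hex-digit SHA-1 thumbprint" }

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; the listener cannot use it (0x8009030D)' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
    # If an EKU extension is present it must include Server Authentication (1.3.6.1.5.5.7.3.1)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        throw 'Certificate lacks the Server Authentication EKU'
    }

    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"
    $result = $ts.SetSSLCertificateSHA1Hash($Thumbprint)
    if ($result.ReturnValue -ne 0) { throw "SetSSLCertificateSHA1Hash returned $($result.ReturnValue)" }

    # The listener reads the REG_BINARY value; convert it back to hex and compare
    $regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $bytes  = (Get-ItemProperty -Path $regKey -Name SSLCertificateSHA1Hash).SSLCertificateSHA1Hash
    $bound  = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($bound -ne $Thumbprint) { throw "Registry holds $bound but $Thumbprint was requested" }

    if ($RestartListener) { Restart-Service TermService -Force }
    return $bound
}

# Usage (placeholder thumbprint):
# Set-RdpCertificate -Thumbprint 'YOUR_THUMBPRINT' -RestartListener
```

The EKU check matters because a certificate issued from a template without Server Authentication will bind without error and then fail at connection time; checking `HasPrivateKey` up front catches the case where only the public certificate was imported, which produces exactly the private-key error this post is about.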

Before giving up, verify these critical registry settings:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v X509Certificate
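The registry checks above and the post-change checklist in the first part of this page (reboot, connect, check Event Viewer, confirm the certificate in use) combined into one health check, as an added example that is my own code and not from the original post. It converts the REG_BINARY `SSLCertificateSHA1Hash` value back to a thumbprint, resolves it against every LocalMachine store, and counts Schannel events since the last boot whose message quotes the error code 0x8009030D. It assumes PowerShell 3.0+ on Windows Server 2012 (`Get-CimInstance`, `Get-WinEvent`); the function name is mine.

```powershell
# Added example, not from the original post. One-shot health check covering the post-change
# checklist: registry settings, listener state, the bound certificate, and Schannel
# private-key errors logged since the last boot. Assumes PowerShell 3.0+ on Windows Server 2012;
# the function name is mine.

function Test-RdpHealth {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $report = [ordered]@{}

    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $report.ConnectionsAllowed = ($deny -eq 0)
    $report.TermServiceRunning = ((Get-Service -Name TermService).Status -eq 'Running')
    # Same check as "netstat -ano | findstr 3389", but only counting a LISTENING socket
    $report.Listening3389 = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

    # Bound certificate: REG_BINARY SHA-1 -> hex, then resolved against every LocalMachine store
    $bytes = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name SSLCertificateSHA1Hash `
                -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
    $thumb = if ($bytes) { ($bytes | ForEach-Object { $_.ToString('X2') }) -join '' } else { '' }
    $report.BoundThumbprint = $thumb
    $cert = $null
    if ($thumb) {
        $cert = Get-ChildItem -Path 'Cert:\LocalMachine' -Recurse |
                Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    }
    $report.CertFound         = [bool]$cert
    $report.CertHasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
    $report.CertNotExpired    = [bool]($cert -and $cert.NotAfter -gt (Get-Date))
    $report.CertStore         = if ($cert) { $cert.PSParentPath.Split('\')[-1] } else { '' }

    # Schannel events since boot whose message quotes the same crypto error code as the post
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $errs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $boot } `
                -ErrorAction SilentlyContinue | Where-Object { $_.Message -match '0x8009030D' }
    $report.KeyErrorsSinceBoot = @($errs).Count

    $report.Healthy = $report.ConnectionsAllowed -and $report.TermServiceRunning -and $report.Listening3389 -and
                      $report.CertHasPrivateKey -and $report.CertNotExpired -and ($report.KeyErrorsSinceBoot -eq 0)
    return [pscustomobject]$report
}

Test-RdpHealth | Format-List
```

A `BoundThumbprint` that resolves to a certificate with `CertHasPrivateKey` false, or to no certificate at all, is the configuration that produces the 0x8009030D event; `KeyErrorsSinceBoot` staying at zero after the reboot is the confirmation the checklist asks for.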