pegnose
Goto Top

RDP connection to Windows 10 client fails with code 0x904

I have a Win10 workstation to which I cannot RDP. I use the built-in RDP client from Win11. The connection fails with the following message (translated from German):

"Error code: 0x904
Extended error code: 0x7"

The workstation is fully set up and working fine otherwise. A lot of customization has been done by the main user. Would be a shame to have to do all this again. However, RDP is vital for the use case on this machine.

Unfortunately, I had trusted the main user with installing his own software. And for whatever reason he had been running Windows 7 Firewall Controll, and then later removed it. He contacted me when he found he cannot longer RDP.

What I have already tried:
- connecting via NetBios name as well as IPv4 address (both pingable)
- resetting the Windows firewall
- fully disabling Windows firewall
- resetting the complete network settings as per Win10
- uninstalling the network device from device manager (including driver software) and reinstalling it
- use a different NIC on this machine
- connect from a different guest (even Android)
- use Win10 Firewall Control portable to access the existing rules, but no avail (all has been deleted)
- use the Windows Store RDP app, it also fails to connect with this output (translated from German):

"Error code: 0x4
Extended Error code: 0x0
Activity ID: {98bd10a7-6d18-4103-9336-91673e6a0000}"

What I have checked:
- RDP related services are running
- RDP related firewall rules are set and enabled (plus disabling the firewall does not help)
- I can ping the machine
- I can access shared folders
- I can RDP into a different Windows 10 installation on the same machine (it's dual boot)

What else can I do?

Content-ID: 668888

Url: https://administrator.de/contentid/668888

Printed on: December 3, 2024 at 11:12 o'clock

pegnose
Solution pegnose Oct 20, 2024 at 18:22:23 (UTC)
Goto Top
Figured it out myself. Turns out there was an issue with the TLS certificate used for RDP services. I had to delete the current one.

I found got a System error event in the logs relating to the source "Schannel" (id 36870) and the TLS server private key. I also got a security Audit failure event (id 5016) pointing me to the TSSecKeySet1, which apparently failed to open.

The solution was to delete the TSL certificate used by RDP service. I did this via the mmc and the snap-in "Certificates"., where there is a section for Remote Desktop. It seems you can just delete the RDP certificate and a new one gets created upon next connection.

This old article also pointed me in the right direction:
https://oli.new-lan.de/2017/11/probleme-mit-rdp-schannel-event-id-36870- ...

Log Name:      System
Source:        Schannel
Date:          20.10.2024 19:47:00
Event ID:      36870
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      xxx
Description:
A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">  
  <System>
    <Provider Name="Schannel" Guid="{1f678132-5938-4686-9fdc-c8ff68f15c85}" />  
    <EventID>36870</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-10-20T17:47:00.7027659Z" />  
    <EventRecordID>55148</EventRecordID>
    <Correlation ActivityID="{faca067a-2310-0002-d506-cafa1023db01}" />  
    <Execution ProcessID="980" ThreadID="596" />  
    <Channel>System</Channel>
    <Computer>xxx</Computer>
    <Security UserID="xxx" />  
  </System>
  <EventData>
    <Data Name="Type">server</Data>  
    <Data Name="ErrorCode">0x8009030d</Data>  
    <Data Name="ErrorStatus">10001</Data>  
  </EventData>
</Event>

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          20.10.2024 19:47:00
Event ID:      5061
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      xxx
Description:
Cryptographic operation.

Subject:
	Security ID:		NETWORK SERVICE
	Account Name:		xxx
	Account Domain:		xxx
	Logon ID:		0x3E4

Cryptographic Parameters:
	Provider Name:	Microsoft Software Key Storage Provider
	Algorithm Name:	UNKNOWN
	Key Name:	TSSecKeySet1
	Key Type:	Machine key.

Cryptographic Operation:
	Operation:	Open Key.
	Return Code:	0x80090016
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">  
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />  
    <EventID>5061</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2024-10-20T17:47:00.7027575Z" />  
    <EventRecordID>259778</EventRecordID>
    <Correlation ActivityID="{faca067a-2310-0002-d506-cafa1023db01}" />  
    <Execution ProcessID="980" ThreadID="596" />  
    <Channel>Security</Channel>
    <Computer>xxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">xxx</Data>  
    <Data Name="SubjectUserName">xxx</Data>  
    <Data Name="SubjectDomainName">xxx</Data>  
    <Data Name="SubjectLogonId">0x3e4</Data>  
    <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>  
    <Data Name="AlgorithmName">UNKNOWN</Data>  
    <Data Name="KeyName">TSSecKeySet1</Data>  
    <Data Name="KeyType">%%2499</Data>  
    <Data Name="Operation">%%2480</Data>  
    <Data Name="ReturnCode">0x80090016</Data>  
  </EventData>
</Event>