Machine Key permission incorrect, cannot use RDP to connect to server any more

After a round of updates, one of the machine keys on a Server 2012 R2 host had its permissions changed so that the only permission on the file is Everyone - Read. Ever since then you cannot use regular RDP to connect to this server. Everything else is functioning ok. I can access the server by using the console in VMware. Error logs are showing an Schannel error when trying to access the server via RDP. Error details below:

Log Name:      System
Source:        Schannel
Date:          --
Event ID:      36870
Task Category: None
Level:         Error
Keywords:    
User:          SYSTEM
Computer:      XXXXX
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D.
The internal error state is 10001.

Does anyone know how I can get the permissions back to default so RDP works again?  Please let me know if there's any other information that might be helpful.

May 20th, 2015 2:53pm

Hi,

Is the Windows Update the cause of the Everyone Read permission? Can you confirm that you only have 'Read' permission set for 'Everyone' on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys?

When the correct permissions are missing, you can find more information here: http://blogs.technet.com/b/askperf/archive/2014/10/22/rdp-fails-with-event-id-1058-amp-event-36870-with-remote-desktop-session-host-certificate-amp-ssl-communication.aspx

May 20th, 2015 4:19pm

It was either a Windows update, or I also updated the VM hardware on the machine that night as well. The permissions on the MachineKeys folder are ok, and the permissions on all the other keys are ok; it's only one key that the permissions are messed up on. I did find that article previously, which helped me identify what was going on with my server. Will I be able to reset the permissions on that key file with the icacls command even though I don't have the appropriate permissions?
May 20th, 2015 5:09pm

Did you make a snapshot/backup of the server before updating? If so, restore this backup in another location and try to copy the machine key from the backup into the messed-up environment. What's the file name of the key?

Make a backup of the location and try to reset the permissions with icacls (open cmd as admin). Try to take ownership of the folder (I think you've tested it already, just to be sure).

If you still have any problems, boot the server in "Safe Mode" and try to change the permissions.

May 20th, 2015 9:19pm

The backups are long gone by now. The machine key in question is f686aace6942fb7f7ceb231212eef4a4_29fa9aaa-ef5b-4277-a4a7-cc9514b27d7c
May 21st, 2015 11:59am

Have a look at this article: https://social.technet.microsoft.com/Forums/lync/en-US/780c5113-d534-4b58-8baa-4912a98ae82e/remote-desktop-managment-not-working

There has to be a way to fix this problem. Did you test everything as I have described in my previous co

May 21st, 2015 5:15pm

Hi,

Have you tried the method within the thread above to change registry permissions?

"For some reason the administrator did not have read permissions on the following:

f686aace6942fb7f7ceb231212eef4a4_........ located here C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

I had to change the owner of the file to local Administrators, add Administrators read, and then set the owner back to SYSTEM."

Best Regards,

Amy

May 30th, 2015 11:45am
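The sequence quoted in the reply above (take ownership as Administrators, add an Administrators read entry, hand ownership back to SYSTEM) as an added PowerShell example. This is not code from the thread or from Microsoft; it uses the path and file name the original poster gave, and the backup directory C:\Temp\MachineKeys-acl-backup is an assumption you can change. Run it from an elevated PowerShell session on the server console, since RDP is what is broken.

```powershell
# Added example (not from the thread): repair the ACL on one machine key file.
# Must run ELEVATED, on the console of the affected host.
# File name is the one the original poster named; replace it with your own.
$keyFile   = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_29fa9aaa-ef5b-4277-a4a7-cc9514b27d7c'
$backupDir = 'C:\Temp\MachineKeys-acl-backup'   # assumed location for the ACL backup

if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Record the current owner and DACL before touching anything.
#    icacls /save writes the DACL as SDDL; it can be put back later with
#    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /restore <savefile>
Write-Host 'ACL before:'
icacls $keyFile
icacls $keyFile /save (Join-Path $backupDir 'key-acl.txt') | Out-Null
(Get-Acl -LiteralPath $keyFile).Owner | Set-Content -Path (Join-Path $backupDir 'key-owner.txt')

# 2. With only Everyone:Read on the file, an administrator has no WRITE_DAC right, so a
#    plain "icacls /grant" is refused with "Access is denied". takeown /A makes the local
#    Administrators group the owner; an owner may always rewrite the DACL.
takeown /F $keyFile /A
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# 3. Add the Administrators read entry the reply describes. (R) is icacls' read right;
#    use (F) instead if you want the group to have full control.
icacls $keyFile /grant 'BUILTIN\Administrators:(R)'
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

# 4. Hand ownership back to SYSTEM, as the reply did, so the file looks as it did before.
icacls $keyFile /setowner 'NT AUTHORITY\SYSTEM'
if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed with exit code $LASTEXITCODE" }

# 5. Verify the result as PowerShell sees it.
$acl = Get-Acl -LiteralPath $keyFile
Write-Host "Owner now: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Step 2 is the answer to the question asked earlier in the thread about running icacls without having permissions: granting rights needs WRITE_DAC, which Everyone:Read does not include, but taking ownership needs only the SeTakeOwnershipPrivilege that every elevated administrator holds, and ownership then gives you the right to change the DACL. The same three steps can be done by hand in the file's Security tab. After the change, confirm that Event ID 36870 stops being logged the next time an RDP connection is attempted.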
