Schannel Event 36870 – A fatal error occurred – RDP

Came in one morning to reports that nobody could access a particular Windows Server 2012 R2 RDS server.  To keep from being too wordy, I took some time and narrowed it down to an issue with that one particular server, not RDS itself.  As I kept digging I came across numerous instances of the following Schannel Event 36870 error on the affected RDS host, which I could then reproduce by attempting to make an RDP connection to the server experiencing the issue.

Now this led me down quite a number of SSL certificate rabbit holes, but the winner came from this Stack Overflow post, which referenced this Microsoft blog post, in which scenario 2 was my solution.  I restored the default permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, restarted the box, and voilà!  RDP was functional again!
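The triage described above, scripted as an added example (this is not code from the original post): pull the recent Schannel 36870 events, audit the MachineKeys folder ACL against the defaults Microsoft documents in KB 278381, and try to open the private key behind the RDP listener certificate, which is the operation that fails when those permissions are wrong. It assumes an elevated Windows PowerShell 5.1 session on the affected server, the default RDP-Tcp listener, and a listener certificate whose key is a CSP key under MachineKeys (true for the self-signed RDP certificate); the "expected" ACL entries it checks for are taken from that KB and should be verified against it.

```powershell
# Added example, not the post's own code. Assumptions: elevated Windows PowerShell 5.1 on the
# affected RDS host, default 'RDP-Tcp' listener, CSP-backed listener key stored in MachineKeys.

$MachineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-Schannel36870 {
    # Recent fatal Schannel events from the System log; the message text carries the
    # cryptographic error code and the internal error state used by Microsoft's article.
    param([int]$MaxEvents = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36870 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-MachineKeysAcl {
    # Documented defaults (KB 278381, verify against the article): Administrators = Full Control,
    # Everyone = a special read/write set without Delete. Anything else is worth a look.
    $acl = Get-Acl -Path $MachineKeys
    $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize | Out-String | Write-Host

    $admins   = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'FullControl'
    }
    $everyone = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow'
    }
    $ok = $true
    if (-not $admins)   { Write-Warning "Administrators lack Full Control on $MachineKeys"; $ok = $false }
    if (-not $everyone) { Write-Warning "The default Everyone entry is missing on $MachineKeys"; $ok = $false }
    return $ok
}

function Test-RdpListenerKey {
    # Find the certificate bound to the RDP listener and attempt to open its private key.
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                             -Filter "TerminalName='RDP-Tcp'"
    $hash = $setting.SSLCertificateSHA1Hash
    # The self-signed certificate lives in 'Remote Desktop'; a deployment certificate lives in 'My'.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate with thumbprint $hash found"; return $false }
    if (-not $cert.HasPrivateKey) { Write-Warning "Certificate $hash has no private key"; return $false }
    try {
        # Accessing .PrivateKey opens the key container; with broken MachineKeys permissions this throws.
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile   = Join-Path $MachineKeys $container
        Write-Host "Listener certificate '$($cert.Subject)' key file: $keyFile"
        Get-Acl -Path $keyFile | Select-Object -ExpandProperty Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType |
            Format-Table -AutoSize | Out-String | Write-Host
        return $true
    } catch {
        Write-Warning "Cannot open the listener's private key: $($_.Exception.Message)"
        return $false
    }
}

Get-Schannel36870 | Format-List
Test-MachineKeysAcl
Test-RdpListenerKey
```

If Test-RdpListenerKey fails while the certificate is present, the problem is access to the key material rather than the certificate itself, which is exactly the MachineKeys permission case. Restore the folder's permissions from Microsoft's article rather than granting Everyone Full Control, and keep in mind that any private key in that folder is only as protected as the ACL on it.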

HAProxy Configuration for Remote Desktop Services

Remote Desktop Services can be a touchy subject for some, but I find the solution to work well.  When the need to provide external access arises I will typically use HAProxy to, you never would have guessed it, proxy the traffic to the appropriate places.  It has proven to be rock solid in its performance, and offers decent logging when issues arise.  Please note that additional security measures should be taken to secure this, so don’t just drop it in and think you’re done.

A lot of the configuration options are simply taken from the HAProxy documentation.  I do suggest taking some time and reading through the common options to help fine-tune your config.  Before I drop my “template” config, let’s do a quick overview of what it contains (though I will have comments in the config).  First things first, I set up the built-in stats page.  This is very useful and I don’t see much reason not to set it up.  I then redirect port 80 traffic (HTTP) to port 443 (HTTPS/SSL).  Next up is to proxy any HTTPS/SSL traffic in to the RDS server.  Finally, we proxy the RDP traffic through and we’re good to go!
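The four pieces described above, written out as an added example configuration (this is not the author's template, and it is not taken from any project): a stats page bound to a management address, an HTTP-to-HTTPS redirect, a TCP pass-through of 443 to the RD Gateway / RD Web host, and a TCP proxy for RDP with a crude per-source connection-rate limit. Host names, addresses, ports and the stats credentials are placeholders; the syntax targets HAProxy 1.8 or later.

```haproxy
# Added example, not the post's own configuration.
# Assumed names: 10.0.0.10 = RD Gateway / RD Web host, 10.0.0.20 = RD Session Host,
# 127.0.0.1:8404 = management-only stats listener, stats credentials are placeholders.

global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    option  dontlognull
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# 1. Built-in stats page. Bind it to a management address only, never the Internet-facing one.
listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:change-this-password      # placeholder: use a real secret

# 2. Plain HTTP exists only to redirect to HTTPS.
frontend http_in
    bind *:80
    mode http
    http-request redirect scheme https code 301

# 3. HTTPS passed straight through to the RD Gateway / RD Web host. No TLS termination, so
#    clients see the gateway's own certificate and RD Gateway's long-lived RPC-over-HTTP
#    tunnels are not cut by HTTP-mode request handling; the long timeouts are for those tunnels.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    timeout client 1h
    default_backend rds_gateway

backend rds_gateway
    mode tcp
    timeout server 1h
    server rdsgw01 10.0.0.10:443 check check-ssl verify none

# 4. Raw RDP to a session host, rate-limited per source address (20 new connections / 10 s).
frontend rdp_in
    bind *:3389
    mode tcp
    option tcplog
    stick-table type ip size 100k expire 1m store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_rate gt 20 }
    timeout client 8h
    default_backend rdp_hosts

backend rdp_hosts
    mode tcp
    balance source                             # keep a client on the same session host
    timeout server 8h
    server rdsh01 10.0.0.20:3389 check
```

Two caveats that the overview does not state: HAProxy proxies TCP only, so the RD Gateway UDP transport on 3391 is not carried and clients fall back to the HTTP transport; and once RD Gateway is reachable over 443, the raw 3389 frontend is only needed for clients that bypass the gateway, so restrict it to known source addresses or drop it rather than exposing RDP to the Internet behind a rate limit alone.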


Client Machine Cannot Launch RDS Apps. Event 4625 Status 0xC000035B.

My help desk gave me a shout today saying that a particular user could not launch an RDS app from their computer.  Naturally I checked all the basics with a test account and all was operating as expected, so I knew it had to be something with the client machine.

I did a bunch more basic troubleshooting (I didn’t have a lot of faith in this particular technician) and then started digging through the logs on the RDS Gateway box until I found the following little bugger (Event 4625):

Naturally this doesn’t tell me anything, but with a little Google-Fu I came up with this source.  I changed the LmCompatibilityLevel value to 3 or higher as directed, gave the machine a reboot, and voilà, it worked.  The value can be found at HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
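Both halves of that fix, as an added example rather than the post's own commands: on the RDS Gateway, pull the 4625 events whose Status is 0xC000035B so the failing user, workstation and authentication package are visible in one table; on the client, read LmCompatibilityLevel with its meaning and, if needed, raise it. The level-to-meaning table is the documented one for the "Network security: LAN Manager authentication level" policy; the function names and the status filter default are mine.

```powershell
# Added example, not the post's own code. Part A runs on the RD Gateway (Security log access
# needed); Part B runs on the client in an elevated shell. The reboot requirement is the post's.

# Part A: 4625 failures with a given NTSTATUS, decoded from the event XML so the filter
# does not depend on how the Status string is cased in the event data.
function Get-FailedLogonByStatus {
    param([string]$Status = '0xC000035B', [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['Status'] -ieq $Status) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    Workstation = $data['WorkstationName']
                    SourceIp    = $data['IpAddress']
                    AuthPackage = $data['AuthenticationPackageName']
                    Status      = $data['Status']
                    SubStatus   = $data['SubStatus']
                }
            }
        }
}

# Part B: the client-side setting the post changed.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $value = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        'LmCompatibilityLevel not set; the OS default for this Windows version applies'
    } else {
        "LmCompatibilityLevel = $value ($($LmLevels[[int]$value]))"
    }
}

function Set-LmCompatibilityLevel {
    # 3 is the minimum the post needed; 5 is the hardened value for a client that never needs LM/NTLMv1.
    param([ValidateRange(0, 5)][int]$Level = 3)
    New-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -PropertyType DWord -Value $Level -Force | Out-Null
    Get-LmCompatibilityLevel
}

# On the gateway:
Get-FailedLogonByStatus | Format-Table -AutoSize
# On the client:
Get-LmCompatibilityLevel
# Set-LmCompatibilityLevel -Level 3   # then reboot, as in the post
```

If the value is delivered by Group Policy, the local edit is overwritten at the next refresh, so for anything beyond a one-off machine set "Network security: LAN Manager authentication level" in GPO instead and audit the fleet with Get-LmCompatibilityLevel over a remoting session.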