RDP connects but authentication fails

I have a couple of workstations that always fail authentication when I try to connect to them with RDP. The server and client configuration appears to be identical.

There was a Schannel error

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

Which I resolved(?) by changing the permissions on the CA assigned certificates to allow read access by the NETWORK SERVICE account.

Certificates all appear valid and I cannot see anything to indicate a fault in the application/system/security event logs.

All credentials fail to authenticate, not even the local administrator.

Does anyone have any ideas?

Summary of suggestions

• Check date/time sync. (checked okay)
• Change schannel logging verbosity (changed, unable to identify anything unusual)

Update 1

Enabled Debug/Analytic logging on TerminalServices-RemoteConnectionManager using wevtutil tool.

wevtutil sl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic /e:true wevtutil sl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug /e:true

The Debug logs show some errors.

TERMSRV: ERR::IConnection->Accept failed: 0xd000020f in CListenerEx::TransferWorkItem

TERMSRV: ERR::ptrExt->AcceptConnection failed: 0xd000020f in CConnectionEx::Accept

Update 2

I ran procmon during an attempt to authenticate. I couldn't find any issues.

I tried resetting the TCP/IP stack using netsh winsock reset and netsh int ip reset (this seems to fix inexplicable weirdness).

After a reboot the interface would not get configured with DHCP no matter what I tried. This machine was a VM so I just added a new nic and removed the old one.

Interestingly enough after this step the interface configured and RDP is now working on this machine.

I tried the netshell resets on another affected machine and although the interface successfully reconfigured after boot RDP is still failing authentication.

Maybe the problem is tied to the nic mac address...

Update 3

There is a physical machine that has identical symptoms as the VM, all logs so far show the same.

The problem still remains after:

• resetting netshell
• removing the nic device and adding again
• changing the nic mac address
• adding a completely new physical nic!

Under Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration, right click on the server configuration object (presented in the middle of the screen) and go to Properties > Security (click through the warning) and make sure BUILTIN\Remote Desktop Users are granted all access BUT Full Control. Also ensure BUILTIN\Administrators are granted full control.

Someone changed these settings on us for Server 2008 R2 and that caused this same issue.