All of the sudden my Windows 2008 Enterprise Terminal server stopped accepting connections.  I had about 30 users who couldn’t connect including administrators. I was looking all over the place for a fix and thought it could even be that i was out of licenses as I had 25 installed but 35 in use.  It turned out not to be that.  One error that i was getting was

Event ID 56

The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.

After trying several things, including reactivating the server  using the “corrupt certificate” reason, and installing a hotfix that resolves issues related to terminal server certificates here’s how i fixed it. On the Terminal server, i opened up MMC and added Certficates snap-in for the Computer Account.   I went to the “Remote Desktop” >> “Certificates” folder and backed up the certificates that were there, Then I deleted them. I rebooted the server, which recreated those certificates.  Then i could connect with both admin accounts and non admin accounts.  I hope this post saves someone some time.

Credit to these two posts for helping me figure this out

http://blogs.technet.com/b/askperf/archive/2010/03/25/the-curious-case-of-event-id-56-with-source-termdd.aspx

http://arstechnica.com/civis/viewtopic.php?t=1131179

The exact event id.

Log Name:      System
Source:        TermDD
Date:          4/13/2015 2:59:59 PM
Event ID:      56
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      mytermserver.mydomain.com
Description:
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Event Xml:
<Event xmlns=”http://schemas.microsoft.com/win/2004/08/events/event”&gt;
<System>
<Provider Name=”TermDD” />
<EventID Qualifiers=”49162″>56</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime=”2015-04-13T18:59:59.865Z” />
<EventRecordID>643544</EventRecordID>
<Channel>System</Channel>
<Computer>mytermserver.mydomain.com</Computer>
<Security />
</System>
<EventData>
<Data>\Device\Termdd</Data>
<Binary>00000400010000000000000038000AC00000000038000AC00000000000000000000000000000000030030980</Binary>
</EventData>
</Event>

Advertisements