Start by checking the basics as described in Microsoft's TechNet article on event 1130:
Make sure the Remote Desktop server has network connectivity to the licensing server. If you can ping the licensing server, you're probably OK as far as the basics go (but see below).
Make sure the license server is configured to be automatically discovered. Use the "Review Configuration" Action in the Remote Desktop Licensing Manager.
Check that the Remote Desktop server can discover the license server. Using the Licensing Diagnosis option in Remote Desktop Session Host configuration, make sure the licensing server appears in the list.
Check that the licensing service is running on the license server. The service name is TermServLicensing, the friendly name may be "Terminal Services Licensing" or "Remote Desktop Licensing" depending on the version of Windows.
If you are using Windows Firewall, check that the Remote Desktop Licensing Server exceptions are enabled on the license server. If you are using a third-party firewall, or if there is an external firewall between the Remote Desktop server and the licensing server, make sure all the relevant ports are opened. See this forum thread, and also Which ports are used by a RDS 2012 deployment? on TechNet.
In my case, however, the problem was with the Local Security Policy on the license server, specifically the "Access this computer from the network" option under User Rights Assignment. Although it does not appear to be documented, the Active Directory computer objects representing the Remote Desktop servers must be granted this right, either explicitly or indirectly. (The default setting includes Everyone, which is sufficient to allow Remote Desktop licensing to work.)
Once this access right was granted, the next Remote Desktop logon caused the missing X509 Certificate registry entries to be created, and event ID 1130 stopped appearing.
You should also check the "Deny access to this computer from the network" setting, which takes precedence, and any other configuration changes you might have made to the licensing server which could affect the Remote Desktop server's ability to establish an IPC logon. The security event log on the licensing server may be useful in determining whether the IPC logon is successful or not.
Additional notes:
If one of your Remote Desktop servers is experiencing this or any similar problem, you can still log into it remotely for troubleshooting purposes using this command line:
mstsc /admin /v:servername
In case the link in the question goes dead, you can reset the grace period as a temporary workaround by deleting the REG_BINARY value in this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod
(This is of course unsupported and should be used only with due care and at your own risk.)
If you have experienced the same problem but due to a cause not covered by my self-answer, please post another answer (preferably) or a comment. Thanks in advance!
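The checks from the answer above can be scripted on the license server. This is an added example, not part of the original answer: it lists who currently holds the "Access this computer from the network" and "Deny access to this computer from the network" rights, confirms the TermServLicensing service state, and pulls recent network logon events for one Remote Desktop server. Assumptions: `RDSH01` is a placeholder server name, logon auditing is enabled on the license server, and the standard Security log event IDs 4624 (logon success) and 4625 (logon failure) are used.

```powershell
# Run in an elevated PowerShell session on the license server.
$rdServer = 'RDSH01'   # placeholder: name of the affected Remote Desktop server
$cfg = Join-Path $env:TEMP 'user-rights.inf'

# Export the current user rights assignments to an INF file.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-UserRight([string]$Name) {
    # Export lines look like: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Name\s*=" }
    if (-not $line) { return }                      # right is assigned to nobody
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # SIDs are prefixed with '*'; resolve them to account names where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }                    # unresolvable SID (e.g. deleted account)
        } else {
            $entry                                  # already exported as a name
        }
    }
}

'Access this computer from the network (SeNetworkLogonRight):'
Get-UserRight 'SeNetworkLogonRight' | ForEach-Object { "  $_" }

'Deny access to this computer from the network (SeDenyNetworkLogonRight, takes precedence):'
Get-UserRight 'SeDenyNetworkLogonRight' | ForEach-Object { "  $_" }

# Licensing service state on this server.
Get-Service -Name TermServLicensing | Select-Object Name, DisplayName, Status

# Logon successes (4624) and failures (4625) in the last 24 hours that mention the RD server.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($rdServer) } |
    Select-Object -First 20 TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

Remove-Item $cfg -ErrorAction SilentlyContinue
```

The Remote Desktop server's computer account (or a group it belongs to, such as Everyone) should appear in the first list and in no entry of the second.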