
Please note, this scenario is different from a similar one: How do I disable TLS 1.0 without breaking RDP?

The linked question is about RDP and disabling TLS 1.0.

This question is about RemoteApp's and disabling TLS 1.0

I already have straight RDP over port 3389 working with TLS 1.2.

We have a 2012R2 Server hosting RemoteApp's.

We have the RD Gateway, RD Web Access, RD Connection Broker, RD Session Host roles installed on this server.

RemoteApp's are served through the RD Gateway over https. The only public port we have open is 443.

We have a public CA supplied wildcard SSL certificate installed in all of the RD Roles and IIS, so everything traces back to a trusted root cert.

The cert supports TLS 1.2, I see this in a webbrowser when I view the RDWeb website.

We are tying to disable TLS 1.0 on this server to tighten up the security. We are using IISCrypto 2.0 to disable TLS 1.0

When we disable TLS 1.0 two things are observed:

1. The RemoteApp's stop working. They cannot be launched from an end user machine.

2. Straight RDP connections work just fine.

When we re-enable TLS 1.0 the RemoteApp's work again.

SChannel logging confirms that RemoteApps are using TLS 1.2, so I would expect the RemoteApps to continue working when TLS 1.0 is disabled. However that is not what I am observing.

All client's are using fully updated/patched versions of Windows 8.1 and 10.

Phil Sayers
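A quick way to confirm from a client what the gateway will actually negotiate on 443 is to offer it one TLS version at a time. This is an added example, not code from the original question; `gateway.example.com` is a placeholder for your RD Gateway name. Certificate validation is deliberately bypassed because the only thing being measured is whether the handshake for that version succeeds.

```powershell
# Added example (not from the original post). Probe an RD Gateway on TCP 443
# with exactly one TLS version per connection and report what SChannel did.
# Assumption: 'gateway.example.com' stands in for the real gateway host name.

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: we are testing protocol support, not trust.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        # Offer only $Protocol; a server with that version disabled refuses it.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Detail     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        }
    } catch {
        [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $false
            Negotiated = $null
            Detail     = $_.Exception.Message
        }
    } finally {
        $tcp.Close()
    }
}

# After TLS 1.0/1.1 are disabled on the server you should see Tls and Tls11
# refused and only Tls12 accepted.
'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsHandshake -HostName 'gateway.example.com' -Protocol $_
} | Format-Table -AutoSize
```

Run this from the client side before and after the change; if TLS 1.2 is the only accepted version but RemoteApps still fail, the problem is not the 443 handshake itself, which is what the accepted answer below addresses.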

3 Answers


After almost a year, I finally figured out a working solution for disabling TLS 1.0/1.1 without breaking RDP and Remote Desktop Services connectivity.

Run IISCrypto and disable TLS 1.0, TLS 1.1 and all bad ciphers.

On the Remote Desktop Services server running the gateway role, open the Local Security Policy and navigate to Security Options - System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Change the security setting to Enabled. Reboot for the changes to take effect.

Note that in some cases (especially if using self signed certificates on Server 2012 R2), the Security Policy option Network Security: LAN Manager authentication level may need to be set to Send NTLMv2 responses only.

Let me know if this works for you as well.

  • Have you used any RemoteApp's successfully with this change? Or are you doing RDP with the RD Gateway (which is slightly different from RemoteApp's)? – Phil Sayers Feb 17 '17 at 22:41
  • I don't use RemoteApps in our environment, however, I had the same symptoms, i.e. I couldn't launch any published apps from the session host. Enabling FIPS resolved the issue. Let me know if this also resolves your RemoteApps issue. – cardiothoracics Feb 20 '17 at 19:07
  • Sorry, too many late nights. We do use RemoteApps, I was thinking of the RDWeb application feeds. And yes, the fix does work for RemoteApps that are published as part of the session host collection. – cardiothoracics Feb 24 '17 at 09:31
  • Confirmed, this works completely. We did run into issues with some Win 7 client users who needed TLS1.2 enabled on their machines. Combinations of [1] and [2] solved connection issues for the Win 7 machines. [1] https://blog.tmurphy.org/2015/07/rdp-client-not-authenticating-to-rd.html [2] https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi – Phil Sayers Nov 29 '18 at 17:59
  • Confirmed that this works on Windows Server 2016 as well! Thanks! – Tim Friesen Apr 17 '19 at 13:05
  • I actually first tried with TLS 1.0 and 1.1 disabled on the client side (using IISCrypto), but then not even RDP would work anymore. So I had to re-enable TLS 1.0 and 1.1 on the client side. But leaving them disabled on the server is working great with the Local Security Policy changes. – Tim Friesen Apr 17 '19 at 13:08
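The three changes in the accepted answer are all registry-backed, so they can be applied and read back from a script instead of clicking through IISCrypto and secpol.msc. The following is an added example, not the answer author's code: it writes the SCHANNEL protocol keys that IISCrypto edits, the LSA FIPS policy value behind "System cryptography: Use FIPS compliant algorithms", and optionally the LmCompatibilityLevel value behind "LAN Manager authentication level" (level 3 is "Send NTLMv2 response only"). It assumes an elevated PowerShell session on the gateway/session host and a reboot afterwards.

```powershell
# Added example, not part of the original answer. Applies the accepted
# answer's changes through the registry so they can be scripted and audited.
# Assumptions: run elevated on the RD Gateway / Session Host (2012 R2 or
# 2016 per the comments above) and reboot afterwards. Use -NtlmV2Only only
# for the self-signed certificate case the answer describes.

$Protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-RdsTlsHardening {
    param([switch]$NtlmV2Only)

    # 1. Disable TLS 1.0/1.1 and pin TLS 1.2 on, for both the Server and
    #    Client side of SChannel (IISCrypto writes the same keys).
    $wanted = @{ 'TLS 1.0' = 0; 'TLS 1.1' = 0; 'TLS 1.2' = 1 }
    foreach ($proto in $wanted.Keys) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $Protocols "$proto\$side"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
                -Value $wanted[$proto] -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord `
                -Value (1 - $wanted[$proto]) -Force | Out-Null
        }
    }

    # 2. "System cryptography: Use FIPS compliant algorithms ..." = Enabled
    $fips = Join-Path $Lsa 'FipsAlgorithmPolicy'
    New-Item -Path $fips -Force | Out-Null
    New-ItemProperty -Path $fips -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null

    # 3. Optional: "Network security: LAN Manager authentication level"
    #    = "Send NTLMv2 response only" (LmCompatibilityLevel 3)
    if ($NtlmV2Only) {
        New-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -PropertyType DWord `
            -Value 3 -Force | Out-Null
    }
}

function Get-RdsTlsHardening {
    # Read the same values back so the state can be checked before/after reboot.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $v = Get-ItemProperty -Path (Join-Path $Protocols "$proto\$side") -ErrorAction SilentlyContinue
            $enabled  = if ($v) { $v.Enabled }           else { '(OS default)' }
            $disabled = if ($v) { $v.DisabledByDefault } else { '(OS default)' }
            [pscustomobject]@{ Setting = "$proto $side"; Value = "Enabled=$enabled DisabledByDefault=$disabled" }
        }
    }
    $fips = Get-ItemProperty -Path (Join-Path $Lsa 'FipsAlgorithmPolicy') -ErrorAction SilentlyContinue
    [pscustomobject]@{ Setting = 'FIPS policy';          Value = "Enabled=$($fips.Enabled)" }
    $lm = (Get-ItemProperty -Path $Lsa).LmCompatibilityLevel
    [pscustomobject]@{ Setting = 'LmCompatibilityLevel'; Value = "$lm" }
}

Set-RdsTlsHardening                     # add -NtlmV2Only if needed
Get-RdsTlsHardening | Format-Table -AutoSize
# Restart-Computer when ready: the SChannel and FIPS changes need a reboot.
```

Note that this disables TLS 1.0/1.1 on the Client side of SChannel as well, which is what IISCrypto does; that matters for anything on the same host that makes its own outbound TLS connections, so read the remaining answers before rolling it out.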

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

This secretly re-enables the older protocols. Microsoft is not even recommending use of the setting anymore.

I've been fighting this as well. I haven't found the right solution yet.

Microsoft DOC on setting

Microsoft Article not recommending

Cyberdude

Old posting, but I just happened to read an article that says if you are using the internal SQL server (WID) for the connection broker database, the connection broker needs TLS 1.0 enabled to talk to WID. You can get around this by using a "real" SQL Server database for the connection broker instead of the internal SQL WID.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/rds-connection-broker-or-rdms-fails-caused-by-disabled-tls-10

Carl Jones