Cannot RDP to server after upgrading for TLS 1.2

Article ID: 121401

Updated On: 11-20-2018

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

Upgraded server to support TLS 1.2. Cannot connect to the server via PAM RDP; however, RDP from the desktop works fine.

Environment

PAM 3.1.1

Resolution

The TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite, which the PAM 3.1.1 RDP applet requires, had been disabled on the target server as part of the TLS 1.2 hardening. Because a desktop RDP client negotiates a different suite, RDP from the desktop kept working while PAM RDP failed the TLS handshake. Once the suite was re-enabled on the server, PAM RDP worked again.

Additional Information

As of release 2.6, the RDP client (the applet) supports TLS 1.2 connections using the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite.

Release 3.2 introduced forward secrecy for the RDP applet. The applet still supports TLS 1.2 with TLS_RSA_WITH_AES_256_CBC_SHA256, and additionally supports the following forward-secrecy cipher suites:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Starting with 3.2, for the highest level of security, ensure your RDP server (the target Windows device) is configured to offer TLS 1.2 with one of the forward-secrecy suites above. TLS_RSA_WITH_AES_256_CBC_SHA256 uses static RSA key exchange and is only needed as a fallback for older applets.

If you are on 3.1.1, the target server must have the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite enabled, because that is the TLS 1.2 suite the 3.1.1 applet uses. If a TLS hardening step (for example, a Group Policy cipher suite order) removes it, PAM RDP to that server will fail while other RDP clients continue to work.
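The following script is an added example for this article (not CA/Broadcom code) that performs the check and the fix described in the Resolution and in the version notes above on the target Windows RDP server: it reports whether the suites the PAM applet needs are enabled, checks whether an "SSL Cipher Suite Order" Group Policy is overriding the local list, and re-enables the missing suite. It assumes Windows Server 2012 R2 or later (where the Get-TlsCipherSuite and Enable-TlsCipherSuite cmdlets exist), an elevated session, and the registry path used by that policy. The function names are illustrative.

```powershell
# Added example, not part of the original KB article.
# Audit and re-enable the cipher suites the PAM RDP applet needs on the
# target Windows RDP server. Requires the built-in TLS module (Windows
# Server 2012 R2 / Windows 8.1 or later) and an elevated PowerShell session.
# Suite names come from the article; the policy key path is the one written
# by the "SSL Cipher Suite Order" Group Policy setting (assumed here).

# PAM 3.1.1 applet: only the static-RSA suite.
$Required311 = @('TLS_RSA_WITH_AES_256_CBC_SHA256')
# PAM 3.2+ applet: prefers these forward-secrecy suites.
$Preferred32 = @(
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
)

# When this policy value is set, Schannel uses it instead of the local list,
# so Enable-TlsCipherSuite alone will not bring a suite back.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-PolicyCipherSuiteOrder {
    # Returns the GPO-enforced suite list, or $null when no policy is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.Functions) { return $null }
    # The policy stores a comma-separated REG_SZ; normalise to a string array.
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-PamRdpCipherSuite {
    param([Parameter(Mandatory)][string[]]$Suites)
    $enabled = @((Get-TlsCipherSuite).Name)
    $policy  = Get-PolicyCipherSuiteOrder
    foreach ($suite in $Suites) {
        $allowedByPolicy = if ($null -eq $policy) { $true } else { $policy -contains $suite }
        [pscustomobject]@{
            Suite           = $suite
            EnabledLocally  = $enabled -contains $suite
            AllowedByPolicy = $allowedByPolicy
            # The handshake only succeeds if both are true.
            UsableByApplet  = ($enabled -contains $suite) -and $allowedByPolicy
        }
    }
}

function Enable-PamRdpCipherSuite {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Suites)
    $policy = Get-PolicyCipherSuiteOrder
    foreach ($suite in $Suites) {
        if ($policy -and ($policy -notcontains $suite)) {
            Write-Warning ("{0} is excluded by the SSL Cipher Suite Order policy at {1}; " +
                           "add it to the GPO, a local Enable-TlsCipherSuite will be ignored.") -f $suite, $PolicyKey
            continue
        }
        if (@((Get-TlsCipherSuite).Name) -contains $suite) {
            Write-Verbose "$suite is already enabled."
            continue
        }
        if ($PSCmdlet.ShouldProcess($suite, 'Enable-TlsCipherSuite')) {
            Enable-TlsCipherSuite -Name $suite
        }
    }
}

# Usage: audit first, then enable what is missing. Drop -WhatIf to apply.
Test-PamRdpCipherSuite -Suites ($Required311 + $Preferred32) | Format-Table -AutoSize
Enable-PamRdpCipherSuite -Suites $Required311 -WhatIf
```

Run the audit on the target server while the PAM RDP connection is failing: a row with EnabledLocally true but AllowedByPolicy false points at the hardening GPO rather than the local Schannel configuration. After enabling a suite, restart the server so Schannel and Remote Desktop Services pick up the new list. On Windows Server 2008 R2 the TLS cmdlets are not available; there the same suite list lives in the Functions value under the key above and must be edited directly.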