A PAM End User is getting the following message when attempting to RDP into a Windows server:
CA PAM Server versions 4.x and above
In the Windows Event logs on the Windows endpoint, the following message appears:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
The PAM documentation lists the ciphers that PAM supports:
Note: You can check with software like IISCrypto or directly in the Windows documentation to see the list of ciphers supported on your Windows endpoint. If necessary, move the ciphers that both sides have in common up in the Windows list so that the match occurs early in the list, and if they are not installed, install them as needed.
Restart the server and try the connection again.
Please also note: IISCrypto is a great tool for flipping registry settings to potentially implement ciphers. However, some of the stronger ciphers (the ECC/ECDSA ones) are only active when an ECC cipher is bound to RDP.
Ultimately, the best tools to see what is actually active and available are nmap and openssl. Example:
nmap -sV -p 3389 --script ssl-enum-ciphers <target hostname or ip address>
Nmap is delivered as an RPM package on many Linux/Unix distributions, or it can be downloaded from nmap.org and installed on Windows or macOS.
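One way to act on the scan result, as an added example that is not from the PAM documentation: save the nmap output to a file and intersect the suites the endpoint offers with the PAM list. The scan text and the two-entry cipher list are constructed placeholders, the function names are hypothetical, and it assumes the PAM list uses the same IANA suite names that nmap prints.

```shell
#!/bin/sh
# Added example: which ciphers does the RDP endpoint offer that PAM also supports?

# Print "<protocol> <cipher>" for every suite in saved ssl-enum-ciphers output ($1).
offered_ciphers() {
    awk '
        $2 ~ /^(SSLv|TLSv)[0-9.]+:$/ { proto = $2; sub(/:$/, "", proto); in_list = 0; next }
        $2 == "ciphers:"             { in_list = 1; next }
        $2 ~ /:$/                    { in_list = 0; next }  # compressors:, warnings:
        in_list && $2 ~ /^TLS_/      { print proto, $2 }
    ' "$1"
}

# Print the offered suites ($1 = scan output) that also appear in the list file ($2).
common_ciphers() {
    offered_ciphers "$1" | awk -v list="$2" '
        BEGIN { while ((getline c < list) > 0) if (c != "") want[c] = 1 }
        ($2 in want)
    '
}

# Constructed sample scan output (not captured from a real host).
write_sample_scan() {
cat > "$1" <<'EOF'
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
EOF
}

# Placeholder list: replace with the ciphers from the PAM documentation.
write_sample_pam_list() {
    printf '%s\n' TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA > "$1"
}

tmp=$(mktemp -d)
write_sample_scan "$tmp/scan.txt"; write_sample_pam_list "$tmp/pam.txt"
match=$(common_ciphers "$tmp/scan.txt" "$tmp/pam.txt")
if [ -n "$match" ]; then echo "Common: $match"; else echo "No common cipher suite"; fi
rm -rf "$tmp"
```

An empty result from common_ciphers corresponds to the handshake failure recorded in the Windows event log. In the sample, the ECDSA suite in the placeholder list is not offered by the endpoint.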