"An existing connection was forcibly closed by the remote host due to time-out" message when connecting to a remote endpoint from CA PAM
Article ID: 220600

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM End User is getting the following message when attempting to RDP into a Windows server:

An existing connection was forcibly closed by the remote host due to time-out

Cause

In the Windows event log on the endpoint, the following Schannel message appears:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.

Resolution

The PAM documentation lists the cipher suites supported by the PAM RDP client on the Access Methods page, under the heading RDP Client Applet Security Requirement. Use the Version dropdown list near the top of the page to select the documentation for your specific PAM release.

You can check the list of cipher suites supported on your Windows endpoint with a tool such as IISCrypto, or directly against the Windows documentation. If necessary, move the cipher suites that appear in both lists toward the top of the Windows cipher suite order so that a match is found early in the negotiation, and install any of them that are not yet installed. Keep in mind that the cipher suites actually active depend on the type of certificate installed on the endpoint: with an RSA certificate, only cipher suites using the RSA signature algorithm are active; with an ECDSA certificate, only cipher suites using ECDSA are available for selection.

Restart the server and try the connection again.

Please also note: IISCrypto is a convenient tool for changing the registry settings that enable or disable cipher suites on the endpoint.

The best tools to see which cipher suites are actually active and available are nmap and openssl. The result shows only the cipher suites compatible with the type of certificate the RDP server uses.

Example:

nmap -sV -p 3389 --script ssl-enum-ciphers <target hostname or ip address>
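To show how the scan output can be compared against the client's cipher suite list, here is an added Python example (not part of this article or of the PAM product): it parses the ssl-enum-ciphers output, reports the first suite common to both sides and its position in the server's preference order, and tells which certificate type a suite requires. The nmap output and the client suite list are constructed for illustration; the real client list is on the Access Methods documentation page.

```python
import re
# Constructed sample of `nmap -sV -p 3389 --script ssl-enum-ciphers` output (not a real
# capture); suite names and their order are illustrative only.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A
"""

# Hypothetical client list in the client's preference order; the real list for a given
# PAM release is on the Access Methods documentation page and is not reproduced here.
CLIENT_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

_VERSION = re.compile(r"^\|\s+(TLSv[\d.]+|SSLv\d):")
_SUITE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s*(?:\([^)]*\))?\s*-\s*[A-F]")

def parse_server_suites(nmap_text):
    """Map each protocol version to the suites the server offers, in the server's order."""
    suites, version = {}, None
    for line in nmap_text.splitlines():
        if m := _VERSION.match(line):
            version = m.group(1)
            suites[version] = []
        elif version and (m := _SUITE.match(line)):
            suites[version].append(m.group(1))
    return suites

def signature_algorithm(suite):
    """Certificate type a suite needs: ECDSA suites need an ECDSA certificate, the rest RSA."""
    return "ECDSA" if "_ECDSA_" in suite else "RSA"

def first_common_suite(server, client):
    """First suite both sides offer, in server preference order, with its 0-based position."""
    offered = set(client)
    for position, suite in enumerate(server):
        if suite in offered:
            return suite, position
    return None  # no overlap: the endpoint logs the cipher suite mismatch event quoted above
```

A match found late in the server's order, as in the sample (position 3), is the case where reordering the Windows cipher suite list as described above helps.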

Additional Information

Nmap is packaged (for example as an RPM) for many Linux/Unix distributions, or it can be downloaded from nmap.org for installation on Windows or macOS.