We are set up to use RDP through the TCP/UDP Services, where we launch the user's local mstsc for RDP. This works with most RDP servers, but for one RDP server the service fails with a generic "An internal error has occurred" message.
We verified that port 3389 is open from PAM to the problem RDP server. We have auto-logon configured and verified that the credentials are valid. A connection outside of PAM using the same credentials works.
Affects PAM releases up to 4.1.6.
The server had the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\AllowInsecureRenegoClients defined and set to 0. This conflicts with the third-party library that the RDP Proxy service running on the PAM server uses to establish secure connections.
The problem is expected to be fixed in PAM 4.1.7+ and PAM 4.2+. A hotfix is available for 4.1.5 on request.
As a workaround, if your security policies allow it, delete this registry key, or set it to 1. The RDP client on the PAM server will establish a secure TLS 1.2 connection using strong ciphers.
The RDP client used by the built-in RDP access method is based on a Microsoft SDK and does not conflict with this registry key setting. However, it is subject to the limitation discussed in KB 187142 and may not be a viable alternative for that reason.
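To confirm whether a target server has the setting described above before changing anything, the following PowerShell check can be run from an administrator workstation. It is an added example, not part of this KB article or of the PAM product; it assumes PowerShell remoting (WinRM) to the target is enabled, and the function name and hostname are hypothetical.

```powershell
# Added example (not PAM product code). Reports the SCHANNEL AllowInsecureRenegoClients
# value on a target RDP server and whether the server is listening on the RDP port.
function Test-PamRdpSchannelConflict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [int]$RdpPort = 3389
    )

    $scriptBlock = {
        param($Port)
        $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
        $valueName = 'AllowInsecureRenegoClients'

        # Read the value without throwing when it is not defined (the default state).
        $item  = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { $null } else { $item.$valueName }

        # Check that something is listening on the RDP port on this host.
        $listening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            ComputerName               = $env:COMPUTERNAME
            AllowInsecureRenegoClients = $value   # $null means "not defined"
            RdpListening               = $listening
        }
    }

    $result = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scriptBlock -ArgumentList $RdpPort

    # Interpret the result against the behaviour this article describes.
    $conflict = ($result.AllowInsecureRenegoClients -eq 0)
    $result | Add-Member -NotePropertyName Conflict -NotePropertyValue $conflict

    if ($conflict) {
        $msg = "{0}: AllowInsecureRenegoClients = 0. PAM releases up to 4.1.6 fail with " +
               "'An internal error has occurred' against this server. Upgrade to 4.1.7+/4.2+ " +
               "or, if security policy allows, delete the value or set it to 1."
        Write-Warning ($msg -f $ComputerName)
    }
    if (-not $result.RdpListening) {
        Write-Warning ("{0}: nothing is listening on TCP port {1}." -f $ComputerName, $RdpPort)
    }
    return $result
}

# Example usage (hypothetical hostname):
# Test-PamRdpSchannelConflict -ComputerName 'rdp-server01.example.internal'
```

The returned object can be collected across many servers to find every host that will hit this error before the PAM upgrade is scheduled.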