RDP Proxy service fails with An internal error has occurred message

Article ID: 270954

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are set up to use RDP through the TCP/UDP Services, where we launch the user's local mstsc for RDP. This works with most RDP servers, but for one RDP server the service fails with a generic "An internal error has occurred" message.

We verified that port 3389 is open from PAM to the problem RDP server. We have auto-logon configured and verified that the credentials are valid. A connection outside of PAM using the same credentials works.

Environment

Affects PAM releases up to 4.1.6.

Cause

The server had the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\AllowInsecureRenegoClients defined and set to 0. This conflicts with the third-party library that the RDP Proxy service running on the PAM server uses to establish secure connections.

Resolution

The problem is expected to be fixed in PAM 4.1.7+ and PAM 4.2+. A hotfix is available for 4.1.5 on request.

As a workaround, if your security policies allow it, delete this registry key, or set it to 1. The RDP client on the PAM server will establish a secure TLS 1.2 connection using strong ciphers.
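The following PowerShell script is an added example, not part of the KB article or a CA/Broadcom tool: it audits the SCHANNEL value named in the Cause section on the RDP server and applies one of the two workarounds only when explicitly asked. It assumes it is run in an elevated PowerShell session on the affected RDP server; the backup file path is the script's own choice.

```powershell
# Added example (not from the KB article): audit AllowInsecureRenegoClients on
# the RDP server and, only on request, apply the article's workaround.
# Assumes an elevated PowerShell session on the RDP server itself.
param(
    [ValidateSet('Delete', 'SetToOne')]
    [string]$Remediate   # omit to audit only
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name    = 'AllowInsecureRenegoClients'

# Read the value without throwing when it is absent (absent = not defined, no conflict).
$current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    Write-Output "$name is not defined under $keyPath (no conflict with the PAM RDP Proxy)."
    return
}

Write-Output "$name is defined and set to $current."
if ($current -ne 0) {
    Write-Output "Value is not 0, so this is not the conflict described in KB 270954."
    return
}

Write-Warning "Value 0 is the state that breaks the PAM RDP Proxy service."
if (-not $Remediate) {
    Write-Output "Re-run with -Remediate Delete or -Remediate SetToOne to apply the workaround."
    return
}

# Record the current setting before changing it, so the hardening can be restored
# if your security policy requires this value to stay at 0.
$backup = Join-Path $env:TEMP ("SCHANNEL-{0}-{1:yyyyMMdd-HHmmss}.txt" -f $name, (Get-Date))
"$keyPath\$name = $current" | Set-Content -Path $backup
Write-Output "Previous value recorded in $backup."

switch ($Remediate) {
    'Delete'   { Remove-ItemProperty -Path $keyPath -Name $name }
    'SetToOne' { Set-ItemProperty    -Path $keyPath -Name $name -Value 1 -Type DWord }
}
Write-Output "Applied workaround '$Remediate'. Retry the RDP Proxy connection from PAM."
```

Run it with no arguments first to confirm the server is actually in the conflicting state before changing anything.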

The RDP client used by the built-in RDP access method is based on an MS SDK and does not conflict with this registry key setting. However, it is subject to the limitation discussed in KB 187142 and may not be a viable alternative for that reason.