ssl connection error insufficient_security 71 for RDP session after upgrade to 4.2


Article ID: 378891


Updated On: 03-31-2025

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

After upgrade to PAM 4.2 attempts to access an RDP server via the PAM client fail with the following error:

SSL connection error insufficient_security(71).

Cause

The RDP server was running Windows release 2008 R2, which is no longer supported by PAM or by Microsoft.

Resolution

Upgrade to 2012 R2 was sufficient to resolve the problem in this case, but the server was upgraded further to Windows 2022 to be fully supported by PAM and Microsoft.

If you observe this problem with connections to Windows 2012 R2, and you are on Extended Support for that release and cannot upgrade the server just yet, review Microsoft Security Advisory 3174644. The default length of DHE key shares in Windows 2012 R2 is 1024 bits, which is not accepted by the crypto provider used in PAM releases 4.2+ and results in the insufficient_security(71) error. Note that the Diffie-Hellman registry key under SCHANNEL\KeyExchangeAlgorithms may not exist, in which case you have to create it. Then add the DWORD value ServerMinKeyBitLength as instructed in the advisory. The new setting should take effect without having to reboot the server.
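The registry change described above, as an added PowerShell example that is not part of this article: it creates the Diffie-Hellman key if it is missing, sets ServerMinKeyBitLength, and reads the value back. The full key path under SecurityProviders\SCHANNEL and the 2048-bit minimum are taken from Microsoft's guidance rather than from this page and are assumptions here; run it in an elevated session on the RDP server.

```powershell
# Added example (not from the original article): raise the minimum DHE key
# length on a Windows 2012 R2 RDP host so that PAM 4.2+ no longer rejects the
# handshake with insufficient_security(71). Run elevated on the RDP server.
# Assumptions: the full SCHANNEL key path below, and 2048 as the minimum bit
# length (the Windows 2012 R2 default of 1024 is what PAM rejects).

$DhKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$MinBits = 2048

function Get-DheServerMinKeyBitLength {
    # Returns the configured value, or $null when the key or value is absent
    # (absent means the OS default applies, which is 1024 on Windows 2012 R2).
    if (-not (Test-Path $DhKey)) { return $null }
    $item = Get-ItemProperty -Path $DhKey -Name 'ServerMinKeyBitLength' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ServerMinKeyBitLength
}

function Set-DheServerMinKeyBitLength {
    param([int]$Bits = $MinBits)
    # The Diffie-Hellman key may not exist at all; create it on demand.
    if (-not (Test-Path $DhKey)) {
        New-Item -Path $DhKey -Force | Out-Null
    }
    # DWORD value; -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $DhKey -Name 'ServerMinKeyBitLength' -PropertyType DWord -Value $Bits -Force | Out-Null
}

$before = Get-DheServerMinKeyBitLength
if ($null -eq $before -or $before -lt $MinBits) {
    Write-Host "ServerMinKeyBitLength is '$before' (OS default or below $MinBits); setting $MinBits"
    Set-DheServerMinKeyBitLength -Bits $MinBits
} else {
    Write-Host "ServerMinKeyBitLength is already $before; nothing to do"
}

# Read the value back to confirm the change; per the article no reboot is
# required for SCHANNEL to pick it up.
$after = Get-DheServerMinKeyBitLength
if ($null -eq $after -or $after -lt $MinBits) {
    throw "Expected at least $MinBits, found '$after'"
}
Write-Host "ServerMinKeyBitLength = $after"
```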

Additional Information

The Supported Environments documentation page lists the Windows releases supported by PAM 4.2 for access sessions and credential management. To check this for other PAM releases, replace "4-2" in the URL with another release, such as "4-1-8", or use the Version dropdown list near the top of the page to switch to a different release.

Additionally, you can download the IIS Crypto tool; once it is loaded, click the "Best Practices" button and the registry keys above will be added.