RDP cipher suite compatibility issues when connecting to Windows 2022 Azure Edition



Article ID: 401066


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

This document outlines the necessary steps to address RDP cipher suite compatibility issues when connecting to Windows 2022 Azure Edition servers via PAM.

Resolution

PAM releases up to 4.2.3 only support connecting to Windows servers over TLS 1.2 using one of the following three cipher suites:
TLS_RSA_WITH_AES_256_CBC_SHA256 (RSA certificate; no forward secrecy)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RSA certificate; supports forward secrecy)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ECDSA certificate; supports forward secrecy and FIPS)

Some security-hardened Windows builds, including Windows Server 2022 Azure Edition, may have none of these cipher suites enabled. The steps below are one way to enable them, but other Windows Group Policy settings (for example a domain-level SSL Cipher Suite Order) can override or later remove them, so have your Windows security team review the result.


Steps to enable on the Windows server.

  1. Access Group Policy Editor: open `gpedit.msc` (or the domain GPO that applies to the server, if one already sets a cipher suite order; a domain policy takes precedence over the local one).
  2. Navigate to SSL Configuration: go to `Computer Configuration > Administrative Templates > Network > SSL Configuration Settings`.
  3. Configure SSL Cipher Suite Order: open "SSL Cipher Suite Order".
  4. Enable and verify: select "Enabled" and confirm that at least one PAM-supported cipher suite matching the server certificate type is present. The list is a single comma-separated line with a maximum length of 1023 characters, so append the suite rather than replacing the whole list.
  5. Apply settings: click "Apply" and "OK".
  6. Reboot the server: a reboot is required for the new cipher suite order to take effect.

ECDSA certificate requirement: `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` can only be negotiated when the RDP listener presents an ECDSA certificate. The self-signed certificate Windows generates for RDP uses an RSA key, so a server that must use this suite needs its listener certificate replaced with an ECDSA one; a server keeping an RSA certificate instead needs one of the two RSA suites enabled.
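As an added example (not part of the KB article or of the PAM product), the following PowerShell script performs the checks behind the steps above on the Windows server itself: it identifies the certificate the RDP-Tcp listener presents to decide which of the PAM-supported suites can apply, compares them with what Schannel currently has enabled, checks whether a Group Policy cipher suite order would override the local list, and optionally enables the missing suites locally with Enable-TlsCipherSuite. The suite names, WMI class, certificate stores and registry path are standard Windows values; the script name, the -Fix switch and the output wording are this example's own assumptions.

```powershell
# Added example, not part of the KB article: audit an RDP host for the cipher
# suites PAM 4.2.3 and earlier can negotiate. Run in an elevated PowerShell on
# the Windows server (Server 2016 or later, where Get-/Enable-TlsCipherSuite exist).
# Usage:  .\Check-PamRdpCiphers.ps1        (report only)
#         .\Check-PamRdpCiphers.ps1 -Fix   (also enable missing suites locally)
param([switch]$Fix)   # -Fix is this example's own switch, not a Windows option

# PAM <= 4.2.3 suites, grouped by the certificate key type each one requires.
$RsaSuites   = @('TLS_RSA_WITH_AES_256_CBC_SHA256',
                 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256')
$EcdsaSuites = @('TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384')

# 1. Find the certificate the RDP-Tcp listener presents. The Terminal Services
#    WMI class holds its SHA-1 thumbprint; the default self-signed cert sits in
#    the "Remote Desktop" store, a custom one is usually in "My".
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } |
        Select-Object -First 1
if (-not $cert) {
    throw "Listener certificate $($ts.SSLCertificateSHA1Hash) not found in the local machine stores"
}
$keyAlg = $cert.PublicKey.Oid.FriendlyName   # 'RSA' or 'ECC'
Write-Host "RDP listener certificate: $($cert.Subject); key $keyAlg; expires $($cert.NotAfter)"

# 2. Only suites matching the key type can ever be negotiated (ECDHE_ECDSA needs
#    an ECDSA certificate, the other two need RSA).
$Needed = if ($keyAlg -eq 'ECC') { $EcdsaSuites } else { $RsaSuites }

# 3. Compare with what Schannel has enabled right now.
$enabled = (Get-TlsCipherSuite).Name
$missing = @($Needed | Where-Object { $enabled -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host "OK: PAM can negotiate $($Needed -join ', ')"
} else {
    Write-Warning "Not enabled for a $keyAlg certificate: $($missing -join ', ')"
}

# 4. A Group Policy "SSL Cipher Suite Order" overrides the local list, so a suite
#    enabled only locally is ignored while the policy omits it.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$gpo = Get-ItemProperty -Path $gpoKey -Name Functions -ErrorAction SilentlyContinue
if ($gpo) {
    $gpoList = $gpo.Functions -split ','
    $gpoMissing = @($Needed | Where-Object { $gpoList -notcontains $_ })
    if ($gpoMissing.Count -gt 0) {
        Write-Warning "GPO cipher suite order omits $($gpoMissing -join ', '); add it in the policy (gpedit.msc) and reboot"
    }
}

# 5. Optional local remediation when no policy is in force: put the missing
#    suites at the top of the list. RDP only picks this up after a reboot.
if ($Fix -and $missing.Count -gt 0 -and -not $gpo) {
    foreach ($s in $missing) { Enable-TlsCipherSuite -Name $s -Position 0 }
    Write-Host "Enabled $($missing -join ', '). Reboot the server for RDP to use them."
}
```

The script deliberately refuses to run Enable-TlsCipherSuite while a policy value exists, because the policy, not the local list, decides what the listener offers; in that case the fix belongs in the GPO as described in the steps above.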

 

Review the enabled cipher suites from PowerShell on the server console:
Get-TlsCipherSuite

Review the offered cipher suites remotely (also confirms the firewall allows port 3389):
nmap -sV -p 3389 --script ssl-enum-ciphers <WINDOWS FQDN/IP>

Verify each cipher suite and the certificate remotely (confirms the firewall is open and the certificate is presented). The -tls1_2 flag matters with OpenSSL 1.1.1 and later, where -cipher only constrains TLS 1.2 and below; without it a TLS 1.3 handshake could succeed and prove nothing about these suites. A successful test prints "Cipher is <name>" (OpenSSL names: AES256-SHA256 is TLS_RSA_WITH_AES_256_CBC_SHA256, and the other two map one-to-one); a handshake failure means that suite is not enabled on the server:
openssl s_client -connect <WINDOWS FQDN/IP>:3389 -tls1_2 -cipher AES256-SHA256
openssl s_client -connect <WINDOWS FQDN/IP>:3389 -tls1_2 -cipher DHE-RSA-AES128-GCM-SHA256
openssl s_client -connect <WINDOWS FQDN/IP>:3389 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384

 

Additional Information

More information on available Microsoft ciphers.

From PAM 4.3 and 4.2.4 on, additional cipher suites are supported, specifically TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, all for connections to RDP servers using an RSA certificate.

For the built-in RDP access method supported cipher suites are documented on page Access Methods. For TCP/UDP services using application protocol RDP, i.e. the RDP Proxy service running on the PAM appliance in combination with a native RDP client, the list of supported cipher suites is found on page Create an RDP Proxy Service to Access a Device. The latter is available in 4.3 documentation only.

 

For PAM 4.2.0-4.2.3 the list of cipher suites supported by the RDP Proxy is:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_RSA_WITH_RC4_128_SHA (0x0005)

The first cipher suite must be enabled on RDP servers that use an ECDSA certificate; on RDP servers that use an RSA certificate, one of the remaining four must be enabled. For RSA servers prefer TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_RSA_WITH_AES_256_CBC_SHA256: the 3DES and RC4 suites are deprecated and are normally disabled on hardened hosts.