RDP cipher suite compatibility issues when connecting to Windows 2022 Azure Edition

Article ID: 401066


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

This document outlines the necessary steps to address RDP cipher suite compatibility issues when connecting to Windows 2022 Azure Edition servers via PAM.

Resolution

PAM only supports connecting to Windows servers over TLS 1.2 using one of the following three cipher suites:
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (supports forward secrecy)
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (supports forward secrecy and FIPS)

Some security-hardened Windows servers, including Windows 2022 Azure Edition, may not have any of these cipher suites enabled. The steps below are one method to enable them, but you may also need to review other Windows group policies to ensure they stay enabled. Your Windows security team should review these settings for accuracy.


Steps to enable on the windows server.

  1. Access Group Policy Editor: Open `gpedit.msc`.
  2. Navigate to SSL Configuration: Go to `Computer Configuration > Administrative Templates > Network > SSL Configuration Settings`.
  3. Configure SSL Cipher Suite Order: Open "SSL Cipher Suite Order."
  4. Enable and Verify: Select "Enabled" and confirm that at least one of the PAM-supported cipher suites is present in the list.
  5. Apply Settings: Click "Apply/Ok."
  6. Reboot Server: A server reboot is mandatory for changes to take effect.

ECDSA Certificate Requirement: If `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` is required, the server certificate may need to be updated to an ECDSA certificate, as the default Windows RSA certificate does not support this cipher suite.


Review the enabled cipher suites from PowerShell on the server console:
Get-TlsCipherSuite

Review the available cipher suites remotely (this also confirms the firewall is open):
nmap -sV -p 3389 --script ssl-enum-ciphers <WINDOWS FQDN/IP>

Verify each cipher suite and the certificate remotely (this also confirms the firewall is open and the certificate is valid). The -tls1_2 option forces a TLS 1.2 handshake, because -cipher only applies to TLS 1.2 and earlier; without it, a server that also offers TLS 1.3 may negotiate TLS 1.3 and the TLS 1.2 suite is never tested:
openssl s_client -connect <WINDOWS FQDN/IP>:3389 -tls1_2 -cipher AES256-SHA256
openssl s_client -connect <WINDOWS FQDN/IP>:3389 -tls1_2 -cipher DHE-RSA-AES128-GCM-SHA256
openssl s_client -connect <WINDOWS FQDN/IP>:3389 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384
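The following PowerShell script is an added example, not part of this article or the PAM product. Run from an elevated session on the Windows server, it checks whether any PAM-supported suite is enabled, whether the "SSL Cipher Suite Order" policy from step 3 includes one of them, and whether the RDP listener certificate is RSA or ECDSA (it assumes the default listener name RDP-Tcp).

```powershell
# Added example (not from the KB article). Assumes the default RDP listener name 'RDP-Tcp'.
$PamSuites = @(
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
)

# 1. Suites currently enabled on this host (list order is negotiation priority).
$enabled = (Get-TlsCipherSuite).Name
$present = $PamSuites | Where-Object { $enabled -contains $_ }
$missing = $PamSuites | Where-Object { $enabled -notcontains $_ }
if ($present) {
    Write-Host "PAM-compatible suites enabled:" ($present -join ', ')
} else {
    Write-Warning "None of the PAM-supported cipher suites is enabled; PAM RDP connections will fail."
}
if ($missing) { Write-Host "Not enabled:" ($missing -join ', ') }

# 2. The 'SSL Cipher Suite Order' policy (step 3 above) is stored under this key.
#    When set, it replaces the local list, so a suite must be present here too.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy) {
    $policyList = $policy.Functions -split ','
    $inPolicy = $PamSuites | Where-Object { $policyList -contains $_ }
    if ($inPolicy) {
        Write-Host "Policy cipher suite order includes:" ($inPolicy -join ', ')
    } else {
        Write-Warning "Policy cipher suite order is set but lists no PAM-supported suite; edit the GPO, then reboot."
    }
} else {
    Write-Host "No 'SSL Cipher Suite Order' policy is set; the local cipher suite list applies."
}

# 3. TLS_ECDHE_ECDSA_* can only be negotiated if the RDP listener certificate is ECDSA.
#    The listener stores the thumbprint of the certificate it presents.
$rdp = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$cert = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -eq $rdp.SSLCertificateSHA1Hash }
if ($cert) {
    # 'RSA' means only the RSA/DHE-RSA suites can be used; 'ECC' allows the ECDSA suite.
    Write-Host "RDP listener certificate key algorithm:" $cert.PublicKey.Oid.FriendlyName
    Write-Host "RDP listener certificate subject:" $cert.Subject
} else {
    Write-Warning "RDP listener certificate not found in the local machine stores."
}
```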


Additional Information

More information on available Microsoft ciphers.

Note: Support for additional cipher suites may be added in PAM version 4.3 and higher when released. See the enhancements section of the product manuals, when available, for updated cipher suite support.