Disabling TLS 1.0 on Server 2012 R2 causes Remote Desktop Management Service to fail to start

  • Question

  • Very basic RDS setup on Server 2012 R2.  Single VM running all roles.  Everything works fine until I disable TLS 1.0 on the Server.

    Then Remote Desktop Management Service fails to start with Error code: 0x88250003.  

    Service Control Manager error gives error code: %%2284126211

    And I see tons of SChannel 36871 errors: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

    Any ideas?


    Patrick

    Monday, August 15, 2016 8:11 PM

Answers

  • Hi Patrick,

    Thanks for your post.

    Disabling TLS 1.0 will change the default setting of RDP.

    By default, if TLS is not being used, and this setting is not enabled on the client or on the server, the Remote Desktop Protocol (RDP) channel between the server and the client is encrypted by using the RC4 algorithm with a 128-bit key length. After you enable this setting on a Windows Server 2003-based computer, the following is true:

    1. The RDP channel is encrypted by using the 3DES algorithm in Cipher Block Chaining (CBC) mode with a 168-bit key length.
    2. The SHA-1 algorithm is used to create message digests.
    3. Clients must use the RDP 5.2 client program or a later version to connect.

    If you just want to disable TLS 1.0, you could change the RDP security layer so that RDMS starts.

    For more information, please refer to the similar thread and the article below.

    Remote Desktop stopped working after disabling SSL 2.0 and TLS 1.0

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e2b22dad-bb0c-4059-beec-6673783ab777/remote-desktop-stopped-working-after-disabling-ssl-20-and-tls-10?forum=smallbusinessserver

    "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows

    https://support.microsoft.com/en-us/kb/811833

    Best Regards,

    Jay



    Tuesday, August 16, 2016 2:20 AM
    Moderator
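  • The answer above points at the SChannel protocol settings and the RDP security layer without showing how to inspect or change them. The following PowerShell is an added example, not code from the thread or from Microsoft: it audits the SChannel protocol registry keys, reads the RDP-Tcp security layer and encryption level, and can switch the security layer through the Win32_TSGeneralSetting WMI class. Registry paths and the WMI class are the documented ones; the function names are this example's own.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# on the RDS host. Paths are the documented SChannel and RDP-Tcp registry keys.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-SchannelProtocolState {
    # One row per protocol and role. A missing key or value means the OS default
    # applies; an explicit Enabled=0 is what "disabling TLS 1.0" normally sets.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $schannel "$proto\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = if ($null -eq $props -or $null -eq $props.Enabled) { 'default' } else { $props.Enabled }
                DisabledByDefault = if ($null -eq $props -or $null -eq $props.DisabledByDefault) { 'default' } else { $props.DisabledByDefault }
            }
        }
    }
}

function Get-RdpSecurityLayer {
    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS) required.
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
    # UserAuthentication: 1 = Network Level Authentication required.
    $p = Get-ItemProperty -Path $rdpTcp
    [pscustomobject]@{
        SecurityLayer      = $p.SecurityLayer
        MinEncryptionLevel = $p.MinEncryptionLevel
        UserAuthentication = $p.UserAuthentication
    }
}

function Set-RdpSecurityLayer {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Layer)
    # Uses the same WMI class the RDS tooling uses; applies to new connections.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    [void]$ts.SetSecurityLayer($Layer)
    Get-RdpSecurityLayer
}

# Usage: audit first, then change only if you accept the trade-off noted below.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-RdpSecurityLayer
# Set-RdpSecurityLayer -Layer 1   # Negotiate: TLS when both sides support it, else RDP Security Layer
```

    Note the trade-off before following the answer's suggestion: SecurityLayer 0 (RDP Security Layer) drops TLS protection of the RDP channel entirely and cannot be combined with Network Level Authentication, and SecurityLayer 1 allows a downgrade to it. On an Internet-reachable host, keep SecurityLayer 2 with NLA and treat the RDMS start failure as a separate problem to diagnose rather than weakening the listener to make the service start.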

All replies

  • Both the articles posted above are old and end without a fix. I have tried the FIPS option and it does not work either. It looks like all the articles end in a loop, with each page ending in a cross-reference to another article.
    Monday, January 28, 2019 10:41 PM
  • After googling around for an hour I found that the reason RDP stops working and the Remote Desktop Connection Broker service fails to start is that when RDS is configured without HA it uses the Windows Internal Database (WID) as a back-end, which does not support TLS 1.1/TLS 1.2. This is a known issue as described by Microsoft here: https://support.microsoft.com/en-us/help/4036954/disabling-tls1-0-can-cause-rds-connection-broker-or-rdms-to-fail

    You can workaround it by using SQL Express as the backend. I describe how. medium.com / @what_if

    Friday, April 26, 2019 5:03 PM
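  • The last reply names the cause: a non-HA Connection Broker backed by the Windows Internal Database. The following PowerShell is an added example, not code from the thread or from Microsoft, that triages a host for exactly that combination: whether the WID service is present, whether the RDMS and Connection Broker services are stopped, whether TLS 1.0 is disabled for the client role in SChannel, and what "internal error state" the recent SChannel 36871 events report. The WID service name MSSQL$MICROSOFT##WID is the one shipped with the WID feature on Server 2012 R2 and is an assumption for other versions; the function name is this example's own.

```powershell
# Added example (not from the original thread). Run elevated on the RDS host.
function Get-RdsTlsTriage {
    param([int]$Hours = 24)   # window for SChannel event lookup

    # 1. Is the broker using the Windows Internal Database? (service name assumed
    #    for 2012 R2; the non-HA broker stores its database in WID.)
    $wid = Get-Service -Name 'MSSQL$MICROSOFT##WID' -ErrorAction SilentlyContinue

    # 2. Service state of Remote Desktop Management Service and Connection Broker.
    $rdms   = Get-Service -Name 'RDMS'   -ErrorAction SilentlyContinue
    $broker = Get-Service -Name 'Tssdis' -ErrorAction SilentlyContinue

    # 3. SChannel client-role state for TLS 1.0: the broker talks to WID as a
    #    TLS *client*, so the Client subkey is the one that matters here.
    $tls10Client = Get-ItemProperty -ErrorAction SilentlyContinue -Path `
        'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'

    # 4. SChannel 36871 events ("fatal error occurred while creating an SSL client
    #    credential") and the internal error state each one reports.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36871
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $states = foreach ($e in $events) {
        if ($e.Message -match 'internal error state is (\d+)') { $Matches[1] }
    }

    [pscustomobject]@{
        WidServicePresent      = [bool]$wid
        WidServiceStatus       = if ($wid) { $wid.Status } else { 'n/a' }
        RdmsStatus             = if ($rdms)   { $rdms.Status }   else { 'not installed' }
        BrokerStatus           = if ($broker) { $broker.Status } else { 'not installed' }
        Tls10ClientEnabled     = if ($null -eq $tls10Client -or $null -eq $tls10Client.Enabled) { 'default' } else { $tls10Client.Enabled }
        Schannel36871Count     = @($events).Count
        InternalErrorStates    = ($states | Sort-Object -Unique) -join ','
        LikelyWidTlsMismatch   = [bool]$wid -and ($tls10Client.Enabled -eq 0) -and ($rdms.Status -ne 'Running')
    }
}

# Usage:
Get-RdsTlsTriage | Format-List
```

    If LikelyWidTlsMismatch comes back True, the fix is on the database side, as the reply says: move the broker database off WID to a SQL Server instance that accepts TLS 1.2, or leave TLS 1.0 enabled for the Client role on this host until that is done. Re-enabling TLS 1.0 only for the Client subkey is narrower than re-enabling it for the Server role, since the latter would also expose the RDP listener to TLS 1.0 clients again.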