RD Gateway Unable to Negotiate TLS 1.2 with Windows 7 clients

  • Question

  • We have a requirement to disable TLS 1.0 to meet PCI compliance.  We have remote desktop gateway installed on a Windows 2012 R2 server and disabled TLS 1.0.  Windows 8 and 10 PCs can still connect to the remote desktop server through the remote desktop gateway, however Windows 7 clients just won't connect anymore.

    We have installed the update on the Windows 7 clients, https://support.microsoft.com/en-us/kb/3080079, however this is still not working.

    Steps to reproduce:
    1. Install and configure an RD Gateway.

    2. Disable TLS 1.0 on the Gateway

    3. On a Windows 7 computer, enable TLS 1.2 for RDP by installing KB3080079

    4. Attempt to use the Gateway from the Win7 computer

    5. Despair as the Gateway refuses to negotiate TLS 1.2, attempts to use 1.0, then fails to connect.

    From SCHANNEL logs, making a direct rdp connection from the patched Windows 7 client to a target seems to allow TLS 1.2 negotiation, but going through the Gateway forces TLS 1.0 negotiation. Interestingly, when TLS 1.0 is enabled on the gateway, Windows 7 clients will negotiate TLS 1.0 while connecting to the Gateway, then use TLS 1.2 for the "final" connection to the target.

    Any ideas?

    halemat1

    Friday, May 13, 2016 2:42 PM

Answers

  • Hello, this issue is fixed in the KB 3140245. Make sure you create the correct registry entries. You need to install this update on the Windows 7 machine & 2008 R2 Server if it is acting as the gateway.

    • Proposed as answer by rt49lx Friday, May 13, 2016 9:39 PM
    • Marked as answer by halemat1 Saturday, May 14, 2016 12:17 PM
    Friday, May 13, 2016 9:39 PM

All replies

  • The update was already applied, so I can confirm that adding both registry keys with a value of 0x00000800 to my Win7 client forces the client to negotiate TLS 1.2. Thanks so much!
    Saturday, May 14, 2016 12:17 PM
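    The fix confirmed above, as an added PowerShell script (editor's example, not posted by anyone in this thread): it sets the WinHTTP default protocol value to 0x00000800 (TLS 1.2 only) in both the 64-bit and the WOW6432Node hive on the Windows 7 client and checks that KB3140245 is present first. The value name `DefaultSecureProtocols` and the `Internet Settings\WinHttp` paths are taken from the KB3140245 documentation rather than from this thread, so treat them as the editor's assumption and verify against the KB before rolling out.

    ```powershell
    # Added example, not from the thread: make TLS 1.2 the default WinHTTP protocol on a
    # Windows 7 / 2008 R2 machine so the RD Gateway transport stops falling back to TLS 1.0.
    # The value is only honoured once KB3140245 (the WinHTTP update) is installed.
    # Value name and key paths are those documented in KB3140245 (editor's assumption,
    # the thread itself only says "both registry keys" and "0x00000800"). Run elevated.

    $ValueName = 'DefaultSecureProtocols'
    $Tls12Only = 0x00000800   # 0x800 = TLS 1.2, 0x200 = TLS 1.1, 0x80 = TLS 1.0

    # 64-bit Windows keeps a second copy under Wow6432Node for 32-bit callers; both must match.
    $Paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $Paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    }

    function Test-WinHttpTls12Update {
        # Without the update the registry value is silently ignored.
        return [bool](Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue)
    }

    function Set-WinHttpDefaultSecureProtocols {
        param([string]$Path, [int]$Value)
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($current -eq $Value) {
            Write-Output ('OK   {0}\{1} already 0x{2:X8}' -f $Path, $ValueName, $Value)
            return
        }
        $was = if ($null -eq $current) { '<absent>' } else { '0x{0:X8}' -f $current }
        New-ItemProperty -Path $Path -Name $ValueName -Value $Value -PropertyType DWord -Force | Out-Null
        Write-Output ('SET  {0}\{1} = 0x{2:X8} (was {3})' -f $Path, $ValueName, $Value, $was)
    }

    if (-not (Test-WinHttpTls12Update)) {
        Write-Warning 'KB3140245 not found: install it first, the DefaultSecureProtocols value has no effect without it.'
    }
    foreach ($p in $Paths) { Set-WinHttpDefaultSecureProtocols -Path $p -Value $Tls12Only }
    ```

    After a reboot, the SCHANNEL events the question refers to should show the gateway connection negotiating TLS 1.2 instead of attempting TLS 1.0.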
  • Hi,

    Glad to hear that it works and thank you for sharing your solution with the forum community!

    Please feel free to let us know if there are any further requirements.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 16, 2016 6:55 AM
    Moderator