-
Titel
RDP error - sessions are not working anymore since upgrade to 6.10 -
Beschreibung
After upgrading to version 6.10 an RDP error can occur. The error message shown can be one of the following:
"This computer can't connect to the remote computer"
"Authentication failed".
Direct connection to the server works.
-
Ursache
The SPS does not support the SHA1 algorithm, from version 6.10. Therefore the TLS handshake will fail if the client or server uses it.
The error is much more likely with older clients/servers, e.g. Windows 7, Windows Server 2008 R2, but can occur on newer system regardless.
The same error can also happen with other protocols, as per the deprecation of SHA1 isn't RDP specific (it's connected to openssl), but most commonly it is present in RDP.
One strong indication if the server logs contain SSL handshake failed errors.
One usual error:
SSL handshake failed; side='server', error='error:00000000:(null):lib(0):(null):func(0):(null):reason(0)' -
Lösung
Check the client/server supported SSL/TLS algorithms and update it if it is less then or equal to SHA1. Change it to SHA256 for example
Please consult Microsoft and the corresponding Windows version documentation to learn where to change the algorithm.
You may also check our other kb for tipps and for further info: https://support.oneidentity.com/one-identity-safeguard-for-privileged-sessions/kb/332391/certificates-with-sha1-signature-are-not-accepted-in-sps-6-10
-
Weitere Informationen
Windows 2008 RDP always uses TLS 1.0 which only works with SHA1. Our recommendation is to not use Windows 2008. Microsoft doesn't support it anymore and we also don't support it. Please check the list of supported systems in the Admin Guide. However, there is a patch for Windows Server 2008 which adds TLS 1.2 support. If it is really needed to continue using this system, then please patch it to TLS 1.2 and use SHA256 algorithm. https://www.microsoft.com/security/blog/2017/07/20/tls-1-2-support-added-to-windows-server-2008/