Certificates with SHA1 signature are not accepted in SPS 6.10 (4292503)

Certificates with SHA1 signature are not accepted in SPS 6.10

Certificates with SHA1 signature are no longer accepted in the OpenSSL sub-module that SPS is using for server authentication. Starting with SPS 6.10, RDP connections with SHA1 signed certificates cannot be established to Windows Servers.

This guide will provide steps on how to check if the certificate that the Remote Desktop service shows to SPS is correct and how to fix if it is not.

In this case of SHA1 signature, the Windows Server starts logging Schannel errors:

Error ID 36874 - An TLS 1.2 connection request was received from a remote client application,
but none of the cipher suites supported by the client application are supported by the server.
The TLS connection request has failed.

and SPS starts logging TLS errors:

2021-05-09T23:30:47+02:00 shunt83.scb.balabit zorp/scb_rdp[1705]:
core.debug(6): (svc/8LfkLuBq1MPQupZDFMHfh8/rds2_w2012r2:1/rdp): Setting SSL ciphers;
ciphers='HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!CAMELLIA:@STRENGTH',
side='client'

2021-05-09T23:30:47+02:00 shunt83.scb.balabit zorp/scb_rdp[1705]:
core.debug(6): (svc/8LfkLuBq1MPQupZDFMHfh8/rds2_w2012r2:1/rdp): Setting SSL ciphers;
ciphers='HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!CAMELLIA:@STRENGTH',
side='server'

2021-05-09T23:30:47+02:00 shunt83.scb.balabit zorp/scb_rdp[1705]:
core.error(1): (svc/8LfkLuBq1MPQupZDFMHfh8/rds2_w2012r2:1/server):
Stream read failed; stream='ZStreamFD', reason='Connection reset by peer'

2021-05-09T23:30:47+02:00 shunt83.scb.balabit zorp/scb_rdp[1705]:
core.error(1): (svc/8LfkLuBq1MPQupZDFMHfh8/rds2_w2012r2:1/rdp): SSL handshake failed; side='server',
error='error:00000000:(null):lib(0):(null):func(0):(null):reason(0)'

 

1., Open the management console on your Windows Server by launching MMC as an administrator, click File / Add/Remove Snap-in....

2., Select Certificates

3., Click Add >

4., Select Computer Account,

5., Click Next

6., Select Local computer

   Click Finish

   Click OK:

7., In the folders panel, browse for Certificates > Remote Desktop >  Certificates

Double click on the certificate
8., Select the Details tab
Check Signature hash algorithm field, SHA256 value is required.

If SHA1 is displayed, the certificate is no longer acceptable by SPS. To fix it, you have two options:

Option number 1: If RDS is using a self-signed certificate

The Remote Desktop Service maintains the certificate and re-generates it, when it is necessary (if the certificate has expired or missing from the certificate store). First, make sure that you update your system to the latest patch level, then delete the certificate and restart the Remote Desktop Configuration service. 

Right click on the certificate, select Delete > Yes:

Open the management console on your Windows Server by launching MMC as an administrator
Click File / Add/Remove Snap-in...
Select Services

Click Add >
Select Local Computer > Finish > OK

Under Console Root, double click on Services
On the right-hand side select Remote Desktop Configuration, right click and select Restart

Go to step one and check if the license is signed with SHA256. 

Option number 2: If RDS is using a certificate imported from PKI
Contact your PKI admin for a new certificate with SHA256 signing.