RDP Issue in W7?

SaSkiller · February 2016

So I have a box running Windows 7, and a server running WS2k8R2. I've always been able to jump into it using RDP. The server isn't really open to the internet so I'm not worried about a security angle, but if something is indicative of it, let me know.

Today (and once before) I am unable to RDP into the server. I can connect to it through the mapped drive I have on the laptop, but can't RDP from that system to the server. I saw the server was pulling down an IPv6 address so I tried disabling that on both sides, I tried turning off the firewall on both sides, power cycles, and moving to wired only connection. I did a PACP and all I can tell is that the system is sending a reset, I can say that the error is thrown while it is attempting to secure the connection. I wonder if maybe a recent windows update messed with the authentication of RDP, not sure. I also checked and the server is configured to allow RDP connections.

Thoughts?

john_miranda · February 2016

Hmmm....I would check DNS, RDP/account permissions, IPs.

SaSkiller · February 2016

Well I don't think any of that is it, the PC can resolve web names as well as the name of the server itself, its pulling an IP and the IP can be pinged from the box. Also I can reach the server through a drive mapping. As far as RDP and account permissions, there are only 2 accounts, and the one im using is the Admin account which I can login with locally.

Nightflier101BL · February 2016

What is the exact error you're receiving? Check the Windows logs? It sounds like it might be account/permissions related. Also, you said "once before" you were unable to RDP - what was done to fix it/what was the issue then or what has changed between then and now?

SaSkiller · February 2016

So the exact error is the standard This computer can't connect to the remote computer. I cleared out the event logs and saw that when I attempt to connect I get schannel TLS errors. it appears that there is an issue with TLS or schannel. The issue occurs with any client that attempts to RDP into the box. And I can see there is a successful authentication. I downloaded KB308007 as I thought that would allow me to use TLS 1.2 (as the server claims it is 1.0, but I think its just legacy terminology).

Specific errors from event log 36874, 36888, and, 36888

EDIT: I think I know the problem and a workaround. The problem is that when I did a nessus scan of the server it warned me about vulnerable cipher suites. I took the weak ones out of the list.

Undoubtedly W7 is still attempting some of these, causing the issue.

Work-around, if I set the GPO to RDP encryption rather than SSL/TLS, then it allows me to connect. I think i'm going to try to get them to negotiate and settle on higher encryption, we'll see.

apr911 · February 2016

Chances are its actually server side... The machine cert issued for RDP negotiation gets very finicky when you start messing with ciphers, especially if the cert is from when the OS was installed (as most of them are).

I'd try launching the Certificate management snap-in and deleting the machine cert on the server, then disable RDP access and apply it, enable RDP access and apply it and reboot. The machine should generate a new cert and the new cert will likely work.

It's worked for me in the past, will probably work for you...

Mike7 · February 2016

SaSkiller wrote: »

I cleared out the event logs and saw that when I attempt to connect I get schannel TLS errors. it appears that there is an issue with TLS or schannel. The issue occurs with any client that attempts to RDP into the box. And I can see there is a successful authentication. I downloaded KB308007 as I thought that would allow me to use TLS 1.2 (as the server claims it is 1.0, but I think its just legacy terminology).

EDIT: I think I know the problem and a workaround. The problem is that when I did a nessus scan of the server it warned me about vulnerable cipher suites. I took the weak ones out of the list.

Work-around, if I set the GPO to RDP encryption rather than SSL/TLS, then it allows me to connect. I think i'm going to try to get them to negotiate and settle on higher encryption, we'll see.

The problem is RDP SSL/TLS encryption or NLA authentication in Windows Server 2008 R2 only support TLS 1.0. Nessus requires you to disable TLS 1.0 in support new PCI DSS.

You can install KB3080079 (Update to add RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2) to allow RDP to support TLS 1.1/1.2 on the server.

On Windows 7 client, you need to install RDC 8.0 update (KB 2592687 Remote Desktop Protocol (RDP) 8.0 update for Windows 7 and Windows Server 2008 R2) for RDP client TLS 1.2 support. Without the update, your Windows 7 client can only use TLS 1.0.

You missed the client update. Do try it and let us know the result.

SaSkiller · February 2016

I'll try both of these tonight.

Mike7 · March 2016

SaSkiller, hope you resolved it.

Anyway, I just tried the same thing on a Windows Server 2008 R2 and it works.
Steps below for your reference

Apply KB3080079 update and reboot
Disable TLS1.0 and below. I used IIS Crypto to modify and reboot
Use updated RDP client. Run, MSTSC. Click top left, About. You should get Remote Desktop Protocol 8.1 supported.
Use SSLScan to verify that TLS1.0 is disabled. (i.e. sslscan -rdp <IP>:3389)

RDP Issue in W7?

Comments