RDP Connection cannot proceed because authentication is not enabled in remote computer

Hello Everyone,

We have deployed SPP & SPS 6.11 in our dev environment. We have enabled it for SPP-initiated sessions only. The RDP setting in SPS is to use TLS 1.2 (the default recommended one under safeguard_default). We didn't change any other default settings.

In the RDP Connection (safeguard_rdp), we have used TLS - Generate Certificate on Fly.

Scenarios -

1. When we are connecting to a Windows 2016 server where the security layer value is 2 (the registry entry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), the RDP connection works fine.

2. When we are connecting to a Windows 2016 server where the security layer value is 1 or 0, it doesn't work. It says "The connection cannot proceed because authentication is not enabled and the remote computer requires that authentication be enabled to connect". When we reduce the Minimum TLS setting in safeguard_default to 1.1 or 1.0, it still doesn't work.

What is the approach for the above scenario? Is there any common setting that will work for both? Or is this error due to some other reason?

Any advice is appreciated.

Thanks,

Rajeeb

  • Hi Rajeeb,

    What is the reason you would want to use security layer at 1 or 0?

    Security Layer 2 is the recommended setting and more secure, right?

    In SPS under the connection policy, there is an option for selecting the Legacy RDP Security Layer or the "Allow fallback to legacy RDP Security Layer options" but this can significantly reduce the strength of the encryption used.

    Selecting these options is only recommended if you cannot overcome compatibility issues in any other way.

    To avoid a security hazard, we recommend using TLS encryption.

    Thanks!

  • Thanks Tawfiq. It makes sense. Successfully convinced our client to update this setting across all their Windows servers.

  • Further update on this thread.

    If TLS 1.2 is used as the recommended setting for the RDP connections, and if you are choosing not to select the "legacy RDP support", then you have to make sure a few GPOs/registry entries have the right values on your target Windows host.

    The GPOs for "Use of TLS 1.2" and "Require use of specific security layer for remote (RDP) connections" should be set to the correct values on your Windows host for the RDP connections via SPS to work properly.

    Enabling TLS 1.2

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server - 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client - 1

    RDP to support TLS 1.2

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer - 2

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\SecurityLayer - 2

    
    

    Hope this helps.

    Regards,

    Rajeeb
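
A read-only audit of the four registry values listed in the last post, as an added example that is not part of the original thread or of the vendor's documentation. It assumes PowerShell on the target Windows host and that the SCHANNEL keys use the DWORD value name `Enabled`, which the post does not spell out; `Test-RdpTlsRegistry` is a hypothetical function name.

```powershell
# Added example: compare a host's registry against the values given in the thread.
# Assumption: the SCHANNEL Server/Client keys carry the DWORD value 'Enabled'
# (the thread gives only the key path and the data 1).
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$ExpectedValues = @(
    @{ Path = "$Schannel\Server"; Name = 'Enabled'; Expected = 1 },
    @{ Path = "$Schannel\Client"; Name = 'Enabled'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'SecurityLayer'; Expected = 2 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'SecurityLayer'; Expected = 2 }
)

function Test-RdpTlsRegistry {
    param([object[]]$Checks = $ExpectedValues)

    foreach ($check in $Checks) {
        # NotSet: the key or value is absent, so the explicit setting from the
        # thread has not been applied on this host (by GPO or by hand).
        $state  = 'NotSet'
        $actual = $null

        $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $actual = $item.($check.Name)
            $state  = if ($actual -eq $check.Expected) { 'OK' } else { 'Mismatch' }
        }

        [pscustomobject]@{
            State    = $state
            Name     = $check.Name
            Expected = $check.Expected
            Actual   = $actual
            Path     = $check.Path
        }
    }
}

# Nothing is written to the registry; the function only reads and reports.
$results = Test-RdpTlsRegistry
$results | Format-Table -AutoSize -Wrap

# List only the entries that differ from what the thread recommends.
$results | Where-Object { $_.State -ne 'OK' } |
    ForEach-Object { Write-Warning ("{0}: {1}\{2} (expected {3}, found {4})" -f `
        $_.State, $_.Path, $_.Name, $_.Expected, $_.Actual) }
```

A `Mismatch` on either `SecurityLayer` entry with a value of 1 or 0 corresponds to scenario 2 in the original question.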