Disable TLS 1.0 on Windows Server 2012 R2 with Remote Desktop Services configured
What if you need to disable TLS 1.0 on a Windows Server 2012 R2 machine but you have Remote Desktop Services configured? You might find out when you disable TLS 1.0 that RDP will stop working and the Remote Desktop Connection Broker service will fail to start.
After googling around for an hour I found that the reason RDP stops working and the Remote Desktop Connection Broker service fails to start is that when RDS is configured without HA it uses Windows Internal Database (WID) as its back-end, and WID does not support TLS 1.1/TLS 1.2. This is a known issue, as described by Microsoft here: https://support.microsoft.com/en-us/help/4036954/disabling-tls1-0-can-cause-rds-connection-broker-or-rdms-to-fail
I can promise you that anything else you find online about fixing this issue is unrelated to TLS 1.0 and enabling the Local Security Policy GPO for FIPS and setting the RDP protocol from SSL to RDP does nothing.
The solution I chose to implement was to configure RDS with HA using SQL Server 2017 Express as the database on the same server. I didn’t actually need HA, I just needed to be rid of WID so I could disable TLS 1.0 on the server. If you don’t use a connection broker you will be limited in RDS features as described here: https://support.microsoft.com/en-us/help/2833839/guidelines-for-installing-the-remote-desktop-session-host-role-service
1. Install SQL Server 2017 Express (Core) (SQLEXPR_x64_ENU.exe) (https://stackoverflow.com/questions/39835986/sql-server-2016-express-full-download). If your computer doesn't have internet access you'll want the offline download linked above.
2. Follow the prompts during installation and keep the default settings. When prompted to add users for Windows authentication, add the NETWORK SERVICE user.
3. Install SQL Server Management Studio (SSMS-Setup-ENU.exe)
4. Open SQL Server Management Studio and connect. Expand Security > Logins, right click on NETWORK SERVICE and select Properties. Then go to Server Roles and check the dbcreator role.
5. Make the folder C:\RCDB, then right click on it and go to Properties > Security, click Edit Permissions and add the NETWORK SERVICE user with Full Control.
6. Launch SQL Server Configuration Manager and navigate to SQL Server Network Configuration > Protocols for SQLEXPRESS. Right click on TCP/IP, select Properties and switch to the IP Addresses tab. At the bottom under IPALL set TCP Port to 1433. Hit OK, then right click on TCP/IP and click Enable. Restart SQL Server.
7. Open Server Manager and navigate to Remote Desktop Services > Overview. Right click on RD Connection Broker and select Configure High Availability. Enter the following information when prompted:
Database Connection String: DRIVER=SQL Server Native Client 11.0;SERVER=localhost;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;Database=RCDB
Folder to store database files: C:\RCDB
DNS round robin name: yourservername.yourdomain
8. If everything is successful you should be all done!
9. Run IISCrypto and select the PCI 3.2 template. Then re-check TLS 1.1 for Client and Server.
10. Reboot, make sure RDP still works and check that TLS 1.0 is disabled with testssl.sh (`./testssl.sh --fast myserver.mydomain:3389`)
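Steps 4 through 7 and the final check can also be scripted. The following PowerShell is an added example, not part of the original post: it grants dbcreator to NETWORK SERVICE, sets the folder ACL, moves the SQLEXPRESS instance to a fixed TCP port, calls `Set-RDConnectionBrokerHighAvailability` with the same connection string as above, and then confirms that the SCHANNEL registry keys for TLS 1.0 are disabled and that the broker services are running. It assumes a default SQLEXPRESS instance name, that `sqlcmd.exe` is on the path (it ships with SSMS), and that the WMI namespace for SQL Server 2017 is `ComputerManagement14`; the server and domain names are placeholders.

```powershell
# Added example (not from the original post). Run elevated on the RDS server itself.
$instance        = 'SQLEXPRESS'                         # assumption: default Express instance name
$dbFolder        = 'C:\RCDB'
$broker          = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$clientAccessName = 'yourservername.yourdomain'         # placeholder: the DNS round robin name
$connStr = 'DRIVER=SQL Server Native Client 11.0;SERVER=localhost;Trusted_Connection=Yes;' +
           'APP=Remote Desktop Services Connection Broker;Database=RCDB'

# Step 4: give NETWORK SERVICE the dbcreator role (shared-memory connection, so TCP need not be up yet)
& sqlcmd.exe -S "localhost\$instance" -E -Q 'ALTER SERVER ROLE dbcreator ADD MEMBER [NT AUTHORITY\NETWORK SERVICE];'
if ($LASTEXITCODE -ne 0) { throw 'sqlcmd failed to add NETWORK SERVICE to dbcreator' }

# Step 5: create the database folder and grant NETWORK SERVICE Full Control (inherited by files)
New-Item -Path $dbFolder -ItemType Directory -Force | Out-Null
$acl  = Get-Acl -Path $dbFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\NETWORK SERVICE', 'FullControl',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dbFolder -AclObject $acl

# Step 6: enable TCP/IP on the instance and pin IPAll to port 1433 (assumption: ComputerManagement14 namespace)
$ns  = 'root\Microsoft\SqlServer\ComputerManagement14'
$tcp = Get-WmiObject -Namespace $ns -Class ServerNetworkProtocol |
       Where-Object { $_.InstanceName -eq $instance -and $_.ProtocolName -eq 'Tcp' }
$tcp.SetEnable() | Out-Null
$props = Get-WmiObject -Namespace $ns -Class ServerNetworkProtocolProperty |
         Where-Object { $_.InstanceName -eq $instance -and $_.ProtocolName -eq 'Tcp' -and $_.IPAddressName -eq 'IPAll' }
($props | Where-Object PropertyName -eq 'TcpDynamicPorts').SetStringValue('') | Out-Null  # clear dynamic port
($props | Where-Object PropertyName -eq 'TcpPort').SetStringValue('1433')      | Out-Null
Restart-Service -Name "MSSQL`$$instance" -Force

# Step 7: point the Connection Broker at SQL Express instead of WID
Import-Module RemoteDesktop
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $broker `
    -DatabaseConnectionString $connStr `
    -DatabaseFilePath $dbFolder `
    -ClientAccessName $clientAccessName

# Step 10 check: TLS 1.0 must be Enabled=0 and DisabledByDefault=1 for both Client and Server,
# and the Connection Broker (Tssdis) and RD Management Service (RDMS) must be running.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'
foreach ($side in 'Client', 'Server') {
    $k = Get-ItemProperty -Path "$base\$side" -ErrorAction SilentlyContinue
    $disabled = ($k -ne $null) -and ($k.Enabled -eq 0) -and ($k.DisabledByDefault -eq 1)
    Write-Host ("TLS 1.0 {0,-6} disabled: {1}" -f $side, $disabled)
}
foreach ($svc in 'Tssdis', 'RDMS') {
    Write-Host ("{0,-7} status: {1}" -f $svc, (Get-Service -Name $svc).Status)
}
Write-Host ("RDP port reachable: {0}" -f (Test-NetConnection -ComputerName $clientAccessName -Port 3389).TcpTestSucceeded)
```

The registry check only tells you what the server is configured to do; the testssl.sh run in step 10 remains the confirmation that the listener on 3389 really refuses a TLS 1.0 handshake.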
These are some common errors you may see in Event Viewer when troubleshooting the initial issue of RDS not starting, if you disabled TLS 1.0 before following the above steps:
- The Remote Desktop Management Service fails to start with Error code: 0x88250003.
- Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
  User : [removed]
  Error: Remote Desktop Connection Broker is not ready for RPC communication.
- A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
Thank you to the below articles which helped me write these steps.
https://nedimmehic.org/2017/05/16/remote-desktop-services-2016-connection-broker-high-availability/
http://microsoftplatform.blogspot.com/2012/04/rd-connection-broker-ha-sql-permissions.html
https://social.technet.microsoft.com/wiki/contents/articles/10390.windows-server-2012-deploying-rd-connection-broker-high-availability.aspx
https://social.technet.microsoft.com/wiki/contents/articles/10393.windows-server-2012-rds-rd-connection-broker-ha-sql-permissions.aspx