Cannot RDP to server after upgrading for TLS 1.2

Document ID : KB000121401
Last Modified Date : 20/11/2018
Issue:
Upgraded server to support TLS 1.2. Cannot connect to the server via PAM RDP; however, RDP from the desktop works fine.
Environment:
PAM 3.1.1
Resolution:
The cipher suite that the PAM RDP applet requires was disabled during the server upgrade (see Additional Information below). Once it was re-enabled, PAM RDP worked again.
Additional Information:
As of release 2.6, the RDP client (the applet) supports TLS 1.2 connections and supports the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite.

In 3.2 we introduced forward secrecy for the RDP applet. The RDP client applet still supports TLS 1.2 connections with the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite, and it also supports forward secrecy using the following cipher suites:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Starting with 3.2, for the highest level of security, ensure your RDP server (target Windows Device) is configured to use forward secrecy with TLS 1.2 communication. 

If you are on 3.1.1, your server has to support the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite.
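
To confirm which of the cipher suites named above are enabled on the target Windows device, a check along the following lines can be run there. This is an added example, not vendor-supplied code; it assumes Windows Server 2016 or later (where the Get-TlsCipherSuite and Enable-TlsCipherSuite cmdlets are available) and an elevated session, and the parameter names `PamVersion` and `EnableMissing` are hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the target RDP server.
# Assumes Windows Server 2016 or later (TLS module cmdlets present).
param(
    [string]$PamVersion = '3.1.1',   # PAM release in use (hypothetical parameter)
    [switch]$EnableMissing           # re-enable the RSA suite if nothing usable is on
)

# Cipher suites the PAM RDP applet supports, as listed in this article.
$rsaSuite  = 'TLS_RSA_WITH_AES_256_CBC_SHA256'
$pfsSuites = 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
             'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'

# Before 3.2 only the RSA suite is usable; from 3.2 on, the forward-secrecy
# suites are usable as well.
$usable = if ([version]$PamVersion -ge [version]'3.2') {
    @($rsaSuite) + $pfsSuites
} else {
    @($rsaSuite)
}

# Names of every cipher suite currently enabled in Schannel on this server.
$enabled = (Get-TlsCipherSuite).Name

$report = foreach ($suite in $usable) {
    [pscustomobject]@{
        CipherSuite    = $suite
        ForwardSecrecy = $pfsSuites -contains $suite
        Enabled        = $enabled -contains $suite
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object Enabled)) {
    Write-Warning "No cipher suite usable by the PAM $PamVersion RDP applet is enabled."
    if ($EnableMissing) {
        Enable-TlsCipherSuite -Name $rsaSuite
        Write-Output "Enabled $rsaSuite; retest the PAM RDP connection."
    }
} elseif (-not ($report | Where-Object { $_.Enabled -and $_.ForwardSecrecy })) {
    Write-Output 'Only the non-forward-secrecy RSA suite is enabled for the applet.'
}
```

If the cipher suite order is set by Group Policy, change it in the policy rather than locally, since the policy setting takes precedence.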