Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Remote Assistance connection to Windows Server 2003 with FIPS encryption does not work
Article ID: 811770 - View products that this article applies to.
Microsoft has added the FIPS Compliant setting to the options for Terminal Services encryption levels in Windows Server 2003. A Windows Server 2003-based server that has the encryption level set to FIPS Compliant cannot allow Remote Assistance connections from a computer that is running Windows XP, Windows XP Service Pack 1 (SP1), or Windows XP Service Pack 2 (SP2).
When you try to connect from a Windows XP-based client to a Terminal Services server, the connection may not succeed, and you may receive the following error message:
Because of a security error, the client could not connect to the terminal server. After making sure that you are logged on to the network, try connecting to the server again.
Windows XP does not support the FIPS Compliant encryption level. Therefore, a Windows XP-based computer cannot connect to a Windows Server 2003-based server for remote assistance. Additionally, a Windows XP-based computer cannot provide a Remote Assistance connection to a Windows Server 2003-based computer that is configured to require FIPS-compatible encryption.
To resolve this problem, install Remote Desktop Connection 6.0. For more information about Remote Desktop Connection, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/925876/ )Remote Desktop Connection (Terminal Services Client 6.0)
Remote Desktop Connection (Terminal Services Client 6.0) can be installed on client computers that are running Windows XP SP2.
To work around this problem in Windows XP or in Windows XP SP1, disable the FIPS encryption level. To disable the FIPS encryption level, you can change the Encryption level setting in the RDP-Tcp Properties dialog box, or you can use the Group Policy Object to disable FIPS data encryption system-wide. To disable the FIPS encryption level, use one of the following methods.
Note There are two ways to enable the FIPS encryption level. If you have to disable the FIPS encryption level for Terminal Services, you must do this by using the same method that you originally used to enable the FIPS encryption level.
Method 1To disable the FIPS encryption level by changing the Encryption level setting in the RDP-Tcp Properties dialog box, follow these steps:
Method 2To use the Group Policy Object to disable FIPS data encryption system-wide, follow these steps:
818735For more information about the GPO setting for System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/818735/ )White Paper: Administering Group Policy by Using the Group Policy Management Console
(http://support.microsoft.com/kb/811833/ )The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and later versions
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
The FIPS Compliant setting requires that all data between the client and the server be encrypted by using encryption methods that are validated by Federal Information Processing Standard 140-1. When a Windows XP-based client tries to connect to a Windows Server 2003-based server that requires FIPS-compliant encryption, the following errors occur:
Article ID: 811770 - Last Review: September 26, 2007 - Revision: 9.1