Remote Assistance connection to Windows Server 2003 with FIPS encryption does not work
SYMPTOMS
Microsoft has added the FIPS Compliant setting to the options for Terminal Services encryption levels in Windows Server 2003. A Windows Server 2003-based server that has the encryption level set to FIPS Compliant cannot allow Remote Assistance connections from a computer that is running Windows XP, Windows XP Service Pack 1 (SP1), or Windows XP Service Pack 2 (SP2). When you try to connect from a Windows XP-based client to a Terminal Services server, the connection may not succeed, and you may receive the following error message:

Because of a security error, the client could not connect to the terminal server. After making sure that you are logged on to the network, try connecting to the server again.

CAUSE
Windows XP does not support the FIPS Compliant encryption level. Therefore, a Windows XP-based computer cannot connect to a Windows Server 2003-based server for remote assistance. Additionally, a Windows XP-based computer cannot provide a Remote Assistance connection to a Windows Server 2003-based computer that is configured to require FIPS-compatible encryption.

RESOLUTION
To resolve this problem, install Remote Desktop Connection 6.0.
For more information about Remote Desktop Connection, click the following article number to view the article in the Microsoft Knowledge Base:
925876 (http://support.microsoft.com/kb/925876/)
Remote Desktop Connection (Terminal Services Client 6.0)

WORKAROUND
Remote Desktop Connection (Terminal Services Client 6.0) can be installed on client computers that are running Windows XP SP2. To work around this problem in Windows XP or in Windows XP SP1, disable the FIPS encryption level. To disable the FIPS encryption level, you can change the Encryption level setting in the RDP-Tcp Properties dialog box, or you can use the Group Policy Object to disable FIPS data encryption system-wide. To disable the FIPS encryption level, use one of the following methods.

Note: There are two ways to enable the FIPS encryption level. If you have to disable the FIPS encryption level for Terminal Services, you must do this by using the same method that you originally used to enable the FIPS encryption level.

Method 1
To disable the FIPS encryption level by changing the Encryption level setting in the RDP-Tcp Properties dialog box, follow these steps:

Method 2
To use the Group Policy Object to disable FIPS data encryption system-wide, follow these steps:
818735 (http://support.microsoft.com/kb/818735/)
White Paper: Administering Group Policy by Using the Group Policy Management Console
For more information about the GPO setting for System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, click the following article number to view the article in the Microsoft Knowledge Base:
811833 (http://support.microsoft.com/kb/811833/)
The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and later versions

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION
The FIPS Compliant setting requires that all data between the client and the server be encrypted by using encryption methods that are validated by Federal Information Processing Standard 140-1. When a Windows XP-based client tries to connect to a Windows Server 2003-based server that requires FIPS-compliant encryption, the following errors occur:

APPLIES TO
