RDS Connection Broker or RDMS fails after you disable TLS 1.0 in Windows Server

Applies to: Windows Server 2012 R2 Standard, Windows Server 2016 Standard

Symptoms


Assume that you use the inbox Windows Internal Database (WID) in Windows Server. If you disable Transport Layer Security (TLS) 1.0 when you configure security settings, you experience the following issues:

  • The Remote Desktop service (RDS) may fail.
  • An existing RDS deployment that uses Remote Desktop Connection Broker and WID may fail.
  • The Remote Desktop Management service (RDMS) does not start.
  • You receive the following error message when you try to start the RDMS:
  • The Remote Desktop Connection Broker role cannot be installed.

Cause


This is expected behavior, and it is caused by the current dependency between RDS and Windows Internal Database: RDMS and Connection Broker rely on TLS 1.0 to authenticate to the database, and WID does not currently support TLS 1.2. Disabling TLS 1.0 therefore breaks this communication.

Note RDS deployments that use Connection Broker have to establish an encrypted channel to WID by using one of the following methods:

  • TLS
  • SSL 3.0
  • FIPS

Resolution


To fix this issue, use one of the following methods:

  • Set up RDS without Connection Broker for a single server installation.
  • Do not disable TLS 1.0 on a single Connection Broker deployment.
  • Configure a high availability Connection Broker deployment that uses a dedicated SQL Server.

    Note Microsoft has released an update to enable SQL Server communication to use TLS 1.2.
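Before applying a TLS 1.0 hardening setting, an administrator will want to know whether a given server is in the failure case this article describes. The following preflight check is an added example, not part of the article or of any Microsoft tooling; it assumes the standard SCHANNEL registry layout and the service names MSSQL$MICROSOFT##WID (Windows Internal Database), Tssdis (Connection Broker) and RDMS, and it treats an explicit disable on either the Server or Client side of SCHANNEL as risky.

```powershell
# Added preflight check (not from the article): reports whether this server
# carries the Connection Broker + WID dependency and whether TLS 1.0 has been
# explicitly disabled in SCHANNEL, so the combination is caught before RDMS fails.
# Assumed service names: MSSQL$MICROSOFT##WID (WID), Tssdis (Broker), RDMS.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-Tls10State {
    # Reports 'Disabled' only when Enabled=0 or DisabledByDefault=1 is set
    # explicitly; a missing key means the OS default applies.
    $result = @{}
    foreach ($side in 'Server', 'Client') {
        $key   = Join-Path $schannel "TLS 1.0\$side"
        $state = 'NotConfigured (OS default)'
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { $state = 'Disabled' }
            elseif ($null -ne $p.Enabled) { $state = 'Enabled' }
        }
        $result[$side] = $state
    }
    return $result
}

function Test-RdsWidDependency {
    $wid    = Get-Service -Name 'MSSQL$MICROSOFT##WID' -ErrorAction SilentlyContinue
    $broker = Get-Service -Name 'Tssdis' -ErrorAction SilentlyContinue
    $rdms   = Get-Service -Name 'RDMS'   -ErrorAction SilentlyContinue
    $tls10  = Get-Tls10State

    $tlsDisabled = ($tls10['Server'] -eq 'Disabled') -or ($tls10['Client'] -eq 'Disabled')

    [pscustomobject]@{
        WidInstalled    = [bool]$wid
        BrokerInstalled = [bool]$broker
        RdmsStatus      = $(if ($rdms) { $rdms.Status } else { 'NotInstalled' })
        Tls10Server     = $tls10['Server']
        Tls10Client     = $tls10['Client']
        # The failure case from the article: Broker and WID present, TLS 1.0 disabled.
        AtRisk          = ([bool]$wid -and [bool]$broker -and $tlsDisabled)
    }
}

Test-RdsWidDependency | Format-List
```

Run it in an elevated session on the Connection Broker host; AtRisk = True means the deployment matches the scenario above and one of the resolution methods should be chosen before (or instead of) disabling TLS 1.0.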