Discussion:
Client to Client Remote Desktop Issue since enabling FIPS Crypto
GDKenoyer
2006-11-09 23:27:02 UTC
This is somewhat similar to the previous question asked by Birddog.

Our policy has required me to implement FIPS Compliant System Crypto. To
(re)enable remote Server management, I upgraded the workstations' RDP to
v5.2.3790.1830 (from 5.1.2600.2186).

I now no longer get the "the client could not establish a connection..."
error box and can connect from my WinXP SP2 workstations to my W2k3 SP1
Servers fine.

BUT I cannot use the new client to connect to any other XP WORKSTATION. I
get an error box similar to the old "the client could not..." but this one
has a 4th "likely cause" of:

"The remote computer might not support the required FIPS security level.
Please lower the client side required security level Policy, or contact your
network administrator for assistance."

The FIPS is a domain-wide policy, and the workstations are current in
patches and have rebooted since the policy was imposed.

Ideas...?
(note: this is also posted in Daniel Petri's forums)
TP
2006-11-10 07:44:37 UTC
When connecting to an XP Pro workstation, use the older
5.1.2600.2180 client. It is still installed on your workstation,
because it is part of the OS.

Use Start-->Run-->mstsc.exe

Or you can create a shortcut to it:

Right-click on the Desktop-->New-->Shortcut-->mstsc.exe

When you connect to an XP Pro machine, you will not be
using FIPS compliant encryption, because it is currently not
supported by XP.

-TP
GDKenoyer
2006-11-10 16:22:01 UTC
Thanks TP.

Post by TP
> When connecting to an XP Pro workstation, use the older
> 5.1.2600.2180 client.

Yep, I knew the older client was still there, but it's a pain to have to
use both.

Post by TP
> When you connect to an XP Pro machine, you will not be
> using FIPS compliant encryption, because it is currently not
> supported by XP.

Perhaps I misunderstand what you mean by not supported.
Both XP and Win2k3 appear to have the same FIPS capability as noted in a few
articles, such as
http://www.microsoft.com/technet/archive/security/topics/issues/fipseval.mspx?mfr=true

I'm suspecting something to do with TLS....
TP
2006-11-10 16:52:48 UTC
No, you didn't misunderstand me. :-)
Excerpt
The protocols whose cryptographic processing takes advantage of the
components that have completed FIPS-140-1 or FIPS 140-2
(as appropriate) evaluation include:

...

The Microsoft Remote Desktop Protocol (RDP) 5.2 (or above) of Terminal
Service Client (available from Windows Server 2003) running on a
Windows XP (or above) machine, connecting to a Terminal Server session
on a Windows 2003 Server that is configured for FIPS-compatible encryption;
End Excerpt
If we "chunk down" the above paragraph, we get:

Connecting
FROM XP machine
USING 5.2 client
TO 2003 w/FIPS

They are not making any claims that connecting from XP
to XP using RDP will support FIPS encryption.

-TP
GDKenoyer
2006-11-10 17:07:01 UTC
Ah, gotcha! That's what I feared you meant:
- Client <-> Server: OK
- Client <-> Client: Nope!

like Charlie Brown said: argh.

g
TP
2006-11-10 17:22:36 UTC
Please click Yes next to Did this post answer the question?
on my earlier replies. This will help others using the group:

http://www.microsoft.com/wn3/locales/help/help_en-us.htm#RateAPost

Thanks!

-TP
