Forum Discussion
WID and RDCB with tls 1.2 only
Hi,
For compliance reasons we have to disable TLS 1.0 on our systems, and in doing so we encountered an unexpected error. The Windows Internal Database, and therefore also the Remote Desktop Connection Broker, does *not* support anything newer than TLS 1.0.
We're only allowed to use modern protocols like TLS 1.2 or TLS 1.3, so we've disabled all others within Schannel. For now we have re-enabled TLS 1.0 on the Remote Desktop Connection Broker, but we need to disable it again or we will not pass the certification.
Therefore my question: Is it possible to configure the Windows Internal Database to use TLS 1.2, and how is that done?
Best,
agowa338
Edit: There is even a UserVoice entry: https://remotedesktop.uservoice.com/forums/266795-remote-desktop-services/suggestions/8527261-support-tls-1-2-in-rds-remote-desktop-services
According to the response from Microsoft from 2017 it should work, but as others have already pointed out, it still doesn't because the Windows Internal Database is TLS 1.0 only. How do others with PCI DSS handle this? Do you deploy a SQL Server for the Remote Desktop Connection Broker instead?
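Added here as an illustration, not part of agowa338's post: a read-only PowerShell audit of the Schannel registry keys that decide which TLS versions a host will offer, which is where the post says the older protocols were disabled. The key paths and the `Enabled` / `DisabledByDefault` value names are the standard Schannel ones; an absent key or value means the Windows default for that OS version applies.

```powershell
# Added example: enumerate Schannel protocol settings on the local host.
# Read-only; it changes nothing. Run in an elevated PowerShell session.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    foreach ($proto in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $proto) $side
            $enabled = $null
            $disabledByDefault = $null
            $present = Test-Path $key
            if ($present) {
                # Values are DWORDs; $null here means the value is not set and
                # the OS default for this protocol applies.
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                KeyPresent        = $present
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

# A host hardened as described in the post will show TLS 1.0 with Enabled = 0
# on the Server side; that is the state the Windows Internal Database cannot work with.
Get-SchannelProtocolState | Format-Table -AutoSize
```

Compare the Server-side rows against what the Connection Broker's dependencies actually need before removing a protocol, and re-run the audit after any change to confirm the host is in the expected state.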
2 Replies
- agowa338 (Copper Contributor)
> Does your Connection Broker also have the RDWeb and Gateway roles installed?
No, it doesn't; currently we have the role on a separate server because of the issue with the Windows Internal Database.
> Do you need TLS 1.2 on your internal network, or just for External transports?
We need it for both. In fact, we're going to stop differentiating between internal and external, so that we can much more easily support multi-cloud setups.