Event ID 1050 — Remote Desktop Services Authentication and Encryption
Applies To: Windows Server 2008 R2
Transport Layer Security (TLS) 1.0 enhances the security of sessions by providing server authentication and by encrypting RD Session Host server communications. The RD Session Host and the client computer must be correctly configured for clients to make successful remote connections and for TLS to provide enhanced security. For example, a certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during Remote Desktop Protocol (RDP) connections.
Event Details
| Field | Value |
| --- | --- |
| Product | Windows Operating System |
| ID | 1050 |
| Source | Microsoft-Windows-TerminalServices-RemoteConnectionManager |
| Version | 6.1 |
| Symbolic Name | EVENT_TS_SSL_SETTINGS_REQUIRED_CORRECTION |
| Message | The Terminal Server listener %1 is configured with inconsistent authentication and encryption settings. The Encryption Level is currently set to %2 and Security Layer is set to %3. These settings were automatically corrected to allow connections to proceed. Please change the Security Layer and Encryption Level settings in Group Policy or by using the Terminal Services Configuration tool in the Administrative Tools folder. |
Resolve
Review and modify authentication and encryption TLS 1.0 (SSL) settings on the RD Session Host server
To resolve this issue, check the encryption and authentication settings on the RD Session Host server to ensure that they are compatible, and that they are appropriate for your security requirements and the level of security that your client computers can support.
Note: Remote Desktop Connection 5.2 and later supports 128-bit encryption.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Configure server authentication and encryption settings for a connection by using Remote Desktop Session Host Configuration
Keep in mind that certain authentication and encryption settings are not compatible. For example, if you select SSL (TLS 1.0) for the security layer and an encryption level of Low, you will receive an error message if you attempt to apply these settings. The error message will state that the encryption level is set too low for the security layer used.
To configure server authentication and encryption settings for a connection by using Remote Desktop Session Host Configuration:
- Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
- Under Connections, right-click the connection (for example, RDP-tcp), and then click Properties.
- In the Properties dialog box for the connection, click the General tab.
- Select the server authentication and encryption settings that are appropriate for your environment, based on your security requirements and the level of security that your client computers can support.
- If you select SSL (TLS 1.0), either select a certificate that is installed on the RD Session Host server or click Default to generate a self-signed certificate. To select a certificate that is installed on the RD Session Host server, click Select, and in the Select Certificate dialog box, select the certificate that you want to use, and then click OK.
- If you are using a self-signed certificate, the name of the certificate will display as Auto generated.
- Click OK.
Configure server authentication and encryption settings for a connection by using Group Policy
You can also configure server authentication and encryption settings by applying the following Group Policy settings:
- Set client connection encryption level
- Require use of specific security layer for remote (RDP) connections
- Server Authentication Certificate Template
- Require user authentication for remote connections by using Network Level Authentication
These Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that these Group Policy settings will take precedence over the settings configured in Remote Desktop Session Host Configuration, with the exception of the Server Authentication Certificate Template Group Policy setting.
You can configure the RD Session Host server to use the FIPS-compliant encryption level by applying the System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing Group Policy setting. This Group Policy setting is located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting takes precedence over both the setting configured in Remote Desktop Session Host Configuration and the Set client connection encryption level Group Policy setting.
For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help (https://go.microsoft.com/fwlink/?LinkId=143317) or the GPMC Help (https://go.microsoft.com/fwlink/?LinkId=143867) in the Windows Server 2008 R2 Technical Library.
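To see which values are actually in effect after applying the settings above, the following PowerShell script reads the security layer and encryption level back and applies the precedence rules described in this section. It is an added example, not part of the original Microsoft page. The registry paths, the value names and the numeric codes for each level are assumptions based on the standard RD Session Host locations; the page itself does not list them.

```powershell
# Added example: read back the listener settings that Event ID 1050 reports on.
# Assumption: registry paths, value names and numeric codes below are the
# standard RD Session Host locations; none of them are stated on the page.
$listener  = 'RDP-Tcp'
$localKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$listener"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EffectiveSetting([string]$Name) {
    # Group Policy takes precedence over RD Session Host Configuration.
    $value  = Get-RegValue $policyKey $Name
    $source = 'Group Policy'
    if ($null -eq $value) {
        $value  = Get-RegValue $localKey $Name
        $source = 'RD Session Host Configuration'
    }
    New-Object PSObject -Property @{ Value = $value; Source = $source }
}

function Format-Setting($Setting, $Names) {
    if ($null -eq $Setting.Value) { return 'not set' }
    '{0} = {1} (from {2})' -f $Setting.Value, $Names[[int]$Setting.Value], $Setting.Source
}

$layer = Get-EffectiveSetting 'SecurityLayer'
$level = Get-EffectiveSetting 'MinEncryptionLevel'

# The FIPS security option overrides both places the encryption level can be set.
if ((Get-RegValue $fipsKey 'Enabled') -eq 1) {
    $level = New-Object PSObject -Property @{ Value = 4; Source = 'FIPS security option' }
}

'Security layer  : ' + (Format-Setting $layer $layerNames)
'Encryption level: ' + (Format-Setting $level $levelNames)

# The one combination this page names as incompatible: SSL (TLS 1.0) with Low.
if ($layer.Value -eq 2 -and $level.Value -eq 1) {
    Write-Warning 'SSL (TLS 1.0) is combined with encryption level Low; expect Event ID 1050.'
}

# Recent occurrences of the event, with the listener and levels it reported.
Get-WinEvent -FilterHashtable @{
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'; Id = 1050
} -MaxEvents 5 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
```

Run it from an elevated PowerShell prompt on the RD Session Host server; a setting reported as coming from Group Policy has to be changed in the policy, not in Remote Desktop Session Host Configuration.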
Verify
When Transport Layer Security (TLS) 1.0 is functioning as expected for server authentication and encryption of RD Session Host server communications, clients can make connections to RD Session Host servers by using TLS 1.0 (SSL).
To verify that the TLS 1.0 (SSL) settings are correctly configured and working properly on the RD Session Host server to provide server authentication and encryption for connections, use Remote Desktop Connection from a client computer to connect to the RD Session Host server. If you can connect to the RD Session Host server and there is a lock symbol in the upper-left corner of the connection bar at the top of the window, TLS 1.0 (SSL) is being used for the connection.
Note: To ensure that the connection bar is displayed when you use Remote Desktop Connection to connect from a client computer, select full-screen mode when configuring Remote Desktop Connection settings.
To select full-screen mode in Remote Desktop Connection:
- Open Remote Desktop Connection. To open Remote Desktop Connection, click Start, click Accessories, and then click Remote Desktop Connection.
- Click Options to display the Remote Desktop Connection settings, and then click Display.
- Under Remote desktop size, drag the slider all the way to the right to ensure that the remote desktop that you plan to connect to is displayed in full-screen mode.