问题描述

有一个用户在使用RDP连接自己的机器时，怎么也连不上。不论时调整导NLA还是调整到TLS，都不行。

解决过程

1. 远程协助了一次，没有什么头绪
2. 唯一的线索就是在协商加密算法的失败了。因为前端的种种限制，在选择RDP_PROTOCOL这个加密方式时，没法支持FIPS
3. 建议用户更改自己的加密方式，来回好几次也不行，用户坚称自己已经关闭FIPS了

FIPS is definitely off.

• "Local Computer Policy \ Computer Configuration \ Windows Setting \ Security Setting \ Local Policies \ Security Options \ System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" is disabled
• KLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled is set to zero.

解决方案

最终的最终，还是找到了另一个相关的选项，参考连接 Increase the security of your Windows Server 2012 Remote Desktop
为了防止网页失效，把关键信息记下来

To change the encryption level, navigate to the following registry key:
\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel

• Security Layer 1 – With a low security level, communications sent from the client to the server are encrypted using 56-bit encryption. Data sent from the server to the client is not encrypted. This setting is not recommended as you can be exposed to various attacks.
• Security Layer 2 – Having a client compatible security level, communications between the server and the client are encrypted at the maximum key strength supported by the client. Use this level when the Terminal Server is running in an environment containing mixed or legacy clients as this is the default setting on your OS.
• Security Layer 3 – With a high security level, communications between server and client are encrypted using 128-bit encryption. Use this level when the clients that access the Terminal Server also support 128-bit encryption. If this option is set, clients that do not support 128-bit encryption will not be able to connect.
• Security Layer 4 – This security level is FIPS-Compliant, meaning that all communication between the server and client are encrypted and decrypted with the Federal Information Processing Standard (FIPS) encryption algorithms. We recommend using this setting for maximum efficiency but only if both machines support this type of encryption.

后记

想开发RDP，不熟悉Windows Server的配置，的确会遇到许多问题。所以，如果有志于开发RDP应用的人，我的建议是，熟练掌握Windows Server RDS和Security的配置很重要。