Event ID 1050 — Terminal Services Authentication and Encryption
Applies To: Windows Server 2008
Transport Layer Security (TLS) 1.0 enhances the security of Terminal Services sessions by providing server authentication and by encrypting terminal server communications. The terminal server and the client computer must be correctly configured for clients to make successful remote connections and for TLS to provide enhanced security. For example, a certificate is needed to authenticate a terminal server when SSL (TLS 1.0) is used to secure communication between a client and a terminal server during Remote Desktop Protocol (RDP) connections.
|Product:||Windows Operating System|
|Message:||The Terminal Server listener %1 is configured with inconsistent authentication and encryption settings. The Encryption Level is currently set to %2 and Security Layer is set to %3. These settings were automatically corrected to allow connections to proceed. Please change the Security Layer and Encryption Level settings in Group Policy or by using the Terminal Services Configuration tool in the Administrative Tools folder.|
Review and modify authentication and encryption TLS 1.0 (SSL) settings on the terminal server
To resolve this issue, check the encryption and authentication settings on the terminal server to ensure that they are compatible, and that they are appropriate for your security requirements and the level of security that your client computers can support.
Note: To determine the maximum encryption strength supported by the version of Remote Desktop Connection running on the computer, start Remote Desktop Connection, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. Look for the phrase "Maximum encryption strength" in the About Remote Desktop Connection dialog box. Remote Desktop Connection 5.2 and later supports 128 bits of encryption.
To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
Configure server authentication and encryption settings for a connection by using Terminal Services Configuration
Keep in mind that certain authentication and encryption settings are not compatible. For example, if you select SSL (TLS 1.0) for the security layer and an encryption level of Low, you will receive an error message if you attempt to apply these settings. The error message will state that the encryption level is set too low for the security layer used.
To configure server authentication and encryption settings for a connection by using Terminal Services Configuration:
- Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
- Under Connections, right-click the connection (for example, RDP-tcp), and then click Properties.
- In the Properties dialog box for the connection, click the General tab.
- Select the server authentication and encryption settings that are appropriate for your environment, based on your security requirements and the level of security that your client computers can support.
- If you select SSL (TLS 1.0), either select a certificate that is installed on the terminal server or click Default to generate a self-signed certificate. To select a certificate that is installed on the terminal server, click Select, and in the Select Certificate dialog box, select the certificate that you want to use, and then click OK.
- If you are using a self-signed certificate, the name of the certificate will display as Auto generated.
- Click OK.
Configure server authentication and encryption settings for a connection by using Group Policy
You can also configure server authentication and encryption settings by applying the following Group Policy settings:
- Set client connection encryption level
- Require use of specific security layer for remote (RDP) connections
- Server Authentication Certificate Template
- Require user authentication for remote connections by using Network Level Authentication
These Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that these Group Policy settings will take precedence over the settings configured in Terminal Services Configuration, with the exception of the Server Authentication Certificate Template Group policy setting.
For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help (http://go.microsoft.com/fwlink/?LinkId=101633) or the GPMC Help (http://go.microsoft.com/fwlink/?LinkId=101634) in the Windows Server 2008 Technical Library.
You can configure the terminal server to use the FIPS-compliant encryption level by applying the System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing Group Policy setting. This Group Policy setting is located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting will take precedence over the setting configured in Terminal Services Configuration and takes precedence over the Set client connection encryption level Group Policy setting.
When Transport Layer Security (TLS) 1.0 is functioning as expected for server authentication and encryption of terminal server communications, clients can make connections to terminal servers by using TLS 1.0 (SSL).
To verify that the TLS 1.0 (SSL) settings are correctly configured and working properly on the terminal server to provide server authentication and encryption for connections, use Remote Desktop Connection from a client computer to connect to the terminal server. If you can connect to the terminal server and there is a lock symbol in the upper-left corner of the connection bar at the top of the window, TLS 1.0 (SSL) is being used for the connection.
Note: To ensure that the connection bar is displayed when you use Remote Desktop Connection to connect from a client computer, select full-screen mode when configuring Remote Desktop Connection settings.
To select full-screen mode in Remote Desktop Connection:
- Open Remote Desktop Connection. To open Remote Desktop Connection, click Start, click Accessories, and then click Remote Desktop Connection.
- Click Options to display the Remote Desktop Connection settings, and then click Display.
- Under Remote desktop size, drag the slider all the way to the right to ensure that the remote desktop that you plan to connect to is displayed in full-screen mode.