Solved: enabling only TLS 1.2 works for admin but not users
Posted by Amy Babinchak on 04 June 2018 03:26 PM
Helping IT pros figure out problems is what we do. Recently a client contacted us with a TLS problem via our helpdesk (https://helpdesk.thirdtier.net). PCI compliance demands that you disable all protocols other than TLS 1.2 for credit card processing. However, after following documentation to disable all protocols except TLS 1.2, it was only working for admins, not for general users.
The documentation provided by the vendor was wrong. Well, actually, it omitted something rather important.
CLIENT: Server 2012 Remote Desktop. Users connect via RemoteApp. Processes credit cards, which requires a TLS 1.2 connection. If I am logged into the desktop as "administrator" (the domain administrator and the account used for all domain admin tasks) I can process cards. If I connect to RemoteApp and use administrator I can process cards. If I connect via remote desktop or RemoteApp as any other user, the transaction fails, and if I Wireshark it, the transaction is not TLS 1.2, which causes the failure.
THIRDTIER: Have you tried logging onto the RDS server itself, as one of the “problem” users and then running a test as that user via the SSLLABS site?
CLIENT: Interesting. I disabled IE Enhanced security mode and ran that page as administrator and user. As admin it passed all the tests. As user it fails the Protocol Support test. I then compared the settings in IE under Advanced, and the TLS boxes were all unchecked on the User profile and all checked on the admin profile.
THIRDTIER: How are you going with this issue, given we’ve narrowed it down to the IE setting and you were going to put the GPO in place?
CLIENT: Looks like the GPO worked. Everybody is processing cards this morning. Thanks!
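The difference between the admin and user profiles came down to the per-user TLS checkboxes in Internet Explorer. The PowerShell below is an added example, not part of the original exchange or the vendor's documentation: run as an affected user on the RDS server, it reads the `SecureProtocols` registry value behind those checkboxes and reports whether TLS 1.2 is enabled. The registry paths and bit values are the standard WinINet ones and are not named in the post, which also does not say which GPO setting the client applied.

```powershell
# Added example: report the per-user IE/WinINet protocol checkboxes as stored in the registry.
# Bit values of the SecureProtocols DWORD (Internet Options > Advanced > Security).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}

# Locations where the value can be set: by Group Policy (first two) or by the user profile.
$Locations = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function ConvertFrom-SecureProtocols {
    # Turn the bitmask into the list of protocol names that are ticked.
    param([Parameter(Mandatory)][int]$Value)
    $ProtocolBits.Keys | Where-Object { $Value -band $ProtocolBits[$_] }
}

function Get-SecureProtocolsReport {
    foreach ($path in $Locations) {
        $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value not set at this location
        $value = [int]$item.SecureProtocols
        [pscustomobject]@{
            User     = $env:USERNAME
            Location = $path
            Value    = '0x{0:X}' -f $value
            Enabled  = (ConvertFrom-SecureProtocols -Value $value) -join ', '
            Tls12    = [bool]($value -band $ProtocolBits['TLS 1.2'])
        }
    }
}

$report = @(Get-SecureProtocolsReport)
if ($report.Count -eq 0) {
    Write-Output ('{0}: SecureProtocols not set anywhere; WinINet defaults apply' -f $env:USERNAME)
} else {
    $report | Format-List
    if ($report | Where-Object { -not $_.Tls12 }) {
        Write-Warning 'TLS 1.2 is unticked in at least one location for this user'
    }
}
```

Comparing the output for the administrator account and a standard user shows the same mismatch the client found in the Advanced tab, and rerunning it after the GPO applies confirms the policy reached the user's session.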