RDP Data encryption error for Windows 7 Clients

Tags: rdp, windows-server-2008

Windows 7 clients connecting to the RDS running on Windows Server 2008 R2 very frequently get the error message "Because of an error in the data encryption, this session will end…".

This occurs if the Windows 7 clients are connected via WiFi and then use a VPN connection to get inside the firewall (the issue occurs on both the PPTP VPN run by Microsoft Routing and Remote Access and the IPsec VPN run by the Cisco ASA 5510). It happens on every Win 7 client connecting (provided they are connected via WiFi); if they are connected to the internal WiFi, the issue does not occur.

What is odd is that an XP client connecting exactly the same way (WiFi -> VPN -> RDC) does not experience this issue and connects fine every time.

I have done the following:

  • Tried both IPsec and PPTP VPNs
  • All the MTU values are set to 1500 at both ends
  • Disabled large send offload (called LSO & Jumbo Packets in the Advanced tab) in the NIC on the 2k8 server (have also disabled TCP Chimney Offload)
  • Disabled all checksum offloading in the NIC advanced settings
  • Tried multiple versions of the NIC drivers on the 2k8 server
  • Tried multiple WiFi connections; the same happens everywhere
  • Tried multiple VPN clients (not just the Cisco VPN Client)
  • Tried various combinations of the pre-fragmentation settings on the ASA
  • Tried changing the encryption in the RDS connector
  • Deleted and re-set up the RDS connector
  • Tried multiple different Windows 7 clients with different wireless NICs
  • Tried removing all connection items from the LAN connector on the server (was only running with IPv4, File and Print Sharing, Client for Microsoft Networks)
  • Set up a wireless connection external to the network with an outside IP and reproduced the issue, but when I moved that wireless point inside the network the issue went away, as the VPN connection was no longer needed

The server is an HP ProLiant ML350 G6 (which uses the Broadcom NetXtreme Gigabit Server card); the firewall is an ASA 5510.

Anyone got any ideas? I'm beginning to run dry.

Thanks for any help.

Best Answer

The fact that XP stations are not seeing this but Win7 is suggests to me that the fault lies within Network Level Authentication somewhere. This uses the CredSSP protocol. I don't think there is a way for the client to say not to attempt that, nor is there one on the server that I'm aware of.
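An added diagnostic script, written for this page and not part of the question or the answer above. It does three things a practitioner would want before going further: it reads the RDP-Tcp listener's NLA (CredSSP), security-layer and encryption settings on the 2008 R2 host (the `Win32_TSGeneralSetting` WMI class and the listener name `RDP-Tcp` are the standard ones; the listener name is still an assumption for this server), it confirms the interface MTU and TCP offload state instead of taking the "already set to 1500" claim on trust, it probes the largest unfragmented payload across the VPN path from the Windows 7 client, and it writes a test `.rdp` file using mstsc's documented `enablecredsspsupport:i:0` setting so CredSSP can be switched off on the client side as an isolation test. The host name `rds.example.internal` and the output path are assumptions.

```powershell
# Added diagnostic script (not from the original post or answer).
# Assumes Windows Server 2008 R2 / Windows 7, PowerShell 2.0 or later,
# run from an elevated prompt. Listener name 'RDP-Tcp', the host name
# rds.example.internal and the output path are assumptions.

# 1. RDS listener settings on the server: NLA (CredSSP), security layer, encryption.
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                     -Class Win32_TSGeneralSetting `
                     -Filter "TerminalName='RDP-Tcp'"
"NLA required (CredSSP) : $($rdp.UserAuthenticationRequired)"   # 1 = NLA on, 0 = off
"SecurityLayer          : $($rdp.SecurityLayer)"                # 0 = RDP, 1 = Negotiate, 2 = TLS
"MinEncryptionLevel     : $($rdp.MinEncryptionLevel)"           # 1 Low, 2 Client-compatible, 3 High, 4 FIPS

# 2. Interface MTU and TCP offload state; verify rather than assume they were applied.
netsh interface ipv4 show subinterfaces
netsh interface tcp show global

# 3. Run on the Win 7 client over the VPN: binary-search the largest ICMP payload
#    that crosses the tunnel without fragmentation. 1472 bytes of payload plus
#    28 bytes of IP/ICMP header is a 1500-byte packet; a PPTP or IPsec tunnel
#    normally cannot carry that, which is exactly the case the question describes.
function Find-PathMtu {
    param([string]$Target, [int]$Low = 1200, [int]$High = 1472)
    while ($Low -lt $High) {
        $mid = [int](($Low + $High + 1) / 2)
        $out = ping -n 1 -f -l $mid $Target            # -f sets DF, -l is payload size
        if ($out -match 'needs to be fragmented|100% loss') { $High = $mid - 1 }
        else                                             { $Low  = $mid }
    }
    return $Low + 28   # usable MTU = largest payload + IP/ICMP headers (assumes $Low itself passed)
}
"Usable path MTU to rds.example.internal: $(Find-PathMtu -Target 'rds.example.internal')"

# 4. Client-side isolation test: an .rdp file with CredSSP disabled, so the client
#    uses legacy RDP security instead of NLA. If the data-encryption error stops
#    with this file, NLA/CredSSP is implicated; if it persists, look at the path MTU.
@"
full address:s:rds.example.internal
enablecredsspsupport:i:0
authentication level:i:0
"@ | Set-Content -Path "$env:USERPROFILE\Desktop\rds-nocredssp.rdp"
```

If `Find-PathMtu` returns a value below 1500, the interface MTU on the VPN adapter (or the ASA's `sysopt connection tcpmss` value) is the next thing to change; if CredSSP turns out to be the trigger, compare the Windows 7 client with the XP client, which by default does not negotiate CredSSP, before changing anything on the listener.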
