Windows Logon Agent now only supports TLS1.2. The administrator may want to configure safer cipher suites for SSL connections.
The general way for an administrator to configure is to add or remove cipher suites in the registry editor. The path to do this is "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" and configure ciphers for the multi-string value "Functions".
After changing the settings, the agent service needs to be restarted.
As the string definition of OpenSSL ciphers (we are using OpenSSL in our code) is different with the counterpart of RFC ciphers, we provide a mapper file "sslciphermap" under the installation folder for the program to check.
You can also useNMap tool (download from https://nmap.org/download.html) to check if the configuration takes effect on port 14284 (or port 14294 if using Windows Logon G2).
Use Command line: "nmap -sV --script ssl-enum-ciphers -p 14284 <host>"
an example result will be as follows...
