{"id":53,"date":"2018-11-21T18:59:55","date_gmt":"2018-11-21T18:59:55","guid":{"rendered":"https:\/\/unsrewiki.1sys1.com\/?p=53"},"modified":"2018-11-21T18:59:55","modified_gmt":"2018-11-21T18:59:55","slug":"unable-to-rdp-to-windows-server-credssp-encryption-oracle-remediation","status":"publish","type":"post","link":"https:\/\/server-help.org\/index.php\/2018\/11\/21\/unable-to-rdp-to-windows-server-credssp-encryption-oracle-remediation\/","title":{"rendered":"Unable to RDP to Windows Server: CredSSP Encryption Oracle Remediation!"},"content":{"rendered":"\n

Since March 2018, and with the release of Microsoft updates for Windows Server and Windows 7\/10, Credential Security Support Provider protocol (CredSSP)<\/strong> has been triggered . <\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

An authentication error has occurred.
\nThe function requested is not supported
\nRemote computer:
\nThis could be due to CredSSP encryption oracle remediation.
\nFor more information, see https:\/go.microsoft.com\/fwlink\/?linkid=866660<\/p>\n\n\n\n

Root Cause Analysis<\/strong><\/p>\n\n\n\n

To resolve a vulnerability issue with Credential Security Support Provider protocol (CredSSP), a monthly Windows update in May was applied which does two things:<\/p>\n\n\n\n

1.<\/em> Correct how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process<\/em><\/p>\n\n\n\n

2.<\/em> Change the group policy Encryption Oracle Remediation default setting from Vulnerable to Mitigated.<\/em><\/p>\n\n\n\n

This RDP authentication issue can occur if the local client<\/strong> and the remote host<\/strong> have differing Encryption Oracle Remediation<\/em> settings<\/strong> that define how to build an RDP session with CredSSP. If the server or client have different expectations on the establishment of a secure RDP session the connection could be blocked. There is the possibility that the current default setting could change from the tentative update and therefore impact the expected secure session requirement.<\/p>\n\n\n\n

Resolution\/ Fix<\/strong><\/p>\n\n\n\n

Ensure both client & server side have latest patch installed so that RDP can be established in a secure way.<\/p>\n\n\n\n

Alternative Work-arounds<\/strong><\/p>\n\n\n\n

Resolution 1<\/strong><\/p>\n\n\n\n

If you cannot RDP to VMs from your patched client, we can consider changing the policy settings on the client<\/strong> to temporarily gain RDP access to the servers. You can change the settings in Local Group Policy Editor. Execute gpedit.msc<\/strong> and browse to Computer Configuration \/ Administrative Templates \/ System \/ Credentials Delegation<\/strong> in the left pane:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

Change the Encryption Oracle Remediation<\/strong> policy to Enabled<\/strong>, and Protection Level<\/strong> to Vulnerable<\/strong>
\nSame steps on Windows 7 \/ 10
\n<\/p>\n\n\n\n

Resolution 2<\/strong>
\nIf your Windows client does not have group policy editor gpedit.msc<\/strong> or above \u201cOracle Remediation\u201d option:<\/p>\n\n\n\n

Windows 10<\/strong><\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Windows 7<\/strong><\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Remember to reinstall it when you are done.<\/em><\/strong><\/p>\n\n\n\n

Resolution 2 Work Around<\/strong><\/p>\n\n\n\n

If it is not possible to access to Local Group Policy Editor on the client (i.e. Windows Home versions), same change can be done through the registry:<\/p>\n\n\n\n

HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\CredSSP\\Parameters\\ \/v AllowEncryptionOracle \/t REG_DWORD \/d 2<\/p>\n\n\n\n

After that, whether the established RDP session is secure or not depends on whether server is patched. Remember to undo<\/strong> this when all the servers are patched.<\/p>\n","protected":false},"excerpt":{"rendered":"

Since March 2018, and with the release of Microsoft updates for Windows Server and Windows 7\/10, Credential Security Support Provider protocol (CredSSP) has been triggered . An authentication error has occurred. The function requested is not supported Remote computer: This could be due to CredSSP encryption oracle remediation. For more information, see https:\/go.microsoft.com\/fwlink\/?linkid=866660 Root Cause…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/posts\/53"}],"collection":[{"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/comments?post=53"}],"version-history":[{"count":1,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/posts\/53\/revisions"}],"predecessor-version":[{"id":54,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/posts\/53\/revisions\/54"}],"wp:attachment":[{"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/media?parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/categories?post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/tags?post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}